CloudFront Flashcards
What is CloudFront?
How does CloudFront improve read performance?
What type of protection do you get with CloudFront?
A content delivery network (CDN).
By caching content at edge locations. For instance, if your content is stored in Australia and someone in the US requests it, CloudFront fetches it from the origin once and serves later requests from the cache at the US edge location.
DDoS protection, with integration with AWS Shield and AWS WAF (Web Application Firewall).
What are the origins for CloudFront and why would you use them?
What must you configure for a custom (HTTP) origin?
S3 Buckets
Distributing large file and caching them at the edge
Enhanced security with CloudFront Origin Access Identity (OAI): a special CloudFront principal (not an IAM role) that you grant access to in the S3 bucket policy, so the bucket only serves requests that come through CloudFront. OAI has since been superseded by Origin Access Control (OAC), which achieves the same thing with a bucket-policy statement for the cloudfront.amazonaws.com service principal conditioned on your distribution's ARN.
CloudFront can be used as an ingress to upload files to S3
Custom Origin (HTTP) - anything that speaks HTTP:
Application Load Balancer
EC2 instance
S3 website endpoint
Any HTTP backend you want
The origin's security group must allow inbound traffic on the origin port from the CloudFront origin-facing IP ranges (published in ip-ranges.json under the service token CLOUDFRONT_ORIGIN_FACING). The easier way is to reference the AWS-managed prefix list com.amazonaws.global.cloudfront.origin-facing in the security group rule, so the list stays current without you maintaining it.
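If you do maintain the list yourself, the trap is opening the broad CLOUDFRONT ranges (which include viewer-facing addresses that never connect to an origin) instead of the smaller origin-facing set. The following Go program is an added example, not part of the original flashcards or of any AWS tool: it parses the shape of ip-ranges.json, keeps only CLOUDFRONT_ORIGIN_FACING prefixes, de-duplicates them, and emits a single security-group permission in the JSON form that `aws ec2 authorize-security-group-ingress --ip-permissions` accepts. The embedded sample document is constructed and abbreviated; the real file is fetched from https://ip-ranges.amazonaws.com/ip-ranges.json.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// ipRanges mirrors the parts of ip-ranges.json that matter here: every prefix
// carries a CIDR, a region and a service token.
type ipRanges struct {
	SyncToken string `json:"syncToken"`
	Prefixes  []struct {
		IPPrefix string `json:"ip_prefix"`
		Region   string `json:"region"`
		Service  string `json:"service"`
	} `json:"prefixes"`
}

// OriginFacingPrefixes returns the IPv4 CIDRs tagged CLOUDFRONT_ORIGIN_FACING,
// de-duplicated and sorted. These are the addresses CloudFront connects to
// origins from. The broader CLOUDFRONT token also covers viewer-facing ranges
// that never connect to an origin, so opening it would over-permit.
func OriginFacingPrefixes(raw []byte) ([]string, error) {
	var doc ipRanges
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	for _, p := range doc.Prefixes {
		if p.Service == "CLOUDFRONT_ORIGIN_FACING" {
			seen[p.IPPrefix] = true
		}
	}
	out := make([]string, 0, len(seen))
	for cidr := range seen {
		out = append(out, cidr)
	}
	sort.Strings(out)
	return out, nil
}

// IngressRule builds a single security-group permission for those CIDRs in the
// shape `aws ec2 authorize-security-group-ingress --ip-permissions` accepts.
// Only the origin port is opened; nothing else is allowed in.
func IngressRule(port int, cidrs []string) map[string]any {
	ranges := make([]map[string]string, 0, len(cidrs))
	for _, c := range cidrs {
		ranges = append(ranges, map[string]string{
			"CidrIp":      c,
			"Description": "CloudFront origin-facing",
		})
	}
	return map[string]any{
		"IpProtocol": "tcp",
		"FromPort":   port,
		"ToPort":     port,
		"IpRanges":   ranges,
	}
}

// sampleIPRanges is a constructed, abbreviated stand-in for the real file.
// As in the real file, one CIDR appears under several service tokens and one
// entry is listed twice, which is why the parser de-duplicates.
const sampleIPRanges = `{
  "syncToken": "1700000000",
  "prefixes": [
    {"ip_prefix": "205.251.249.0/24", "region": "GLOBAL", "service": "AMAZON"},
    {"ip_prefix": "205.251.249.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    {"ip_prefix": "205.251.249.0/24", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING"},
    {"ip_prefix": "120.52.22.96/27",  "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING"},
    {"ip_prefix": "120.52.22.96/27",  "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING"},
    {"ip_prefix": "13.32.0.0/15",     "region": "GLOBAL", "service": "CLOUDFRONT"}
  ]
}`

func main() {
	cidrs, err := OriginFacingPrefixes([]byte(sampleIPRanges))
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent([]map[string]any{IngressRule(443, cidrs)}, "", "  ")
	fmt.Println(string(out))
}
```

The syncToken field is worth keeping: AWS publishes an SNS topic (AmazonIpSpaceChanged) whenever the file changes, and comparing the token tells you whether a re-sync is needed. Note that these ranges only stop traffic that bypasses CloudFront; they do not prove a request came from your distribution, since any CloudFront distribution uses the same ranges. For that, add a custom origin header with a secret value on the distribution and check it at the origin (or use OAC for S3).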
What is cloudfront geo restriction?
What are the two types of restrictions?
What is the use-case for geo restrictions?
It allows you to restrict access to your content based on the country a viewer's request comes from (CloudFront looks the viewer's IP address up in a GeoIP database).
An allow list (whitelist) of countries or a block list (blacklist) of countries.
Proving to regulators or licensors that you only allow access to content from specific countries.
What is difference between CloudFront and S3 Cross region replication?
CloudFront is a global edge network; cached files have a TTL, after which the edge refetches them from the origin.
It's great for static content that must be available everywhere.
S3 Cross Region Replication must be set up for each region you want to replicate to; files are copied asynchronously in near real time, and the replicas are read-only.
Cross Region Replication is great for dynamic content that needs to be available at low-latency in a few regions.
What is a CloudFront signed URL or signed cookie?
When would you use a signed URL/cookie?
What are the parameters for a policy for a Signed URL/cookie?
What’s the difference between a signed URL and a signed cookie?
It's similar to an S3 pre-signed URL in that it provides access to private content served through CloudFront.
When you want to distribute premium paid content across the world.
URL expiration (DateLessThan, and optionally DateGreaterThan for a start time)
IP ranges allowed to access the data (IpAddress condition)
Trusted signers: the public keys (in a key group on the distribution) whose signatures CloudFront accepts; the matching private key stays with your application
Signed URL - Access to individual files
Signed cookie - Access to multiple files
How do you generate a signed-URL or signed cookie?
When would you use a signed URL vs a pre-signed URL?
From your server-side application: it uses the SDK (or the CLI) together with the private key of a trusted key group to generate the signed URL or cookie. The private key never leaves your backend; CloudFront only ever holds the public key.
A CloudFront signed URL gives users access to individual files (a signed cookie, to multiple files) served through CloudFront, so you keep caching, WAF, geo restriction and the other CloudFront features. An S3 pre-signed URL is for users connecting directly to S3. It carries the permissions of the IAM identity that generated it, so anything that identity can do to that object, the bearer of the URL can do until it expires.
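To make the mechanism concrete, here is an added Go example (not code from the original flashcards or from the AWS SDK) that does what the SDK's signer does for a canned policy and what the edge does when it receives the URL. The canned-policy JSON, the RSA PKCS#1 v1.5 over SHA-1 signature and the +/=// to -/_/~ base64 substitution are CloudFront's documented format; the key pair ID, the d111111abcdef8.cloudfront.net domain (the one AWS docs use) and the resource path are constructed, and the example assumes a resource without its own query string. The verifier side shows why tampering with the Expires parameter fails: the expiry is inside the signed policy, not just in the URL.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// cannedPolicy is the exact JSON CloudFront expects for a canned policy:
// one statement, no whitespace, expiry as epoch seconds.
func cannedPolicy(resource string, expires int64) string {
	return fmt.Sprintf(`{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`,
		resource, expires)
}

// CloudFront's URL-safe base64 variant replaces + = / with - _ ~ .
var cfEnc = strings.NewReplacer("+", "-", "=", "_", "/", "~")
var cfDec = strings.NewReplacer("-", "+", "_", "=", "~", "/")

// SignURL builds a canned-policy signed URL for a resource that has no query
// string of its own (assumption of this example). The policy is signed with
// RSA PKCS#1 v1.5 over SHA-1, which is what CloudFront verifies, and Expires,
// Signature and Key-Pair-Id are appended. keyPairID is the public key's ID in
// the distribution's trusted key group.
func SignURL(resource string, expires time.Time, keyPairID string, priv *rsa.PrivateKey) (string, error) {
	exp := expires.Unix()
	digest := sha1.Sum([]byte(cannedPolicy(resource, exp)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s?Expires=%d&Signature=%s&Key-Pair-Id=%s",
		resource, exp, cfEnc.Replace(base64.StdEncoding.EncodeToString(sig)), keyPairID), nil
}

// VerifySignedURL does what the edge does: rebuild the policy from the URL,
// check the signature against a trusted public key, then enforce the expiry.
// Because the expiry is inside the signed policy, editing Expires in the URL
// invalidates the signature instead of extending access.
func VerifySignedURL(signed string, now time.Time, trusted map[string]*rsa.PublicKey) error {
	u, err := url.Parse(signed)
	if err != nil {
		return err
	}
	q := u.Query()
	pub, ok := trusted[q.Get("Key-Pair-Id")]
	if !ok {
		return errors.New("Key-Pair-Id is not a trusted signer")
	}
	exp, err := strconv.ParseInt(q.Get("Expires"), 10, 64)
	if err != nil {
		return errors.New("malformed Expires")
	}
	sig, err := base64.StdEncoding.DecodeString(cfDec.Replace(q.Get("Signature")))
	if err != nil {
		return errors.New("malformed Signature")
	}
	u.RawQuery = "" // the signed resource is the URL without the signing parameters
	digest := sha1.Sum([]byte(cannedPolicy(u.String(), exp)))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) != nil {
		return errors.New("signature does not match policy")
	}
	if now.Unix() >= exp {
		return errors.New("URL has expired")
	}
	return nil
}

// Demo signs a URL and verifies it three ways: as issued, with Expires pushed
// forward by an hour in the URL, and after the expiry has passed. It returns
// the three verification errors (nil means the edge would serve the file).
func Demo() (asIssued, tampered, expired error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	const keyPairID = "K2EXAMPLEKEYID" // constructed; real IDs come from the CloudFront console
	trusted := map[string]*rsa.PublicKey{keyPairID: &priv.PublicKey}
	issued := time.Now()
	exp := issued.Add(10 * time.Minute)
	signed, err := SignURL("https://d111111abcdef8.cloudfront.net/premium/video.mp4", exp, keyPairID, priv)
	if err != nil {
		panic(err)
	}
	later := strings.Replace(signed, fmt.Sprintf("Expires=%d", exp.Unix()),
		fmt.Sprintf("Expires=%d", exp.Unix()+3600), 1)
	return VerifySignedURL(signed, issued, trusted),
		VerifySignedURL(later, issued, trusted),
		VerifySignedURL(signed, exp.Add(time.Second), trusted)
}

func main() {
	a, b, c := Demo()
	fmt.Println("as issued:", a, "| tampered:", b, "| expired:", c)
}
```

A custom policy (IP ranges, start time, wildcard resources) differs only in that the policy JSON itself is sent base64-encoded in a Policy parameter instead of Expires, because the edge can no longer reconstruct it from the URL alone. Signed cookies carry the same three values as CloudFront-Expires, CloudFront-Signature and CloudFront-Key-Pair-Id cookies. In all cases the private key is the whole secret: anyone holding it can mint access to everything behind the distribution, so keep it in a secrets manager and rotate it by adding a new public key to the key group before removing the old one.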
Is the pricing of data out the same across all edge locations?
What are the three price classes for CloudFront?
No, it varies by edge location region.
PriceClass_All - all edge locations, best performance, highest cost
PriceClass_200 - most edge locations, excluding the most expensive ones
PriceClass_100 - only the least expensive edge locations (North America and Europe)
What is Cloudfront Multiple Origin?
What is CloudFront Origin Groups?
It allows you to route requests to different origins based on the path pattern of a cache behavior. For example, you can route /api/* to an Application Load Balancer and the default /* to your S3 bucket. Behaviors are evaluated in the order listed and the first matching pattern wins, so a more specific pattern must sit above the default.
Origin groups are used to increase availability and do failover. When defining a group, set one primary origin and one secondary origin. For example, if your origin is an EC2 instance, you can put two instances in an origin group; if the primary returns a failure status code or fails to respond, CloudFront automatically retries the request against the secondary. The same pattern works for S3 origins by replicating the bucket to a second region and using the replica as the secondary.
What is cloudfront field level encryption and how does it work?
Where are the fields encrypted?
CloudFront field-level encryption encrypts sensitive fields of a POST body (like credit card numbers) at the edge using an RSA public key that you upload to CloudFront. The values stay encrypted all the way through the rest of your stack (load balancer, web tier, logs) and can only be decrypted by the application that holds the matching private key. Custom application logic at the origin is needed to decrypt the fields.
They are encrypted at the edge location, as soon as the request arrives, before it is forwarded to the origin.
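The point that matters is the key split: the edge holds only the public key, so nothing between the edge and your application can read the protected fields. The Go program below is an added illustration of that split and is not CloudFront's code; it uses RSA-OAEP on a constructed checkout form and does not reproduce CloudFront's actual ciphertext format (in practice the origin decrypts with the tooling AWS documents for field-level encryption). Binding the field name in as the OAEP label is this example's own choice, added so a ciphertext cannot be pasted into a different field.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// copyForm returns a shallow copy so neither side mutates the other's view.
func copyForm(form map[string]string) map[string]string {
	out := make(map[string]string, len(form))
	for k, v := range form {
		out[k] = v
	}
	return out
}

// EncryptFieldsAtEdge stands in for the edge location: each field named in the
// field-level encryption profile is replaced by its RSA-OAEP ciphertext under
// the public key uploaded to CloudFront; every other field passes through.
func EncryptFieldsAtEdge(form map[string]string, protected []string, pub *rsa.PublicKey) (map[string]string, error) {
	out := copyForm(form)
	for _, name := range protected {
		plain, ok := form[name]
		if !ok {
			continue
		}
		// The field name is the OAEP label, so a ciphertext is bound to its field.
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(plain), []byte(name))
		if err != nil {
			return nil, err
		}
		out[name] = base64.StdEncoding.EncodeToString(ct)
	}
	return out, nil
}

// DecryptFieldsAtOrigin is the custom application logic at the origin, the
// only place the private key exists. Everything between the edge and this
// function (load balancer, web tier, access logs) sees only ciphertext.
func DecryptFieldsAtOrigin(form map[string]string, protected []string, priv *rsa.PrivateKey) (map[string]string, error) {
	out := copyForm(form)
	for _, name := range protected {
		enc, ok := form[name]
		if !ok {
			continue
		}
		ct, err := base64.StdEncoding.DecodeString(enc)
		if err != nil {
			return nil, fmt.Errorf("field %q: %w", name, err)
		}
		plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(name))
		if err != nil {
			return nil, fmt.Errorf("field %q: %w", name, err)
		}
		out[name] = string(plain)
	}
	return out, nil
}

// Demo runs a constructed checkout form through both halves and returns what
// the load balancer would see next to what the origin recovers.
func Demo() (seenByALB, recovered map[string]string, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	protected := []string{"card_number", "cvv"} // the profile's field patterns (constructed)
	form := map[string]string{"name": "Ada", "card_number": "4111111111111111", "cvv": "123"}
	seenByALB, err = EncryptFieldsAtEdge(form, protected, &priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	recovered, err = DecryptFieldsAtOrigin(seenByALB, protected, priv)
	return seenByALB, recovered, err
}

func main() {
	seen, recovered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("ALB sees:      ", seen)
	fmt.Println("origin recovers:", recovered)
}
```

The practical consequences are the ones to remember: the private key must live only in the component that legitimately needs the plaintext (a payment service, not the web tier), and because the fields arrive encrypted, WAF rules and request logging at the ALB cannot inspect them, which is the intent.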
What is AWS Global Accelerator?
AWS Global Accelerator gives your application two static anycast IP addresses. Requests to those addresses enter the AWS network at the nearest edge and are routed over the AWS backbone to the nearest healthy endpoint (Application Load Balancer, Network Load Balancer, EC2 instance or Elastic IP).
When would you use CloudFront vs when you need Global Accelerator?
CloudFront is great when you need to improve performance for cacheable content such as images, or for dynamic content such as API acceleration.
Global Accelerator offers no caching, but can improve performance for a wide range of TCP or UDP applications such as gaming or IoT. It's also the right choice when you need static IP addresses (for example for client allow lists).
Global Accelerator is also useful for deterministic, fast regional failover driven by endpoint health checks.