CloudFront Flashcards
What is CloudFront (from a high level)?
CDN - Content Delivery Network, with 216 global points of access.
What are some benefits of using CloudFront?
- Improves read performance as content is cached at the edge (i.e., edge locations)
- DDoS protection, integration with Shield, AWS Web Application Firewall
What origins does CloudFront offer?
S3 bucket
-> For distributing files and caching them at the edge
-> Enhanced security with CloudFront Origin Access Control (OAC)
-> CloudFront can be used as an ingress (to upload files to S3)
Custom Origin (HTTP)
-> ALB
-> EC2 instance
-> S3 website
(-> Any HTTP backend you want)
What is the difference between CloudFront and S3 Cross Region Replication?
CloudFront
- Global Edge network
- Files are cached for a TTL
- Great for static content that must be available everywhere
S3 Cross Region Replication
- Must be setup for each region you want replication to happen
- Files are updated in near real-time
- Read only
- Great for dynamic content that needs to be available at low latency in a few regions
What is a strategy for maximizing cache hits?
Separate out static and dynamic distributions
e.g.,
Static requests
- Simple requests with no header/session caching rules, forwarded to S3
Dynamic requests
- Cached based on the correct headers and cookies, forwarded to ALB and EC2
What do you have to do when uploading a new version of a file to S3 in order to get the new version through CloudFront, and why?
- Create an invalidation on the object path
This will invalidate the cache and force CloudFront to fetch the latest version again.
What would prevent CloudFront from fetching information from an EC2 instance?
The instance is private, and so CloudFront cannot fetch data from it (as it is a public CDN).
How can you allow CloudFront to interact with EC2 instances?
- Allow the public IPs of the edge locations on the instance
- Use a public ALB with a security group, and allow traffic from the ALB's security group to the EC2 instance.
What is CloudFront Geo Restriction, and what is the use case?
- Restrict access based on location with a blocklist/allowlist
- Country is determined using a third-party Geo-IP database
Use case: copyright laws to control access to content.
What is the difference between Signed URLs for CloudFront vs S3?
CloudFront:
- Allow access to a path, no matter the origin
- Account wide key-pair; only the root can manage it
- Can filter by IP, path, date, expiration
- Can leverage caching features
S3:
- Issue a request as the person who pre-signed the URL
- Uses the IAM key of the signing IAM principal
- Limited lifetime
How can you sign CloudFront URLs?
- Use a trusted key group
- Use an AWS account that contains a CloudFront Key Pair
Why is one method of signing URLs preferred over the other?
- Trusted key group creates and rotates keys (and IAM for API security)
- Using a Key Pair requires managing the keys with the root account and the AWS console (the root account should not be used for this)
How can you allow EC2 instances to create signed URLs?
Use a trusted key group
- Generate a public/private key
- The private key is used by your applications to sign URLs
- The public key (uploaded) is used by CloudFront to verify URLs
How is CloudFront priced?
- Cost is based on data transferred out per edge location
- This cost varies based on location
- Price classes can offer cost reduction by restricting number of regions available:
-> Price Class All - all regions, best performance, most expensive
-> Price Class 200 - most regions but excludes most expensive regions
-> Price Class 100 - only the least expensive regions
How does CloudFront Multiple Origin work?
Route to different kinds of origins based on content type
- Based on path pattern
e.g.,
/images/* - set the cache behaviour to access content through an ALB
/* - set the cache behaviour to access content through S3 bucket