CloudFront Flashcards

1
Q

What is Amazon CloudFront?

A

It is a Content Delivery Network (CDN). It improves read performance because content is cached at the edge locations.
It provides DDoS protection and integrates with AWS Shield and AWS Web Application Firewall (WAF).

2
Q

What can be the origin for CloudFront?

A
  • S3 bucket
  • ALB
  • EC2 instance
  • S3 website
  • Any HTTP backend
3
Q

What is the enhanced security mechanism between CloudFront and S3?

A

Origin Access Control (OAC).

4
Q

Describe CloudFront at a high level.

A

A client requests a resource (GET /beach.jpg); the CloudFront edge location checks whether the object is in its local cache. If it is, the edge returns it; otherwise it fetches the object from the origin server.

5
Q

What is the difference between CloudFront and S3 Cross-Region Replication?

A

CloudFront:
* Global edge network
* Files are cached for a TTL
* Great for static content that must be available everywhere

S3 Cross-Region Replication:
* Must be set up for each region you want to replicate to
* Files are updated in near real time
* Replicas are read-only
* Great for dynamic content that needs to be available at low latency in a few regions

6
Q

Describe CloudFront caching.

A
  • The cache lives at each CloudFront Edge Location
  • CloudFront identifies each object in the cache using the Cache Key
  • You want to maximize the Cache Hit ratio to minimize requests to the origin
  • You can invalidate part of the cache using the CreateInvalidation API
7
Q

What is the CloudFront Cache Key?

A
  • A unique identifier for every object in the cache
  • By default, consists of hostname + resource portion of the URL
  • You can add other elements (HTTP headers, cookies, query strings) to the Cache Key using CloudFront Cache Policies
8
Q

List the different configurations for CloudFront Cache Policies.

A

The cache key is based on:
* HTTP Headers: None – Whitelist
* Cookies: None – Whitelist – Include All-Except – All
* Query Strings: None – Whitelist – Include All-Except – All

9
Q

How can you control the TTL in CloudFront cache policies?

A

It can be set by the origin using the Cache-Control header and the Expires header.

10
Q

What is sent to the origin if you apply CloudFront Cache Policies?

A

All HTTP headers, cookies, and query strings that you include in the Cache Key are automatically included in origin requests.

11
Q

What is a CloudFront Origin Request Policy?

A

It specifies values that you want to include in origin requests without including them in the Cache Key (so no duplicated content is cached).

12
Q

What can you include in a CloudFront Origin Request Policy?

A
  • HTTP headers: None – Whitelist – All viewer headers (with options)
  • Cookies: None – Whitelist – All
  • Query Strings: None – Whitelist – All
13
Q

What are CloudFront Cache Invalidations?

A

You can force an entire or partial cache refresh (thus bypassing the TTL) by performing a CloudFront Invalidation.
You can invalidate all files () or a specific path (/images/).

14
Q

What are CloudFront Cache Behaviors?

A

They configure different settings for a given URL path pattern.
* Use case: route to different kinds of origins/origin groups based on the content type or path pattern
* The Default Cache Behavior is always the last to be processed and is always /

15
Q

What is a must if your CloudFront distribution points to an EC2 instance?

A
  • The instance must be public
  • You have to allow ALL the public IPs of the edge locations
16
Q

What is a must if your CloudFront distribution points to an ALB in front of EC2 instances?

A
  • The ALB must be public -> the EC2 instances can be private
  • The ALB must allow the public IPs of the edge locations
17
Q

What is CloudFront Geo Restriction?

A

You can restrict who can access your distribution:
* Allowlist: allow your users to access your content only if they are in one of the countries on a list of approved countries.
* Blocklist: prevent your users from accessing your content if they are in one of the countries on a list of banned countries.

The country is determined by a third party.

18
Q

What are CloudFront Signed URLs / Signed Cookies?

A

They give access to content in CloudFront. You can attach a policy to them with:
* URL expiration
* IP ranges allowed to access the data
* Trusted signers

19
Q

What is the difference between CloudFront Signed URLs and Signed Cookies?

A
  • Signed URL = access to individual files (one signed URL per file)
  • Signed Cookies = access to multiple files (one signed cookie for many files)
20
Q

Describe the difference between a CloudFront Signed URL and an S3 Pre-Signed URL.

A

CloudFront Signed URL:
* Allows access to a path, no matter the origin
* Account-wide key pair; only the root user can manage it
* Can filter by IP, path, date, expiration
* Can leverage caching features

S3 Pre-Signed URL:
* Issues a request as the person who pre-signed the URL
* Uses the IAM key of the signing IAM principal
* Limited lifetime

21
Q

What is the best way to set up the CloudFront Signed URL process?

A

Create a trusted key group.

22
Q

What are the 3 price classes for CloudFront?

A
  1. Price Class All: all regions – best performance
  2. Price Class 200: most regions, but excludes the most expensive regions (100 + Asia, Africa)
  3. Price Class 100: only the least expensive regions (USA, EU)
23
Q

What is CloudFront Multiple Origin?

A

It routes to different kinds of origins based on the content type.

24
Q

What are CloudFront Origin Groups?

A
  • To increase high availability and do failover
  • Origin Group: one primary and one secondary origin
  • If the primary origin fails, the secondary one is used
25
Q

What is CloudFront Field-Level Encryption?

A
  • Sensitive information is encrypted at the edge, close to the user
  • Uses asymmetric encryption
  • Usage:
    • Specify the set of fields in POST requests that you want to be encrypted (up to 10 fields)
    • Specify the public key to encrypt them with