Cloudfront Flashcards
SSL
Cloudfront does not use an SSL certificate. It uses ACM for HTTPS.
*.cloudfront.net
Cloudfront TTL
- More frequent cache HITS = lower origin load
- Default TTL (behaviour) = 24 hours (validity period)
- You can set Minimum TTL and Maximum TTL values
Cloudfront applies whichever of the two occurs first: the Max TTL or the Expiry date.
Headers
* Origin Header: Cache-Control max-age (seconds)
* Origin Header: Cache-Control s-maxage (seconds)
* Origin Header: Expires (Date & Time)
Custom origin or S3 (via object metadata)
Versioned FileNames vs Cache invalidation
Versioned filenames are more cost-effective because even if the file is cached on the user's machine, only the version specified (in the application) is returned.
Using a customized domain name with Cloudfront
Not using xxxxxxxxxx.cloudfront.com requires an SSL certificate, whether or not your domain name is HTTPS.
ACM
Importing an SSL certificate into Cloudfront is done using ACM, in US-EAST-1.
Self-Signed vs Public Certificates
Cloudfront (as a public service) does not work with self-signed certificates. Therefore, both the origin and viewer certificates must be publicly valid certificates.
Cloudfront SSL
*cloudfront.com
The Alternate Domain Name feature allows a customized domain name for a Cloudfront distribution. This has to be updated in the domain's zone file, and an SSL certificate for the custom domain is required.
Cloudfront Custom Domain
A custom domain can be used with Cloudfront as an alternate domain name.
Route 53 has to be updated with the alternate domain name.
Whether or not HTTPS is needed, valid proof of ownership of the provided domain name has to be established. Hence, an SSL certificate has to be generated or imported into ACM.
This certificate must be created or added in US-EAST-1.
At what layer does HTTPS encryption happen?
"One of the most popular encryption schemes usually associated with the presentation layer is the Secure Socket Layer (SSL) protocol." HTTPS is the application layer protocol using SSL at layer 6 for encryption purposes. SSL works on OSI layer 6.
HTTPS uses an encryption protocol to encrypt communications. The protocol is called Transport Layer Security (TLS), although formerly it was known as Secure Sockets Layer (SSL).
SNI
Server Name Indication, often abbreviated SNI, is an extension to TLS that allows multiple hostnames to be served over HTTPS from the same IP address, by which a client indicates which hostname it is attempting to connect to at the start of the handshake process.
SSL for S3
S3 inherently has its own certificate, which can be neither modified nor created.
EC2 and ELB Certificates
Origins need to have certificates issued by a trusted certificate authority (CA). ALB can use ACM; others need to use an externally generated cert. NO SELF-SIGNED CERTS.
EC2 and ELB origins also have to present a publicly supported certificate. EC2 and load balancer certificates, no matter the origin, have to be applied manually because ACM does not automatically apply their certificates.
Certificates (both the client side and the origin side) must match the domain name of the target website.
True
Origin vs Viewer Protocol
Are automatically matched on both sides. No user configuration is required.
Lambda at Edge
Use Cases
* A/B testing - Viewer Request
* Migration Between S3 Origins - Origin Request
* Different Objects Based on Device - Origin Request
* Content By Country - Origin Request
Throughput
128MB/5sec