CloudFront Flashcards

1
Q

What does CloudFront provide?

A

CloudFront uses caching and an efficient global network to improve the delivery of content from its original location to the viewers of that content.

2
Q

What is an origin in CloudFront?

A

The origin is the source location of your content. It can be an S3 origin or a custom origin (a web server with a publicly routable IPv4 address).

3
Q

What is a distribution in CloudFront?

A

A distribution is the configuration unit of CloudFront.

4
Q

What is an Edge Location in CloudFront?

A

An Edge Location is a local cache of your data.

5
Q

What is a Regional Edge Cache in CloudFront?

A

A Regional Edge Cache is a larger version of an Edge Location that provides another layer of caching for content that is accessed less frequently, but still benefits from being cached closer to customers.

6
Q

What rules must a CloudFront distribution domain name adhere to?

A

It must be unique and it must end in “cloudfront.net”.

7
Q

Does CloudFront support SSL certificates?

A

Yes, CloudFront integrates with AWS Certificate Manager (ACM).

8
Q

Does CloudFront support upload caching?

A

No, uploads are sent directly to the Origin. CloudFront supports read-only caching.

9
Q

What are Behaviors in CloudFront?

A

Behaviors are part of a Distribution and define Origins, Origin Groups, TTL, Protocol Policies, and restricted access. Behaviors are configured with path patterns (e.g., * or img/*). If a request matches a pattern (most specific wins), that Behavior is used.

10
Q

When an expired cached object is requested at an Edge Location, what HTTP codes may be returned by the Origin when the Edge Location requests an update?

A

304 Not Modified (if the version in the cache is the same as the one in the Origin)

200 OK (along with a new version of the object)

11
Q

What is a benefit of more frequent cache hits on Edge Locations in CloudFront?

A

Lower load on the Origin.

12
Q

What is the default TTL for an object in a CloudFront cache?

A

24 hours.

13
Q

What headers are used by the Origin to set the TTL value for an object?

A

Cache-Control max-age [seconds]
Cache-Control s-maxage [seconds]
Expires [Date & Time]

14
Q

What can override the TTL value of an object in a CloudFront cache?

A

The minimum and maximum TTL values for the Behavior.

15
Q

How do you manually invalidate specific objects in CloudFront?

A

You can use Cache Invalidation to invalidate specific paths (/images/cats.jpg or /images/* or /*) in a distribution. The invalidation is not instant (it takes time) and there is a cost.

16
Q

What is an alternative to Cache Invalidation?

A

Using versioned file names (cats_v1.jpg, cats_v2.jpg, etc.). The benefit is that you can update the application to point at the new name and it won’t matter that the old version is cached. Also, even if the old version is cached in the user’s browser, the new version will be used.

Logging is also more effective because you will know exactly which version of the object is being used.

17
Q

Does CloudFront support SSL by default?

A

Yes, via the default domain name (xyz.cloudfront.net) and the *.cloudfront.net certificate.

If you want to use your own domain name, you need to add a matching certificate in ACM in us-east-1.

18
Q

What type of certificates are needed for both SSL connections in a CloudFront deployment (Viewer => CloudFront and CloudFront => Origin)?

A

Valid public certificates. Self-signed certs will not work.

19
Q

When using older browsers that don’t support Server Name Indication (SNI), what does each CloudFront Edge Location require?

A

A dedicated IP at each Edge Location.

20
Q

If your S3 bucket is configured to host a static website, what type of origin does CloudFront consider it to be?

A

A custom origin. Any non-static website S3 buckets are considered S3 origins.

21
Q

How do you restrict an S3 bucket so that it is only accessible via CloudFront?

A

By setting origin access control in the origin in CloudFront.

22
Q

How do you restrict a custom origin so that it is only accessible via CloudFront?

A

By accepting custom headers that are included in all requests that CloudFront sends to the origin. These headers are defined in the origin configuration in CloudFront.

Alternatively, you can set your firewall rules to only allow access from the CloudFront IP range, which is published by AWS.

23
Q

What is an Origin Access Identity?

A

An OAI can be associated with CloudFront Distributions. When requesting content from an S3 origin, CloudFront “becomes” the OAI. Since the OAI can be used in S3 Bucket Policies, you can DENY all but one or more OAIs to ensure that the S3 bucket is only accessed via CloudFront.

24
Q

What do you need to access a Private Distribution in CloudFront?

A

A signed cookie or signed URL.

25
Q

What is a Trusted Signer in CloudFront?

A

A Trusted Signer holds a CloudFront Key (created by the Account Root User for the account that owns the CloudFront distribution). The Trusted Signer can create signed cookies and signed URLs for Private Distributions in CloudFront.

26
Q

What is the preferred method for generating signed cookies and signed URLs to access Private Distributions in CloudFront?

A

Trusted Key Groups.

27
Q

What do Signed URLs provide access to in CloudFront Private Distributions?

A

One object.

28
Q

What do Signed cookies provide access to in CloudFront Private Distributions?

A

Groups of objects.

29
Q

When should you use signed URLs and when should you use signed cookies for Private Distributions in CloudFront?

A

Signed URLs
- To access a single object
- If your client doesn’t support cookies

Signed cookies
- To access groups of objects
- To access all files of a type (e.g., all gifs)
- If you want to control the format of the URL