CloudFront Flashcards
What does CloudFront provide?
CloudFront uses caching and an efficient global network to improve the delivery of content from its original location to the viewers of that content.
What is an origin in CloudFront?
The origin is the source location of your content. It can be an S3 origin or a custom origin (a web server with a publicly routable IPv4 address).
What is a distribution in CloudFront?
A distribution is the configuration unit of CloudFront.
What is an Edge Location in CloudFront?
An Edge Location is a local cache of your data.
What is a Regional Edge Cache in CloudFront?
A Regional Edge Cache is a larger version of an Edge Location that provides another layer of caching for content that is accessed less frequently, but still benefits from being cached closer to customers.
What rules must a CloudFront distribution domain name adhere to?
It must be unique and it must end in “cloudfront.net”.
Does CloudFront support SSL certificates?
Yes, CloudFront integrates with AWS Certificate Manager (ACM).
Does CloudFront support upload caching?
No, uploads are sent directly to the Origin. CloudFront supports read-only caching.
What are Behaviors in CloudFront?
Behaviors are part of a Distribution and define Origins, Origin Groups, TTL, Protocol Policies, and restricted access. Behaviors are configured with a path pattern (e.g., * or img/*). If a request matches a pattern (most specific wins), that Behavior is used.
When an expired cached object is requested at an Edge Location, what HTTP codes may be returned by the Origin when the Edge Location requests an update?
304 Not Modified (if the version in the cache is the same as the one in the Origin)
200 OK (along with a new version of the object)
What is a benefit of more frequent cache hits on Edge Locations in CloudFront?
Lower load on the Origin.
What is the default TTL for an object in a CloudFront cache?
24 hours.
What headers are used by the Origin to set the TTL value for an object?
Cache-Control max-age [seconds]
Cache-Control s-maxage [seconds]
Expires [Date & Time]
What can override the TTL value of an object in a CloudFront cache?
The minimum and maximum TTL values for the Behavior.
How do you manually invalidate specific objects in CloudFront?
You can use Cache Invalidation to invalidate specific paths (/images/cats.jpg or /images/* or /*) in a distribution. The invalidation is not instant (it takes time) and there is a cost.
What is an alternative to Cache Invalidation?
Using versioned file names (cats_v1.jpg, cats_v2.jpg, etc.). The benefit is that you can update the application to point at the new name and it won’t matter that the old version is cached. Also, even if the old version is cached in the user’s browser, the new version will be used.
Logging is also more effective because you will know exactly which version of the object is being used.
Does CloudFront support SSL by default?
Yes, via the default domain name (xyz.cloudfront.net) and the *.cloudfront.net certificate.
If you want to use your own domain name, you need to add a matching certificate in ACM in us-east-1.
What type of certificates are needed for both SSL connections in a CloudFront deployment (Viewer => CloudFront and CloudFront => Origin)?
Valid public certificates. Self-signed certs will not work.
When using older browsers that don’t support Server Name Indication (SNI) what does each CloudFront Edge Location require?
A dedicated IP at each Edge Location.
If your S3 bucket is configured to host a static website, what type of origin does CloudFront consider it to be?
A custom origin. Any non-static website S3 buckets are considered S3 origins.
How do you restrict an S3 bucket so that it is only accessible via CloudFront?
By setting origin access control in the origin in CloudFront.
How do you restrict a custom origin so that it is only accessible via CloudFront?
By accepting custom headers that are included in all requests that CloudFront sends to the origin. These headers are defined in the origin configuration in CloudFront.
Alternatively, you can set your firewall rules to only allow access from the CloudFront IP range, which is published by AWS.
What is an Origin Access Identity?
An OAI can be associated with CloudFront Distributions. When requesting content from an S3 origin, CloudFront “becomes” the OAI. Since the OAI can be used in S3 Bucket Policies, you can DENY all but one or more OAIs to ensure that the S3 bucket is only accessed via CloudFront.
What do you need to access a Private Distribution in CloudFront?
A signed cookie or signed URL.
What is a Trusted Signer in CloudFront?
A Trusted Signer holds a CloudFront Key (created by the Account Root User for the account that owns the CloudFront distribution). The Trusted Signer can create signed cookies and signed URLs for Private Distributions in CloudFront.
What is the preferred method for generating signed cookies and signed URLs to access Private Distributions in CloudFront?
Trusted Key Groups.
What do Signed URLs provide access to in CloudFront Private Distributions?
One object.
What do Signed cookies provide access to in CloudFront Private Distributions?
Groups of objects.
When should you use signed URLs and when should you use signed cookies for Private Distributions in CloudFront?
Signed URLs
- To access a single object
- If your client doesn’t support cookies
Signed cookies
- To access groups of objects
- To access all files of a type (e.g., all gifs)
- If you want to control the format of the URL