CloudFront

Question 1

What is CloudFront?

Answer 1

is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment

Question 2

What does improve CloudFront?

Answer 2

read performance

Question 3

Where is content cached by CloudFront?

Answer 3

at the edge

Question 4

What are the CloudFront Origins?

Answer 4

S3 buckets
Custom Origin (HTTP)

Question 5

What is used for CloudFront in front of S3 buckets?

Answer 5

For distributing files and caching them at the edge.

As an ingress (to upload files to S3)

Question 6

What is the best and most secure way to communicate CloudFront with a S3 bucket?

Answer 6

Using OAI, and have a bucket policy only allowing access from that OAI

Question 7

What are the CloudFront HTTP Custom Origins?

Answer 7

• Application Load Balancer
• EC2 instance
• S3 static website
• Any HTTP backend you want, including on-prem

Question 8

What conditions must be met by an ALB or an EC2 instance behind a CloudFront distribution?

Answer 8

Must be public and the SG must allow public IP of Edge locations

Question 9

How can you geo restrict who access your CloudFront distribution?

Answer 9

Using Whitelists or Blacklists to allow / prevent based on countries

Question 10

How is the user country determined by CloudFront?

Answer 10

using a third party Geo-IP DB

Question 11

What is great for CloudFront?

Answer 11

Great for static content that must be available everywhere

Question 12

I have a CloudFront distribution in front of a S3 bucket, however when I access my CloudFront Url I am being redirected to the S3 bucket URL, why is this happening?

Answer 12

It is a temporary redirect, you need to wait a few hours for DNS propagation

Question 13

What can you use to distribute paid shared content to premium users over the world?

Answer 13

CloudFront Signed URL or CloudFront Signed Cookies

Question 14

What you need to define to use a CloudFront Signed URL or a CloudFront Signed Cookies?

Answer 14

• URL expiration
• IP ranges to access the data from
• Trusted signers (which AWS accounts can create signed URLs)

Question 15

What is the difference between CloudFront Signed URL and CloudFront Signed Cookies?

Answer 15

• Signed URL = access to individual files (one signed URL per file)
• Signed Cookies = access to multiple files (one signed cookie for many files)

Question 16

How is CloudFront protected?

Answer 16

DDoS protection thanks to AWS Shield and Web Application Firewall

Question 17

How long should be valid for a CloudFront signed URL for shared content?

Answer 17

a few minutes

Question 18

How long should be valid for a CloudFront signed URL for private content?

Answer 18

you can make it last for years

Question 19

What is not great for CloudFront that it is S3 CRR?

Answer 19

for dynamic content that needs to be available at low-latency in few regions

Question 20

What is based on CloudFront Edges caches?

Answer 20

o Headers
o Session Cookies
o Query String Parameters

Question 21

What can you use to control the CloudFront cache?

Answer 21

TTL

Question 22

What are the range and default values of CloudFront TTL?

Answer 22

0 seconds <= 1 day <= 1 year

Question 23

How can the origin set the CloudFront TTL?

Answer 23

using the Cache-Control header, Expires header…

Question 24

What is used for the CreateInvalidation API in CloudFront?

Answer 24

To invalidate part of the cache

Question 25

What can you invalidate in CloudFront’s cache?

Answer 25

you can specify either the path for individual files or a path that ends with the * wildcard, which might apply to one file or to many, as shown in the following examples:
o	* (everything)
o	/images/image1.jpg ()
o	/images/image* ()
o	/images/* ()

Question 26

What is a common strategy in CloudFront for serving dynamic content?

Answer 26

to separate your cache for your dynamic requests and your static requests by using two different CloudFront distributions

Question 27

What can you configure in CloudFront in terms of security policies besides the geo restriction policies?

Answer 27

• Viewer Protocol Policy

- Origin Protocol Policy (HTTP or S3)

Question 28

What are the options for CloudFront Viewer Protocol Policy?

Answer 28

o HTTP and HTTPS
o HTTP to HTTPS
o HTTPS only

Question 29

What are the options for CloudFront Origin Protocol Policy?

Answer 29

o HTTPS only

o Match Viewer (HTTP => HTTP & HTTPS => HTTPS)

Question 30

What communication is controlled by the CloudFront Viewer Protocol Policy?

Answer 30

between the client and the edge location

Question 31

What communication is controlled by the CloudFront Origin Protocol Policy?

Answer 31

between the edge location and the origin