CloudFront Flashcards
What is CloudFront?
A fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds, all within a developer-friendly environment.
What does CloudFront improve?
Read performance
Where is content cached by CloudFront?
At the edge (in edge locations)
What are the CloudFront origins?
- S3 buckets
- Custom Origin (HTTP)
What is CloudFront used for in front of S3 buckets?
- For distributing files and caching them at the edge
- As an ingress (to upload files to S3)
What is the best and most secure way for CloudFront to communicate with an S3 bucket?
Using an OAI (Origin Access Identity), and a bucket policy that only allows access from that OAI
What are the CloudFront HTTP Custom Origins?
- Application Load Balancer
- EC2 instance
- S3 static website
- Any HTTP backend you want, including on-prem
What conditions must be met by an ALB or an EC2 instance behind a CloudFront distribution?
Must be public, and the security group must allow the public IPs of the edge locations
How can you geo-restrict who accesses your CloudFront distribution?
Using whitelists or blacklists to allow / block access based on country
How is the user's country determined by CloudFront?
Using a third-party Geo-IP database
What is CloudFront great for?
Static content that must be available everywhere
I have a CloudFront distribution in front of an S3 bucket; however, when I access my CloudFront URL I am being redirected to the S3 bucket URL. Why is this happening?
It is a temporary redirect; you need to wait a few hours for DNS propagation
What can you use to distribute paid shared content to premium users around the world?
CloudFront Signed URLs or CloudFront Signed Cookies
What do you need to define to use CloudFront Signed URLs or Signed Cookies?
- URL expiration
- IP ranges to access the data from
- Trusted signers (which AWS accounts can create signed URLs)
What is the difference between CloudFront Signed URL and CloudFront Signed Cookies?
- Signed URL = access to individual files (one signed URL per file)
- Signed Cookies = access to multiple files (one signed cookie for many files)
How is CloudFront protected?
DDoS protection thanks to AWS Shield and AWS WAF (Web Application Firewall)
How long should a CloudFront signed URL for shared content be valid?
A few minutes
How long should a CloudFront signed URL for private content be valid?
You can make it last for years
What is CloudFront not great for, that S3 CRR is?
Dynamic content that needs to be available at low latency in a few regions
What is the CloudFront edge cache based on?
- Headers
- Session Cookies
- Query String Parameters
What can you use to control the CloudFront cache?
TTL
What are the range and default values of the CloudFront TTL?
0 seconds (minimum) <= 1 day (default) <= 1 year (maximum)
How can the origin set the CloudFront TTL?
Using the Cache-Control header, the Expires header…
What is the CreateInvalidation API used for in CloudFront?
To invalidate part of the cache
What can you invalidate in CloudFront's cache?
You can specify either the path for individual files or a path that ends with the * wildcard, which might apply to one file or to many, as shown in the following examples:
- * (everything)
- /images/image1.jpg
- /images/image*
- /images/*
What is a common strategy in CloudFront for serving dynamic content?
Separating the cache for your dynamic requests and your static requests by using two different CloudFront distributions
What can you configure in CloudFront in terms of security policies, besides the geo-restriction policies?
- Viewer Protocol Policy
- Origin Protocol Policy (HTTP or S3)
What are the options for CloudFront Viewer Protocol Policy?
- HTTP and HTTPS
- HTTP to HTTPS (redirect)
- HTTPS only
What are the options for CloudFront Origin Protocol Policy?
- HTTPS only
- Match Viewer (HTTP => HTTP & HTTPS => HTTPS)
What communication is controlled by the CloudFront Viewer Protocol Policy?
Between the client (viewer) and the edge location
What communication is controlled by the CloudFront Origin Protocol Policy?
Between the edge location and the origin