Global Content Delivery Flashcards
What is ACM?
AWS Certificate Manager (ACM) is a service that allows for the creation, management, and renewal of certificates.
True/False. ACM can run as either a public or private Certificate Authority (CA).
True.
Can ACM generate or import certificates?
Both.
True/False. If ACM generates a certificate, it cannot renew said certificate for us.
False. If ACM generates a certificate, it CAN renew said certificate for us.
True/False. If we import a certificate into ACM, we are responsible for renewing the certificate.
True.
Can ACM certificates be deployed to all AWS services?
No. Certificates can only be deployed to supported services.
Can ACM be used with EC2?
No.
True/False. ACM is a regional service.
True.
True/False. Certificates cannot leave the region they are generated or imported in.
True.
Do services using ACM certificates need to be in the same region as the ACM certificate that they are using?
For most services, the certificate needs to be located in the same region as the service (if the service is in ap-southeast-2, then the ACM certificate would also need to be in ap-southeast-2).
For global services, such as CloudFront, the ACM certificate would need to be located in us-east-1.
What is CloudFront?
CloudFront is a Content Delivery Network (CDN) within AWS.
What can be configured in CloudFront on a per-behavior basis?
Caching policies, allowed HTTP methods, and viewer access can be configured on a behavior basis.
What is the default TTL for objects cached in CloudFront?
Objects cached by CloudFront have a default TTL of 24 hours.
Is it possible to set min/max TTL values in CloudFront?
It’s possible to set minimum TTL and maximum TTL values that will be applied across all objects.
Different headers can also be used to set TTLs, but if the values indicated in these headers are outside the range of the minimum/maximum TTLs, the minimum/maximum TTL would then be applied.
What are examples of headers that can be used with custom origins in CloudFront?
- Origin Header: Cache-Control max-age (seconds)
- Origin Header: Cache-Control s-maxage (seconds)
- Origin Header: Expires (Date & Time)
How are cache invalidations performed in CloudFront?
Cache invalidations are performed on a distribution.
Cache invalidations are applied to all edge locations within that distribution.
What do CloudFront Distributions do for CloudFront?
CloudFront distributions tell CloudFront where we want content to be delivered from, and the details about how to track and manage content delivery.
How can we identify what specific image was used when viewing CloudFront logs in CloudWatch?
Versioned file names can be useful for quickly identifying what specific image was used when we view our logs in CloudWatch, and they also result in us not needing to be overly dependent on using cache invalidations.
Does CloudFront support SSL by default?
CloudFront supports SSL by default via the following certificate:
*.cloudfront.net
When can we not use the default SSL certificate in CloudFront?
The default SSL certificate cannot be used if we’re taking advantage of the Alternate Domain Names feature and using a DNS Provider such as Route53 to point our Alternate Domain Name at our CloudFront Distribution.
What is SNI?
Server Name Identification (SNI) is an extension for the TLS protocol to indicate a hostname in the TLS handshake.
What are CloudFront origins?
CloudFront origins are the location where content is stored, and from which CloudFront gets content to serve to users.
What type of identity can be associated with CloudFront Distributions that utilize S3 Origins?
An Origin Access Identity (OAI) is a type of identity that can be associated with CloudFront Distributions that utilize S3 Origins.
True/False. OAIs can be used in S3 Bucket Policies to allow access from an OAI, but implicitly deny everything else.
True.
True/False. OAIs are generally used to ensure direct access to S3 objects is allowed when using private CloudFront Distributions.
False. OAIs are generally used to ensure NO direct access to S3 objects is allowed when using private CloudFront Distributions.
How can CloudFront Distributions that use custom origins be secured?
To secure CloudFront Distributions that use custom origins, we can either require custom headers or use the publicly available IP ranges of CloudFront to create a firewall around our custom origin(s).
What security modes can CloudFront run in?
- Public — This is the default mode, and it results in open access to objects. When using this mode, content is available to any viewer.
- Private — If this mode is configured, requests require a signed cookie or signed URL.
What is AWS Global Accelerator?
AWS Global Accelerator is designed to improve global network performance by offering entry points onto the global AWS transit network as close to customers as possible via the usage of anycast IP addresses.
What is Anycast?
Anycast is an IP network addressing scheme that allows multiple servers to share the same IP address, allowing for multiple physical destination servers to be logically identified by a single IP address.
What is the difference between Global Accelerator and CloudFront?
One difference between Global Accelerator and CloudFront is that Global Accelerator can be used for non-HTTP/HTTPS applications (this means it could work with TCP/UDP applications, whereas CloudFront wouldn’t be able to).
Another difference between the two is that Global Accelerator doesn’t cache content, whereas CloudFront does.
How does Global Accelerator improve performance for customers?
Global Accelerator improves performance simply by moving the AWS network closer to customers.
What is Lambda@Edge?
Lambda@Edge is a feature of CloudFront that allows us to run lightweight Lambda functions at CloudFront edge locations to modify traffic.
These functions can adjust the data between the Viewer & the Origin.
What languages does Lambda@Edge currently support?
Lambda@Edge currently only supports Node.js and Python.
True/False. Lambda@Edge runs in the AWS Public Space.
True.
True/False. Lambda@Edge supports Lambda Layers.
False. Lambda@Edge does not support Lambda Layers.