Global Content Delivery

Question 1

What is ACM?

Answer 1

AWS Certificate Manager (ACM) is a service which allows for the creation, management, and renewal of certificates.

Question 2

True/False. ACM can run as either a public or private Certificate Authority (CA).

Answer 2

True.

Question 3

Can ACM generate or import certificates?

Answer 3

Both.

Question 4

True/False. If ACM generates a certificate, it cannot renew said certificate for us.

Answer 4

False. If ACM generates a certificate, it CAN renew said certificate for us.

Question 5

True/False. If we import a certificate into ACM, we are responsible for renewing the certificate.

Answer 5

True.

Question 6

Can ACM certificates be deployed to all AWS services?

Answer 6

No. Certificates can only be deployed to supported services.

Question 7

Can ACM be used with EC2?

Answer 7

No.

Question 8

True/False. ACM is a regional service.

Answer 8

True.

Question 9

True/False. Certificates cannot leave the region they are generated or imported in.

Answer 9

True.

Question 10

Do services using ACM certificates need to be in the same region as the ACM certificate that they are using?

Answer 10

For most services, the certificate needs to be located in the same region as the service (if the service is in ap-southeast-2 then the ACM would also need to be in ap-southeast-2).

For global services, such as CloudFront, the ACM would need to be located in ’us-east-1’.

Question 11

What is CloudFront?

Answer 11

CloudFront is a Content Delivery Network (CDN) within AWS.

Question 12

What all can be configured in CloudFront on a behavior basis?

Answer 12

Caching policies, allowed HTTP methods, and viewer access can be configured on a behavior basis.

Question 13

What is the default TTL for objects cached in CloudFront?

Answer 13

Objects cached by CloudFront have a default TTL of 24 hours.

Question 14

Is it possible to set min/max TTL values in CloudFront?

Answer 14

It’s possible to set minimum TTL and maximum TTL values that will be applied across all objects.

Different headers can also be used to set TTLs, but if the values indicated in these headers is outside the range of the minimum/maximum TTLs, the minimum/maximum TTL would then be applied.

Question 15

What are examples of headers that can be used with custom origins in CloudFront?

Answer 15

Origin Header: Cache-Control max-age (seconds)

Origin Header: Cache-Control s-maxage (seconds)

Origin Header: Expires (Date & Time)

Question 16

How is cache invalidations performed in CloudFront?

Answer 16

Cache invalidations are performed on a distribution.

Question 17

What do CloudFront Distributions do for CloudFront?

Answer 17

CloudFront distributions tell CloudFront where we want content to be delivered from, and the details about how to track and manage content delivery.

Cache invalidations are applied to all edge locations within that distribution.

Question 18

How can we identify what specific image was used when viewing CloudFront logs in CloudWatch?

Answer 18

Versioned file names can be useful for quickly identifying what specific image was used when we view our logs in CloudWatch, and it also results in us not needed to be overly dependent on using cache invalidations.

Question 19

Does CloudFront support SSL by default?

Answer 19

CloudFront supports SSL by default via the following certificate:

*.cloudfront.net

Question 20

When can we not use the default SSL certificate in CloudFront?

Answer 20

The default SSL certificate cannot be used if we’re taking advantage of the Alternate Domain Names feature and using a DNS Provider such as Route53 to point our Alternate Domain Name at our CloudFront Distribution.

Question 21

What is SNI?

Answer 21

Server Name Identification (SNI) is an extension for the TLS protocol to indicate a hostname in the TLS handshake.

Question 22

What are CloudFront origins?

Answer 22

CloudFront origins are the location where content is stored, and from which CloudFront gets content to serve to users.

Question 23

What type of identity can be associated with CloudFront Distributions that utilize S3 Origins?

Answer 23

An Origin Access Identity (OAI) is a type of identity that can be associated with CloudFront Distributions that utilize S3 Origins.

Question 24

True/False. OAIs can be used in S3 Bucket Policies to allow access from an OAI, but implicitly deny everything else.

Answer 24

True.

Question 25

True/False. OAIs are generally used to ensure direct access to S3 objects is allowed when using private CloudFront Distributions.

Answer 25

False. OAIs are generally used to ensure NO direct access to S3 objects is allowed when using private CloudFront Distributions.

Question 26

How can CloudFront Distributions be secured that use custom origins?

Answer 26

To secure CloudFront Distributions that use custom origins, we can either require custom headers or use the publicly available IP ranges of CloudFront to create a firewall around our custom origin(s).

Question 27

What security modes can CloudFront run in?

Answer 27

1. Public — This is the default mode, and it results in open access to objects. When using this mode, content is available to any viewer.
2. Private — If this mode is configured, requests require a signed cookie or signed URL.

Question 28

What is AWS Global Accelerator?

Answer 28

AWS Global Accelerator is designed to improve global network performance by offering entry points onto the global AWS transit network as close to customers as possible via the usage of anycast IP addresses.

Question 29

What is Anycast?

Answer 29

Anycast is an IP network addressing scheme that allows multiple servers to share the same IP address, allowing for multiple physical destination servers to be logically identified by a single IP address.

Question 30

What is the difference between Global Accelerator and CloudFront?

Answer 30

One difference between Global Accelerator and CloudFront is that Global Accelerator can be used for non HTTP/HTTP applications (this means it could work with TPC/UDP applications whereas CloudFront wouldn’t be able to).

Another difference between the two is that Global Accelerator doesn’t cache content, whereas CloudFront does.

Question 31

How does Global Accelerator improve performance for customers?

Answer 31

Global Accelerator improves performance simply by moving the AWS network closer to customers.

Question 32

What is Lambda@Edge?

Answer 32

Lambda@Edge is a feature of CloudFront that allows us to run lightweight Lambda functions at CloudFront edge locations to modify traffic.

These functions can adjust the data between the Viewer & the Origin.

Question 33

What languages does Lambda@Edge currently support?

Answer 33

Lambda@Edge currently only supports Node.js and Python.

Question 34

True/False. It runs in the AWS Public Space.

Answer 34

True.

Question 35

True/False. Lambda@Edge supports Lambda Layers.

Answer 35

False. Lambda@Edge does not support Lambda Layers.