Global Content Delivery and Optimization Flashcards
CloudFront
content delivery network (CDN) that improves delivery of content to viewers by caching it at a global network of edge locations close to them
CloudFront Origin
the source location of your content
can be an S3 origin or a custom origin (anything publicly routable over HTTP/HTTPS, e.g. a load balancer or web server)
CloudFront Distribution
the configuration unit of CloudFront; origins, behaviors, certificates and logging settings are all attached to a distribution
CloudFront Edge Location
local cache of your data, located close to viewers
CloudFront Regional Edge Cache
larger version of an edge location; provides another layer of caching between the edge locations and the origin
Is CloudFront capable of read and write caching?
No. CloudFront only does read caching; uploads (PUT/POST) are passed straight through to the origin
CloudFront Behaviors
control much of the TTL, protocol (viewer protocol policy) and privacy settings (restricting viewer access) within CloudFront
How many behaviors can a distribution have?
a distribution can have many behaviors plus one default behavior (path pattern *) that catches anything no other behavior matches
How do behaviors work?
every request arriving at an edge location is matched against the distribution's behaviors by path pattern; the first matching behavior (in precedence order) applies, and the default behavior handles the rest
CloudFront TTL
defined in the behavior; the default TTL is 24 hours (86400 seconds)
you can also set a minimum TTL and a maximum TTL, which bound any TTL the origin supplies
Per Object TTL Values
if an object carries no TTL of its own, the default TTL attached to the behavior is used
the origin can direct CloudFront to use object-specific TTL values via HTTP response headers
What are some of the headers that can be used to set an object's TTL?
Origin header: Cache-Control: max-age=<seconds>
Origin header: Cache-Control: s-maxage=<seconds> (takes precedence over max-age)
Origin header: Expires: <HTTP date & time>
values below the minimum TTL or above the maximum TTL are clamped to those limits
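The precedence between these headers and the behavior's minimum/default/maximum TTL is easy to get wrong, so here is a small model of the documented rules as an added example (it is not code from the flashcards or from AWS; the treatment of an unparseable Expires as "already expired" and the sample header sets are my own assumptions):

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Added example, not from the original flashcards: a simplified model of how
# CloudFront derives an object's TTL from origin response headers and the
# behavior's minimum / default / maximum TTL. All values are in seconds.

# Constructed "now" used by the Expires sample below.
SAMPLE_NOW = datetime(2024, 1, 1, 0, 0, 0, tzinfo=timezone.utc)


def parse_cache_control(value):
    """Split 'public, max-age=60, s-maxage=600' into {'public': None, 'max-age': '60', ...}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if _ else None
    return directives


def effective_ttl(headers, min_ttl=0, default_ttl=86400, max_ttl=31536000, now=None):
    """Seconds CloudFront would cache the object; 0 means it is not cached.

    Precedence: s-maxage > max-age > Expires > behavior default TTL.
    Any origin-supplied value is clamped into [min_ttl, max_ttl].
    no-cache / no-store / private are honored only when min_ttl is 0;
    with a positive minimum TTL the object is still cached for min_ttl.
    """
    h = {k.lower(): v for k, v in headers.items()}

    def clamp(ttl):
        return max(min_ttl, min(ttl, max_ttl))

    cc = parse_cache_control(h.get("cache-control", ""))
    if any(d in cc for d in ("no-cache", "no-store", "private")):
        return min_ttl

    for directive in ("s-maxage", "max-age"):
        arg = cc.get(directive)
        if arg is not None and arg.isdigit():
            return clamp(int(arg))

    if "expires" in h:
        now = now or datetime.now(timezone.utc)
        try:
            expires = parsedate_to_datetime(h["expires"])
        except (TypeError, ValueError):
            expires = None  # assumption: an unparseable Expires counts as already expired
        if expires is not None and expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        remaining = 0 if expires is None else int((expires - now).total_seconds())
        return clamp(max(0, remaining))

    return clamp(default_ttl)


if __name__ == "__main__":
    # Constructed origin responses, shown against the default behavior settings.
    for hdrs in ({"Cache-Control": "max-age=3600"},
                 {"Cache-Control": "public, max-age=60, s-maxage=600"},
                 {"Cache-Control": "private, max-age=3600"},
                 {"Expires": "Mon, 01 Jan 2024 01:00:00 GMT"},
                 {}):
        print(hdrs, "->", effective_ttl(hdrs, now=SAMPLE_NOW))
```

The security-relevant case is the `private` / `no-store` one: with a minimum TTL above zero, a per-user response the origin marked as not cacheable is still cached and served to other viewers for that minimum, so keep the minimum TTL at 0 on behaviors that front authenticated content.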
Invalidation
performed on a distribution
applies to all edge locations; takes time to propagate
done by path pattern matching; paths are case-sensitive and the * wildcard is only allowed at the end of the path. Examples:
/images/whiskers1.jpg - invalidates 1 item
/images/* - invalidates every object under the /images/ path
Version names with invalidations
versioning helps if you are performing too many invalidations: upload the item under a new versioned name, which needs no invalidation
then point your application at the new object version
How are you charged for invalidations?
charged per path requested, not per object matched: one path costs the same no matter how many objects it invalidates (the first 1,000 paths per month are free)
invalidation should be thought of as a way to correct errors, not as routine cache management
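The two cards above (invalidation path matching and version names) are covered by one added example below; it is not code from the flashcards or from AWS. It encodes the matching rules for invalidation paths and the content-hash naming that makes an invalidation unnecessary; the cached paths and object contents are constructed for the demonstration:

```python
import hashlib
import posixpath

# Added example, not from the original flashcards: CloudFront invalidation path
# rules (leading '/', case-sensitive, '*' only as the last character) and a
# versioned-key helper that sidesteps invalidation entirely.

# Constructed set of paths currently cached at an edge location.
CACHED = [
    "/images/whiskers1.jpg",
    "/images/2020/tabby.png",
    "/Images/logo.png",      # different case: a different path to CloudFront
    "/css/site.css",
]


def is_valid_invalidation_path(path):
    """True if CloudFront would accept the path: starts with '/', '*' only at the end."""
    return path.startswith("/") and "*" not in path[:-1]


def invalidation_matches(path, object_path):
    """True if an invalidation for `path` would evict `object_path` (comparison is case-sensitive)."""
    if not is_valid_invalidation_path(path):
        raise ValueError(f"invalid invalidation path: {path!r}")
    if path.endswith("*"):
        return object_path.startswith(path[:-1])
    return object_path == path


def objects_evicted(path, cached_paths):
    """Which cached paths a single invalidation request for `path` would evict."""
    return [p for p in cached_paths if invalidation_matches(path, p)]


def versioned_key(key, content, digest_len=8):
    """images/whiskers.jpg + new bytes -> images/whiskers.<sha256 prefix>.jpg.

    Every new version gets a new key, so the old one can stay cached until its
    TTL expires and no invalidation (and no per-path charge) is needed; the
    application just references the new key.
    """
    digest = hashlib.sha256(content).hexdigest()[:digest_len]
    root, ext = posixpath.splitext(key)
    return f"{root}.{digest}{ext}"


if __name__ == "__main__":
    for path in ("/images/whiskers1.jpg", "/images/*", "/Images/*", "/*"):
        print(f"{path:24} -> {objects_evicted(path, CACHED)}")
    print(versioned_key("images/whiskers.jpg", b"constructed image bytes v1"))
    print(versioned_key("images/whiskers.jpg", b"constructed image bytes v2"))
```

A practical check before submitting an invalidation is to run the intended path against a list of known object keys: a casing mismatch such as `/Images/*` versus `/images/*` silently evicts nothing while still counting as a billable path.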
AWS Certificate Manager
allows you to create, renew and deploy certificates to supported AWS services like CloudFront or Application Load Balancers (not EC2: public ACM certificates cannot be exported)
you create a certificate and ACM manages the automatic renewals
a certificate used by CloudFront must be requested in the us-east-1 (N. Virginia) region, whatever region the origin is in
HTTPS
HTTP - simple and insecure (plaintext)
HTTPS - SSL/TLS layer of encryption added to HTTP
data is encrypted in transit
certificates prove the identity of the server
signed by a trusted certificate authority (CA)
Is SSL always supported in CloudFront?
CloudFront default domain name: <distribution-id>.cloudfront.net
HTTPS is supported by default when using the default *.cloudfront.net name, with a certificate AWS manages
Explain the process of using a custom domain name (CNAME) with your CloudFront distribution
allowed using the Alternate Domain Names feature; you must attach a certificate that covers the name (e.g. from ACM in us-east-1)
once the names are added and active, point the custom name at the distribution's *.cloudfront.net name using a DNS provider like Route 53 (a CNAME, or an alias record in Route 53)
CloudFront SNI mode
historically every SSL-enabled site needed its own IP address
the TLS handshake happens right after the TCP connection, before any HTTP data is sent; the Host header (Layer 7 / application) only travels inside the encrypted session, so the server could not tell which certificate to present
SNI is a TLS extension that includes the requested hostname in the clear in the ClientHello, so one IP address can serve many certificates
operating in SNI mode is free
CloudFront without SNI mode
old browsers don't support SNI; CloudFront charges extra for a dedicated IP address
$600 per month per distribution
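To make the SNI card concrete, here is an added example (not code from the flashcards or from AWS) that builds a minimal TLS 1.2 ClientHello with and without the server_name extension and parses the hostname back out. It shows that the hostname is visible before any encryption starts, which is why a shared IP can select the right certificate, and also why the name is visible to anyone on the path. The hostname used is made up:

```python
import os
import struct

# Added example, not from the original flashcards: a minimal ClientHello
# builder and an SNI extractor of the kind used by TLS front ends and
# passive network monitors. Only the fields needed to reach the extensions
# block are emitted.

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname=None, random_bytes=None):
    """Raw bytes of one TLS record carrying a ClientHello; SNI is included when hostname is given."""
    random_bytes = random_bytes or os.urandom(32)
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        server_name = b"\x00" + struct.pack("!H", len(name)) + name            # name_type 0 = host_name
        server_name_list = struct.pack("!H", len(server_name)) + server_name
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03"                                     # client_version: TLS 1.2
        + random_bytes                                  # 32 bytes of client random
        + b"\x00"                                       # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"            # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"                                   # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Hostname from the server_name extension of a ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                        # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                # skip session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                # skip compression_methods
    if len(body) < pos + 2:
        return None                                     # no extensions block at all
    end = min(pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0], len(body))
    pos += 2
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type != EXT_SERVER_NAME or len(data) < 5:
            continue
        lpos = 2                                        # skip server_name_list length
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            name = data[lpos + 3:lpos + 3 + name_len]
            if name_type == 0:
                return name.decode("idna")
            lpos += 3 + name_len
    return None


if __name__ == "__main__":
    hello = build_client_hello("d111111abcdef8.cloudfront.net")   # made-up distribution name
    print("SNI in ClientHello:", parse_sni(hello))
    print("hostname visible in plaintext:", b"cloudfront.net" in hello)
    print("no SNI:", parse_sni(build_client_hello(None)))
```

The second print is the point of the card: the name is readable in the first packet of the connection, which is what lets a shared-IP front end choose a certificate and what makes a non-SNI legacy client indistinguishable from any other tenant on that IP.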
Origin Access Identity (OAI)
allows you to give CloudFront a virtual identity to access the S3 origin, so the bucket itself can stay private
only available with an S3 origin (the newer Origin Access Control, OAC, is its successor)
Origin Protocol Policy for origins
for an S3 origin the protocol CloudFront uses matches the viewer's protocol (match viewer) and is not configurable
for a custom origin the protocol can be HTTP Only, HTTPS Only, or Match Viewer
S3 using OAI
only available with an S3 origin
an OAI is a type of identity
it can be associated with CloudFront distributions; CloudFront 'becomes' that OAI when it requests objects from the bucket
an OAI can be used as a principal in S3 bucket policies
deny all but one or more OAIs: grant s3:GetObject only to the OAI(s) and remove any public-read grants, so viewers can reach objects only through CloudFront
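The bucket-policy side of the last card, as an added example (not code from the flashcards or from AWS): it generates the policy that grants read access only to the listed OAIs and checks an existing policy for the public-read grant that would let viewers bypass CloudFront. The OAI ID, bucket name and legacy policy are constructed; the OAI principal ARN format is the real one:

```python
import json

# Added example, not from the original flashcards: generate the "only these
# OAIs may read" bucket policy and audit a policy for public Allow statements.


def oai_principal_arn(oai_id):
    """IAM principal CloudFront presents when acting as an OAI (real ARN format)."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def oai_bucket_policy(bucket, oai_ids):
    """Allow s3:GetObject on every object in `bucket` to the listed OAIs and nobody else.

    S3 denies by default, so "deny all but the OAIs" is achieved by making this the
    only Allow statement and keeping Block Public Access on; no explicit Deny is needed.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": [oai_principal_arn(i) for i in oai_ids]},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _statements(policy):
    st = policy.get("Statement", [])
    return [st] if isinstance(st, dict) else st      # IAM allows a single statement object


def _principals(statement):
    p = statement.get("Principal", {})
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        out = []
        for v in p.values():
            out.extend(v if isinstance(v, list) else [v])
        return out
    return [p]


def public_allow_sids(policy):
    """Sids of Allow statements granted to everyone ('*'); any of these makes the OAI pointless."""
    return [st.get("Sid", "<no sid>") for st in _statements(policy)
            if st.get("Effect") == "Allow" and "*" in _principals(st)]


def allowed_oai_ids(policy):
    """OAI IDs that some Allow statement in the policy grants to."""
    prefix = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
    ids = set()
    for st in _statements(policy):
        if st.get("Effect") != "Allow":
            continue
        for p in _principals(st):
            if isinstance(p, str) and p.startswith(prefix):
                ids.add(p[len(prefix):])
    return sorted(ids)


# Constructed legacy policy: a public-read grant left over from before the OAI was added.
LEGACY_PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-static-site/*",
    }],
}

if __name__ == "__main__":
    policy = oai_bucket_policy("example-static-site", ["E1ABCDEFGHIJKL"])   # made-up OAI ID
    print(json.dumps(policy, indent=2))
    print("public grants in legacy policy:", public_allow_sids(LEGACY_PUBLIC_POLICY))
    print("public grants in OAI policy:", public_allow_sids(policy))
```

The audit function is the check worth keeping: a bucket that has an OAI statement and a leftover `Principal: "*"` statement is still world-readable, and signed URLs or geo restrictions on the distribution protect nothing because the S3 URL works directly.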