Global Content Delivery and Optimization

Question 1

CloudFront

Answer 1

content delivery network improves the delivery of the content to viewers using caching and a global network

Question 2

Cloud Front Origin

Answer 2

the source location of your content

can be S3 origin or a custom origin (anything publicly routable)

Question 3

CloudFront Distribution

Answer 3

The configuration unit of Cloudfront

Question 4

CloudFront Edge Location

Answer 4

local cache of you data

Question 5

CloudFront Regional Edge Cache

Answer 5

Larger version of an edge location. Provides another layer of caching.

Question 6

Is CloudFront capable of read and write caching ?

Answer 6

No only does read caching uploads goes directly to origin

Question 7

CloudFront Behaviors

Answer 7

control much of the TTL, protocol and privacy settings within CloudFront

Question 8

How may behaviors can a distribution have?

Answer 8

a distribution can have many behaviors and one default behavior

Question 9

How do behaviors work ?

Answer 9

for any request that are incoming to an edge location they are pattern matched against any behaviors for that distribution using the path pattern

Question 10

CloudFront TTL

Answer 10

defined in the behavior default 24hr validity

you can also set min TTL and max TTL

Question 11

Per Object TTL Values

Answer 11

if you don’t specify an object TTL the default one attached in the behavior is used

origin can direct Cloudfront to used object specific TTL Values via headers

Question 12

What are some of the headers that can be used to set an object TTL values ?

Answer 12

origin header: cache-control max-age(seconds)

Origin Header: cache-control s-maxage(seconds)

Origin Header: Expires (Date & Time)

Question 13

Invalidation

Answer 13

performed on a distribution

applies to all edge Location.. takes time

Done by pattern matching Example:

/images/whiskers1.jpg - invalidates 1 item

/Images/*- invalidates all items in the images path

Question 14

Version names in with Invalidations

Answer 14

Versioning can help if your performing to many invalidations you can upload an item with a new version which wouldn’t require a invalidation

you would just point your application to the new object version

Question 15

How are you charged for invalidations ?

Answer 15

cost the same no matter how many objects are invalidated

should be though of as a way to correct errors

Question 16

AWS Certificate Manager

Answer 16

Allows you to create renew and deploy certificates to supported AWS services like cloudFront or application load balancers (Not EC2)

you create a certificate and ACM manages the automatic renews

Question 17

HTTPS

Answer 17

HTTP - simple and insecure

HTTPS- SSL/TLS Layer of Encryption added to HTTP

Data is encrypted in-transit

certificates prove identity

signed by a trusted authority

Question 18

Is SSL always supported in CloudFront ?

Answer 18

cloud front Default Domain Name(CNAME)

SSL supported by default if using CNAME .. *.cloudfront.net

Question 19

Explain the process of using your a custom CNAME name with your CloudFront Distribution ?

Answer 19

allowed using the Alternate Domain Names feature

once the names are added and active you can point that custom name at your CloudFront Distribution using a DNS provider like Route53

Question 20

CloudFront SNI mode

Answer 20

historically every SSL enabled site need it’s own IP

Encryption starts at the TCP connection Host header happens after that - Layer 7 // Application

SNI is a TLS extension, allowing a host to be included

to operate in SNI mode it’s free

Question 21

CloudFront Without SNI mode

Answer 21

old browsers don’t support SNI CF charges extra for dedicated IP

600 per month per distribution

Question 22

Origin Access identity

Answer 22

Allows you to give CloudFront a virtual identity to access the S3 Origin

only available with S3 Origin

Question 23

Origin Protocol policy For origins

Answer 23

for s3 origin the protocol is match by default

for custom s3 origin the protocol can be HTTP, HTTPS, and Match Viewer

Question 24

S3 using OAI

Answer 24

only available through a s3 origin

An OAI is a type of identity

it can be associated with CloudFront distributions CloudFront ‘becomes ’ that OAI

OAI can be used in s3 Bucket Policies

Deny all But one or more OAI’s

Question 25

What is the benefit of associating an OAI with a distribution?

Answer 25

once OAI is associated with the distribution accesses are From the OAI

(Origin Access identity)

Question 26

How would you secure Custom Origins ?

Answer 26

create a custom header

you can require an custom Header and enable HTTPS for both sides the viewer and origin securing your header because HTTPS is an encrypted tunnel

you can also create a custom firewall to prevent any IPs that don’t match AWS CloudFront

Question 27

Lambda@Edge

Answer 27

you can run lightweight lambda at edge Locations

adjust data between the viewer & origin

currently supports Nde.js and python

Run in the AWS public space(Not VPC)

Question 28

Lambda@Edge Limits

Answer 28

viewer side → Memory of 128 MB and function time out of 5 Seconds

Origin side → Memory same as normal Lambda function and function time out of 5 Seconds

Question 29

Lambda@Edge Use cases

Answer 29

A/B testing - viewer request

migration Between s3 origin - origin Request

Different Object Based on Device - origin Request

content By country- origin request

Question 30

Global Accelerator

Answer 30

Moves the AWS network Closer to customers:

Traffic initially uses public internet & enters a Global Accelerator Edge Location

Connections enter at edge … using any cast IPS:

Anycast IP’s allow a single IP to be in multiple Locations. Routing moves traffic to the closest location

Transit over AWS backbone to it’s locations:

From the edge, data transits globally across the AWS global backbone network. Less hops, directly under AWS control, significantly better performance

Question 31

What’s the difference between CloudFront and Global Accelerator

Answer 31

Global Accelerator can be used for non HTTP/s (TCP/UDP)

Question 32

When would you use CloudFront ?

Answer 32

if you need caching or content delivery or manipulation of that delivery

Question 33

When would you use Global Accelerator?

Answer 33

If you want TCP or UDP network optimization

Question 34

Explain the process of using your a custom CNAME name with your CloudFront Distribution if using HTTPS ?

Answer 34

if using HTTPS you you need a certificate applied to the distribution matching that name

the way to do that is to generate or import an certificate in ACM in use-east-1 because CloudFront is a regional service