Global Content Delivery and Optimization Flashcards
CloudFront
A content delivery network that improves the delivery of content to viewers using caching and a global network
CloudFront Origin
the source location of your content
can be S3 origin or a custom origin (anything publicly routable)
CloudFront Distribution
The configuration unit of CloudFront
CloudFront Edge Location
local cache of your data
CloudFront Regional Edge Cache
Larger version of an edge location. Provides another layer of caching.
Is CloudFront capable of read and write caching?
No, it only does read caching; uploads go directly to the origin
CloudFront Behaviors
control much of the TTL, protocol and privacy settings within CloudFront
How many behaviors can a distribution have?
a distribution can have many behaviors and one default behavior
How do behaviors work?
Any request arriving at an edge location is pattern matched against the behaviors of that distribution using the path pattern
CloudFront TTL
defined in the behavior; default validity is 24 hr
you can also set min TTL and max TTL
Per Object TTL Values
if you don’t specify an object TTL, the default one attached to the behavior is used
the origin can direct CloudFront to use object-specific TTL values via headers
What are some of the headers that can be used to set object TTL values?
Origin header: Cache-Control max-age (seconds)
Origin header: Cache-Control s-maxage (seconds)
Origin header: Expires (date & time)
Invalidation
performed on a distribution
applies to all edge locations; takes time
Done by pattern matching. Example:
/images/whiskers1.jpg - invalidates 1 item
/images/* - invalidates all items in the images path
Version names with invalidations
Versioning can help if you’re performing too many invalidations: you can upload an item under a new version name, which wouldn’t require an invalidation
you would just point your application to the new object version
How are you charged for invalidations ?
costs the same no matter how many objects are invalidated
should be thought of as a way to correct errors
AWS Certificate Manager
Allows you to create, renew and deploy certificates to supported AWS services like CloudFront or Application Load Balancers (not EC2)
you create a certificate and ACM manages the automatic renewals
HTTPS
HTTP - simple and insecure
HTTPS - SSL/TLS layer of encryption added to HTTP
Data is encrypted in-transit
certificates prove identity
signed by a trusted authority
Is SSL always supported in CloudFront?
CloudFront default domain name (CNAME)
SSL is supported by default if using the default CNAME, *.cloudfront.net
Explain the process of using a custom CNAME with your CloudFront distribution.
allowed using the Alternate Domain Names feature
once the names are added and active, you can point that custom name at your CloudFront distribution using a DNS provider like Route53
CloudFront SNI mode
historically every SSL-enabled site needed its own IP
Encryption starts at the TCP connection; the Host header happens after that (Layer 7 / Application)
SNI is a TLS extension that allows a hostname to be included in the handshake
operating in SNI mode is free
CloudFront without SNI mode
old browsers don’t support SNI; CF charges extra for a dedicated IP
600 per month per distribution
Origin Access Identity (OAI)
Allows you to give CloudFront a virtual identity to access the S3 origin
only available with an S3 origin
Origin Protocol Policy for origins
for an S3 origin the protocol is matched by default
for a custom origin the protocol can be HTTP, HTTPS, or Match Viewer
S3 using OAI
only available through an S3 origin
An OAI is a type of identity
it can be associated with CloudFront distributions; CloudFront ‘becomes’ that OAI
OAIs can be used in S3 bucket policies
deny all but one or more OAIs
What is the benefit of associating an OAI with a distribution?
once an OAI is associated with the distribution, accesses to the origin are made as the OAI (Origin Access Identity)
How would you secure custom origins?
create a custom header
you can require a custom header and enable HTTPS on both sides (viewer and origin), which protects your header because HTTPS is an encrypted tunnel
you can also create a custom firewall rule to block any source IPs that don’t belong to AWS CloudFront
Lambda@Edge
you can run lightweight Lambda functions at edge locations
adjust data between the viewer & origin
currently supports Node.js and Python
runs in the AWS public space (not in a VPC)
Lambda@Edge Limits
viewer side → memory of 128 MB and function timeout of 5 seconds
origin side → memory same as a normal Lambda function and function timeout of 5 seconds
Lambda@Edge Use Cases
A/B testing - viewer request
migration between S3 origins - origin request
different object based on device - origin request
content by country - origin request
Global Accelerator
Moves the AWS network closer to customers:
Traffic initially uses the public internet & enters a Global Accelerator edge location
Connections enter at the edge using anycast IPs:
Anycast IPs allow a single IP to be advertised from multiple locations; routing moves traffic to the closest location
Transit over the AWS backbone to its locations:
From the edge, data transits globally across the AWS global backbone network. Fewer hops, directly under AWS control, significantly better performance
What’s the difference between CloudFront and Global Accelerator?
Global Accelerator can be used for non-HTTP/S traffic (TCP/UDP)
When would you use CloudFront?
if you need caching, content delivery, or manipulation of that delivery
When would you use Global Accelerator?
If you want TCP or UDP network optimization
Explain the process of using a custom CNAME with your CloudFront distribution if using HTTPS.
if using HTTPS you need a certificate applied to the distribution matching that name
the way to do that is to generate or import a certificate in ACM in us-east-1 because CloudFront is a regional service