CloudFront


Overview

  • A CDN (Content Delivery Network) that caches web content close to users to lower latency.

  • An AWS service that serves content from the edge location nearest to the user.

  • CloudFront allows you to customize cache behavior based on various request headers.

    • By setting the cache behavior to cache based on the Accept-Language request header, CloudFront can store and serve language-specific versions of the website content, reducing the need to repeatedly fetch the content from the ALB for users with the same language preference.

Integration

  • S3

  • EC2

  • ELB

  • Route53


Features

Field-level encryption

A security feature that lets you encrypt sensitive data (credit card numbers, e-mail addresses, ...) at the field level.

  1. Client-side encryption: the data is encrypted using the public key provided by CloudFront.

  2. The data is sent to CloudFront.

  3. CloudFront decrypts the data using the private key, then forwards it to the server.

  4. The response is returned to the client.

Match Viewer

If you choose Match Viewer as the Origin Protocol Policy, CloudFront connects to the origin with exactly the protocol the viewer used (HTTP -> HTTP; HTTPS -> HTTPS).

If you choose HTTPS Only, every request to the origin goes over HTTPS.

Lambda@Edge

Make sure that you're in the US-East-1 (N. Virginia). You must be in this Region to create Lambda@Edge functions.

  • A service that lets developers run serverless Lambda functions at edge locations.

    • To customize the content that CloudFront delivers.

  • Use cases:

    • Dynamic content: customized content for each location.

    • Security compliance: enforce security policies (blocking malicious requests, content filtering)

    • Performance optimization: caching frequently accessed content.

    • Change CloudFront request & response.

CloudFront function

A lightweight JavaScript helper that runs at the CloudFront edge.

If you want to use key/value pairs (KeyValueStore), you must use the js-2.0 runtime instead of js-1.0.

vs Lambda@Edge

| | CloudFront function | Lambda@Edge |
|---|---|---|
| Execution location | at CloudFront edge | at CloudFront edge |
| Use cases | Simple modification: URL redirect, header manipulation | More complex computing: accessing external resources, generating responses |
| Limit | lower execution limits: 1ms, 2MB memory, 10KB total package | 5s (viewer trigger) / 30s (origin trigger), 128MB, 1MB total package |
| Network access | No | Yes |
| File system access | No | Yes |
| Access to the request body | No | Yes |

For more detailed information, refer to this article.
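The two "simple modification" use cases from the table (URL redirect and header manipulation) in one CloudFront Function, as an added example that is not from the page or from AWS. It is written in ES5 style so it fits both the js-1.0 and js-2.0 runtimes; the /old-docs -> /docs mapping and the header set are assumptions for illustration.

```javascript
// Added example: one CloudFront Function attached to both event types.
// viewer-request handles the redirect, viewer-response adds security headers.
// The /old-docs -> /docs mapping and the header values are assumed for illustration.
var SECURITY_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'content-security-policy': "default-src 'self'"
};
// viewer-request runs before the cache lookup, so the redirect never reaches
// the origin and never pollutes the cache.
function onViewerRequest(request) {
  var uri = request.uri;
  if (uri.indexOf('/old-docs/') === 0) {
    return {
      statusCode: 301,
      statusDescription: 'Moved Permanently',
      headers: { location: { value: '/docs/' + uri.substring('/old-docs/'.length) } }
    };
  }
  // Normalise directory URIs so "/about" and "/about/" resolve to the same S3
  // object instead of producing two cache entries (or a 403 from S3).
  if (uri.charAt(uri.length - 1) === '/') {
    request.uri = uri + 'index.html';
  } else if (uri.indexOf('.') === -1) {
    request.uri = uri + '/index.html';
  }
  return request;
}
// viewer-response adds security headers on the way out; an origin-supplied
// header wins so per-object policies are not silently overwritten.
function onViewerResponse(response) {
  for (var name in SECURITY_HEADERS) {
    if (!response.headers[name]) {
      response.headers[name] = { value: SECURITY_HEADERS[name] };
    }
  }
  return response;
}
// Entry point CloudFront calls; dispatches on the event type it was attached to.
function handler(event) {
  if (event.context.eventType === 'viewer-request') {
    return onViewerRequest(event.request);
  }
  return onViewerResponse(event.response);
}
```

Header names in the CloudFront Functions event are lowercase and each value is wrapped as `{ value: ... }`, which is why the code reads and writes them in that shape.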

Signed URL

  • Just as you create a link to share a file with a friend: the friend does not need to authenticate to access your OneDrive or Google Drive folder, but can still access only that file, and the link is temporary.

  • Each signed URL has its own expiration time.

  • Cons:

    • Less efficient for bulk access -> you cannot manually create a signed URL for every file you have.

  • Use cases:

    • Client does not support cookies.

    • Want to restrict access to a single file, e.g. an installation download only.

Signed Cookies

  • Can grant access, with an expiration time, to multiple resources -> more efficient than Signed URL.

  • Send the required Set-Cookie headers to the viewer, which will unlock the content only for them.

  • Use case:

    • member-only video content on streaming services such as Netflix, Amazon Prime, Hulu...

    • you do not want to change the URL

Viewer Protocol Policy

To require HTTPS for communication between viewers and CloudFront, change the Viewer Protocol Policy setting to Redirect HTTP to HTTPS or HTTPS Only.

Origin shield

  • Better cache hit ratio

  • Better network performance

  • Reduced load on the origin


Increase cache hit ratio

1. Increase the TTL of your objects.

2. Configure the distribution to forward only the query string parameters, cookies, or request headers for which your origin returns unique objects.

3. Remove the Accept-Encoding header when compression is not needed.

4. Serve media content by using HTTP.


Pricing

If you use AWS origins such as Amazon S3, Amazon EC2 or ELB, you don’t pay for any data transferred between these services and CloudFront.


Concepts

  • Edge location: location where content will be cached.

  • Origin: S3 bucket, EC2 instance, ELB... the source of the content to be delivered.

  • Distribution: collection of edge locations.

  • KeyValueStore:

Trivia

  • Unlike ELB, CloudFront has a default SSL certificate. To use a custom SSL certificate, configure it in us-east-1.

  • CloudFront is a global service that is managed from the US East (N. Virginia) region. All CloudFront configurations and certificates need to be in the same region for management purposes.
