CloudFront
Last updated
A CDN (Content Delivery Network) that caches web content to lower latency.
An AWS service that provides edge locations nearest to the users.
CloudFront allows you to customize cache behavior based on various request headers.
By setting the cache behavior to cache based on the Accept-Language request header, CloudFront can store and serve language-specific versions of the website content, reducing the need to repeatedly fetch the content from the ALB for users with the same language preference.
S3
EC2
ELB
Route53
Security feature that allows you to encrypt sensitive data (credit card, email, ...) at the field level.
Client-side encryption: data is encrypted using the public key provided by CloudFront.
Data is sent to CloudFront.
CloudFront decrypts the data using the private key, then forwards it to the server.
Response to the client.
If you choose the Origin Protocol Policy Match Viewer, CloudFront connects to the origin with exactly the protocol the viewer used (HTTP -> HTTP; HTTPS -> HTTPS).
If you choose HTTPS Only, every request to the origin goes over HTTPS.
Make sure that you're in US East (N. Virginia, us-east-1). You must be in this Region to create Lambda@Edge functions.
Lambda@Edge is a service that allows developers to run serverless Lambda functions at edge locations to customize the content that CloudFront delivers.
Use cases:
Dynamic content: customized content for each location.
Security compliance: enforce security policies (blocking malicious requests, content filtering).
Performance optimization: caching frequently accessed content.
Change the CloudFront request & response.
A little JavaScript helper running at the CloudFront edge.
If you want to use key/value pairs (CloudFront KeyValueStore), you must use the cloudfront-js-2.0 runtime instead of cloudfront-js-1.0.
| | CloudFront Functions | Lambda@Edge |
|---|---|---|
| Execution location | at CloudFront edge | at CloudFront edge |
| Use cases | Simple modifications: URL redirects, header manipulation | More complex computing: accessing external resources, generating responses |
| Limits | lower execution limits: 1 ms, 2 MB memory, 10 KB total package | 5 s (viewer trigger), 30 s (origin trigger), 128 MB, 1 MB total package |
| Network access | No | Yes |
| File system access | No | Yes |
| Access to the request body | No | Yes |
For more detailed information, refer to this article.
Just as you create a URL to share a file with a friend -> the friend does not need to authenticate to access your OneDrive or Google Drive folder, but is still able to access that one file only. And the link is temporary.
Each signed URL has its own expiration time.
Cons:
Less efficient for bulk access -> you cannot manually create a signed URL for every file you have.
Use cases:
Client does not support cookies.
Want to restrict access to a single file, e.g. an installation download only.
Can grant access, with an expiration time, to multiple resources -> more efficient than signed URLs.
Send the required Set-Cookie headers to the viewer, which unlock the content only for them.
Use case:
member-only video content on streaming services such as Netflix, Amazon Prime, Hulu...
when you do not want to change the URL.
To require HTTPS for communication between viewers and CloudFront, change the Viewer Protocol Policy setting to Redirect HTTP to HTTPS, or HTTPS Only.
Better cache hit ratio
Better network performance
Lower origin load
1. Increase the TTL of your objects.
2. Configure the distribution to forward only the required query string parameters, cookies, or request headers for which your origin will return unique objects.
3. Remove the Accept-Encoding header when compression is not needed.
4. Serve media content by using HTTP.
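As an added example (not code from the original notes), here is a CloudFront Function of the "header manipulation" kind the table above describes, attached to the viewer-request trigger. It ties the Accept-Language caching idea to step 2 of this list: the header is normalized to a small set of supported languages, so every viewer with the same language preference shares one cache entry instead of one per raw header value. The supported-language set and the assumption that the cache policy includes Accept-Language in the cache key are assumptions, not from the page.

```javascript
// Added example, not code from the original notes: a CloudFront Function for the
// viewer-request trigger that normalizes Accept-Language to one of a few
// supported languages before CloudFront builds the cache key. Without this,
// "en-US,en;q=0.9" and "en-GB,en;q=0.8" are two cache keys for the same English page.
// Assumes the cache policy includes Accept-Language in the cache key and forwards it.
var SUPPORTED = ['en', 'fr', 'de'];   // assumed set of languages the origin serves
var DEFAULT_LANG = 'en';

// Parse "fr-CA,fr;q=0.9,en;q=0.8" into [{lang:'fr-ca', q:1}, ...], highest q first;
// ties keep header order (explicit index, because ES5 sort is not guaranteed stable).
function parseAcceptLanguage(value) {
  var out = [];
  var parts = value.split(',');
  for (var i = 0; i < parts.length; i++) {
    var fields = parts[i].trim().split(';');
    var tag = fields[0].trim().toLowerCase();
    if (!tag) continue;
    var q = 1;
    for (var j = 1; j < fields.length; j++) {
      var kv = fields[j].trim().split('=');
      if (kv[0].trim() === 'q') { q = parseFloat(kv[1]); if (isNaN(q)) q = 0; }
    }
    out.push({ lang: tag, q: q, idx: i });
  }
  out.sort(function (a, b) { return (b.q - a.q) || (a.idx - b.idx); });
  return out;
}

// Return the first supported language in the viewer's preference order,
// matching on the primary subtag ("fr-ca" -> "fr"); q=0 means "not acceptable".
function pickLanguage(value) {
  var prefs = parseAcceptLanguage(value || '');
  for (var i = 0; i < prefs.length; i++) {
    if (prefs[i].q <= 0) continue;
    var base = prefs[i].lang.split('-')[0];
    if (SUPPORTED.indexOf(base) !== -1) return base;
  }
  return DEFAULT_LANG;
}

// CloudFront Functions entry point: event.request.headers is a map of
// lower-cased header names to { value: '...' } objects.
function handler(event) {
  var request = event.request;
  var hdr = request.headers['accept-language'];
  // Overwrite the header so cache and origin only ever see "en", "fr" or "de".
  request.headers['accept-language'] = { value: pickLanguage(hdr ? hdr.value : '') };
  return request;
}
```

Pair the function with a cache policy that includes Accept-Language in the cache key; the Accept-Language value the origin receives is the normalized one.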
If you use AWS origins such as Amazon S3, Amazon EC2 or ELB, you don’t pay for any data transferred between these services and CloudFront.
Edge location: location where content is cached.
Origin: S3 bucket, EC2 instance, ELB... the source of the content to be delivered.
Distribution: collection of edge locations.
KeyValueStore:
Unlike ELB, CloudFront has a default SSL certificate. To use a custom SSL certificate, configure it in us-east-1.
CloudFront is a global service that is managed from the US East (N. Virginia) region. All CloudFront configurations and certificates need to be in the same region for management purposes.