Cloud Front is a Content Delivery Network (CDN) – lower latency, higher transfer speed, and reduced server load. It has built-in DDoS (distributed denial of service) attack protection.
- CloudFront is a global service.
- The domain name is created when a distribution is created and is used to view contents in a browser.
- Objects are cached for the life of the Time to Live (TTL). – 24 hours by default
- You can invalidate (clear) cached contents manually with some costs.
- You can use CloudFront Groups (the primary origin and the second origin) for origin failover.
- Origin is the server or service that hosts the content such as S3 bucket or Web Server – an EC2 instance, an Elastic Load Balancer, or Route 53.
- Distribution is a CloudFront configuration of a specific implementation. It is the name that is given to the specific CDN.
- Edge Location is the location where the content is cached – local infrastructure.
- Regional Edge Cache: edge locations <- regional cache <- origin
Distribution and Caching
- Distribution Types:
- Web Distribution: Web Sites, HTTP/HTTPS
- RTMP Distribution: Adobe Real-Time Messaging Protocol – media streaming/flash multi-media content.
- Caching Process
- Create a distribution and point at one or more origins. A distribution has a DNS address.
- Access to the DNS address is redirected to the closest edge location.
- If the edge location has a cached copy, it is delivered (cache-hit).
- If it is not cached, the edge location attempts to download it from a regional cache or the origin (origin fetch). When an edge location receives data, it forwards data to a client and caches the data.
CloudFront Signed URLs and Signed Cookies
Both signed URLs and signed cookies control who can access content.
- A policy is attached to an URL or a cookie.
- Expiration, IP ranges, and trusted signers
- Use OAI to restrict direct access to S3.
- Use Signed URLs for
- RTMP distributions (signed cookies do not support RTMP distributions)
- Individual files such as an installation package (1 URL is for 1 file)
- Clients who do not support cookies
- Use Signed cookies for
- Multiple files (1 cookie can be used for multiple files)
- When you do not want to change the current URLs
- You can send the required “Set-Cookie” headers only to the allowed users.
- By using Lambda@Edge with CloudFront, you can customize the content that CloudFront delivers, executing the functions in AWS locations closer to the viewer.
- The functions run in response to CloudFront events:
- Viewer Request: after CloudFront receives a request from a viewer
- Origin Request: before CloudFront forward the request to the origin
- Origin Response: after CloudFront receives the response from the origin
- Viewer Response: before CloudFront sends the response to the viewer
Origin Access Identity (OAI)
Origin Access Identity (OAI) is a virtual identity that can be associated with a distribution. An S3 bucket can then be restricted to allow this OAI to access it – all other identities can be denied.
- OAI appends code to a bucket policy to access the target bucket.
- By default, CloudFront is publicly accessible.
- Private distributions link to the trusted signers. (each access requires a signed URL or cookie)
- Private distributions can be bypassed by going straight to the origin.
- It works only with S3, not in the site in EC2 instances.
Geo Restriction (Geo Blocking)
Geo restriction is used to prevent users in specific geographic locations from accessing content that you’re distributing through a CloudFront web distribution.
- CloudFront geo restriction is used to restrict access to all of the files that are associated with a distribution and to restrict access at the country level.
- Third-party geolocation service can be used to restrict access to a subset of the files that are associated with a distribution or to restrict access at a finer granularity than the country level.