CloudFront

CloudFront Simplified:

CloudFront is the AWS CDN service. It serves cached content and assets from locations close to your users to improve the global performance of your application. The main components of CloudFront are the edge locations (the cache endpoints), the origin (the source of truth that gets cached, such as an EC2 instance, an S3 bucket, an Elastic Load Balancer or a Route 53 configuration), and the distribution (the configuration that ties the origin to the network of edge locations).

CloudFront Key Details:

  • When content is cached, it is cached for a limited time called the Time To Live (TTL), which is always expressed in seconds.
  • If needed, CloudFront can serve up entire websites including dynamic, static, streaming and interactive content.
  • Requests are routed to the edge location nearest the user and the response is cached there, so later requests from nearby users are served from that edge and get the best performance.
  • There are two different types of distributions:
    • Web Distribution: websites, normal cached items, etc.
    • RTMP: streaming media content (Adobe Flash media), etc.
  • Edge locations are not read-only. A write request (for example a PUT or POST) sent to an edge location is forwarded to the origin.
  • Cached content can be manually invalidated or cleared beyond the TTL, but this does incur a cost.
  • You can invalidate specific objects or entire directories in a distribution so that the content is loaded from the origin again rather than from the cache. Invalidating content is also helpful when debugging: if content pulled from the origin looks correct but the same content pulled from an edge location looks wrong, the edge is serving a stale copy.
  • You can set up a failover for the origin by creating an origin group with two origins inside. One origin will act as the primary and the other as the secondary. CloudFront will automatically switch between the two when the primary origin fails.
  • Amazon CloudFront delivers your content from each edge location and offers a Dedicated IP Custom SSL feature. SNI Custom SSL works with most modern browsers.
  • If you run PCI or HIPAA-compliant workloads and need to log usage data, you can do the following:
    • Enable CloudFront access logs.
    • Capture requests that are sent to the CloudFront API.
  • An Origin Access Identity (OAI) is used for sharing private content via CloudFront. The OAI is a virtual user that will be used to give your CloudFront distribution permission to fetch a private object from your origin (e.g. S3 bucket).

CloudFront Signed URLs and Signed Cookies:

  • CloudFront signed URLs and signed cookies provide the same basic functionality: they allow you to control who can access your content. These features exist because many companies that distribute content via the internet want to restrict access to documents, business data, media streams, or content that is intended for selected users. As an example, users who have paid a fee should be able to access private content that users on the free tier shouldn’t.
  • If you want to serve private content through CloudFront and you’re trying to decide whether to use signed URLs or signed cookies, consider the following:
    • Use signed URLs for the following cases:
      • You want to use an RTMP distribution. Signed cookies aren’t supported for RTMP distributions.
      • You want to restrict access to individual files, for example, an installation download for your application.
      • Your users are using a client (for example, a custom HTTP client) that doesn’t support cookies.
    • Use signed cookies for the following cases:
      • You want to provide access to multiple restricted files. For example, all of the files for a video in HLS format or all of the files in the paid users’ area of a website.
      • You don’t want to change your current URLs.
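The two mechanisms above differ only in how the signed policy travels to CloudFront. The following Python is an added illustration (not code from the original notes or from AWS): it builds the compact policy JSON, applies CloudFront's URL-safe base64 substitutions, and emits either the `Expires`/`Signature`/`Key-Pair-Id` query parameters of a signed URL or the `CloudFront-Policy`/`CloudFront-Signature`/`CloudFront-Key-Pair-Id` cookies. The RSA-SHA1 signing step is assumed to be supplied by the caller (for example `private_key.sign(data, padding.PKCS1v15(), hashes.SHA1())` from the `cryptography` package); the domain and key pair ID in the docstrings are constructed placeholders.

```python
import base64
import json
from typing import Callable, Optional

# Signing primitive: takes the policy bytes and returns the raw RSA-SHA1
# signature made with the private key of the CloudFront key pair.
# Assumption: the caller supplies it, e.g. with the `cryptography` package:
#   key.sign(data, padding.PKCS1v15(), hashes.SHA1())
Signer = Callable[[bytes], bytes]


def build_policy(resource: str, expires_epoch: int, source_ip: Optional[str] = None) -> str:
    """Policy JSON in the compact form CloudFront expects (no whitespace).

    With an exact URL and no extra conditions this is the canned policy that
    signed URLs use. With a wildcard resource (e.g. ".../paid/*") or an
    IpAddress condition it is a custom policy, which is what lets a single
    set of signed cookies cover many files."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if source_ip:
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    statement = {"Resource": resource, "Condition": condition}
    return json.dumps({"Statement": [statement]}, separators=(",", ":"))


def cloudfront_b64(data: bytes) -> str:
    """Base64 with CloudFront's URL-safe substitutions: + -> -, = -> _, / -> ~."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans("+=/", "-_~"))


def signed_url(url: str, expires_epoch: int, key_pair_id: str, sign: Signer) -> str:
    """Canned-policy signed URL for one file (e.g. an installer download).
    The policy resource is the full URL, including any existing query string."""
    policy = build_policy(url, expires_epoch).encode("utf-8")
    sep = "&" if "?" in url else "?"
    return (f"{url}{sep}Expires={expires_epoch}"
            f"&Signature={cloudfront_b64(sign(policy))}&Key-Pair-Id={key_pair_id}")


def signed_cookies(resource: str, expires_epoch: int, key_pair_id: str, sign: Signer,
                   source_ip: Optional[str] = None) -> dict:
    """Custom-policy signed cookies covering every file matched by `resource`
    (e.g. "https://d111.cloudfront.net/paid/*"); set them with Secure and HttpOnly."""
    policy = build_policy(resource, expires_epoch, source_ip).encode("utf-8")
    return {
        "CloudFront-Policy": cloudfront_b64(policy),
        "CloudFront-Signature": cloudfront_b64(sign(policy)),
        "CloudFront-Key-Pair-Id": key_pair_id,
    }
```

Because the signature covers the exact policy bytes, any change to the resource, expiry or IP condition after signing makes CloudFront reject the request, which is what makes the short-lived grant safe to hand to a client.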