CloudFront — Concept
What it is
Amazon CloudFront = AWS's global CDN (Content Delivery Network). Caches content at 400+ edge POPs worldwide so users get low-latency, high-throughput delivery near them.
Why it exists
Serving static assets (and even dynamic API responses) from a single region introduces latency for distant users. Edge caching also offloads origin traffic, reducing cost and load.
How it works
- Create a distribution pointing to an origin (S3 bucket, ALB, EC2, MediaPackage, any HTTP server).
- DNS routes each user to a nearby edge POP.
- Edge serves cached content; on miss, fetches from origin (optionally through a regional edge cache layer).
- Cache key controlled by cache policies (which headers/query strings/cookies form the key).
- Origin request policies control what is forwarded to origin.
- Response headers policies add CORS / security headers.
Origin types
- S3 bucket — most common for static sites and assets.
- S3 website endpoint — supports index/error docs (redirects, etc.).
- HTTP origin — ALB, EC2, on-prem, or any HTTPS URL.
- MediaStore / MediaPackage — video.
Security features
| Feature | What it does |
|---|---|
| HTTPS / TLS | Free ACM certs (must be in us-east-1 for CloudFront). |
| OAC (Origin Access Control) | Locks an S3 origin so only the CloudFront distribution can read it (replaces older OAI). |
| Signed URLs | One URL per user; expires after a set time. |
| Signed Cookies | One cookie = many URLs; for whole sections of a site. |
| Geo restriction | Allow/block by country (built-in). |
| AWS WAF | Attach a WebACL to filter at edge. |
| AWS Shield | DDoS mitigation (Std free, Advanced extra). |
| Field-level encryption | Encrypt specific form fields end-to-end (PII / PCI). |
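The Signed URLs row above hides a format detail worth seeing in code: the signature is an RSA-SHA1 signature over a whitespace-free "canned policy" JSON, base64-encoded with CloudFront's own substitutions (`+`→`-`, `=`→`_`, `/`→`~`), then appended as `Expires`, `Signature` and `Key-Pair-Id`. The script below is an added example, not AWS or botocore code; the `sign` callback, the `d111111abcdef8.cloudfront.net` domain and the `APKAEXAMPLE` key-pair id are placeholders, and a real deployment would supply a signer backed by the private key registered in the distribution's trusted key group.

```python
import base64
import json
from typing import Callable
from urllib.parse import parse_qs, urlencode, urlparse

_TO_CF = str.maketrans("+=/", "-_~")    # CloudFront swaps base64 chars that are unsafe in URLs
_FROM_CF = str.maketrans("-_~", "+=/")

def cloudfront_b64(data: bytes) -> str:
    """Standard base64, then '+' -> '-', '=' -> '_', '/' -> '~' as CloudFront requires."""
    return base64.b64encode(data).decode("ascii").translate(_TO_CF)

def cloudfront_b64_decode(text: str) -> bytes:
    """Inverse of cloudfront_b64, e.g. to inspect a Signature seen in access logs."""
    return base64.b64decode(text.translate(_FROM_CF))

def canned_policy(url: str, expires_epoch: int) -> str:
    """Canned policy: one resource and one expiry, serialised without whitespace.
    The exact bytes matter: this string is what the RSA signature covers."""
    policy = {"Statement": [{"Resource": url,
               "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}}}]}
    return json.dumps(policy, separators=(",", ":"))

def signed_url(url: str, expires_epoch: int, key_pair_id: str,
               sign: Callable[[bytes], bytes]) -> str:
    """Append Expires, Signature and Key-Pair-Id to `url`.
    `sign` must return an RSA-SHA1 signature of the policy bytes made with the private
    key whose public half is in the distribution's trusted key group, e.g. with the
    cryptography package: key.sign(data, padding.PKCS1v15(), hashes.SHA1())."""
    signature = sign(canned_policy(url, expires_epoch).encode("utf-8"))
    params = {"Expires": expires_epoch,
              "Signature": cloudfront_b64(signature),
              "Key-Pair-Id": key_pair_id}
    sep = "&" if urlparse(url).query else "?"
    return url + sep + urlencode(params)

def parse_signed_url(url: str) -> dict:
    """Pull the signing parameters back out of a signed URL (Signature as raw bytes)."""
    qs = parse_qs(urlparse(url).query)
    return {"Expires": int(qs["Expires"][0]),
            "Signature": cloudfront_b64_decode(qs["Signature"][0]),
            "Key-Pair-Id": qs["Key-Pair-Id"][0]}

if __name__ == "__main__":
    # Constructed demo: a stand-in signer so the script runs without a real key pair.
    demo_sign = lambda data: bytes(range(256))
    print(signed_url("https://d111111abcdef8.cloudfront.net/video.mp4",
                     1700000000, "APKAEXAMPLE", demo_sign))
```

Because the policy names one `Resource` and one `DateLessThan`, a signed URL covers exactly one object; the signed-cookie variant in the table reuses the same policy and encoding but carries them in cookies so one signature can cover many paths.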
Cache vs Origin Request policies
- Cache policy — defines what makes responses different in the cache (cache key) and TTLs.
- Origin request policy — defines what to forward to the origin without affecting the cache key.
Lambda@Edge & CloudFront Functions
| | Lambda@Edge | CloudFront Functions |
|---|---|---|
| Runtime | Node.js / Python | Lightweight JS |
| Where | Edge regions (4 trigger points) | Edge POPs |
| Latency | ms | sub-ms |
| Use | Complex logic, requests to other AWS services | Header rewriting, simple auth, URL redirect |
| Cost | per ms + invocations | invocations only, ~⅙ price |
TTL behavior
- Default TTL, Min TTL, Max TTL set on cache behavior.
- Origin can override via Cache-Control headers (s-maxage, max-age).
- Invalidations flush objects manually (priced per path; first 1,000 a month free).
Pricing model (high level)
- Data transfer out to internet from edge.
- Data transfer to origin.
- HTTPS requests.
- Optional Lambda@Edge / CloudFront Functions invocations.
- Price tiered by edge region (NA/EU cheapest; SA, IN, ZA most expensive). Use Price Class All / 200 / 100 to limit POPs and cost.
When to use vs alternatives
| Use ... | Instead of ... | When ... |
|---|---|---|
| CloudFront | S3 direct | Need low latency globally, HTTPS, signed access |
| CloudFront | ALB only | Cache static or dynamic content, reduce origin load, add WAF at edge |
| Global Accelerator | CloudFront | Non-HTTP (TCP/UDP), gaming, real-time, static anycast IPs |
| S3 Transfer Acceleration | CloudFront | Uploads to S3 from far away (uses CF POPs in reverse) |
Common exam scenarios
- "Static website with global users, low cost" → S3 + CloudFront (OAC) + ACM in us-east-1.
- "Premium content, paid users only, per-user URL" → Signed URLs.
- "Premium content, paid users only, many files" → Signed Cookies.
- "Block users from country X" → Geo restriction.
- "Lock down S3 origin from public" → OAC on origin + bucket policy referencing distribution.
- "Rewrite a header at edge cheaply" → CloudFront Function.
- "Reduce upload time for large file from Asia to us-east-1" → S3 Transfer Acceleration.
Exam tip
- ACM cert for CloudFront must be in us-east-1 (only region).
- OAC has replaced OAI — prefer OAC in new designs.
- CloudFront is HTTP/HTTPS only. Need TCP/UDP at edge → Global Accelerator.