Amazon CloudFront
3 min read, Apr 2, 2023
Amazon CloudFront is a content delivery network (CDN) service offered by Amazon Web Services (AWS). It enables businesses and developers to securely and efficiently deliver static and dynamic web content, including videos, images, applications, and APIs, to their users worldwide.
In this blog we summarize key points about CloudFront (components, origins, HTTP headers, etc.) together with links to the relevant Amazon documentation pages.
Overview
- Improves read performance: content is cached at the edge
- Edge Locations
  1. Serve content quickly and directly to users
  2. Cache the more popular content
- Regional Edge Caches
  1. Serve content to Edge Locations
  2. Cache less popular content that might suddenly become popular
  3. Larger cache than an Edge Location (objects remain longer)
  4. Improve performance and reduce the load on your origins
  5. Dynamic content doesn't pass through them (it goes directly to the origin)
- CloudFront Components
  1. Distribution: tells CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery
  2. Origin: where the content resides (S3 bucket, ALB, HTTP server, API Gateway, etc.)
  3. Cache Behaviour: cache configuration (e.g. object expiration, TTL, cache invalidations)
- The various origins that can be used with CloudFront distributions are
  1. S3 bucket
  2. Application Load Balancer
  3. Lambda function URL
  4. Amazon EC2 or another custom origin
  5. Amazon CloudFront origin groups
- Requests can be routed to different kinds of origins based on the content type and on the path pattern
- CloudFront origin groups increase availability by providing origin failover: if the primary origin fails, requests are routed to the secondary origin.
- Access to an S3 bucket used as an origin can be restricted so that only the CloudFront distribution can read it, using Origin Access Control (OAC).
- Custom HTTP headers can be added to the requests that CloudFront sends to your origin.
- Specific HTTP headers can be added to the requests that CloudFront receives from viewers and forwards on to your origin.
- Use the steps below to prevent users from directly accessing an Application Load Balancer and to allow access only through CloudFront:
  1. Configure CloudFront to add a custom header (with a secret value) to the requests it sends to the origin
  2. Configure the Application Load Balancer to forward only requests that contain that specific header and value
  3. (Optional) Require HTTPS between CloudFront and the origin to improve the security of this solution.
- Related: Enhance Amazon CloudFront origin security with AWS WAF and AWS Secrets Manager
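The custom-header pattern from the steps above, as an added example that is not from the original post: an origin-side check (for an EC2 or other custom origin that cannot rely on ALB rules) plus the ALB listener-rule condition that implements step 2. The header name `X-Origin-Verify` and the secret values are placeholders chosen for this example; accepting the previous secret as well is what lets the value be rotated (e.g. from Secrets Manager) without dropping traffic.

```python
"""Origin-side verification for the CloudFront custom-origin-header pattern."""
import hmac
import json

# Constructed placeholders: pick your own header name and random secrets.
HEADER_NAME = "X-Origin-Verify"
CURRENT_SECRET = "current-secret-placeholder"
PREVIOUS_SECRET = "previous-secret-placeholder"  # still valid during rotation


def is_from_cloudfront(headers, valid_secrets=(CURRENT_SECRET, PREVIOUS_SECRET)):
    """Return True only if the request carries a matching origin header.

    Header names are matched case-insensitively (HTTP header names are),
    and the value is compared in constant time so the secret does not
    leak through timing differences.
    """
    presented = None
    for name, value in headers.items():
        if name.lower() == HEADER_NAME.lower():
            presented = value
            break
    if presented is None:
        return False
    presented_bytes = presented.encode("utf-8")
    return any(hmac.compare_digest(presented_bytes, s.encode("utf-8"))
               for s in valid_secrets)


def alb_rule_conditions(valid_secrets=(CURRENT_SECRET, PREVIOUS_SECRET)):
    """Build the ELBv2 listener-rule condition for step 2 of the procedure.

    This is the "http-header" condition shape accepted by the ELBv2 API/CLI
    (create-rule --conditions). Pair it with a forward action to the target
    group, and set the listener's default action to a fixed 403 response so
    that requests without the header are rejected.
    """
    return [{
        "Field": "http-header",
        "HttpHeaderConfig": {
            "HttpHeaderName": HEADER_NAME,
            "Values": list(valid_secrets),  # two values cover rotation
        },
    }]


if __name__ == "__main__":
    direct = {"Host": "origin.example.internal"}  # bypassing CloudFront
    via_cdn = {"host": "origin.example.internal", "x-origin-verify": CURRENT_SECRET}
    print(is_from_cloudfront(direct), is_from_cloudfront(via_cdn))
    print(json.dumps(alb_rule_conditions(), indent=2))
```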
- You can use your own domain name instead of the domain name assigned by CloudFront, but you must have a valid SSL/TLS certificate for it.
- End-to-end encryption is achieved by using SSL/TLS certificates both at CloudFront (viewer side) and at the origin(s).
- Field-level encryption can be used to protect sensitive data, so that specific fields stay encrypted through the request path until they reach the application that needs them.
- CloudFront can be used to restrict the geographic distribution of your content (geographic restrictions).