AWS CloudFront
This is part of a blog series giving a high-level overview of the different services examined on the AWS Solutions Architect Associate exam; to view the whole series click here.
CloudFront Terminology
Edge Location → The location where content is cached (distinct from an AWS Region). Edge locations are not read-only: you can also write to them.
Origin → The location where all the files that the CDN will distribute are stored; this can be an S3 bucket, an EC2 instance, an ELB, etc.
Distribution → The name of the CDN, which consists of a collection of edge locations.
There are two types:
- Web Distributions which are used for websites
- RTMP Distributions which are used for streaming media
Invalidations → Files or subfolders that you select to be removed from the edge locations. Useful when you need to remove a file from an edge cache before its TTL expires.
Versioning → Can be used to serve a different version of a file under a different name, so that a changed file gets a fresh cache entry rather than waiting for the old one to expire.
CloudFront Summary
- It is a global service
- Is a Content Delivery Network (CDN)
- Securely delivers web applications, data, videos and other web content over a system of distributed servers to users based on their geographic location, with low latency and high transfer speeds.
- Can be used for your whole website and can work with any AWS origin, e.g. S3, EC2, ELB, etc.
- Requests for content are automatically routed to the nearest geographical edge location for the best possible performance.
- Objects are cached for the Time To Live (TTL).
- Can integrate with AWS Shield, AWS Web Application Firewall (WAF) and Route 53 to improve security.
- It is possible to clear cached objects (an invalidation), however you will incur a charge.
- If a requested resource does not exist on the CloudFront edge location, CloudFront will fetch it from the origin server and then cache it on the edge location.
Restricting Access to CloudFront
- You can restrict S3 access so that it is only accessible through CloudFront and not directly through the S3 URL.
- You can restrict access using signed URLs or Signed Cookies. (1 File = 1 URL, but 1 Cookie = multiple files)
Features of a signed URL
- The key pair used to sign URLs is account-wide and managed by the root user.
- Has an associated policy statement (JSON) specifying restrictions on the URL.
- Contains additional information e.g. expiration date/time.
- Can have different origins and can utilise caching features.
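The following is an added example, not code from the original post, showing how the two pieces above fit together: a custom policy (JSON with an expiry and an optional source-IP restriction) is encoded with CloudFront's URL-safe base64 variant, signed, and then delivered either as query parameters on one file's URL or as the three `CloudFront-*` cookies that cover every file matching the policy's `Resource`. The distribution domain and the `Key-Pair-Id` are constructed placeholders; the real RSA-SHA1 signer assumes the `cryptography` package, and `demo()` uses a SHA-1 stand-in (labelled as such) purely so the encoding and URL layout can be exercised offline.

```python
"""Build a CloudFront signed URL and the equivalent signed cookies from one custom policy."""
import base64
import hashlib
import json
from typing import Callable, Optional
from urllib.parse import urlencode

# Constructed placeholder; a real value is the ID of a public key in a CloudFront key group.
KEY_PAIR_ID = "APKAEXAMPLEKEYPAIRID"


def build_custom_policy(resource: str, expires_epoch: int,
                        source_ip: Optional[str] = None,
                        not_before_epoch: Optional[int] = None) -> str:
    """Return the compact JSON policy statement that CloudFront evaluates.

    'resource' may end in a wildcard (e.g. https://dxxx.cloudfront.net/private/*);
    that wildcard is what lets one set of signed cookies cover many files.
    """
    condition = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if not_before_epoch is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": not_before_epoch}
    if source_ip is not None:
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    policy = {"Statement": [{"Resource": resource, "Condition": condition}]}
    # CloudFront expects the policy without whitespace, so serialise it compactly.
    return json.dumps(policy, separators=(",", ":"))


def cloudfront_b64(data: bytes) -> str:
    """Base64 with CloudFront's URL-safe substitutions: '+'->'-', '='->'_', '/'->'~'."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans("+=/", "-_~"))


def decode_policy(encoded: str) -> dict:
    """Reverse cloudfront_b64 on a Policy value so you can inspect what a URL or cookie grants."""
    standard = encoded.translate(str.maketrans("-_~", "+=/"))
    return json.loads(base64.b64decode(standard))


def rsa_sha1_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """Return a signer for the RSA-SHA1 scheme CloudFront requires (assumes 'cryptography')."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda message: key.sign(message, padding.PKCS1v15(), hashes.SHA1())


def sign_policy(policy: str, signer: Callable[[bytes], bytes]) -> dict:
    """Produce the three values that both signed URLs and signed cookies carry."""
    policy_bytes = policy.encode("utf-8")
    return {
        "Policy": cloudfront_b64(policy_bytes),
        "Signature": cloudfront_b64(signer(policy_bytes)),
        "Key-Pair-Id": KEY_PAIR_ID,
    }


def signed_url(file_url: str, policy: str, signer: Callable[[bytes], bytes]) -> str:
    """One file = one URL: the signed parameters are appended to that single file's URL."""
    params = sign_policy(policy, signer)
    separator = "&" if "?" in file_url else "?"
    return file_url + separator + urlencode(params)


def signed_cookies(policy: str, signer: Callable[[bytes], bytes]) -> dict:
    """One cookie set = many files: the browser sends these with every request the policy covers."""
    params = sign_policy(policy, signer)
    return {"CloudFront-" + name: value for name, value in params.items()}


def demo() -> dict:
    """Exercise the encoding with a SHA-1 stand-in signer (NOT RSA; for offline illustration only)."""
    stand_in_signer = lambda message: hashlib.sha1(message).digest()
    policy = build_custom_policy("https://d111111abcdef8.cloudfront.net/private/*",
                                 expires_epoch=1700000000, source_ip="192.0.2.0/24")
    return {
        "policy": policy,
        "url": signed_url("https://d111111abcdef8.cloudfront.net/private/report.pdf",
                          policy, stand_in_signer),
        "cookies": signed_cookies(policy, stand_in_signer),
    }


if __name__ == "__main__":
    result = demo()
    print(result["url"])
    print(result["cookies"])
    print(decode_policy(result["cookies"]["CloudFront-Policy"]))
```

In production, replace the stand-in with `rsa_sha1_signer(open("private_key.pem", "rb").read())` for the key whose public half is registered in the distribution's trusted key group, and keep the private key out of the application that serves the content. `decode_policy` is the handy half for defenders: given a leaked or logged signed URL, it shows exactly which resource pattern, expiry and source IP range that URL grants.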