AWS CloudFront

Abimuktheeswaran Chidambaram
9 min read · May 10, 2023

Amazon CloudFront is a web service that speeds up the distribution of your static and dynamic web content (websites, applications, data files, etc.) to users. CloudFront delivers your content through a worldwide network of data centers called edge locations. When a user requests content, the request is routed to the edge location that provides the lowest latency (time delay) and the best performance. The maximum size of a single file that can be delivered through Amazon CloudFront is 30 GB. This limit applies to all Amazon CloudFront distributions. This article briefly covers the following chapters:

  1. How does CloudFront deliver content to users?
  2. Caching and Availability
  3. Streaming media
  4. Configuring content securely
  5. Edge functions
  6. Integration
  7. Monitoring and Logging

1. How does CloudFront deliver content to users?

  • The user requests content of the website from their computer.
  • If the content is available in the edge location, CloudFront delivers it immediately.
  • If the content is not available in that edge location, CloudFront retrieves it from an origin (such as an Amazon S3 bucket, a MediaPackage channel, an HTTP server, or a web server) into the edge location. The edge location then delivers the content to the user and also keeps a cached copy for later requests.

(Diagram courtesy of AWS)

2. Caching and Availability

By using edge locations, CloudFront serves objects close to the end user. This reduces the number of requests that reach the origin, and thereby reduces both the load on the origin server and the latency seen by users.

2.1 What is a Regional Edge Cache and how does it work?

A regional edge cache sits between the origin and the edge locations and has a larger cache than an edge location. When an edge location does not have the content, it asks the regional edge cache, which delivers the content to the edge location for the user. If the content is not in the regional edge cache either, the regional edge cache requests it from the server (origin); the origin responds to the regional edge cache, which then forwards the response to the edge location. Compared with an edge location alone, this provides lower latency and better performance when delivering content to users.

(Diagram courtesy of AWS)

2.2 Origin Access Control. You can set any endpoint as the origin (an S3 bucket, a load balancer, a VPC endpoint). When you set an S3 bucket as the origin, its files are available and accessible to everyone. To restrict public access to the origin, Origin Access Identity is a feature that blocks direct public access so that objects are reachable only through CloudFront for serving private content. The data is therefore secure: nobody can fetch files from the server by bypassing the CloudFront URL, and data transfer out costs are reduced.

(Diagram courtesy of Storm IT)
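The following is an added example (not code from the original post) that puts the weak S3 bucket policy that leaves the origin open beside the hardened policy that admits only one CloudFront distribution, in the origin access control (OAC) form that replaced the OAI named above, together with a check that flags anonymous reads. The bucket name, account id and distribution id are constructed placeholders.

```javascript
// Constructed placeholders: not a real bucket, account or distribution.
const BUCKET = 'example-private-assets';
const DISTRIBUTION_ARN = 'arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID';

// Weak setting: Principal "*" on s3:GetObject means anyone can bypass the
// CloudFront URL and fetch objects straight from the bucket.
const publicReadPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Sid: 'PublicReadGetObject',
    Effect: 'Allow',
    Principal: '*',
    Action: 's3:GetObject',
    Resource: `arn:aws:s3:::${BUCKET}/*`,
  }],
};

// Hardened setting (OAC): only the CloudFront service principal may read, and only
// when acting for the single distribution named in AWS:SourceArn.
function cloudFrontOnlyPolicy(bucket, distributionArn) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Sid: 'AllowCloudFrontServicePrincipalReadOnly',
      Effect: 'Allow',
      Principal: { Service: 'cloudfront.amazonaws.com' },
      Action: 's3:GetObject',
      Resource: `arn:aws:s3:::${bucket}/*`,
      Condition: { StringEquals: { 'AWS:SourceArn': distributionArn } },
    }],
  };
}

// Returns the Sids of Allow statements that grant object reads to everyone with no
// Condition, i.e. reads that bypass CloudFront. An empty array means none were found.
function anonymousReadStatements(policy) {
  const isAnyone = (p) => p === '*' || (p && typeof p === 'object' && p.AWS === '*');
  const grantsGet = (a) => [].concat(a).some((x) => x === 's3:GetObject' || x === 's3:*' || x === '*');
  return policy.Statement
    .filter((s) => s.Effect === 'Allow' && isAnyone(s.Principal) && grantsGet(s.Action) && !s.Condition)
    .map((s) => s.Sid || '(no Sid)');
}
```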

2.3 Origin Shield is an additional caching layer that sits between the regional edge caches and the origin and delivers content to the end user while avoiding redundant requests to the origin. It minimizes origin load, maintains high availability, improves the cache-hit ratio, reduces operating cost, and collapses multiple requests for the same content arriving from different locations into a single origin fetch.

(Diagram courtesy of AWS)

2.4 How long content stays in an edge location (expiration of content in the cache)

Reducing the cache duration allows you to serve dynamic content. Increasing the duration means your users get better performance because files are served directly from the edge cache; a longer duration also reduces the load on your origin. By default, each file expires after 24 hours in the cache. When a file expires, CloudFront requests the latest version of the file from the origin.

If the CloudFront cache already has the latest version of the file, the origin returns the status code "304 Not Modified". If the CloudFront cache does not have the latest version of the file, the origin returns the status code "200 OK".

Controlling the time-to-live (TTL) policies: by default the TTL is 24 hours (86,400 seconds); the minimum TTL value is 1 second and the maximum TTL value is 1 year (31,536,000 seconds, or 365 days).

2.5 An origin group is used for high availability. You create an origin group with two origins (a primary and a secondary). Normally CloudFront routes all traffic to the primary origin; if the primary origin returns a failure status code, CloudFront switches to the secondary.

3. Streaming media

You must use an encoder to package video content before CloudFront can distribute it. The packaging process creates segments that contain your audio, video, and caption content, and it also describes, in a specific order, which segments to play and when.

Video on demand (VOD) is a media distribution system in which the content is recorded and edited before you view it, without traditional scheduled playback (for example Netflix, Disney+, Hulu, Amazon Prime). After the media is recorded and edited it is stored on a server (S3), so viewers can access it at any time on request. AWS Elemental MediaConvert is used to convert the formats for all devices, and has more features than Elastic Transcoder.

With live video streaming, your video content is streamed in real time as live events happen, or is set up as a 24x7 live channel. AWS Elemental MediaLive is an encoder that compresses the video for viewing devices. After your video is encoded, you can store it in AWS Elemental MediaStore and format it with AWS Elemental MediaPackage for viewers to watch.

4. Configuring content securely

4.1 Viewer Protocol Policy: the owner sets the protocol policy that viewers must use to access content from CloudFront. The policy can be HTTP or HTTPS, or redirect HTTP to HTTPS.

4.2 Configure using signed URLs and signed cookies

With signed URLs and signed cookies, only authorized users can access the content, and they get it from the CloudFront edge location rather than from the origin. Signed URLs and signed cookies let you control who can access your content. You must use the RSA-SHA1 algorithm for signing URLs or cookies.

A signed URL is used to restrict access to an individual file. It delivers content to authorized users privately and securely without handing them credentials, using limited permissions. It carries its authentication information (the signature) in the query string, along with additional information such as the expiration date and time.

Signed cookies are used to provide access to multiple restricted files without changing the current URL.

A pre-signed URL allows an otherwise unauthorized user to access the object for a limited period. Only the owner sets the time window and permits the user to access the object.

Geographic restrictions (or geo-blocking) means restricting content for specific users based on their location. To use geographic restrictions you have two options: the CloudFront geographic restriction feature, which restricts access to all the files at the country level, or a third-party geolocation service, which can restrict access to all the files at the country level, zip or postal code level, or latitude and longitude level. Note: if CloudFront can't determine the user's location, it serves the requested file.

(Diagram: geographic restriction)

Field-level encryption is used to upload sensitive data from end users to web servers securely. It uses asymmetric encryption: you provide a public key to CloudFront and specify the sensitive fields, so your information is automatically encrypted. The authenticated user holding the secret (private) key decrypts it.

Invalidation means removing an old file from the CloudFront edge caches before it expires. A CloudFront invalidation ensures that users receive the latest content when they request it.

5. Edge functions

You can write your own code, called an edge function, to customize how your CloudFront distributions process HTTP requests and responses. The code runs close to your viewers (users) to minimize latency, and you don't have to manage servers or other infrastructure. CloudFront provides two ways to write and manage edge functions:

CloudFront Functions — With CloudFront Functions, you can write lightweight functions in JavaScript for high-scale, latency-sensitive CDN customizations. The CloudFront Functions runtime environment offers sub-millisecond startup times and the ability to handle 10,000,000 requests per second. The event sources are viewer request and viewer response. CloudFront Functions is a native feature of CloudFront, which means you can build, test, and deploy your code entirely within CloudFront.

Lambda@Edge — Lambda@Edge is an extension of AWS Lambda that offers powerful and flexible computing for complex functions and full application logic, in Node.js or Python, closer to your viewers. A function takes several milliseconds or more to complete. It can handle 10,000 requests per second per region. The event sources are origin request, origin response, viewer request, and viewer response. You publish functions to a single AWS Region, but when you associate a function with a CloudFront distribution, Lambda@Edge automatically replicates your code around the world.

6. Integration

Integrate with Route 53. The CloudFront URL looks like … Alternatively, you can set a custom domain like … by using Route 53, which is a scalable DNS service.

Integrate with AWS Certificate Manager (ACM), a service used to provision, deploy, and manage certificates (public and private SSL/TLS certificates). Certificates are used for secure connections to websites and applications. You can import a certificate issued by a third party using the AWS console, API, CLI, etc. You are responsible for monitoring the expiration and renewal of third-party certificates; you can use Amazon CloudWatch metrics to monitor them. Certificates issued through ACM are valid for 13 months (395 days).

For more information, see the AWS Certificate Manager documentation.

(Diagram: deployment architecture)

Integrate with AWS WAF, a web application firewall that helps protect your web applications from malicious and vulnerability-exploiting requests by applying rules based on IP addresses, HTTP headers, and custom URI strings before requests reach the server. When a request meets a rule's criteria, WAF takes the configured action on that request. AWS WAF (Web Application Firewall) protects the application layer.

Integrate with AWS Shield Standard to protect against DDoS attacks at Layer 3 and Layer 4; it is free of cost. AWS Shield Advanced has the same features as Shield Standard plus additional features such as AWS WAF, real-time monitoring and metrics, etc. It protects the infrastructure layers of the OSI model. It is a paid service.

7. Monitoring and Logging

Monitoring is an important part of maintaining the availability and performance of CloudFront and your AWS solutions.

You can use CloudWatch alarms to watch a metric over a specified period. If the metric exceeds a given threshold, a notification is sent to an Amazon SNS topic, or an Auto Scaling policy is triggered.

You can use CloudTrail logs to track the API actions made by a user, role, or service in CloudFront. You can also get standard logs and real-time logs via the CloudFront console; these logs are saved in an S3 bucket.

CloudFront pricing charges for storing data in the origin and for data transfer out from its edge locations, along with HTTP or HTTPS requests. You can get these estimates from the CloudFront pricing page.


Thanks for reading!

Last Updated: 07-Jan-2024