7. DNS, Caching and Performance Optimization
Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you're serving with CloudFront, the request is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance.
If the content is already in the edge location with the lowest latency, CloudFront delivers it immediately.
If the content is not in that edge location, CloudFront retrieves it from an origin that you've defined—such as an Amazon S3 bucket, a MediaPackage channel, or an HTTP server (for example, a web server) that you have identified as the source for the definitive version of your content.
CloudFront speeds up the distribution of your content by routing each user request through the AWS backbone network to the edge location that can best serve your content. Typically, this is a CloudFront edge server that provides the fastest delivery to the viewer. Using the AWS network dramatically reduces the number of networks that your users' requests must pass through, which improves performance. Users get lower latency—the time it takes to load the first byte of the file—and higher data transfer rates.

Overview

Web service for distributing content with low latency and high data transfer speeds.
Ideal for frequently accessed static content benefiting from edge delivery, such as website images, videos, media files, or software downloads.
Supports dynamic, static, streaming, and interactive content.

Global Service

Handles ingress for uploading objects and egress for distributing content globally.

Features and Capabilities

Provides a simple API for distributing content globally with low latency and high data transfer rates using a network of edge locations.
No need to negotiate contracts or minimum commitments to get started.
Supports using a zone apex name on CloudFront.
Supports wildcard CNAME.
Offers support for wildcard SSL certificates, Dedicated IP, Custom SSL, and SNI Custom SSL (a cheaper option).
Implements Perfect Forward Secrecy, creating a new private key for each SSL session for enhanced security.

Edge Locations and Regional Edge Caches

Edge Location (210*)

Location where content is cached, separate from AWS regions/AZs.
Requests automatically routed to the nearest edge location for optimized performance.
Not tied to Availability Zones or regions.
Can handle both read and write operations.

Regional Edge Caches (12*)

Located between origin web servers and global edge locations.
Have a larger cache compared to individual edge locations.
Objects remain in cache longer at regional edge caches.
Aim to bring content closer to users for improved performance.
Proxy methods PUT/POST/PATCH/OPTIONS/DELETE go directly to the origin from edge locations and do not pass through regional edge caches.
Dynamic content also goes straight to the origin and bypasses regional edge caches.
*Counts may change as new regions are added.

Additional Notes

Edge locations serve as both read and write caches, providing flexibility in caching strategies.
Diagrams illustrate the placement of regional edge caches and edge locations in relation to end users, optimizing content delivery and performance.


Example:
You can define a maximum Time To Live (TTL) and a default TTL
TTL is defined at the behavior level
This can be used to define different TTLs for different file types (e.g. png vs jpg)
After the TTL expires, the next request for the object makes CloudFront check with the origin whether the cached copy is still the latest version
Headers can be used to control the cache:
Cache-Control max-age=(seconds) - specify how long before CloudFront gets the object again from the origin server
Expires – specify an expiration date and time
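As an added example (not from the original notes), the following Python works through how these behavior-level TTL settings combine with origin headers: CloudFront uses the origin's Cache-Control max-age (or the Expires date when no max-age is present) as long as it lies between the minimum and maximum TTL, clamps it into that range otherwise, and falls back to the default TTL when neither header is sent. The precedence of s-maxage over max-age and the handling of no-cache/no-store/private follow the AWS documentation; the parsing helpers and the RFC 7234 treatment of a malformed Expires date are this example's own.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: value-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip()] = val.strip().strip('"') if val else None
    return directives


def effective_ttl(headers, min_ttl, default_ttl, max_ttl, now=None):
    """Seconds CloudFront keeps an object, given the origin response headers and
    the cache behavior's Minimum/Default/Maximum TTL (behavior-level settings).
    A return value of 0 means the object is not cached at all."""
    now = now or datetime.now(timezone.utc)
    hdrs = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(hdrs.get("cache-control", ""))

    # no-cache / no-store / private: CloudFront honours them, except that a
    # Minimum TTL greater than 0 still forces caching for that minimum.
    if any(d in cc for d in ("no-cache", "no-store", "private")):
        return min_ttl

    origin_ttl = None
    for directive in ("s-maxage", "max-age"):      # s-maxage wins when both are present
        val = cc.get(directive)
        if val is not None and val.isdigit():
            origin_ttl = int(val)
            break

    if origin_ttl is None and "expires" in hdrs:    # Expires only counts without max-age
        try:
            expires = parsedate_to_datetime(hdrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            origin_ttl = max(0, int((expires - now).total_seconds()))
        except (TypeError, ValueError):
            origin_ttl = 0                           # malformed date = already expired (RFC 7234)

    if origin_ttl is None:                           # neither header: Default TTL applies
        return default_ttl
    return max(min_ttl, min(origin_ttl, max_ttl))    # clamp into [Minimum TTL, Maximum TTL]
```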

Origins in CloudFront

An origin is the source of the files that the Content Delivery Network (CDN) will distribute.
CloudFront maintains persistent connections with origin servers.
Files can be uploaded through CloudFront, which forwards the write requests to the origin.
Origins can be:
Amazon S3 bucket
EC2 instance (or another custom Origin)
Elastic Load Balancer
Route 53 (including external, non-AWS origins)

When using Amazon S3 as an origin:

All objects must be stored within the bucket.
Existing buckets can be used without modification.
Newly created buckets are private by default.
Access control can be managed using bucket policies, Access Control Lists (ACLs), or CloudFront signed URLs.
Considered as AWS origins.

Custom origin server:

HTTP server, can be an EC2 instance or an on-premises/non-AWS web server.
Must specify DNS name, ports, and protocols for fetching objects.
Most CloudFront features are supported except for RTMP distributions (S3 bucket required).
Amazon CloudFront has deprecated real-time messaging protocol (RTMP) distributions on December 31, 2020.
Amazon recommends using pre-configured AMIs for web servers and Elastic Load Balancer for handling traffic across multiple EC2 instances.

S3 static website:

Enter the S3 static website hosting endpoint in the CloudFront configuration.
Objects cached for 24 hours by default, controlled through Time To Live (TTL).
Minimum expiration time is 0.
Considered as custom origins.

High availability with Origin Failover:

Set up CloudFront with origin failover for scenarios requiring high availability.
Utilizes an origin group with a primary origin and a secondary origin.
You can specify an origin group for your CloudFront origin if, for example, you want to configure origin failover for scenarios when you need high availability. Use origin failover to designate a primary origin for CloudFront plus a second origin that CloudFront automatically switches to when the primary origin returns specific HTTP status code failure responses.
Compatible with Lambda@Edge functions for advanced functionality.

Distributions in CloudFront

To distribute content with CloudFront, a distribution must be created.
The distribution includes the configuration of the CDN, comprising:
Your content origin—The Amazon S3 bucket, AWS Elemental MediaPackage channel, AWS Elemental MediaStore container, Elastic Load Balancing load balancer, or HTTP server from which CloudFront gets the files to distribute. You can specify any combination of up to 25 origins for a single distribution.
Access—Whether you want access to the files to be available to everyone or restricted to some users.
Security—Whether you want to enable AWS WAF protection and require users to use HTTPS to access your content.
Cache key—Which values, if any, you want to include in the cache key. The cache key uniquely identifies each file in the cache for a given distribution.
Origin request settings—Whether you want CloudFront to include HTTP headers, cookies, or query strings in requests that it sends to your origin.
Geographic restrictions—Whether you want CloudFront to prevent users in selected countries from accessing your content.
Logs—Whether you want CloudFront to create standard logs or real-time logs that show viewer activity.

Two Types of Distributions

Web Distribution:
Static and dynamic download content, such as HTML, CSS, JavaScript, and image files, using HTTP or HTTPS.
Allows adding, updating, or deleting objects, and submitting data from web forms.
Video on demand in different formats, such as Apple HTTP Live Streaming (HLS) and Microsoft Smooth Streaming.
A live event, such as a meeting, conference, or concert, in real time. For live streaming, you can create the distribution automatically by using an AWS CloudFormation stack.
RTMP Distribution: (Discontinued)
Amazon CloudFront has deprecated real-time messaging protocol (RTMP) distributions from December 31, 2020.
Distributes streaming media files using Adobe Flash Media Server’s RTMP protocol.
Allows playing a media file before it finishes downloading from a CloudFront edge location.
Requires files to be stored in an S3 bucket.

Access Logging and Analytics

CloudFront can be configured to write access logs, optionally including cookies, for all requests to an S3 bucket.
Amazon Athena can be used to analyse access logs.

Integration with CloudTrail

CloudFront is integrated with CloudTrail for logging and monitoring.
CloudTrail saves logs to the specified S3 bucket.
Captures information about all requests made using CloudFront.
Provides details like request source IP address, requester identity, etc.

CloudFront provides several options for reporting, monitoring, and logging your CloudFront resources:
You can view and download reports to see usage and activity for your CloudFront distributions, including billing reports, cache statistics, popular content, and top referrers.
You can monitor and track CloudFront directly in the CloudFront console or by using Amazon CloudWatch. CloudFront sends various metrics to CloudWatch for distributions and edge functions, both Lambda@Edge and CloudFront Functions.
You can view logs for the viewer requests that your CloudFront distributions receive with standard logs or real-time logs. In addition to viewer request logs, you can use
CloudWatch Logs to get logs for your edge functions, both Lambda@Edge and CloudFront Functions.
AWS CloudTrail to get logs of the CloudFront API activity in your AWS account.
You can track configuration changes to your CloudFront resources using AWS Config.

Deletion of Distributions

To delete a distribution, it must first be disabled, which can take up to 15 minutes.

Cache Behavior in CloudFront

Allows configuring various CloudFront functionalities for a specific URL path pattern.
For each cache behavior, configure:
Path pattern (e.g., /images/*.jpg, /images/*.php).
Origin for forwarding requests (if multiple origins).
Whether to forward query strings.
Whether to require signed URLs.
Allowed HTTP methods.
Minimum cache retention time.
Default cache behavior allows only /* path pattern.

Access Restriction Methods

Restrict access using signed cookies or URLs.
Restrict access to S3 bucket objects.
Use Origin Access Identity (OAI) to restrict direct S3 bucket access, forcing connection via CloudFront.
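An added example (not from the original notes) of the bucket-policy check a defender would run to confirm that the OAI restriction actually holds: object reads must be granted only to the distribution's OAI principal, and any statement that opens s3:GetObject to every principal reopens the direct S3 path that the OAI was meant to close. The bucket name, the OAI id and both policies are constructed placeholders.

```python
import copy

# Constructed placeholders (not from the page): the bucket and the OAI id that
# CloudFront shows as the distribution's "Origin access identity".
BUCKET = "example-static-site-bucket"
OAI_ID = "E1EXAMPLEOAI123"
OAI_PRINCIPAL_ARN = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {OAI_ID}"
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def audit_bucket_policy(policy, oai_arn=OAI_PRINCIPAL_ARN):
    """Return a list of findings; an empty list means object reads go only via the OAI."""
    findings, oai_granted = [], False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        grants_read = any(a.lower() in READ_ACTIONS for a in _as_list(stmt.get("Action")))
        if stmt.get("Effect") != "Allow" or not grants_read:
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            # Public read bypasses CloudFront entirely, and with it signed URLs,
            # geo restriction and WAF. A Condition may narrow it; still review it.
            findings.append(f"{sid}: object read granted to every principal")
            continue
        # OAI may also appear as a CanonicalUser principal; this check covers the ARN form.
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        for arn in aws_principals:
            if arn == oai_arn:
                oai_granted = True
            else:
                findings.append(f"{sid}: object read granted to non-OAI principal {arn}")
    if not oai_granted:
        findings.append("no statement grants s3:GetObject to the expected OAI")
    return findings


# Constructed policies: the CloudFront-only one and a leaky variant with public read added.
OAI_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontOAI", "Effect": "Allow",
        "Principal": {"AWS": OAI_PRINCIPAL_ARN},
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}
LEAKY_POLICY = copy.deepcopy(OAI_ONLY_POLICY)
LEAKY_POLICY["Statement"].append({"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                                  "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"})
```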

Viewer Protocol Policy

Configure viewer protocol:
HTTP and HTTPS.
Redirect HTTP to HTTPS.
HTTPS only.
Define allowed HTTP methods based on requirements.
GET, HEAD.
GET, HEAD, OPTIONS.
GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE.

Field-Level Encryption

Adds an extra security layer on HTTPS to protect specific data visible only to specific applications.
Encrypts sensitive user-submitted information at the edge, remaining encrypted throughout processing.

Origin Policy

HTTPS only.
Match viewer protocol – CloudFront matches protocol with custom origin.
Use match viewer only with Redirect HTTP to HTTPS or HTTPS only viewer protocol policies.
Objects cached once, even if requested via HTTP and HTTPS.

Object Invalidation

Remove objects from cache by invalidating them.
Invalidation submission cannot be canceled.
Cannot invalidate media files in Microsoft Smooth Streaming format when Smooth Streaming enabled for corresponding cache behavior.
Objects cached for Time To Live (TTL), default 24 hours, maximum 1 year.
Only caches GET requests (not PUT, POST, PATCH, DELETE).
Dynamic content is cached; consider frequency of file changes when setting TTL.
Invalidation can immediately revoke cached objects but is chargeable.
Deletions propagate across distribution.

Cache Hit Ratio

A good cache hit ratio indicates more requests are served from the cache, reducing the load on origin servers and improving performance.
Methods for Improving Cache Hit Ratio:
Use Cache-Control max-age Directive:
Increase the time objects remain in the cache by setting appropriate max-age directives in Cache-Control headers.
Use Origin Shield:
Deploy an Origin Shield to cache frequently requested content at a central location, reducing the load on origin servers and improving cache hit ratio.
Forward Only Necessary Query String Parameters:
Forward only the query string parameters for which your origin will return unique objects, avoiding unnecessary caching of variations of the same content.
Configure CloudFront to Forward Specified Cookies:
Configure CloudFront to forward only specified cookies instead of forwarding all cookies, reducing cache variations based on cookie values.
Configure CloudFront to Forward and Cache Based on Specified Headers:
Configure CloudFront to forward and cache based on only specified headers instead of forwarding and caching based on all headers, minimising cache variations.
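As an added example (not from the original notes), this Python reads a constructed excerpt of a CloudFront standard access log, the same data the Access Logging section above says Athena is used on, computes the cache hit ratio from the x-edge-result-type column, and counts how many cache-key variants a path accumulates when the whole query string is forwarded, which is the fragmentation the advice above on query strings is about. The log lines, hostnames and IP addresses are constructed.

```python
from collections import defaultdict

# Constructed excerpt of a CloudFront standard log (tab-separated). Real logs
# carry more columns; reading the #Fields header keeps the parser correct either way.
SAMPLE_LOG = """#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type
2024-01-01\t00:00:01\tIAD89-C1\t1024\t198.51.100.10\tGET\td111111abcdef8.cloudfront.net\t/images/logo.png\t200\t-\tMozilla\t-\t-\tMiss
2024-01-01\t00:00:02\tIAD89-C1\t1024\t198.51.100.11\tGET\td111111abcdef8.cloudfront.net\t/images/logo.png\t200\t-\tMozilla\t-\t-\tHit
2024-01-01\t00:00:03\tFRA50-C2\t1024\t198.51.100.12\tGET\td111111abcdef8.cloudfront.net\t/images/logo.png\t200\t-\tMozilla\t-\t-\tRefreshHit
2024-01-01\t00:00:04\tIAD89-C1\t2048\t198.51.100.13\tGET\td111111abcdef8.cloudfront.net\t/index.html\t200\t-\tMozilla\tutm_source=news\t-\tMiss
2024-01-01\t00:00:05\tIAD89-C1\t2048\t198.51.100.14\tGET\td111111abcdef8.cloudfront.net\t/index.html\t200\t-\tMozilla\tutm_source=mail\t-\tMiss
2024-01-01\t00:00:06\tIAD89-C1\t2048\t198.51.100.15\tGET\td111111abcdef8.cloudfront.net\t/index.html\t200\t-\tMozilla\tutm_source=ads\t-\tMiss
2024-01-01\t00:00:07\tIAD89-C1\t2048\t198.51.100.16\tGET\td111111abcdef8.cloudfront.net\t/index.html\t200\t-\tMozilla\tutm_source=news\t-\tHit
2024-01-01\t00:00:08\tIAD89-C1\t512\t198.51.100.17\tGET\td111111abcdef8.cloudfront.net\t/api/data\t502\t-\tMozilla\t-\t-\tError
"""
CACHE_HITS = {"Hit", "RefreshHit"}


def parse_standard_log(text):
    """Parse log lines into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def hit_ratio(rows):
    """Hits over hits plus misses; Error, Redirect and other non-cacheable
    result types are left out so they do not distort the ratio."""
    hits = sum(r["x-edge-result-type"] in CACHE_HITS for r in rows)
    misses = sum(r["x-edge-result-type"] == "Miss" for r in rows)
    return hits / (hits + misses) if hits + misses else 0.0


def hit_ratio_by_path(rows):
    by_path = defaultdict(list)
    for r in rows:
        by_path[r["cs-uri-stem"]].append(r)
    return {path: hit_ratio(group) for path, group in by_path.items()}


def cache_key_variants(rows):
    """Distinct query strings per path: each is a separate cache key when the
    behavior forwards the whole query string, so tracking params fragment the cache."""
    variants = defaultdict(set)
    for r in rows:
        variants[r["cs-uri-stem"]].add(r["cs-uri-query"])
    return {path: len(qs) for path, qs in variants.items()}
```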

Restrictions

Blacklists and whitelists can be used for geographic restrictions.
Only one option (blacklist or whitelist) can be used at a time.
Two options available for geo-restriction:
CloudFront Geo-Restriction Feature:
Restricts access to all files in a distribution at the country level.
Third-Party Geo-Location Service:
Provides finer granularity than the country level, allowing restriction of access to a subset of files in a distribution.
