Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you're serving with CloudFront, the request is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance.
If the content is already in the edge location with the lowest latency, CloudFront delivers it immediately.
If the content is not in that edge location, CloudFront retrieves it from an origin that you've defined—such as an Amazon S3 bucket, a MediaPackage channel, or an HTTP server (for example, a web server) that you have identified as the source for the definitive version of your content.
CloudFront speeds up the distribution of your content by routing each user request through the AWS backbone network to the edge location that can best serve your content. Typically, this is a CloudFront edge server that provides the fastest delivery to the viewer. Using the AWS network dramatically reduces the number of networks that your users' requests must pass through, which improves performance. Users get lower latency—the time it takes to load the first byte of the file—and higher data transfer rates.
Overview
Web service for distributing content with low latency and high data transfer speeds.
Ideal for frequently accessed static content benefiting from edge delivery, such as website images, videos, media files, or software downloads.
Supports dynamic, static, streaming, and interactive content.
Global Service
Handles ingress for uploading objects and egress for distributing content globally.
Features and Capabilities
Provides a simple API for distributing content globally with low latency and high data transfer rates using a network of edge locations.
No need to negotiate contracts or minimum commitments to get started.
Supports using a zone apex name on CloudFront.
Supports wildcard CNAME.
Offers support for wildcard SSL certificates, Dedicated IP, Custom SSL, and SNI Custom SSL (a cheaper option).
Implements Perfect Forward Secrecy, creating a new private key for each SSL session for enhanced security.
Edge Locations and Regional Edge Caches
Edge Location (210*)
Location where content is cached, separate from AWS regions/AZs.
Requests automatically routed to the nearest edge location for optimized performance.
Not tied to Availability Zones or regions.
Can handle both read and write operations.
Regional Edge Caches (12*)
Located between origin web servers and global edge locations.
Have a larger cache compared to individual edge locations.
Objects remain in cache longer at regional edge caches.
Aim to bring content closer to users for improved performance.
Proxy methods PUT/POST/PATCH/OPTIONS/DELETE go directly to the origin from edge locations and do not pass through regional edge caches.
Dynamic content also goes straight to the origin and bypasses regional edge caches.
*Counts may change as new regions are added.
Additional Notes
Edge locations serve as both read and write caches, providing flexibility in caching strategies.
Diagrams illustrate the placement of regional edge caches and edge locations in relation to end users, optimizing content delivery and performance.
Cache Expiration (TTL)
You can define a maximum Time To Live (TTL) and a default TTL.
TTL is defined at the behavior level.
This can be used to define different TTLs for different file types (e.g. png vs jpg).
After the TTL expires, CloudFront checks with the origin on the next request to confirm that the cached file is still the latest version.
Headers can be used to control the cache:
Cache-Control max-age=(seconds) - specify how long before CloudFront gets the object again from the origin server
Expires - specify an expiration date and time
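The interaction between the origin's caching headers and the behavior's Minimum, Default and Maximum TTL is easier to see in code. The following Python resolver is an added example for these notes, not AWS code; it models the documented rules (max-age, with s-maxage first, takes precedence over Expires; the chosen value is clamped to the behavior's min/max; no-cache, no-store and private cache only for the minimum TTL; no header means the default TTL). The fixed NOW timestamp and the sample headers are constructed values.

```python
"""Resolve the TTL that CloudFront applies to an object from the origin's
Cache-Control / Expires headers and the behavior's Minimum, Default and
Maximum TTL settings.

Added example for these notes (not AWS code). The rules modelled are the
documented ones: max-age (s-maxage first) takes precedence over Expires, the
chosen value is clamped to [min_ttl, max_ttl], no-cache / no-store / private
cache for min_ttl only, and with no caching header the default TTL applies.
NOW and the headers in main() are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

# Fixed "current time" so the Expires examples are reproducible (constructed).
NOW = datetime(2024, 1, 1, 0, 0, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class BehaviorTTL:
    """TTL settings of one cache behavior, in seconds; defaults match the console."""
    min_ttl: int = 0
    default_ttl: int = 86400       # 24 hours
    max_ttl: int = 31536000        # 365 days


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split 'public, max-age=300' into {'public': None, 'max-age': '300'}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def resolve_ttl(headers: Dict[str, str], behavior: BehaviorTTL,
                now: Optional[datetime] = None) -> int:
    """Seconds CloudFront keeps the object before checking the origin again (0 = do not cache)."""
    now = now or datetime.now(timezone.utc)
    lowered = {k.lower(): v for k, v in headers.items()}

    def clamp(ttl: int) -> int:
        return max(behavior.min_ttl, min(ttl, behavior.max_ttl))

    directives = parse_cache_control(lowered.get("cache-control", ""))
    if any(d in directives for d in ("no-cache", "no-store", "private")):
        # Honoured as "do not cache" unless Minimum TTL > 0, which forces caching for min_ttl.
        return behavior.min_ttl
    for key in ("s-maxage", "max-age"):    # s-maxage is for shared caches and wins over max-age
        arg = directives.get(key)
        if arg is not None and arg.isdigit():
            return clamp(int(arg))

    expires = lowered.get("expires")
    if expires:
        try:
            remaining = int((parsedate_to_datetime(expires) - now).total_seconds())
        except (TypeError, ValueError):
            remaining = 0                  # unparsable or naive date: treat as already expired
        return clamp(max(remaining, 0))

    return behavior.default_ttl            # no caching headers from the origin


def main() -> None:
    cases = [
        ({}, BehaviorTTL()),
        ({"Cache-Control": "public, max-age=300"}, BehaviorTTL()),
        ({"Cache-Control": "max-age=10"}, BehaviorTTL(min_ttl=60)),
        ({"Expires": "Mon, 01 Jan 2024 01:00:00 GMT"}, BehaviorTTL()),
        ({"Cache-Control": "no-store"}, BehaviorTTL(min_ttl=30)),
    ]
    for headers, behavior in cases:
        ttl = resolve_ttl(headers, behavior, NOW)
        print(f"{headers!s:55} min={behavior.min_ttl:<4} -> ttl={ttl}s")


if __name__ == "__main__":
    main()
```

The practical point for a reviewer of a distribution is the Minimum TTL setting: a non-zero minimum silently overrides an origin's no-store or private directive, so responses the origin marked as uncacheable (per-user content, error pages) can still be served from the edge for that long.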
Origins in CloudFront
An origin is the source of the files that the Content Delivery Network (CDN) will distribute.
CloudFront maintains persistent connections with origin servers.
Amazon S3 bucket:
Existing buckets can be used without modification.
Newly created buckets are private by default.
Access control can be managed using bucket policies, Access Control Lists (ACLs), or CloudFront signed URLs.
Considered as AWS origins.
Custom origin server:
HTTP server, can be an EC2 instance or an on-premises/non-AWS web server.
Must specify DNS name, ports, and protocols for fetching objects.
Most CloudFront features are supported except for RTMP distributions (S3 bucket required).
Amazon CloudFront has deprecated real-time messaging protocol (RTMP) distributions on December 31, 2020.
Amazon recommends using pre-configured AMIs for web servers and Elastic Load Balancer for handling traffic across multiple EC2 instances.
S3 static website:
Enter the S3 static website hosting endpoint in the CloudFront configuration.
Objects cached for 24 hours by default, controlled through Time To Live (TTL).
Minimum expiration time is 0.
Considered as custom origins.
High availability with Origin Failover:
Set up CloudFront with origin failover for scenarios requiring high availability.
Utilizes an origin group with a primary origin and a secondary origin.
You can specify an origin group for your CloudFront origin if, for example, you want to configure origin failover for scenarios when you need high availability. Use origin failover to designate a primary origin for CloudFront plus a second origin that CloudFront automatically switches to when the primary origin returns specific HTTP status code failure responses.
Compatible with Lambda@Edge functions for advanced functionality.
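The failover rules are easy to get wrong when reasoning about availability, so here is an added Python simulation (not AWS code, not part of the original notes) of an origin group. It models the documented behaviour: CloudFront tries the secondary only when the primary returns one of the status codes selected for the group (the selectable codes are 500, 502, 503, 504, 403 and 404) or cannot be reached, only for GET, HEAD and OPTIONS requests, and the secondary's response is final even if it is also a failure. The origin names and stub responses are constructed.

```python
"""Simulate CloudFront origin-group failover so the decision rules are visible.

Added example for these notes (not AWS code). It models the documented rules:
CloudFront retries the secondary origin only when the primary returns one of
the status codes selected for the origin group (the selectable codes are 500,
502, 503, 504, 403 and 404) or cannot be reached, and only for GET, HEAD and
OPTIONS requests; whatever the secondary returns, even a failure, goes to the
viewer. The origin names and stub responses are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple

Response = Tuple[int, str]                 # (HTTP status, body)
Fetch = Callable[[str, str], Response]     # fetch(origin, method); raises ConnectionError if unreachable

SELECTABLE_CODES = frozenset({500, 502, 503, 504, 403, 404})
FAILOVER_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass(frozen=True)
class OriginGroup:
    primary: str
    secondary: str
    failover_codes: FrozenSet[int]

    def __post_init__(self) -> None:
        unsupported = self.failover_codes - SELECTABLE_CODES
        if unsupported:
            raise ValueError(f"not selectable as failover criteria: {sorted(unsupported)}")


@dataclass(frozen=True)
class Outcome:
    origin: str            # origin whose response the viewer receives
    status: int
    body: str
    failed_over: bool


def fetch_with_failover(group: OriginGroup, method: str, fetch: Fetch) -> Outcome:
    """Apply the origin-group rules to one viewer request."""
    try:
        status, body = fetch(group.primary, method)
        primary_failed = status in group.failover_codes
    except ConnectionError as exc:
        # Connection/response timeouts count as failure; modelled here as a 504.
        status, body, primary_failed = 504, str(exc), True

    if not primary_failed or method not in FAILOVER_METHODS:
        return Outcome(group.primary, status, body, failed_over=False)

    try:
        status, body = fetch(group.secondary, method)
    except ConnectionError as exc:
        status, body = 504, str(exc)
    # No second retry: the secondary's response is what the viewer gets.
    return Outcome(group.secondary, status, body, failed_over=True)


# Constructed stub origins: the name decides how the "origin" behaves.
STUB_RESPONSES: Dict[str, Response] = {
    "primary-ok": (200, "hello from primary"),
    "primary-5xx": (503, "Service Unavailable"),
    "primary-404": (404, "Not Found"),
    "secondary": (200, "hello from secondary"),
}


def stub_fetch(origin: str, method: str) -> Response:
    if origin == "primary-unreachable":
        raise ConnectionError("connection timed out")
    return STUB_RESPONSES[origin]


def main() -> None:
    server_errors = frozenset({500, 502, 503, 504})
    for primary, method, codes in [("primary-5xx", "GET", server_errors),
                                   ("primary-5xx", "POST", server_errors),
                                   ("primary-404", "GET", server_errors),
                                   ("primary-404", "GET", frozenset({403, 404})),
                                   ("primary-unreachable", "HEAD", server_errors)]:
        out = fetch_with_failover(OriginGroup(primary, "secondary", codes), method, stub_fetch)
        print(f"{primary:20} {method:5} -> {out.origin:12} {out.status} failed_over={out.failed_over}")


if __name__ == "__main__":
    main()
```

Two consequences matter when designing for high availability: writes (POST, PUT, PATCH, DELETE) never fail over, so the secondary origin does not protect form submissions or uploads; and a 403/404 from the primary only triggers failover when those codes are selected, which is the usual way to run an S3 primary with a fallback bucket in another region.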
Distributions in CloudFront
To distribute content with CloudFront, a distribution must be created.
The distribution includes the configuration of the CDN, comprising:
Your content origin—The Amazon S3 bucket, AWS Elemental MediaPackage channel, AWS Elemental MediaStore container, Elastic Load Balancing load balancer, or HTTP server from which CloudFront gets the files to distribute. You can specify any combination of up to 25 origins for a single distribution.
Access—Whether you want access to the files to be available to everyone or restricted to some users.
Security—Whether you want to enable AWS WAF protection and require users to use HTTPS to access your content.
Cache key—Which values, if any, you want to include in the cache key. The cache key uniquely identifies each file in the cache for a given distribution.
Origin request settings—Whether you want CloudFront to include HTTP headers, cookies, or query strings in requests that it sends to your origin.
Geographic restrictions—Whether you want CloudFront to prevent users in selected countries from accessing your content.
Logs—Whether you want CloudFront to create standard logs or real-time logs that show viewer activity.
Two Types of Distributions
Web Distribution:
Static and dynamic download content, such as HTML, CSS, JavaScript, and image files, using HTTP or HTTPS.
Allows adding, updating, or deleting objects, and submitting data from web forms.
Video on demand in different formats, such as Apple HTTP Live Streaming (HLS) and Microsoft Smooth Streaming.
A live event, such as a meeting, conference, or concert, in real time. For live streaming, you can create the distribution automatically by using an AWS CloudFormation stack.
RTMP Distribution:
Amazon CloudFront has deprecated real-time messaging protocol (RTMP) distributions from December 31, 2020.
Distributes streaming media files using Adobe Flash Media Server’s RTMP protocol.
Allows playing a media file before it finishes downloading from a CloudFront edge location.
Requires files to be stored in an S3 bucket.
Access Logging and Analytics
Access logs (optionally including cookies) recording every request can be delivered to an S3 bucket.
Amazon Athena can be used to analyse access logs.
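To make the analysis concrete, here is an added Python example (not AWS code and not part of the original notes) that parses CloudFront standard log lines offline and computes what an Athena query over the log bucket would: the breakdown of x-edge-result-type values, the cache hit ratio, and which client IPs are producing 4xx/5xx responses. The parser takes its column names from the file's own #Fields header; the sample log is a constructed subset of the standard columns using documentation-range IPs and made-up request IDs.

```python
"""Parse CloudFront standard (access) log lines and summarise them the way an
Athena query over the log bucket would: cache result types, hit ratio and
which client IPs are producing 4xx/5xx responses.

Added example for these notes (not AWS code). Standard logs are W3C extended
format: a '#Version: 1.0' line, a '#Fields:' line naming the columns, then one
tab-separated row per request with '-' for empty values and URL-encoded
user-agent, referer, query-string and cookie fields. The parser takes the
column names from '#Fields:', so it also handles the full field list; the
sample below is a constructed subset with documentation-range IPs and made-up
request IDs.
"""
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

ENCODED_FIELDS = {"cs(User-Agent)", "cs(Referer)", "cs-uri-query", "cs(Cookie)"}
SERVED_FROM_CACHE = {"Hit", "RefreshHit"}   # x-edge-result-type values that did not go to the origin


def parse_standard_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per data row, keyed by the names in the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):            # e.g. "#Version: 1.0"
            continue
        if not fields:
            raise ValueError("data row before #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        record = dict(zip(fields, values))
        for name in ENCODED_FIELDS.intersection(record):
            if record[name] != "-":
                record[name] = unquote(record[name])
        records.append(record)
    return records


def summarize(text: str) -> Dict[str, object]:
    """Aggregate counts a first Athena query would produce."""
    records = parse_standard_log(text)
    result_types = Counter(r["x-edge-result-type"] for r in records)
    hits = sum(result_types[t] for t in SERVED_FROM_CACHE)
    errors_by_ip = Counter(r["c-ip"] for r in records if r["sc-status"].startswith(("4", "5")))
    return {
        "requests": len(records),
        "result_types": dict(result_types),
        "hit_ratio": hits / len(records) if records else 0.0,
        "errors_by_ip": dict(errors_by_ip),
    }


# Constructed sample: a subset of the standard-log columns, tab-joined like the real files.
_FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
           "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) "
           "x-edge-result-type x-edge-request-id")


def _row(ip: str, path: str, status: str, result: str, req_id: str,
         query: str = "-", ua: str = "Mozilla/5.0%20(X11)") -> str:
    return "\t".join(["2024-05-01", "12:00:01", "IAD89-C1", "1024", ip, "GET",
                      "d111111abcdef8.cloudfront.net", path, status, "-", ua, query, "-",
                      result, req_id])


SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: " + _FIELDS,
    _row("198.51.100.10", "/index.html", "200", "Hit", "r1"),
    _row("198.51.100.10", "/logo.png", "200", "Hit", "r2"),
    _row("198.51.100.22", "/index.html", "200", "Miss", "r3", query="v=2"),
    _row("198.51.100.22", "/app.js", "200", "RefreshHit", "r4"),
    _row("198.51.100.35", "/logo.png", "200", "Hit", "r5"),
    _row("198.51.100.10", "/app.js", "200", "Hit", "r6"),
    _row("203.0.113.7", "/private/report.pdf", "403", "Error", "r7", ua="curl/8.0"),
    _row("203.0.113.7", "/missing.png", "404", "Error", "r8", ua="curl/8.0"),
]) + "\n"


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_LOG))
```

Reading the column list from the header rather than hard-coding positions is the important design choice: AWS appends new fields to the standard log format over time, and a parser with fixed indexes silently attributes the wrong values to the wrong names once that happens.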
Integration with CloudTrail
CloudFront is integrated with CloudTrail for logging and monitoring.
CloudTrail saves logs to the specified S3 bucket.
Captures information about all requests made using CloudFront.
Provides details like request source IP address, requester identity, etc.
CloudFront provides several options for reporting, monitoring, and logging your CloudFront resources:
You can view and download reports to see usage and activity for your CloudFront distributions, including billing reports, cache statistics, popular content, and top referrers.
You can monitor and track CloudFront directly in the CloudFront console or by using Amazon CloudWatch. CloudFront sends various metrics to CloudWatch for distributions and edge functions, both Lambda@Edge and CloudFront Functions.
You can view logs for the viewer requests that your CloudFront distributions receive with standard logs or real-time logs. In addition to viewer request logs, you can use:
CloudWatch Logs to get logs for your edge functions, both Lambda@Edge and CloudFront Functions.
AWS CloudTrail to get logs of the CloudFront API activity in your AWS account.
You can track configuration changes to your CloudFront resources using AWS Config.
A good cache hit ratio indicates more requests are served from the cache, reducing the load on origin servers and improving performance.
Methods for Improving Cache Hit Ratio:
Use Cache-Control max-age Directive:
Increase the time objects remain in the cache by setting appropriate max-age directives in Cache-Control headers.
Use Origin Shield:
Deploy an Origin Shield to cache frequently requested content at a central location, reducing the load on origin servers and improving cache hit ratio.
Forward Only Necessary Query String Parameters:
Forward only the query string parameters for which your origin will return unique objects, avoiding unnecessary caching of variations of the same content.
Configure CloudFront to Forward Specified Cookies:
Configure CloudFront to forward only specified cookies instead of forwarding all cookies, reducing cache variations based on cookie values.
Configure CloudFront to Forward and Cache Based on Specified Headers:
Configure CloudFront to forward and cache based on only specified headers instead of forwarding and caching based on all headers, minimising cache variations.
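The last three methods all reduce the number of distinct cache keys, which is what a hit ratio measures. The Python below is an added example for these notes (not AWS code) that counts how many separate cache entries a set of requests fans out into under different forwarding rules. The key model is an assumption in line with the notes: the distribution host and URL path are always in the key, plus only the query strings, cookies and headers the policy includes (None means all, an empty set means none); header names are compared case-insensitively, query string and cookie names are not. The host name and the six requests are constructed sample data.

```python
"""Count the distinct cache keys a set of viewer requests produces under
different forwarding rules, which is what drives the cache hit ratio.

Added example for these notes (not AWS code). The key model is an assumption
in line with the notes: the distribution host and URL path are always part of
the key, plus only the query strings, cookies and headers the policy includes
(None = include all, an empty set = include none). Header names are compared
case-insensitively; query string and cookie names are case-sensitive. The host
name and the requests are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class CachePolicy:
    query_strings: Optional[FrozenSet[str]] = frozenset()   # None = forward/cache on all
    cookies: Optional[FrozenSet[str]] = frozenset()
    headers: Optional[FrozenSet[str]] = frozenset()


@dataclass
class Request:
    host: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def _select(values: Dict[str, str], allow: Optional[FrozenSet[str]],
            fold_case: bool = False) -> Tuple[Tuple[str, str], ...]:
    """Keep only the included names, sorted so that ordering alone never creates a variant."""
    norm = (lambda s: s.lower()) if fold_case else (lambda s: s)
    allowed = None if allow is None else {norm(a) for a in allow}
    picked = {norm(k): v for k, v in values.items() if allowed is None or norm(k) in allowed}
    return tuple(sorted(picked.items()))


def cache_key(req: Request, policy: CachePolicy) -> Tuple:
    """Hashable identity of the cache entry this request maps to."""
    return (req.host.lower(), req.path,
            _select(req.query, policy.query_strings),
            _select(req.cookies, policy.cookies),
            _select(req.headers, policy.headers, fold_case=True))


def distinct_variants(requests: List[Request], policy: CachePolicy) -> int:
    """Number of separate cache entries the requests would fan out into."""
    return len({cache_key(r, policy) for r in requests})


def _req(product_id: str, utm: str, session: str, lang: str, ua: str) -> Request:
    return Request("d111111abcdef8.cloudfront.net", "/product.html",
                   query={"id": product_id, "utm_source": utm},
                   cookies={"session": session, "lang": lang},
                   headers={"User-Agent": ua, "Accept-Language": lang})


# Six constructed requests for the same page: only "id" and "lang" change what the origin returns.
SAMPLE_REQUESTS: List[Request] = [
    _req("1", "newsletter", "s1", "en", "Mozilla/5.0 (X11)"),
    _req("1", "twitter", "s2", "en", "Mozilla/5.0 (Macintosh)"),
    _req("1", "search", "s3", "fr", "Mozilla/5.0 (X11)"),
    _req("2", "newsletter", "s4", "en", "curl/8.0"),
    _req("2", "email", "s5", "en", "Mozilla/5.0 (X11)"),
    _req("2", "partner", "s6", "fr", "Mozilla/5.0 (Macintosh)"),
]

FORWARD_ALL = CachePolicy(None, None, None)
TUNED = CachePolicy(frozenset({"id"}), frozenset({"lang"}), frozenset())


def main() -> None:
    for name, policy in [("forward everything", FORWARD_ALL),
                         ("id query string + lang cookie", TUNED),
                         ("id query string only", CachePolicy(frozenset({"id"})))]:
        print(f"{name:32} -> {distinct_variants(SAMPLE_REQUESTS, policy)} cache entries")


if __name__ == "__main__":
    main()
```

Forwarding everything gives one cache entry per request (the session cookie alone makes every key unique), so nothing is ever served from cache; including only the values the origin actually varies on collapses the same traffic to four entries. The opposite mistake is the security-relevant one: leave out a value the origin does depend on (drop `id`, or cache a response that varies by the session cookie) and the edge serves one viewer's response to another.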
Restrictions
Blacklists and whitelists can be used for geographic restrictions.
Only one option (blacklist or whitelist) can be used at a time.
Two options available for geo-restriction:
CloudFront Geo-Restriction Feature:
Restricts access to all files in a distribution at the country level.
Third-Party Geo-Location Service:
Provides finer granularity than the country level, and allows restricting access to a subset of the files in a distribution.