AWS WAF monitors the HTTP and HTTPS requests that viewers send to CloudFront.
Controls access to content based on the conditions defined in a web ACL.
Web Access Control List (Web ACL):
Defines the rules that decide whether a request is allowed, blocked, or only counted.
Rule conditions include:
Source IP address of the viewer (the client making the request, not the origin's address).
Values in query strings, headers, the URI path or the request body.
Request rate from a single IP address, and the country the request originates from.
Response Handling:
For each request CloudFront responds with either:
The requested content, when the web ACL allows the request.
HTTP 403 status code (Forbidden), when an AWS WAF rule blocks the request.
Custom Error Pages:
CloudFront can be configured to return a custom error page instead of the default 403 response when a request is blocked.
Association with Distribution:
A web ACL enforces nothing until it is associated with a distribution. Web ACLs for CloudFront are created with the CLOUDFRONT scope in the us-east-1 Region and attached by setting the distribution's web ACL ID; a distribution can have at most one web ACL.
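The web ACL described above, as an added example that is not part of the original notes: Python that builds the WAFv2 API payloads (the shapes boto3's create_ip_set and create_web_acl accept) for a CloudFront-scoped web ACL with a source-IP rule and a query-string rule, and re-evaluates those rule statements locally against constructed requests so the 403 decisions are visible without deploying anything. The CIDR, the IP set ARN, the rule names and the sample requests are assumptions; the local evaluator covers only the two statement types used here.

```python
"""Added example (not from the original notes): build the AWS WAFv2 API payloads for a
web ACL that blocks a viewer IP range and requests whose query string carries a
suspicious parameter, then evaluate constructed requests against the same rule
statements locally to show which ones CloudFront would answer with 403.
The CIDR, ARN, rule names and sample requests are assumptions for illustration."""
import ipaddress
from urllib.parse import unquote

SCOPE = "CLOUDFRONT"  # web ACLs for CloudFront are global and must be created in us-east-1
BLOCKED_CIDRS = ["198.51.100.0/24"]  # constructed range (TEST-NET-2) standing in for a real blocklist
IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:global/ipset/blocked-viewers/EXAMPLE"  # assumed


def visibility(metric_name):
    """VisibilityConfig: sample matched requests and publish a CloudWatch metric per rule."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def ip_set_request():
    """Payload for wafv2.create_ip_set(); the web ACL's IPSet rule references its ARN."""
    return {"Name": "blocked-viewers", "Scope": SCOPE,
            "IPAddressVersion": "IPV4", "Addresses": BLOCKED_CIDRS}


def web_acl_request():
    """Payload for wafv2.create_web_acl(). Rules run in Priority order; the first
    terminating (Allow/Block) match decides, otherwise DefaultAction applies."""
    return {
        "Name": "cloudfront-acl", "Scope": SCOPE,
        "DefaultAction": {"Allow": {}},
        "Rules": [
            {"Name": "block-ip-range", "Priority": 0,
             "Statement": {"IPSetReferenceStatement": {"ARN": IP_SET_ARN}},
             "Action": {"Block": {}}, "VisibilityConfig": visibility("BlockIpRange")},
            {"Name": "block-cmd-param", "Priority": 1,
             "Statement": {"ByteMatchStatement": {
                 "SearchString": b"cmd=",
                 "FieldToMatch": {"QueryString": {}},
                 # decode %-escapes before matching so "c%6Dd=" cannot slip past
                 "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}],
                 "PositionalConstraint": "CONTAINS"}},
             "Action": {"Block": {}}, "VisibilityConfig": visibility("BlockCmdParam")},
        ],
        "VisibilityConfig": visibility("CloudfrontAcl"),
    }


def _matches(statement, request):
    """Local re-implementation of the two statement types used above, nothing else."""
    if "IPSetReferenceStatement" in statement:
        ip = ipaddress.ip_address(request["source_ip"])
        return any(ip in ipaddress.ip_network(cidr) for cidr in BLOCKED_CIDRS)
    bm = statement["ByteMatchStatement"]
    value = request["query"]
    for t in sorted(bm["TextTransformations"], key=lambda t: t["Priority"]):
        if t["Type"] == "URL_DECODE":
            value = unquote(value)
        elif t["Type"] == "LOWERCASE":
            value = value.lower()
        else:
            raise NotImplementedError(t["Type"])
    if bm["PositionalConstraint"] != "CONTAINS":
        raise NotImplementedError(bm["PositionalConstraint"])
    return bm["SearchString"].decode() in value


def evaluate(acl, request):
    """Return (action, rule_name) the way WAF decides; Count rules never terminate."""
    for rule in sorted(acl["Rules"], key=lambda r: r["Priority"]):
        action = next(iter(rule["Action"]))
        if action != "Count" and _matches(rule["Statement"], request):
            return action.upper(), rule["Name"]
    return next(iter(acl["DefaultAction"])).upper(), None


def expected_status(acl, request):
    """CloudFront answers a blocked request with 403, otherwise it serves the content."""
    return 403 if evaluate(acl, request)[0] == "BLOCK" else 200


# constructed viewer requests as the web ACL sees them
SAMPLE_REQUESTS = [
    {"source_ip": "198.51.100.7", "query": ""},               # inside the blocked range
    {"source_ip": "203.0.113.5", "query": "id=42&c%6Dd=ls"},  # "cmd=" appears only after URL decoding
    {"source_ip": "203.0.113.5", "query": "id=42"},           # falls through to DefaultAction
]

if __name__ == "__main__":
    acl = web_acl_request()
    for req in SAMPLE_REQUESTS:
        print(req, "->", evaluate(acl, req), expected_status(acl, req))
    # To deploy for real (needs credentials; wafv2 for CloudFront is us-east-1 only):
    #   waf = boto3.client("wafv2", region_name="us-east-1")
    #   waf.create_ip_set(**ip_set_request()); waf.create_web_acl(**web_acl_request())
    # then set WebACLId in the distribution's DistributionConfig to the web ACL ARN.
```

The URL_DECODE transformation is the point of the second rule: without it, a viewer can spell the parameter as c%6Dd= and the byte match never fires, while the origin decodes it and sees cmd=. Order the rules so the cheap IP-set check runs first, and keep DefaultAction as Allow only when every block rule has been tested in Count mode against real traffic first.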
Security
PCI DSS Compliance:
CloudFront is PCI DSS compliant, but AWS recommends not caching credit card (cardholder) data at edge locations.
HIPAA Compliance:
Classified as a HIPAA eligible service: it can be used to process protected health information (PHI) under an AWS Business Associate Addendum (BAA). Eligibility does not make a distribution compliant on its own; the customer still has to configure it appropriately (for example, HTTPS only between viewers and CloudFront and between CloudFront and the origin).
DDoS Protection:
CloudFront absorbs and filters DDoS traffic at its globally distributed edge locations, and every distribution is protected by AWS Shield Standard at no extra cost. Only well-formed HTTP(S) requests are forwarded to the origin, so non-HTTP floods (SYN floods, UDP reflection) never reach backend hosts. Geo restriction (geo-blocking) can additionally deny requests from specific countries. This protection only helps if the origin cannot be reached directly: restrict it to CloudFront (origin access control for S3, or a secret custom header that the origin requires) so attackers cannot bypass the edge.
Domain Names
CloudFront Domain Names:
CloudFront automatically generates domain names like a232323.cloudfront.net.
Alias Records:
Alternate domain names (CNAMEs such as www.example.com) are added to the distribution and, in Route 53, pointed at it with an alias record; an alias record also works at the zone apex (example.com). Each alternate domain name must be covered by the distribution's TLS certificate, which for CloudFront is an ACM certificate issued in us-east-1, or CloudFront refuses to add it.
CNAME for Other Service Providers:
With other DNS providers a CNAME record is used. A CNAME cannot be placed at the zone apex, so the bare root domain cannot be pointed at a distribution that way.
Moving Domain Names:
Subdomains:
A subdomain can be moved between distributions by the account owner: remove it from the old distribution first, then add it to the new one, otherwise CloudFront rejects the duplicate (CNAMEAlreadyExists).
Root Domain:
For the root (apex) domain, AWS Support needs to be engaged to move the name between distributions.
High Availability with CloudFront
Caching Content:
CloudFront caches content at Edge Locations globally.
Cached objects are served directly from the edge, which reduces requests to the origin server and lowers both origin load and viewer latency.
Origin Failover:
CloudFront supports origin failover for high availability: an origin group of two origins, one primary and one secondary, plus a cache behaviour that routes to the group instead of to a single origin.
Setup Process:
Distribution Configuration:
Ensure the distribution has at least two origins.
Origin Group Creation:
Create an origin group containing the two origins, with one designated as primary, and choose the failover criteria: the HTTP status codes (any of 500, 502, 503, 504, 403 and 404) returned by the primary that make CloudFront retry the request on the secondary. Connection failures and timeouts against the primary always trigger failover.
Cache Behavior Configuration:
Point the cache behaviour's target origin at the origin group so that requests for that behaviour use the failover pair.
Caveats:
Failover applies only to GET, HEAD and OPTIONS requests and only when the request is not already served from the cache; if the secondary also fails, its response is what the viewer receives.
Benefits:
Redundancy and availability when the primary origin fails.
More reliable content delivery, minimising downtime and keeping the service continuously available.
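The origin group setup above, as an added example that is not part of the original notes: Python that builds the OriginGroups item and the cache behaviour wiring in the shape the CloudFront DistributionConfig API uses, checks that the wiring is consistent, and models the per-request failover decision (method, failover status codes, connection failure). The origin IDs, bucket names and outcomes are assumptions for illustration, and the config fragment omits the other fields a real DistributionConfig requires.

```python
"""Added example (not from the original notes): the OriginGroups fragment of a CloudFront
DistributionConfig, the cache behaviour that targets the group, and a small model of the
failover decision CloudFront makes per request. Origin IDs, domain names and status
codes are assumptions for illustration."""

FAILOVER_METHODS = {"GET", "HEAD", "OPTIONS"}           # failover never applies to other methods
FAILOVER_STATUS_CODES = {500, 502, 503, 504, 403, 404}  # the only codes an origin group may use


def origin_group(group_id, primary_id, secondary_id, status_codes):
    """OriginGroups item as the CloudFront API expects it. Member order matters:
    the first member is the primary, the second is the fallback."""
    unsupported = set(status_codes) - FAILOVER_STATUS_CODES
    if unsupported:
        raise ValueError(f"not valid failover criteria: {sorted(unsupported)}")
    return {
        "Id": group_id,
        "FailoverCriteria": {"StatusCodes": {"Quantity": len(status_codes),
                                             "Items": sorted(status_codes)}},
        "Members": {"Quantity": 2,
                    "Items": [{"OriginId": primary_id}, {"OriginId": secondary_id}]},
    }


def distribution_config_fragment():
    """The parts of a DistributionConfig that wire two (assumed) origins into a
    failover group; the other required fields are left out of this fragment."""
    group = origin_group("web-failover", "primary-s3", "standby-s3", [500, 502, 503, 504])
    return {
        "Origins": {"Quantity": 2, "Items": [
            {"Id": "primary-s3", "DomainName": "primary-bucket.s3.amazonaws.com"},
            {"Id": "standby-s3", "DomainName": "standby-bucket.s3.amazonaws.com"}]},
        "OriginGroups": {"Quantity": 1, "Items": [group]},
        # the behaviour targets the group id, not one of the origin ids
        "DefaultCacheBehavior": {"TargetOriginId": "web-failover",
                                 "ViewerProtocolPolicy": "redirect-to-https"},
    }


def check_wiring(config):
    """True when every group member is a declared origin and the default behaviour
    targets a group (a behaviour still pointing at a single origin gets no failover)."""
    origin_ids = {o["Id"] for o in config["Origins"]["Items"]}
    groups = {g["Id"]: g for g in config["OriginGroups"]["Items"]}
    for g in groups.values():
        members = [m["OriginId"] for m in g["Members"]["Items"]]
        if len(members) != 2 or not set(members) <= origin_ids:
            return False
    return config["DefaultCacheBehavior"]["TargetOriginId"] in groups


def serve_from(group, method, primary_result):
    """Which origin's response reaches the viewer on a cache miss. primary_result is
    the HTTP status the primary returned, or None when the connection failed or timed out."""
    primary, secondary = (m["OriginId"] for m in group["Members"]["Items"])
    if method not in FAILOVER_METHODS:
        return primary                  # a POST that got a 503 is not retried on the standby
    codes = group["FailoverCriteria"]["StatusCodes"]["Items"]
    if primary_result is None or primary_result in codes:
        return secondary                # the standby's answer, good or bad, goes to the viewer
    return primary


if __name__ == "__main__":
    cfg = distribution_config_fragment()
    grp = cfg["OriginGroups"]["Items"][0]
    print("wiring ok:", check_wiring(cfg))
    for method, result in [("GET", 503), ("GET", None), ("GET", 404), ("POST", 503)]:
        print(method, result, "->", serve_from(grp, method, result))
```

Two things the model makes explicit that the console does not: a 404 from the primary is only retried if 404 is in the criteria (here it is not, so the viewer gets the 404), and no non-idempotent request is ever replayed against the secondary, so a write-heavy API gains nothing from an origin group.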
Monitoring and Reporting in CloudFront
Operational Metrics:
CloudFront console provides access to operational metrics for distributions and Lambda@Edge functions.
Default Metrics (No Additional Cost):
Requests:
Total number of viewer requests received by CloudFront.
Bytes Downloaded:
Total bytes downloaded by viewers for GET, HEAD, and OPTIONS requests.
Bytes Uploaded:
Total bytes uploaded to origin with CloudFront, via POST and PUT requests.
4xx Error Rate:
Percentage of viewer requests resulting in a 4xx HTTP status code.
5xx Error Rate:
Percentage of viewer requests resulting in a 5xx HTTP status code.
Total Error Rate:
Percentage of viewer requests resulting in either a 4xx or 5xx HTTP status code.
Additional Metrics (Extra Cost):
These metrics need to be enabled separately for each distribution:
Cache Hit Rate:
Percentage of cacheable requests served from CloudFront cache.
Origin Latency:
Total time from when CloudFront receives a request until it starts writing the response to the network, measured only for requests served from the origin (cache misses), not for cache hits.
Error Rate by Status Code:
Percentage of viewer requests resulting in specific HTTP status codes within the 4xx or 5xx range: 401, 403, 404, 502, 503, and 504.
Logging and Auditing in CloudFront
Standard (Access) Logs:
CloudFront standard logs are delivered to an S3 bucket of your choosing and record every viewer request to the distribution (time, edge location, client IP, method, URI, status code, cache result and more); logging of cookies is an optional setting on the distribution. These are viewer-request logs, distinct from the S3 bucket's own server access logs.
Analysis with Amazon Athena:
Logs stored in S3 can be queried in place with Amazon Athena, which allows detailed examination of access patterns and behaviours such as error rates, cache efficiency, or which client IPs keep receiving 403s.
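The metrics in the Monitoring section and the log analysis described above, as one added example that is not part of the original notes: Python that parses CloudFront standard log lines by their #Fields header and derives the 4xx, 5xx and total error rates, an approximation of the paid cache hit rate metric, and a list of viewer IPs collecting repeated 403s. The log lines are constructed for the example (in the real tab-separated layout, with only the first fourteen columns); the field names are CloudFront's, everything else is assumed.

```python
"""Added example (not from the original notes): parse CloudFront standard (access) log
lines and derive the figures the console metrics report (4xx, 5xx and total error rate,
an approximation of cache hit rate) plus a simple abuse check: viewer IPs that collect
repeated 403s. SAMPLE_LOG is constructed for the example in the real tab-separated layout
with its #Version and #Fields header; production logs carry more columns, which the
header-driven parser takes in the same way."""
from collections import Counter

SAMPLE_LOG = """#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type
2024-05-01\t10:00:01\tLHR62-C1\t1024\t203.0.113.5\tGET\ta232323.cloudfront.net\t/index.html\t200\t-\tMozilla/5.0\t-\t-\tHit
2024-05-01\t10:00:02\tLHR62-C1\t5120\t203.0.113.5\tGET\ta232323.cloudfront.net\t/app.js\t200\t-\tMozilla/5.0\t-\t-\tMiss
2024-05-01\t10:00:03\tLHR62-C1\t380\t198.51.100.7\tGET\ta232323.cloudfront.net\t/admin\t403\t-\tcurl/8.0\t-\t-\tError
2024-05-01\t10:00:03\tLHR62-C1\t380\t198.51.100.7\tGET\ta232323.cloudfront.net\t/wp-login.php\t403\t-\tcurl/8.0\t-\t-\tError
2024-05-01\t10:00:04\tLHR62-C1\t380\t198.51.100.7\tGET\ta232323.cloudfront.net\t/.env\t403\t-\tcurl/8.0\t-\t-\tError
2024-05-01\t10:00:05\tFRA56-C2\t512\t203.0.113.9\tGET\ta232323.cloudfront.net\t/missing\t404\t-\tMozilla/5.0\t-\t-\tError
2024-05-01\t10:00:06\tFRA56-C2\t512\t203.0.113.9\tGET\ta232323.cloudfront.net\t/api/items\t502\t-\tMozilla/5.0\t-\t-\tError
2024-05-01\t10:00:07\tFRA56-C2\t2048\t203.0.113.5\tGET\ta232323.cloudfront.net\t/logo.png\t200\t-\tMozilla/5.0\t-\t-\tRefreshHit
2024-05-01\t10:00:08\tFRA56-C2\t900\t203.0.113.9\tGET\ta232323.cloudfront.net\t/style.css\t200\t-\tMozilla/5.0\t-\t-\tHit
2024-05-01\t10:00:09\tFRA56-C2\t120\t203.0.113.9\tPOST\ta232323.cloudfront.net\t/api/items\t201\t-\tMozilla/5.0\t-\t-\tMiss
"""

HIT_TYPES = {"Hit", "RefreshHit"}
CACHEABLE_TYPES = HIT_TYPES | {"Miss"}  # Error, Redirect, LimitExceeded... are not cache lookups


def parse_standard_log(text):
    """Return one dict per request, keyed by the column names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue                                    # #Version line or trailing blank
        else:
            values = line.split("\t")
            if fields is None or len(values) != len(fields):
                raise ValueError(f"malformed log line: {line!r}")
            rows.append(dict(zip(fields, values)))
    return rows


def error_rates(rows):
    """Percentages matching the console's 4xx, 5xx and total error rate metrics."""
    total = len(rows)
    c4 = sum(r["sc-status"].startswith("4") for r in rows)
    c5 = sum(r["sc-status"].startswith("5") for r in rows)
    pct = lambda n: round(100.0 * n / total, 1) if total else 0.0
    return {"4xx": pct(c4), "5xx": pct(c5), "total": pct(c4 + c5)}


def cache_hit_rate(rows):
    """Share of cacheable GET/HEAD requests answered from the edge cache. This
    approximates the paid Cache Hit Rate metric; the exact CloudWatch definition is AWS's."""
    cacheable = [r for r in rows if r["cs-method"] in ("GET", "HEAD")
                 and r["x-edge-result-type"] in CACHEABLE_TYPES]
    hits = [r for r in cacheable if r["x-edge-result-type"] in HIT_TYPES]
    return round(100.0 * len(hits) / len(cacheable), 1) if cacheable else 0.0


def repeat_forbidden_ips(rows, threshold=3):
    """Viewer IPs with at least `threshold` 403 responses: candidates for a WAF IP set
    or a rate-based rule. Returns (ip, count) pairs, most frequent first."""
    counts = Counter(r["c-ip"] for r in rows if r["sc-status"] == "403")
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    rows = parse_standard_log(SAMPLE_LOG)
    print(error_rates(rows))            # {'4xx': 40.0, '5xx': 10.0, 'total': 50.0}
    print(cache_hit_rate(rows))         # 75.0
    print(repeat_forbidden_ips(rows))   # [('198.51.100.7', 3)]
```

The same three computations are what an Athena table over the log bucket answers at scale; doing them on a slice of raw lines first is a cheap way to confirm what the columns mean (for example that a WAF-blocked request shows up as a 403 with a non-cache result type) before trusting a dashboard built on them.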
Integration with CloudTrail:
CloudFront is integrated with AWS CloudTrail, a service that records API calls and related events made within AWS.
Logging to S3:
CloudTrail logs are saved to the specified S3 bucket.
Comprehensive Logging:
CloudTrail records every CloudFront API call (for example creating, updating or invalidating a distribution) regardless of how it was made (console, API, SDKs, CLI). It does not record viewer requests for content; those appear only in the standard logs.
Log Details:
CloudTrail logs provide details such as request information, source IP address, and user identity.
Viewing CloudFront Requests in CloudTrail:
CloudFront is a global service, so its API events are recorded in the US East (N. Virginia) Region. An existing trail must have global service events enabled (the trail's include-global-service-events setting) or CloudFront events will not appear in it.
Charges for CloudFront
Reserved Capacity Option:
Available for commitments of 12 months or longer.
Starts at a minimum of 10 TB of data transfer per month from a single region.
Pay for:
Data Transfer Out to Internet: Charges incurred for data transfer from CloudFront to end users.
Data Transfer Out to Origin: Charges incurred for data transfer from CloudFront to origin server.
Number of HTTP/HTTPS Requests: Charges based on the total number of HTTP/HTTPS requests.
Invalidation Requests: Charges for invalidation requests that remove objects from the cache; the first 1,000 invalidation paths per month are free.
Dedicated IP Custom SSL: A monthly charge per distribution for serving a custom certificate on dedicated IP addresses; SNI-based custom SSL carries no extra charge.
Field Level Encryption Requests: Charges for field level encryption requests.
No Charges for:
Origin Fetches from AWS Origins: No charge for data transferred from AWS origins (such as S3, EC2 or Elastic Load Balancing) to CloudFront edge locations.
Regional Edge Cache: No charges for utilising the regional edge cache.
AWS ACM SSL/TLS Certificates: No charges for using AWS ACM SSL/TLS certificates.
Shared CloudFront Certificates: No charges for utilising shared CloudFront certificates.