CloudFront

Cards (12)

  • Amazon CloudFront
    • Improves read performance, content is cached at the edge
    • Improves user experience
    • 600+ Points of Presence globally (edge locations)
    • DDoS protection (because it is distributed worldwide); integrates with AWS Shield and AWS Web Application Firewall
  • CloudFront – Origins
    S3 bucket
    • For distributing files and caching them at the edge
    • Enhanced security with CloudFront Origin Access Control (OAC)
    • OAC is replacing Origin Access Identity (OAI)
    • CloudFront can be used as an ingress (to upload files to S3)
    Custom Origin (HTTP)
    • Application Load Balancer
    • EC2 instance
    • S3 website (must first enable the bucket as a static S3 website)
    • Any HTTP backend you want
  • What two CloudFront Origins are there?
    S3 bucket and Custom Origin (HTTP)
  • CloudFront – Lambda@Edge
    • Lambda@Edge gives you the capability to run Lambda functions closer to your viewers.
    • They can be written in Node.js or Python.
    • You can run Lambda functions at four points in the request/response flow:
    A) Viewer Request
    B) Origin Request
    C) Origin Response
    D) Viewer Response
  • CloudFront Server Name Indication (SNI)
    • Allows multiple certificates to share the same IP address, using SNI
  • CloudFront SSL/TLS
    A user issues a request to CloudFront secured with SSL/TLS. CloudFront then makes a secure connection to the origin. Two protocol settings are involved:
    • Viewer protocol - the protocol between the viewer (client) and CloudFront, controlled by the Viewer Protocol Policy.
    • Origin protocol - on the backend, the protocol between CloudFront and the origin.
    A) Viewer
    B) Origin
  • CloudFront SSL/TLS - Which region must an ACM cert ALWAYS be issued from?
    us-east-1 - CloudFront is a global service, and the certificate MUST be a public cert
  • CloudFront Security
    It's not just about the bucket policy (which restricts access to only your OAI, the Origin Access Identity that acts as your CloudFront user); you also have to take object ACLs into account.
  • CloudFront Signed Cookies
    Similar to Signed URLs
    • Use signed cookies when you don’t want to change URLs
    • Can also be used when you want to provide access to multiple restricted files (Signed URLs are for individual files)
  • OAI (Origin Access Identity) is a special type of user in CloudFront, meaning only the (CloudFront) user can access the origin S3 bucket.
  • CloudFront Signed URLs - what two scenarios should Signed URLs be used?
    1) Individual files, and 2) clients that don’t support cookies
  • CloudFront vs S3 Cross Region Replication
    CloudFront:
    • Global Edge network
    • Files are cached for a TTL* (maybe a day)
    • Great for static content that must be available everywhere
    Cross Region Replication:
    • Must be set up for each region you want replication to happen in
    • Files are updated in near real-time
    • Replicas are read-only
    • Great for dynamic content that needs to be available at low latency in a few regions
    *Time To Live