Introduction of AWS CloudFront and its features



What is AWS CloudFront

  • Content Delivery Network (CDN)
  • Improves read performance, content is cached at the edge
  • 225+ Point of Presence globally (edge locations)
  • DDoS protection, integration with Shield, AWS Web Application Firewall
  • Can expose external HTTPS and can talk to internal HTTPS backends


What can be AWS CloudFront – Origins

  • S3 bucket:
    • For distributing files and caching them at the edge
    • Enhanced security with CloudFront Origin Access Identity (OAI)
    • CloudFront can be used as an ingress (to upload files to S3)
  • Custom Origin (HTTP)
    • Application Load Balancer
    • EC2 instance
    • S3 website (must first enable the bucket as a static S3 website)
    • Any HTTP backend you want

CloudFront Caching

  • Cache based on • Headers• Session Cookies • Query String Parameters
  • The cache lives at each CloudFront Edge Location
  • You want to maximize the cache hit rate to minimize requests on the origin
  • Control the TTL (0 seconds to 1 year), can be set by the origin using the Cache- Control header, Expires header...
  • You can invalidate part of the cache using the CreateInvalidation API

CloudFront Geo Restriction

  • You can restrict who can access your distribution
  • Whitelist: Allow your users to access your content only if they're in one of the countries on a list of approved countries.
  • Blacklist: Prevent your users from accessing your content if they're in one of the countries on a blacklist of banned countries.
  • The “country” is determined using a 3rd party Geo-IP database • Use case: Copyright Laws to control access to content

CloudFront Signed URL / Signed Cookies

  • You want to distribute paid shared content to premium users over the world
  • To Restrict Viewer Access, we can create a CloudFront Signed URL / Cookie
  • How long should the URL be valid for? Shared content (movie, music): make it short (a few minutes) Private content (private to the user): you can make it last for years
  • Signed URL = access to individual files (one signed URL per file) Signed Cookies = access to multiple files (one signed cookie for many files)

CloudFront Signed URL Process • Two types of signers:

  • Either a trusted key group (recommended) Can leverage APIs to create and rotate keys (and IAM for API security)
  • An AWS Account that contains a CloudFront Key Pair Need to manage keys using the root account and the AWS console Not recommended because you shouldn’t use the root account for this
  • In your CloudFront distribution, create one or more trusted key groups
  • You generate your own public / private key The private key is used by your applications (e.g. EC2) to sign URLs • The public key (uploaded) is used by CloudFront to verify URLs

CloudFront – Field Level Encryption

  • Protect user sensitive information through application stack
  • Adds an additional layer of security along with HTTPS
  • Sensitive information encrypted at the edge close to user
  • Uses asymmetric encryption


  • Specify set of fields in POST requests that you want to be encrypted (up to 10 fields)
  • Specify the public key to encrypt them

CloudFront - Pricing

  • CloudFront Edge locations are all around the world
  • The cost of data out per edge location varies
  • You can reduce the number of edge locations for cost reduction
  • Invalidation requests No additional charge for the first 1,000 paths requested for invalidation each month. Thereafter, $0.005 per path requested for invalidation.

    • CloudFront Three price classes:

    1. Price Class All: all regions – best performance
    2. Price Class 200: most regions, but excludes the most expensive regions
    3. Price Class 100: only the least expensive regions

    refer this for more about cloudfront pricing



  1. Go to the AWS Console
  2. Create Amazon EC2 instances
  3. Create an Application Load Balancer
  4. Create target groups with EC2 instances

result : contentloading time without using cloud front [193ms]


  1. Create a CloudFront distribution
  2. Configure your origin

  1. Configure default cache behavior
  2. Configure set cache based on selected request headers to "all"
  3. Save distribution

Result: contentloading time after using cloudfront domain:[52ms]