Introduction of AWS CloudFront and its features

2021.08.19

What is AWS CloudFront

  • Content Delivery Network (CDN)
  • Improves read performance, content is cached at the edge
  • 225+ Point of Presence globally (edge locations)
  • DDoS protection, integration with Shield, AWS Web Application Firewall
  • Can expose external HTTPS and can talk to internal HTTPS backends

 

What can be AWS CloudFront – Origins

  • S3 bucket:
    • For distributing files and caching them at the edge
    • Enhanced security with CloudFront Origin Access Identity (OAI)
    • CloudFront can be used as an ingress (to upload files to S3)
  • Custom Origin (HTTP)
    • Application Load Balancer
    • EC2 instance
    • S3 website (must first enable the bucket as a static S3 website)
    • Any HTTP backend you want

CloudFront Caching

  • Cache based on • Headers• Session Cookies • Query String Parameters
  • The cache lives at each CloudFront Edge Location
  • You want to maximize the cache hit rate to minimize requests on the origin
  • Control the TTL (0 seconds to 1 year), can be set by the origin using the Cache- Control header, Expires header...
  • You can invalidate part of the cache using the CreateInvalidation API

CloudFront Geo Restriction

  • You can restrict who can access your distribution
  • Whitelist: Allow your users to access your content only if they're in one of the countries on a list of approved countries.
  • Blacklist: Prevent your users from accessing your content if they're in one of the countries on a blacklist of banned countries.
  • The “country” is determined using a 3rd party Geo-IP database • Use case: Copyright Laws to control access to content

CloudFront Signed URL / Signed Cookies

  • You want to distribute paid shared content to premium users over the world
  • To Restrict Viewer Access, we can create a CloudFront Signed URL / Cookie
  • How long should the URL be valid for? Shared content (movie, music): make it short (a few minutes) Private content (private to the user): you can make it last for years
  • Signed URL = access to individual files (one signed URL per file) Signed Cookies = access to multiple files (one signed cookie for many files)

CloudFront Signed URL Process • Two types of signers:

  • Either a trusted key group (recommended) Can leverage APIs to create and rotate keys (and IAM for API security)
  • An AWS Account that contains a CloudFront Key Pair Need to manage keys using the root account and the AWS console Not recommended because you shouldn’t use the root account for this
  • In your CloudFront distribution, create one or more trusted key groups
  • You generate your own public / private key The private key is used by your applications (e.g. EC2) to sign URLs • The public key (uploaded) is used by CloudFront to verify URLs

CloudFront – Field Level Encryption

  • Protect user sensitive information through application stack
  • Adds an additional layer of security along with HTTPS
  • Sensitive information encrypted at the edge close to user
  • Uses asymmetric encryption

Usage:

  • Specify set of fields in POST requests that you want to be encrypted (up to 10 fields)
  • Specify the public key to encrypt them

CloudFront - Pricing

  • CloudFront Edge locations are all around the world
  • The cost of data out per edge location varies
  • You can reduce the number of edge locations for cost reduction
  • Invalidation requests No additional charge for the first 1,000 paths requested for invalidation each month. Thereafter, $0.005 per path requested for invalidation.

    • CloudFront Three price classes:

    1. Price Class All: all regions – best performance
    2. Price Class 200: most regions, but excludes the most expensive regions
    3. Price Class 100: only the least expensive regions

    refer this for more about cloudfront pricing

     

Hands-On:

  1. Go to the AWS Console
  2. Create Amazon EC2 instances
  3. Create an Application Load Balancer
  4. Create target groups with EC2 instances

result : contentloading time without using cloud front [193ms]

cfresult

  1. Create a CloudFront distribution
  2. Configure your origin

  1. Configure default cache behavior
  2. Configure set cache based on selected request headers to "all"
  3. Save distribution

Result: contentloading time after using cloudfront domain:[52ms]

cfresultcf