Introduction to AWS CloudFront and its features
What is AWS CloudFront
- Content Delivery Network (CDN)
- Improves read performance: content is cached at the edge
- 225+ Points of Presence globally (edge locations)
- DDoS protection, integration with AWS Shield and AWS Web Application Firewall (WAF)
- Can expose external HTTPS and can talk to internal HTTPS backends
What can be a CloudFront Origin
- S3 bucket:
  - For distributing files and caching them at the edge
  - Enhanced security with CloudFront Origin Access Identity (OAI)
  - CloudFront can be used as an ingress (to upload files to S3)
- Custom Origin (HTTP):
  - Application Load Balancer
  - EC2 instance
  - S3 website (must first enable the bucket as a static S3 website)
  - Any HTTP backend you want
CloudFront Caching
- Cache based on headers, session cookies and query string parameters
- The cache lives at each CloudFront Edge Location
- You want to maximize the cache hit rate to minimize requests to the origin
- Control the TTL (0 seconds to 1 year); it can be set by the origin using the Cache-Control header, Expires header, etc.
- You can invalidate part of the cache using the CreateInvalidation API
CloudFront Geo Restriction
- You can restrict who can access your distribution
- Whitelist: Allow your users to access your content only if they're in one of the countries on a list of approved countries.
- Blacklist: Prevent your users from accessing your content if they're in one of the countries on a blacklist of banned countries.
- The "country" is determined using a 3rd-party Geo-IP database
- Use case: copyright laws to control access to content
CloudFront Signed URL / Signed Cookies
- You want to distribute paid shared content to premium users around the world
- To restrict viewer access, we can create a CloudFront Signed URL / Signed Cookie
- How long should the URL be valid for?
  - Shared content (movie, music): make it short (a few minutes)
  - Private content (private to the user): you can make it last for years
- Signed URL = access to individual files (one signed URL per file)
- Signed Cookies = access to multiple files (one signed cookie for many files)
CloudFront Signed URL Process
- Two types of signers:
  - A trusted key group (recommended): can leverage APIs to create and rotate keys (and IAM for API security)
  - An AWS account that contains a CloudFront Key Pair: keys must be managed with the root account in the AWS console; not recommended because you shouldn't use the root account for this
- In your CloudFront distribution, create one or more trusted key groups
- You generate your own public / private key pair:
  - The private key is used by your applications (e.g. on EC2) to sign URLs
  - The public key (uploaded to CloudFront) is used by CloudFront to verify URLs
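The signing flow above, as an added Go example that is not part of these notes: the application signs a canned policy (SHA-1 digest, RSA PKCS#1 v1.5, the scheme CloudFront requires for signed URLs) with the private key and encodes the signature in CloudFront's URL-safe base64 variant, while VerifyURL is a local mirror of the check CloudFront performs at the edge with the uploaded public key. The distribution domain, file path and Key-Pair-Id used in tests are constructed placeholders, and GenerateKeyPair stands in for the key pair you create yourself.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// GenerateKeyPair stands in for the key pair you generate yourself (constructed here, 2048-bit RSA).
func GenerateKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// cannedPolicy is the document both sides hash: one resource URL and one expiry in epoch seconds.
func cannedPolicy(resource string, expires int64) string {
	return fmt.Sprintf(`{"Statement":[{"Resource":%q,"Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`, resource, expires)
}

// CloudFront's URL-safe base64 swaps + = / for - _ ~ so the signature survives in a query string.
var cfEnc = strings.NewReplacer("+", "-", "=", "_", "/", "~")
var cfDec = strings.NewReplacer("-", "+", "_", "=", "~", "/")

// SignURL is the application side (e.g. on EC2): RSA PKCS#1 v1.5 over SHA-1 of the canned policy, signed with the private key.
func SignURL(priv *rsa.PrivateKey, keyPairID, resource string, expires int64) (string, error) {
	digest := sha1.Sum([]byte(cannedPolicy(resource, expires)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s?Expires=%d&Signature=%s&Key-Pair-Id=%s", resource, expires, cfEnc.Replace(base64.StdEncoding.EncodeToString(sig)), keyPairID), nil
}

// VerifyURL mirrors the edge check: rebuild the policy from the URL minus its query string, verify it with the public key, then enforce expiry.
func VerifyURL(pub *rsa.PublicKey, signed string, now int64) error {
	resource, rawQuery, _ := strings.Cut(signed, "?")
	q, qerr := url.ParseQuery(rawQuery)
	expires, perr := strconv.ParseInt(q.Get("Expires"), 10, 64)
	sig, derr := base64.StdEncoding.DecodeString(cfDec.Replace(q.Get("Signature")))
	if qerr != nil || perr != nil || derr != nil {
		return fmt.Errorf("malformed query, Expires or Signature")
	}
	digest := sha1.Sum([]byte(cannedPolicy(resource, expires)))
	if now >= expires || rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) != nil {
		return fmt.Errorf("URL expired or signature invalid")
	}
	return nil
}
```

Because the policy covers the full resource URL, changing the file name or the Expires value in a signed URL invalidates the signature; the private key never leaves the application.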
CloudFront – Field Level Encryption
- Protects sensitive user information through the application stack
- Adds an additional layer of security along with HTTPS
- Sensitive information is encrypted at the edge, close to the user
- Uses asymmetric encryption
Usage:
- Specify the set of fields in POST requests that you want encrypted (up to 10 fields)
- Specify the public key to encrypt them with
CloudFront - Pricing
- CloudFront Edge locations are all around the world
- The cost of data out per edge location varies
- You can reduce the number of edge locations for cost reduction
- Invalidation requests: no additional charge for the first 1,000 paths requested for invalidation each month; thereafter, $0.005 per path requested for invalidation
- CloudFront has three price classes:
  - Price Class All: all regions, best performance
  - Price Class 200: most regions, but excludes the most expensive regions
  - Price Class 100: only the least expensive regions
Refer to the AWS CloudFront pricing page for more about CloudFront pricing.
Hands-On:
- Go to the AWS Console
- Create Amazon EC2 instances
- Create an Application Load Balancer
- Create target groups with the EC2 instances
Result: content loading time without using CloudFront: 193 ms
- Create a CloudFront distribution
- Configure your origin
- Configure the default cache behavior
- Set "Cache Based on Selected Request Headers" to "All"
- Save the distribution
Result: content loading time using the CloudFront domain: 52 ms