AMAZON CLOUDFRONT

A LOW-LATENCY CONTENT DELIVERY NETWORK

INTRODUCTION👋

CloudFront is a Content Delivery Network (CDN): a globally distributed set of servers that cache content returned by your origin servers, which in turn enables fast, low-latency requests to your content from anywhere in the world.

Citing the AWS blog for Prime Day 2021, CloudFront "handled a peak of over 280 million HTTP requests per minute, for a total of over 600 billion HTTP requests". 🤯

DISTRIBUTIONS

A distribution is an actual instantiation of CloudFront. It's where you define all your settings, the function mappings, and the origins from which CloudFront fetches content that is not yet stored in its edge locations.

AWS will take care of routing requests to the user's nearest edge location, so that they can retrieve content with low latencies. Amazon's CloudFront uses a network of more than 225 edge locations and 13 regional mid-tier caches on six continents and 47 different countries.

ORIGINS🏢

An origin for your content can be basically anything that is able to serve content via HTTP. Among the AWS native services, S3 is a common choice to store content and distribute it via CloudFront.

You can specify an Origin Access Identity (OAI) and add a bucket policy to your S3 bucket so that only this CloudFront distribution is able to retrieve content from the bucket.
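The bucket policy that makes the OAI setup work is easy to get wrong: the OAI statement is often added next to an older public-read statement, which quietly keeps the bucket world-readable. The following is an added example (not code from the original page): it builds the OAI-only policy and audits a policy object for Allow statements that grant access to any principal other than the OAI. It assumes the IAM-ARN form of the OAI principal (`arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <id>`); the bucket name and OAI id are constructed placeholders.

```javascript
// Added example, not from the page: build and audit an S3 bucket policy
// intended to allow reads only through a CloudFront Origin Access Identity.
// Bucket name and OAI id used below are constructed placeholders.

function oaiPrincipalArn(oaiId) {
  return 'arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ' + oaiId;
}

// The policy you want on the bucket: a single Allow for the OAI, nothing else.
function oaiReadPolicy(bucket, oaiId) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Sid: 'AllowCloudFrontOAIRead',
      Effect: 'Allow',
      Principal: { AWS: oaiPrincipalArn(oaiId) },
      Action: 's3:GetObject',
      Resource: 'arn:aws:s3:::' + bucket + '/*'
    }]
  };
}

// Flatten the Principal element ("*", {AWS: "..."} or {AWS: [...]}) to a list.
function principalsOf(stmt) {
  var p = stmt.Principal;
  if (p === '*') return ['*'];
  var out = [];
  Object.keys(p || {}).forEach(function (kind) {
    [].concat(p[kind]).forEach(function (v) { out.push(v); });
  });
  return out;
}

// Report every Allow statement whose principal is not the expected OAI.
// Deny statements are skipped: they can only narrow access.
function findUnexpectedAllows(policy, oaiId) {
  var expected = oaiPrincipalArn(oaiId);
  var findings = [];
  (policy.Statement || []).forEach(function (stmt, i) {
    if (stmt.Effect !== 'Allow') return;
    principalsOf(stmt).forEach(function (principal) {
      if (principal !== expected) {
        findings.push({ sid: stmt.Sid || ('#' + i), principal: principal });
      }
    });
  });
  return findings;
}

// Constructed sample: a correct policy and one that kept a public-read leftover.
var OAI_ID = 'E1EXAMPLEOAIID';            // placeholder, not a real OAI id
var GOOD_POLICY = oaiReadPolicy('example-site-bucket', OAI_ID);
var LEAKY_POLICY = oaiReadPolicy('example-site-bucket', OAI_ID);
LEAKY_POLICY.Statement.push({
  Sid: 'PublicReadGetObject',
  Effect: 'Allow',
  Principal: '*',
  Action: 's3:GetObject',
  Resource: 'arn:aws:s3:::example-site-bucket/*'
});
```

Running `findUnexpectedAllows(LEAKY_POLICY, OAI_ID)` returns the `PublicReadGetObject` statement with principal `*`, while the OAI-only policy returns no findings; the same check is useful as a guard in a deployment pipeline before a bucket policy is applied.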

CloudFront follows a pay-as-you-go model, like other managed services by AWS.

If you're using AWS native services for your origins, you're not paying additional fees for the data transfer between those services and CloudFront.

BENEFITS💎

Using CloudFront enables you to deliver content in an efficient, reliable & fast way:

  • Faster performance & reliability: CloudFront supports several network-layer optimizations such as TCP fast open, request collapsing, keep-alive connections & more. It also supports multiple origins, so you can easily increase redundancy for your infrastructure.
  • Security: CloudFront supports the latest version of Transport Layer Security (TLS) 1.3 to encrypt and secure traffic between clients & CloudFront. Additionally, you can rely on geo restrictions to prevent users from accessing your content from specific locations.
  • Customizable edge behaviors: you're in full control of how CloudFront caches requests, accesses your origin servers & which metadata is forwarded. With edge functions, you can intercept and adapt requests and further customize behaviour.
  • Cost effective: CloudFront is solely pay-per-use without any minimum fee. Traffic between other AWS cloud services and CloudFront is free & AWS offers a generous free tier for outgoing traffic from CloudFront each month.

CACHE BEHAVIOR

Each request receives a computed cache key. This cache key determines whether the request can be answered from the cache (a cache hit: the object is already stored in that edge location) or whether CloudFront needs to call the origin of the distribution.

The cache key is controlled by a cache policy. You can choose between two types:

  • AWS Managed: the cache key consists of the domain name of the distribution & the requested path.
  • Custom: you decide which parts of the request are included in the cache key, e.g. specific request headers, cookies or query strings.
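To make the effect of the cache policy concrete, here is an added example (not code from the page) that models how a policy turns a request into a cache key and counts how many separate cached copies the same sample traffic produces. The managed policy follows the page's description (distribution domain plus path); the custom policy fields `headers`, `cookies` and `queryStrings` are simplifications chosen for this example, and the sample requests are constructed.

```javascript
// Added example, not from the page: a model of cache-key derivation under a
// managed vs. custom cache policy. Shows why adding headers or cookies to the
// key fragments the cache and lowers the hit ratio. All inputs are constructed.

function lowerKeys(obj) {
  var out = {};
  Object.keys(obj || {}).forEach(function (k) { out[k.toLowerCase()] = obj[k]; });
  return out;
}

// Managed policy: host + path only. Custom policy: additionally the selected
// headers (case-insensitive names), cookies and query parameters (sorted, so
// ordering differences do not create extra keys).
function cacheKey(request, policy) {
  var parts = [request.host.toLowerCase(), request.path];
  if (policy.type !== 'custom') return parts.join('|');

  var headers = lowerKeys(request.headers);
  (policy.headers || []).forEach(function (name) {
    var n = name.toLowerCase();
    parts.push('h:' + n + '=' + (headers[n] || ''));
  });
  var cookies = request.cookies || {};
  (policy.cookies || []).forEach(function (name) {
    parts.push('c:' + name + '=' + (cookies[name] || ''));
  });
  var query = request.query || {};
  var names = policy.queryStrings === 'all' ? Object.keys(query) : (policy.queryStrings || []);
  names.slice().sort().forEach(function (name) {
    if (name in query) parts.push('q:' + name + '=' + query[name]);
  });
  return parts.join('|');
}

// How many distinct cached objects the sample traffic would create.
function distinctObjects(requests, policy) {
  var seen = {};
  requests.forEach(function (r) { seen[cacheKey(r, policy)] = true; });
  return Object.keys(seen).length;
}

// Constructed sample traffic: the same stylesheet requested by three viewers.
var SAMPLE_REQUESTS = [
  { host: 'd111111abcdef8.cloudfront.net', path: '/css/site.css',
    headers: { 'Accept-Language': 'en-US' }, cookies: { session: 'a1' }, query: { v: '3' } },
  { host: 'D111111ABCDEF8.cloudfront.net', path: '/css/site.css',
    headers: { 'accept-language': 'de-DE' }, cookies: { session: 'b2' }, query: { v: '3' } },
  { host: 'd111111abcdef8.cloudfront.net', path: '/css/site.css',
    headers: { 'Accept-Language': 'en-US' }, cookies: { session: 'c3' }, query: { v: '3', utm_source: 'mail' } }
];

var MANAGED = { type: 'managed' };
var LANG_AWARE = { type: 'custom', headers: ['Accept-Language'] };
var SESSION_IN_KEY = { type: 'custom', cookies: ['session'] };
var ALL_QUERY = { type: 'custom', queryStrings: 'all' };
```

Under `MANAGED` all three requests share one cached object; `LANG_AWARE` splits it into two (one per language), `SESSION_IN_KEY` into three (every viewer gets a private copy, effectively disabling the cache), and `ALL_QUERY` into two because of the tracking parameter. The practical rule this illustrates: put into the key only what actually changes the response.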

CloudFront also supports Origin Shield as an additional caching layer, which helps to increase cache hit ratios and decrease the load on your origin servers. All requests from CloudFront's caching layer go through Origin Shield, so each object can be retrieved from the origin with a single request made by Origin Shield.

LAMBDA@EDGE📐

Run general-purpose code on regional edge locations around the world:

  • do third party calls via HTTP
  • invoke other AWS services like DynamoDB or S3
  • integrate with 3rd party authorization providers

There are four different events (triggers) to which you can attach a Lambda@Edge function:

  • Viewer Request or Viewer Response - invoked at the start or end of every request, before the cache is checked or after the response is ready to be returned to the viewer.
  • Origin Request or Origin Response - invoked only on a cache miss, before CloudFront forwards the request to the origin or after it receives the origin's response.
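A typical origin-response use is hardening the response before CloudFront caches it, so the headers are set once per object rather than on every viewer hit. The following is an added example of such a Lambda@Edge handler, not code from the original page: it follows the Lambda@Edge event format (`event.Records[0].cf.response`, lowercase header keys holding `{key, value}` arrays) and uses a callback-style handler. The header values and the sample event are chosen for this example.

```javascript
// Added example, not from the page: Lambda@Edge origin-response handler that
// adds baseline security headers (without overriding values the origin set)
// and strips a header that leaks origin implementation details.
'use strict';

var SECURITY_HEADERS = {
  'strict-transport-security': { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
  'content-security-policy':   { key: 'Content-Security-Policy',   value: "default-src 'self'" },
  'x-content-type-options':    { key: 'X-Content-Type-Options',    value: 'nosniff' },
  'x-frame-options':           { key: 'X-Frame-Options',           value: 'DENY' },
  'referrer-policy':           { key: 'Referrer-Policy',           value: 'strict-origin-when-cross-origin' }
};

var LEAKY_HEADERS = ['x-powered-by'];

function addSecurityHeaders(response) {
  response.headers = response.headers || {};
  Object.keys(SECURITY_HEADERS).forEach(function (name) {
    if (!response.headers[name]) {            // keep a stricter value set by the origin
      response.headers[name] = [SECURITY_HEADERS[name]];
    }
  });
  LEAKY_HEADERS.forEach(function (name) { delete response.headers[name]; });
  return response;
}

// Lambda@Edge entry point: the modified response is what CloudFront caches.
function handler(event, context, callback) {
  var response = event.Records[0].cf.response;
  callback(null, addSecurityHeaders(response));
}
if (typeof exports !== 'undefined') exports.handler = handler;

// Constructed origin-response event, shaped like the Lambda@Edge record format.
var SAMPLE_EVENT = {
  Records: [{ cf: {
    config: { eventType: 'origin-response' },
    request: { method: 'GET', uri: '/index.html' },
    response: {
      status: '200',
      statusDescription: 'OK',
      headers: {
        'content-type': [{ key: 'Content-Type', value: 'text/html' }],
        'content-security-policy': [{ key: 'Content-Security-Policy', value: "default-src 'self' https://static.example.com" }],
        'x-powered-by': [{ key: 'X-Powered-By', value: 'Express' }]
      }
    }
  } }]
};
```

Because the function runs at origin-response time, a mistake here is cached too: after changing a header policy, invalidate the affected paths or the old headers stay in the edge caches until the objects expire.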

CLOUDFRONT FUNCTIONS🛠️

A lightweight alternative to Lambda@Edge with fewer capabilities, but with lower latency and cheaper pricing.

Example use-cases:

  • Access Control and Authorization
  • HTTP Redirects
  • Cache Manipulation
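The three use cases fit into a single viewer-request function. Here is an added example of a CloudFront Functions handler (not code from the original page), written in the ES5-style JavaScript the CloudFront Functions runtime accepts, with the `event.request` / response-object shapes of that runtime; the path prefixes, the hidden-path rule and the dropped query parameters are choices made for this example.

```javascript
// Added example, not from the page: CloudFront Functions viewer-request handler
// covering access control, an HTTP redirect and cache-key normalisation.
// Paths and parameter names are constructed for the example.

var LEGACY_PREFIX = '/blog/';      // old URL scheme, now redirected
var NEW_PREFIX = '/articles/';
var DROP_QUERY_PREFIX = 'utm_';    // tracking parameters that never change the response

function redirect(location) {
  return {
    statusCode: 301,
    statusDescription: 'Moved Permanently',
    headers: { location: { value: location } }
  };
}

function forbidden() {
  return { statusCode: 403, statusDescription: 'Forbidden', headers: {} };
}

function handler(event) {
  var request = event.request;
  var uri = request.uri;

  // Access control: never serve hidden files or directories (/.git, /.env, ...),
  // whatever the origin happens to contain.
  if (uri.indexOf('/.') !== -1) {
    return forbidden();
  }

  // HTTP redirect: legacy paths moved permanently to the new prefix.
  if (uri.indexOf(LEGACY_PREFIX) === 0) {
    return redirect(NEW_PREFIX + uri.slice(LEGACY_PREFIX.length));
  }

  // Cache manipulation 1: map directory URIs to an object key, which an S3
  // origin needs and which gives "/docs/" and "/docs/index.html" one cache key.
  if (uri.charAt(uri.length - 1) === '/') {
    request.uri = uri + 'index.html';
  }

  // Cache manipulation 2: drop tracking parameters so they do not fragment
  // the cache when the cache policy includes query strings.
  Object.keys(request.querystring).forEach(function (name) {
    if (name.indexOf(DROP_QUERY_PREFIX) === 0) {
      delete request.querystring[name];
    }
  });

  return request;
}

// Constructed viewer-request event in the CloudFront Functions event shape.
function sampleEvent(uri, querystring) {
  return {
    version: '1.0',
    context: { eventType: 'viewer-request' },
    viewer: { ip: '198.51.100.10' },
    request: {
      method: 'GET',
      uri: uri,
      querystring: querystring || {},
      headers: { host: { value: 'd111111abcdef8.cloudfront.net' } },
      cookies: {}
    }
  };
}
```

Returning a response object from the function ends the request at the edge location, so neither the cache nor the origin is touched for the forbidden and redirected cases; returning the (modified) request lets CloudFront continue with cache lookup using the normalised URI and query string.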

From a location perspective, both function types are very different:

  • your Lambda@Edge function will be executed in one of AWS' 13 regional edge caches.
  • your CloudFront function on the other hand can run at each of the 225 edge locations.

There are also technical differences between CloudFront functions & Lambda@Edge functions.

PRICING💰

In addition to the pay-as-you-go pricing, there is a monthly free tier that includes:

  • 1 TB of data transfer out
  • 10,000,000 HTTP and HTTPS Requests
  • 2,000,000 CloudFront Function invocations

MONITORING📊

CloudFront generates different types of reports which enable you to analyze how your distribution is used & by which audience.

  • Cache Statistics: requests overview by status code and method, cache hits, misses and errors.
  • Popular Objects: most requested files, including cache hit ratio for those files.
  • Top Referrers: the top sources for requests.
  • Usage: number of requests, transferred data by protocol and destination.
  • Viewers: including devices, browsers, operating systems and locations.

GEO TARGETING & RESTRICTIONS🌍

CloudFront automatically detects the country a client request originates from, which you can use to build an approval list or a block list.

With an approval list, users can access your content only if they are in one of the approved countries.

With a block list, users are blocked from accessing your content if they're in one of the banned countries.

The accuracy of the mapping between IP addresses and country is 99.8%. If CloudFront is not able to determine the location, it will always serve the content which was requested.

CloudFront also covers high availability with origin failover: you define an origin group with a primary and a secondary origin and specify which HTTP status codes will result in a failover to the secondary origin.

ACCESS CONTROL🔐

CloudFront supports AWS Web Application Firewall (WAF), which lets you monitor the HTTPS requests that are forwarded to CloudFront and control access to your content. You can attach a single WAF web ACL to one or several of your CloudFront distributions.