PolarSPARC
AWS CloudFront and Global Accelerator - Quick Notes
Bhaskar S | 12/30/2023
AWS CloudFront
AWS CloudFront is a service that speeds up the distribution of a client's static or dynamic web content to their users. CloudFront delivers the content through a worldwide network of data centers referred to as Edge Locations. When a user requests content that is served via CloudFront, the request is routed to the Edge Location that provides the lowest latency.
The following is the summary of the various features/capabilities of CloudFront:
Is a Content Delivery Network (CDN)
Is a GLOBAL service
Improves read performance for a global user-base since the content is cached at the edge locations
There is an associated Time-to-Live (TTL) with the cached content. The default TTL is 24 hours
One can associate different TTLs for different file content types
An Origin is the source of the content, which could be an S3 Bucket or a Custom backend
The following are some of the features/capabilities of S3 bucket as an origin:
For distributing static files
To enhance security and ensure that only CloudFront can access the S3 bucket, use CloudFront Origin Access Control (OAC) in addition to setting the S3 bucket policy accordingly
CloudFront can also be used as an ingress path to upload data into an S3 bucket
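The OAC setup above pairs the distribution with a bucket policy that admits only the CloudFront service principal, pinned to one distribution ARN. The following is an added example (not from the original notes) that generates such a least-privilege policy and reviews an existing policy for grants that would bypass OAC; the bucket name and distribution ARN are constructed placeholders.

```python
import json

# Constructed placeholders, not real AWS resources
BUCKET = "example-static-site-bucket"
DISTRIBUTION_ARN = "arn:aws:cloudfront::123456789012:distribution/EXAMPLEDISTID"


def oac_bucket_policy(bucket: str, distribution_arn: str) -> dict:
    """Bucket policy that lets only the given CloudFront distribution read objects.

    With OAC, CloudFront signs origin requests as the cloudfront.amazonaws.com
    service principal; the AWS:SourceArn condition pins the grant to one
    distribution so another account's distribution cannot reuse it.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def policy_findings(policy: dict) -> list:
    """Review a bucket policy and list Allow statements that would bypass OAC.

    Flags a wildcard principal (bucket readable by anyone) and a CloudFront
    service-principal grant that is not pinned to a distribution via SourceArn.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: public principal '*'")
        elif isinstance(principal, dict) and principal.get("Service") == "cloudfront.amazonaws.com":
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if "AWS:SourceArn" not in cond:
                findings.append(f"{sid}: CloudFront grant not pinned to a distribution")
    return findings


if __name__ == "__main__":
    policy = oac_bucket_policy(BUCKET, DISTRIBUTION_ARN)
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy))
```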
The following are some of the features/capabilities of custom backend as an origin:
Application Load Balancer (ALB) which MUST be public, but the backend EC2 Instance(s) can be private
EC2 Instance(s) MUST be public
S3 static Website
Any HTTP backend
If the content is not cached at an edge location, CloudFront pulls the desired content from the origin over the AWS global network (without traversing the public Internet)
When a CloudFront distribution is created, it gets a public access endpoint that can be used by the users
One can configure a CloudFront Behavior to route to a specific origin based on a path pattern, such as an S3 origin for image files (images/*) and an EC2 Instance origin for other web content. The default behavior handles all other paths
The following are some of the features/capabilities of CloudFront Signed URLs:
Provides more control over access to content
One can specify the start and expiration date and time, as well as the allowed IP addresses
Can be used for individual restricted files and for clients that DO NOT support cookies
The following are some of the features/capabilities of CloudFront Signed Cookies:
Used when we DO NOT want to change the URLs to the restricted files
Can be used for MULTIPLE restricted files
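Signed URLs and signed cookies carry the same three pieces of data: a custom policy (resource, expiry, optional start time and source IP range), an RSA signature over that policy, and the key pair id, all in CloudFront's URL-safe base64 variant. The following is an added example (not from the original notes) that builds the policy and emits either the query parameters or the cookies; the `sign` callback (RSA-SHA1 with the CloudFront key pair's private key) is assumed to be supplied by the caller, and the key pair id is a constructed placeholder.

```python
import base64
import json
from typing import Callable, Optional
from urllib.parse import urlencode

# Constructed placeholder, not a real CloudFront key pair id
KEY_PAIR_ID = "KEXAMPLEKEYPAIRID"


def custom_policy(resource: str, expires: int, starts: Optional[int] = None,
                  ip_cidr: Optional[str] = None) -> str:
    """Compact CloudFront custom policy JSON (no whitespace).

    expires/starts are Unix epoch seconds; ip_cidr limits the client source IP.
    """
    cond = {"DateLessThan": {"AWS:EpochTime": expires}}
    if starts is not None:
        cond["DateGreaterThan"] = {"AWS:EpochTime": starts}
    if ip_cidr is not None:
        cond["IpAddress"] = {"AWS:SourceIp": ip_cidr}
    policy = {"Statement": [{"Resource": resource, "Condition": cond}]}
    return json.dumps(policy, separators=(",", ":"))


def cf_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64: '+' becomes '-', '=' becomes '_', '/' becomes '~'."""
    text = base64.b64encode(data).decode("ascii")
    return text.replace("+", "-").replace("=", "_").replace("/", "~")


def signed_url(url: str, policy: str, sign: Callable[[bytes], bytes],
               key_pair_id: str = KEY_PAIR_ID) -> str:
    """Append the Policy, Signature and Key-Pair-Id query parameters to url.

    sign() is assumed to return the RSA-SHA1 signature of the raw policy bytes.
    """
    raw = policy.encode("utf-8")
    params = {"Policy": cf_b64(raw), "Signature": cf_b64(sign(raw)),
              "Key-Pair-Id": key_pair_id}
    return url + ("&" if "?" in url else "?") + urlencode(params)


def signed_cookies(policy: str, sign: Callable[[bytes], bytes],
                   key_pair_id: str = KEY_PAIR_ID) -> dict:
    """Same policy and signature delivered as cookies, so the URLs stay unchanged."""
    raw = policy.encode("utf-8")
    return {"CloudFront-Policy": cf_b64(raw),
            "CloudFront-Signature": cf_b64(sign(raw)),
            "CloudFront-Key-Pair-Id": key_pair_id}
```

Because the policy names a resource pattern, one set of cookies can cover many files under the same path, which is the multiple-files case noted above.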
The following are some of the features/capabilities of CloudFront Geo Restriction:
One can restrict who can access the content based on the country
A country is determined using a third-party Geo-IP database
The Allowlist allows users to access the content only if they are in one of the countries on a list of approved countries
The Blocklist prevents users from accessing the content if they are in one of the countries on a list of banned countries
Useful in cases where copyright laws restrict access to some content
The following are some of the features/capabilities of CloudFront Pricing Classes:
The cost of data transfer out (per GB) from the edge locations varies by the Region of the edge location
One can reduce the number of edge locations used in order to optimize cost
Price Class All includes all Regions and all edge locations and hence is the most expensive
Price Class 200 includes most edge locations, but excludes those in the most expensive Regions
Price Class 100 includes only edge locations in the least expensive Regions
The following are some of the features/capabilities of CloudFront Cache Invalidations:
By default, the content from the origin is refreshed only after the cache TTL has expired
In some use-cases we may want users to see the latest content immediately; in that case one can force a full or partial cache refresh by performing a CloudFront Invalidation
One can invalidate all the files with "*" or only some files using a path pattern such as "/docs/*"
The following are some of the features/capabilities of CloudFront SSL/TLS:
The certificate for a distribution can be issued by AWS Certificate Manager (ACM) from the us-east-1 Region (for global use)
Can also be issued by a trusted third-party Certificate Authority (CA)
The default CloudFront domain name can be replaced with a custom domain name using a Route 53 CNAME record
The S3 origin has its own TLS certificate, which CANNOT be changed
A custom backend origin can use a third-party issued or an ACM issued TLS certificate
Origin certificates MUST be public certificates
AWS Global Accelerator
AWS Global Accelerator is a service which allows one to create accelerators to improve the performance of applications for both local and global users.
The following is the summary of the various features/capabilities of Global Accelerator:
Leverages the AWS global network to route traffic to the customer application for predictable performance
End users connect to the nearest edge location and from there the traffic is routed over the reliable, low-latency AWS global network (without going through the public Internet)
Each accelerator provides TWO static anycast IP addresses, which are associated with the application in Route 53
Works with Elastic IPs, EC2 Instances, ALBs and NLBs, which can be either public or private
Intelligent routing to the lowest-latency endpoint and fast regional failover
Supports Health Checks on the deployed application
Only two external IP addresses need to be whitelisted by the end clients
Provides automatic DDoS protection through AWS Shield