updated: 22nd of December 2023
published: 16th of May 2023
CloudFront is a fully managed content delivery network that caches content in locations physically close to the users.
A CloudFront Distribution is a collection of configurations that define the deployment.
Edge locations are the distributed points-of-presence that store content in a local cache and are closest to the users.
A Regional Edge Cache is a larger version of an Edge Location. Regional Edge Caches act as an intermediate caching layer between the Origin and the Edge Locations.
Behaviours define which content is cached and also the caching parameters.
CloudFront Behaviours have the following characteristics.
An Origin is the source location of the content. An Origin can either be an S3 Origin or a Custom Origin.
The Time-to-Live value specifies how long content is cached before it is considered stale and needs to be refreshed.
The following points describe TTL.
Cache invalidations allow you to manually expire objects from CloudFront.
The following points describe Invalidations.
The AWS Certificate Manager (ACM) service is a fully managed, regionally resilient service that enables the use of digital certificates for web-based services. Digital certificates allow the use of Transport Layer Security (TLS) encryption over the HTTPS protocol.
ACM has the following characteristics.
CloudFront distributions support SSL by default using the *.cloudfront.net wildcard certificate that matches all CloudFront distributions.
Alternate domain names can be used by leveraging CNAMEs; however, domain ownership must be verified using a matching certificate.
Certificates can be Generated by ACM or imported to ACM by an administrator.
Server Name Indication (SNI) is an extension to the TLS protocol which allows multiple website domains to be hosted on a single IP address.
SNI was added as an extension to TLS in 2003; however, some older (ancient) browsers do not support SNI.
Origin Access Identity (OAI) is a legacy method of controlling access to S3 from CloudFront. It is used to prevent users from bypassing CloudFront and accessing S3 directly.
OAI is an identity that can be associated with a CloudFront distribution. The OAI is then granted access to the S3 bucket via a Bucket Policy.
Origin Access Control (OAC) is the current method of controlling access to S3 from CloudFront. The following features are supported by OAC but are not available with OAI without a workaround.
To secure a Custom Origin there are a couple of options.
CloudFront can be configured to add a custom header to the request. In the case of an S3 origin, a bucket policy can be used to restrict traffic to only requests with the custom header.
A Network Security Group (NSG) or Firewall can be used to restrict traffic to the Custom Origin based on the published IP address ranges of CloudFront.
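The two Custom Origin protections above (the custom header check and the CloudFront IP-range allow list) combined into one origin-side check, as an added example that is not part of the original notes. The ip-ranges.json excerpt is a constructed sample in the format AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json, and the header name and secret are hypothetical values.

```python
import hmac
import ipaddress
import json

# Constructed excerpt in the format of AWS's published ip-ranges.json
# (https://ip-ranges.amazonaws.com/ip-ranges.json); the prefixes below are
# sample values, not real CloudFront ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2023-12-22-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:cf::/48", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})

# Hypothetical shared secret that the distribution adds as a custom origin
# header; in practice it lives in a secrets store and is rotated, not hard-coded.
ORIGIN_HEADER_NAME = "x-origin-verify"
ORIGIN_HEADER_SECRET = "example-secret-rotate-me"


def cloudfront_networks(ip_ranges_json):
    """Return the CloudFront IPv4 and IPv6 networks from an ip-ranges.json document."""
    doc = json.loads(ip_ranges_json)
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in doc["prefixes"] if p["service"] == "CLOUDFRONT"]
    nets += [ipaddress.ip_network(p["ipv6_prefix"])
             for p in doc["ipv6_prefixes"] if p["service"] == "CLOUDFRONT"]
    return nets


def is_from_cloudfront(client_ip, networks):
    """True when the TCP peer address falls inside a published CloudFront prefix."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def request_allowed(client_ip, headers, networks):
    """Accept only requests that arrive from a CloudFront prefix AND carry the
    expected custom header. Header names are case-insensitive, and the secret
    comparison is constant-time so a timing difference cannot leak it."""
    if not is_from_cloudfront(client_ip, networks):
        return False
    presented = {k.lower(): v for k, v in headers.items()}.get(ORIGIN_HEADER_NAME, "")
    return hmac.compare_digest(presented, ORIGIN_HEADER_SECRET)
```

Refresh the prefix list whenever the published file's syncToken changes; a stale allow list will start rejecting legitimate edge traffic.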
Geo Restrictions can be used to restrict access to content based on a user's geographic location. There are 2 options for Geo Restrictions with CloudFront.
CloudFront Geo Restrictions are applied globally to the distribution. The following points describe CloudFront Geo Restrictions.
3rd Party Geo Location allows for Geo Restriction that is applied per behaviour. The following points describe 3rd Party Geo Location.
CloudFront has 2 options for object visibility: Public or Private. Visibility can be configured with a single behaviour for the entire distribution (either Public or Private), or with multiple behaviours, each being Public or Private.
Public objects are available to anyone with the URL. This is the default configuration for CloudFront distributions.
Private objects are only available to users who have been granted access to the object. This is configured via a signed URL or signed cookie. The following points describe access to private objects.
Field-Level Encryption allows for the encryption of specific fields of application data within a request. Field-Level Encryption uses a public/private key pair. Sensitive fields are encrypted using the public key at the Edge Location. The private key is used to decrypt the data at the Origin.
Lambda@Edge is an extension of AWS Lambda that lets you deploy Python and Node.js functions at Amazon CloudFront edge locations. Lambda@Edge functions can be executed in the following 4 scenarios.
The following diagram shows an example CloudFront architecture.
The following points describe the above diagram.