
AWS CloudFront


CloudFront is the AWS CDN (Content Delivery Network) service.


CloudFront offers:

DDoS protection for the web tier: every distribution gets AWS Shield Standard at no extra cost, and Shield Advanced can be added
integration with AWS WAF, so web application firewall rules are applied at the edge before a request reaches the origin
faster reads of web content through caching at edge locations (216 worldwide when these notes were written; the number keeps rising)


HTTPS is supported on both legs: viewer to CloudFront (with an ACM certificate for your own domain name) and, optionally, CloudFront to origin. The origin leg is where the TLS certificate limitations sit: the origin must present a certificate from a publicly trusted CA whose name matches the origin domain (self-signed certificates are rejected), and S3 static website endpoints only speak HTTP, so for those the origin protocol has to be HTTP.


Origins CloudFront can be used with:

S3 bucket origin, locked down with a CloudFront Origin Access Identity (OAI) or, on current distributions, Origin Access Control (OAC)

An OAI is not an IAM role or user. It is a special CloudFront principal that you grant s3:GetObject in the bucket policy, so the bucket stays private (Block Public Access on) and objects are only reachable through the distribution. OAC is its successor: CloudFront signs origin requests with SigV4 as the cloudfront.amazonaws.com service principal, the grant is scoped to one distribution with an aws:SourceArn condition, and it works with SSE-KMS encrypted objects, which OAI does not.
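As an added example (not from these notes), the three bucket-policy shapes side by side, built in Python: the public-read shortcut that makes the distribution bypassable, the legacy OAI grant, and the OAC grant, plus a small checker that flags anonymous read. The bucket name, account ID, distribution ID and OAI ID are made-up placeholders.

```python
"""S3 bucket policies for a CloudFront origin: the public-read shortcut beside
the restricted forms (legacy OAI and current OAC), plus a checker that flags
anonymous read.  Added example, not from the original notes; bucket name,
account id, distribution id and OAI id are placeholders (assumptions)."""
import json

BUCKET = "example-static-site"       # assumed bucket name
ACCOUNT_ID = "111122223333"          # assumed AWS account id
DISTRIBUTION_ID = "EDFDVBD6EXAMPLE"  # assumed CloudFront distribution id
OAI_ID = "E2QWRUHAPOMQZL"            # assumed origin access identity id


def public_read_policy(bucket):
    """The shortcut that 'just works': any anonymous client can read every object,
    so WAF, geo restriction and signed URLs on the distribution can be bypassed by
    fetching from the bucket directly."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def oai_policy(bucket, oai_id):
    """Legacy Origin Access Identity: a CloudFront-owned principal, not an IAM role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontOAI", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/"
                             f"CloudFront Origin Access Identity {oai_id}"},
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def oac_policy(bucket, account_id, distribution_id):
    """Origin Access Control: grants the CloudFront service principal, scoped to
    exactly one distribution via SourceArn, so another account's distribution
    pointed at this bucket gets nothing."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalReadOnly", "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn":
            f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_is_anonymous(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def grants_anonymous_read(policy):
    """True if an Allow statement lets an anonymous principal read objects with no
    Condition attached (conservative: any unconditioned wildcard read counts)."""
    reads = {"s3:getobject", "s3:*", "*"}
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_anonymous(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & reads and not st.get("Condition"):
            return True
    return False


if __name__ == "__main__":
    for name, pol in (("public", public_read_policy(BUCKET)),
                      ("oai", oai_policy(BUCKET, OAI_ID)),
                      ("oac", oac_policy(BUCKET, ACCOUNT_ID, DISTRIBUTION_ID))):
        print(f"--- {name}: anonymous read = {grants_anonymous_read(pol)}")
        print(json.dumps(pol, indent=2))
```

The checker is the kind of guard you would run in CI over every bucket policy that fronts a CloudFront origin; the OAC form is the one to deploy for new distributions, and the OAI form is shown only so you can recognise it in existing accounts.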



The S3 origin is not read-only from CloudFront's side: if the cache behaviour allows PUT and POST, CloudFront can also be used to upload files to S3, i.e. as an ingress path.

The other origin type is a Custom Origin (HTTP), which can be:

an ALB
an EC2 instance
an S3 website endpoint (the bucket must have static website hosting enabled)
any HTTP backend, e.g. an on-premises web server


Two different architectures are possible with CloudFront in front of EC2, depending on whether an ALB sits between them.


If EC2 is the origin (the origin is the server that holds the original content), the instance must be reachable from the internet: it needs a public IP or DNS name, and its security group must allow inbound HTTP/HTTPS from CloudFront.

"Public access" here should mean CloudFront's origin-facing address ranges, not 0.0.0.0/0: use the AWS-managed prefix list com.amazonaws.global.cloudfront.origin-facing as the source of the security group rule.

If an ALB is in front, the ALB is the origin. It must be internet-facing and its security group allows inbound from the CloudFront prefix list; the EC2 instances can then sit in private subnets with a security group that only admits traffic from the ALB's security group, so they need no public access at all.

Either way, an IP-based rule only proves the request came from CloudFront, not from your distribution. The usual extra check is a secret custom header that the distribution adds to origin requests and that the ALB listener rule (or the web server) requires.



these are two different architectures – be sure to understand for the exam!




The edge location serves cached content that originally came from your origin, whether that is an S3 bucket, an ALB, an EC2 instance or another HTTP backend.

A viewer's request for the distribution's domain name resolves to a nearby edge location. On a cache hit the edge answers directly; on a miss it fetches the object from the origin over the public internet, caches it for the object's TTL and returns it to the viewer.

That origin fetch is ordinary inbound internet traffic, so it passes through the origin's security group: an EC2 or ALB origin must have a public IP or DNS name and allow inbound HTTP(S) from CloudFront's origin-facing address ranges. AWS publishes those ranges in ip-ranges.json under the service name CLOUDFRONT_ORIGIN_FACING and as the managed prefix list com.amazonaws.global.cloudfront.origin-facing.
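The security-group point above, as an added example that is not part of the original notes: deriving the origin-facing source ranges from AWS's published ip-ranges.json (service CLOUDFRONT_ORIGIN_FACING) and building the EC2 IpPermissions rule from them, beside the 0.0.0.0/0 rule that a literal reading of "must allow public access" produces. The ip-ranges document embedded in the script is constructed from documentation addresses so it runs offline; the real file is at https://ip-ranges.amazonaws.com/ip-ranges.json. In production you would reference the managed prefix list com.amazonaws.global.cloudfront.origin-facing and let AWS keep it current; the script shows what that list contains and why the wide-open rule admits far more than CloudFront.

```python
"""Deriving an origin security-group rule from CloudFront's published address
ranges.  Added example, not from the original notes.

AWS publishes https://ip-ranges.amazonaws.com/ip-ranges.json; the ranges
CloudFront uses to connect to origins carry service "CLOUDFRONT_ORIGIN_FACING"
(plain "CLOUDFRONT" entries are viewer-facing and are not needed at the origin).
The JSON below is CONSTRUCTED from RFC 5737 / RFC 3849 documentation addresses
so the script runs offline; it is not real AWS data.
"""
import ipaddress
import json

SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/25", "region": "GLOBAL",
         "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL"},
        {"ip_prefix": "192.0.2.128/25", "region": "GLOBAL",
         "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL"},
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL",
         "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1",
         "service": "EC2", "network_border_group": "eu-west-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/48", "region": "GLOBAL",
         "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL"},
    ],
})


def origin_facing_networks(ip_ranges_json):
    """Networks CloudFront connects to origins from, with adjacent blocks merged."""
    doc = json.loads(ip_ranges_json)
    v4 = [ipaddress.ip_network(p["ip_prefix"]) for p in doc["prefixes"]
          if p["service"] == "CLOUDFRONT_ORIGIN_FACING"]
    v6 = [ipaddress.ip_network(p["ipv6_prefix"]) for p in doc["ipv6_prefixes"]
          if p["service"] == "CLOUDFRONT_ORIGIN_FACING"]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def ingress_rule(networks, port=443):
    """One EC2 IpPermissions entry (the shape authorize-security-group-ingress
    accepts) admitting only the given networks on `port`."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": str(n), "Description": "CloudFront origin-facing"}
                     for n in networks if n.version == 4],
        "Ipv6Ranges": [{"CidrIpv6": str(n), "Description": "CloudFront origin-facing"}
                       for n in networks if n.version == 6],
    }


# What "the security group must allow public access" becomes if taken literally.
WIDE_OPEN_RULE = {
    "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
}


def _rule_networks(rule):
    for r in rule.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"])
    for r in rule.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"])


def source_allowed(rule, src_ip, port=443):
    """Would this rule admit a TCP connection from src_ip to port?"""
    if not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in n for n in _rule_networks(rule) if n.version == ip.version)


def is_wide_open(rule):
    """True if the rule admits the whole internet (0.0.0.0/0 or ::/0)."""
    return any(n.prefixlen == 0 for n in _rule_networks(rule))


if __name__ == "__main__":
    rule = ingress_rule(origin_facing_networks(SAMPLE_IP_RANGES))
    print(json.dumps(rule, indent=2))
    for ip in ("192.0.2.77", "198.51.100.5", "203.0.113.9"):
        print(ip, "allowed" if source_allowed(rule, ip) else "denied",
              "| wide-open rule:", source_allowed(WIDE_OPEN_RULE, ip))
```

Note that the viewer-facing CLOUDFRONT range (198.51.100.0/24 in the constructed sample) is correctly excluded: edges never connect to your origin from those addresses, so listing them only widens the rule.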




CF Geo Restriction


You can allow-list or block-list viewers by country, e.g. for copyright or licensing reasons. CloudFront decides from the viewer's IP address using a GeoIP database and returns HTTP 403 to viewers from blocked countries.


What is the difference between CloudFront and S3 Cross Region Replication?

CloudFront:

a global edge network
caches objects at the edge for their TTL (default 24 hours), so an updated origin object is served only after the cached copy expires or is invalidated
good for static content that must be available at low latency everywhere

S3 Cross Region Replication:

must be set up for each destination region you want to replicate to (versioning is required on both source and destination bucket)
objects are replicated in near real time
the replica is read-only in practice: you write to the source bucket and read from the replica
good for dynamic content that needs to be available at low latency in a few regions


