CloudFront is the AWS CDN (Content Delivery Network) service.
DDoS protection against attacks on web servers
integration with web application firewalls (AWS WAF) and AWS Shield
improved read performance for web content through caching at edge locations (currently 216 edge locations globally, number steadily increasing), i.e. content caching
can use HTTPS for external (viewer) traffic and can also forward traffic to the origin over HTTPS – the latter is not always possible due to TLS certificate limitations on the origin
can be used with the following origins:
S3 bucket, using a CloudFront Origin Access Identity (CF OAI)
– this is an IAM role used for CloudFront connections to S3.
two options for getting content to S3 via CloudFront:
you can use CF to upload files to S3, i.e. ingress traffic
the other option is to use a Custom Origin (HTTP):
can be an ALB
can be an EC2 instance
can be an S3 website – the bucket must be enabled as a static website
can be any HTTP backend, e.g. an on-premises web server
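The point of the OAI is that the bucket should be readable only through CloudFront, never directly. The following is an added example (not from these notes and not AWS's own code) that builds the S3 bucket policy granting read access solely to an OAI, and a small check that flags any Allow statement whose principal is not an OAI, which is the misconfiguration that lets users bypass the CDN. The bucket name and OAI id are constructed placeholders.

```python
import json

# Constructed placeholder values; replace with your own bucket and OAI id.
BUCKET = "example-static-site-bucket"
OAI_ID = "EXAMPLEOAIID123"

# Principal ARN format AWS uses for a CloudFront Origin Access Identity.
OAI_PRINCIPAL_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Bucket policy that lets only the given CloudFront OAI read objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIRead",
                "Effect": "Allow",
                "Principal": {"AWS": OAI_PRINCIPAL_PREFIX + oai_id},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def _principals(statement: dict) -> list:
    """Normalise the Principal element of a statement to a flat list."""
    p = statement.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        out = []
        for v in p.values():
            out.extend(v if isinstance(v, list) else [v])
        return out
    return []


def non_oai_allows(policy: dict) -> list:
    """Return the Sids of Allow statements whose principal is not a CloudFront
    OAI, i.e. statements that make the bucket readable without going through CF."""
    bad = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for pr in _principals(st):
            if not (isinstance(pr, str) and pr.startswith(OAI_PRINCIPAL_PREFIX)):
                bad.append(st.get("Sid", "<no sid>"))
                break
    return bad


# Constructed example of the policy that should NOT be on a CloudFront-fronted bucket.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

if __name__ == "__main__":
    locked = oai_bucket_policy(BUCKET, OAI_ID)
    print(json.dumps(locked, indent=2))
    print("non-OAI allows in locked policy:", non_oai_allows(locked))
    print("non-OAI allows in public policy:", non_oai_allows(PUBLIC_READ_POLICY))
```

Pair this policy with S3 Block Public Access on the bucket; the OAI grant still works because it is a specific principal, not a public one.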
two different architectures are possible, according to whether or not you have an ALB in front of the origin with CF.
if EC2 is the origin ("origin" means the original site of your website content), then the security group of the EC2 instance must allow public access,
i.e. it must allow the edge location sites to reach the EC2 instance.
if an ALB is attached, then the ALB security group MUST be public – but the EC2 instance can in this case be private, i.e. it need not allow public access. in this case your ALB is your "origin".
these are two different architectures – be sure to understand them for the exam!
the edge location always serves cached content that originally came from your "origin", e.g. your S3 site.
so, web users send a request to your CDN CF IP at the edge location – if the content is not already present at the CF edge location, CloudFront forwards the request to your S3 bucket (the origin) and sends the result back to the edge location, where it is cached and served.
the request traverses the origin's security group, so the EC2 instances (the origin) must have a public IP and their security group must allow the public IPs of the edge locations.
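"Allow the edge locations" should not mean 0.0.0.0/0 on the origin: the tighter rule is to admit only CloudFront's published address ranges, and to watch the origin's access log for requests that did not come from those ranges (a direct hit that bypassed the CDN and its WAF). The following added example (not from these notes or from AWS) parses a JSON document in the shape of AWS's published ip-ranges.json, extracts the CLOUDFRONT prefixes, turns them into boto3-style security-group ingress rules for port 443, and flags access-log lines whose client IP is outside those ranges. The embedded ip-ranges sample and log lines are constructed, using documentation address blocks rather than real CloudFront ranges.

```python
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The CIDRs are RFC 5737 / RFC 3849 documentation ranges, NOT real CloudFront addresses.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:cf::/48", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
    ],
})


def cloudfront_prefixes(ip_ranges_json: str) -> list:
    """Return every IPv4 and IPv6 prefix whose service is CLOUDFRONT."""
    data = json.loads(ip_ranges_json)
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in data.get("prefixes", []) if p["service"] == "CLOUDFRONT"]
    nets += [ipaddress.ip_network(p["ipv6_prefix"])
             for p in data.get("ipv6_prefixes", []) if p["service"] == "CLOUDFRONT"]
    return nets


def origin_ingress_rules(nets, port: int = 443) -> list:
    """Security-group ingress (boto3 IpPermissions shape) that admits only the
    given networks on the origin port, instead of a blanket 0.0.0.0/0 rule."""
    v4 = [{"CidrIp": str(n)} for n in nets if n.version == 4]
    v6 = [{"CidrIpv6": str(n)} for n in nets if n.version == 6]
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": v4, "Ipv6Ranges": v6}]


def is_from_cloudfront(client_ip: str, nets) -> bool:
    """True if the client address falls inside any CloudFront prefix."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in n for n in nets)


def direct_origin_hits(access_log_lines, nets) -> list:
    """Given common-log-format lines (first field = client IP), return the IPs
    that did not come from a CloudFront edge, i.e. requests that hit the origin directly."""
    hits = []
    for line in access_log_lines:
        ip = line.split()[0]
        if not is_from_cloudfront(ip, nets):
            hits.append(ip)
    return hits


# Constructed web-server access-log lines.
SAMPLE_LOG = [
    '198.51.100.17 - - [01/Jan/2024:00:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:00:00:02 +0000] "GET /admin HTTP/1.1" 403 0',
    '2001:db8:cf::1 - - [01/Jan/2024:00:00:03 +0000] "GET /logo.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    nets = cloudfront_prefixes(SAMPLE_IP_RANGES)
    print(json.dumps(origin_ingress_rules(nets), indent=2))
    print("direct origin hits:", direct_origin_hits(SAMPLE_LOG, nets))
```

In a real account the same effect is available with less maintenance through the AWS-managed prefix list com.amazonaws.global.cloudfront.origin-facing, which can be referenced in the origin's security group directly; the log check above still applies as a detection for bypass traffic.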
CF Geo Restriction
You can whitelist or blacklist users from specific countries, e.g. for copyright or similar reasons.
What is the difference between CF and S3 Cross Region Replication?
CloudFront:
a global edge network
caches content for a short TTL
good for static content
S3 Cross Region Replication:
must be set up for each region you want to replicate to
files are updated in near real time
good for dynamic content that needs to be available at low latency in a few regions