Tags Archives: cloudfront

AWS CloudFront

CloudFront is the AWS CDN Content Delivery Service

 

CF offers:

 

ddos protection against webserver attacks
web application firewalls WAF and Shield
improved web content read service through edge region caching (currently 216 edge locations globally, number steadily increasing) ie content caching

 

can use both https for external traffic and also forward https traffic internally – latter not usually possible due to TLS certificate limitations

 

can be used for:

 

s3 buckets CF origin access identity or CF OAI

 

– this is an IAM role used for CloudFront connections to S3.

 

 

two ways to upload content to S3:

 

first,

you can  use CF to upload files to S3 – ie ingress traffic

 

secondly,
other option is to use Custom Origin http

 

can use ALB
can use EC2 Instance
can use S3 website – must enable the bucket as a static web instance
any http backend eg on premises webserver

 

two different architectures are possible acc to whether you have an ALB or not with CF.

 

if EC2 is the origin, (origin means your website content original site) then the security group for the EC2 must allow public access

 

ie the edge location sites to access the EC2 instance

 

if an ALB is attached, then the ALB security group MUST be public – but the EC2 instance can in this case be private access, ie need not give public access. in this case your ALB is your “origin”. 

 

 

these are two different architectures – be sure to understand for the exam!

 

 

 

the edge location always serves cached content originally from your S3 site ie your “origin”.

 

 

so, web users send request to your CDN CF IP at the edge location – if the content is not already present on the CF Edge Location then it forwards the request to your S3 bucket and sends the result back to the edge location of your CF ip… 

 

 

it traverses the security group, so the ip of the ec2 instances ie the origin, must be public and allow public ip of the edge location

 

 

 

CF Geo Restriction

 

You can whitelist or blacklist users from specific countries, eg for copyright etc reasons.

 

What is the difference between CF and S3 Cross Region Replication?

 

CF:

 

a global edge network

caches for a short TTL
good for static content

 

S3 Cross Region Replication:

 

must be set up for each region you want to replicate

 

files updated in near real-time

 

read only

 

good for dynamic content that needs to be available at low-latency in a few regions

 

 

Continue Reading