
Amazon CloudFront

  • Content Delivery Network (CDN) service from AWS.
  • Distributes content globally to reduce latency and improve end-user experience.
  • Improves read performance by caching content at AWS edge locations closer to users.
  • Provides global scale with 216+ Points of Presence (PoPs), including edge locations and regional edge caches.
  • Enhances availability and resilience through distributed architecture.
  • Offers DDoS protection through its global distribution and native integration with AWS Shield, plus application-layer filtering through AWS WAF.

How It Works

CloudFront delivers content through a network of edge locations that cache responses from your origin (e.g., S3 bucket, EC2 instance, Application Load Balancer, or external HTTP server). When a user requests an object:
  1. The request is routed to the nearest edge location based on latency.
  2. If the content is already cached there (cache hit), it is returned immediately.
  3. If not cached (cache miss), CloudFront retrieves it from the origin, caches it at the edge, and then serves it to the user.
This reduces the load on the origin and speeds up future requests.

Edge Network Structure

  • Edge Locations (blue dots): Smaller, globally distributed servers that cache and deliver content directly to users.
  • Multiple Edge Locations (purple circles): Areas with a high concentration of edge servers for high-demand regions.
  • Regional Edge Caches (orange rings): Larger, strategically placed caches that sit between edge locations and the origin. They store content for longer periods and reduce origin fetches when an object is not found in a local edge location.
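To make the hit/miss flow and the two cache tiers concrete, here is a small model of an edge location backed by a regional edge cache, with TTL expiry and invalidation. This is an added illustration written for these notes, not AWS code and not how CloudFront is implemented internally; the object names, TTL, edge names and request sequence are constructed for the example.

```python
"""Two-tier cache model: edge location -> regional edge cache -> origin.

Added illustration (not AWS code): it models the hit/miss flow described in the notes
so you can count how many requests actually reach the origin. Object names, TTLs and
the request sequence below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class CacheTier:
    name: str
    store: dict = field(default_factory=dict)  # key -> (value, expires_at)

    def get(self, key, now):
        entry = self.store.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if now >= expires_at:        # TTL elapsed: treat as a miss and evict
            del self.store[key]
            return None
        return value

    def put(self, key, value, ttl, now):
        self.store[key] = (value, now + ttl)

    def invalidate(self, key):
        self.store.pop(key, None)


class Origin:
    def __init__(self, objects):
        self.objects = objects
        self.fetches = 0           # every call here is load the CDN failed to absorb

    def fetch(self, key):
        self.fetches += 1
        return self.objects[key]


class CdnModel:
    def __init__(self, origin, edge_names, ttl):
        self.origin = origin
        self.ttl = ttl
        self.regional = CacheTier("regional")
        self.edges = {n: CacheTier(n) for n in edge_names}
        self.log = []              # (edge, key, outcome) per request

    def request(self, edge_name, key, now):
        edge = self.edges[edge_name]
        value = edge.get(key, now)
        if value is not None:
            self.log.append((edge_name, key, "edge-hit"))
            return value
        # Edge miss: try the regional edge cache before going to the origin.
        value = self.regional.get(key, now)
        if value is not None:
            self.log.append((edge_name, key, "regional-hit"))
        else:
            value = self.origin.fetch(key)
            self.regional.put(key, value, self.ttl, now)
            self.log.append((edge_name, key, "origin-fetch"))
        edge.put(key, value, self.ttl, now)
        return value

    def invalidate(self, key):
        # A cache invalidation removes the object from every tier, so the next
        # request fetches the new version from the origin before the TTL expires.
        self.regional.invalidate(key)
        for edge in self.edges.values():
            edge.invalidate(key)


def run_scenario():
    """Constructed sequence; returns (origin fetches, outcome per request, last value)."""
    origin = Origin({"/index.html": "v1"})
    cdn = CdnModel(origin, ["lhr", "fra"], ttl=60)
    cdn.request("lhr", "/index.html", now=0)    # cold everywhere: origin fetch
    cdn.request("lhr", "/index.html", now=10)   # edge hit
    cdn.request("fra", "/index.html", now=20)   # fra edge is cold, regional cache serves it
    cdn.request("fra", "/index.html", now=90)   # TTL expired in every tier: origin fetch
    origin.objects["/index.html"] = "v2"        # deploy a new version
    cdn.invalidate("/index.html")
    latest = cdn.request("lhr", "/index.html", now=95)  # invalidated: origin serves v2
    return origin.fetches, [entry[2] for entry in cdn.log], latest
```

The third request is the one the regional edge cache is for: the `fra` edge had never seen the object, but the origin is not contacted because the regional tier still holds it. Without that tier the scenario would cost the origin four fetches instead of three.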

Key Benefits

  • Reduced Latency: Content is delivered from the nearest physical location to the user.
  • Scalability: Can handle sudden traffic spikes without affecting origin performance.
  • Security: Integrated with AWS Shield (standard protection included) and AWS WAF for application-level security.
  • Cost Optimization: Offloads requests from origin servers, reducing compute and storage costs.
  • Customizable Caching: Supports fine-grained TTL (Time-to-Live) and cache invalidation.
  • HTTPS Everywhere: Native SSL/TLS encryption, free SSL certificates via AWS Certificate Manager.

Topics covered in the remaining sections of these notes:
  • CloudFront – Origins
  • CloudFront – High-Level Flow
  • CloudFront – S3 as an Origin
  • CloudFront – ALB or EC2 as an Origin (VPC Origins)
  • CloudFront – ALB or EC2 as an Origin (Public Network)
  • CloudFront – Geo Restriction
  • CloudFront – Pricing
  • CloudFront – Cache Invalidations

Additional Notes:
Amazon CloudFront can route to multiple origins based on the content type
You can configure a single Amazon CloudFront web distribution to serve different types of requests from multiple origins. For example, if you are building a website that serves static content from an Amazon Simple Storage Service (Amazon S3) bucket and dynamic content from a load balancer, you can serve both types of content from one Amazon CloudFront web distribution, using cache behaviors with path patterns to decide which origin handles each request.
Use an origin group with primary and secondary origins to configure Amazon CloudFront for high-availability and failover
You can set up Amazon CloudFront with origin failover for scenarios that require high availability. To get started, you create an origin group with two origins: a primary and a secondary. If the primary origin is unavailable or returns specific HTTP response status codes that indicate a failure, CloudFront automatically switches to the secondary origin.
To set up origin failover, you must have a distribution with at least two origins. Next, you create an origin group for your distribution that includes two origins, setting one as the primary. Finally, you create or update a cache behavior to use the origin group.
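The two notes above (routing by path pattern, and an origin group with a primary and a secondary) can be expressed as pieces of a CloudFront `DistributionConfig`. The following added example, which is not code from these notes or from AWS, assembles those pieces in the shape the CloudFront API uses (`Origins`, `OriginGroups`, `CacheBehaviors`, `DefaultCacheBehavior`) and models how CloudFront picks an origin for a request. Origin ids, domain names and path patterns are constructed placeholders, and the origin entries are trimmed to the fields the example needs (a real `Origins` item also carries `S3OriginConfig` or `CustomOriginConfig`).

```python
"""Route requests to multiple origins by path pattern and fail over inside an origin group.

Added example, not from the notes or AWS: builds the relevant parts of a CloudFront
DistributionConfig and models origin selection. Origin ids, domain names and path
patterns are constructed placeholders.
"""
from fnmatch import fnmatchcase

# Status codes CloudFront accepts in an origin group's FailoverCriteria.
ALLOWED_FAILOVER_CODES = {500, 502, 503, 504, 403, 404}


def origin_group(group_id, primary_id, secondary_id, status_codes):
    codes = sorted(set(status_codes))
    unsupported = set(codes) - ALLOWED_FAILOVER_CODES
    if unsupported:
        raise ValueError(f"not valid failover status codes: {sorted(unsupported)}")
    return {
        "Id": group_id,
        "FailoverCriteria": {"StatusCodes": {"Quantity": len(codes), "Items": codes}},
        "Members": {"Quantity": 2,
                    "Items": [{"OriginId": primary_id}, {"OriginId": secondary_id}]},
    }


def build_config():
    """Static content from S3 (with a failover bucket), dynamic content from an ALB."""
    origins = [
        {"Id": "s3-primary", "DomainName": "static-primary.s3.eu-west-2.amazonaws.com"},
        {"Id": "s3-secondary", "DomainName": "static-secondary.s3.us-east-1.amazonaws.com"},
        {"Id": "alb-api", "DomainName": "api-alb-123456.eu-west-2.elb.amazonaws.com"},
    ]
    group = origin_group("static-failover", "s3-primary", "s3-secondary", [500, 502, 503, 504])
    return {
        "Origins": {"Quantity": len(origins), "Items": origins},
        "OriginGroups": {"Quantity": 1, "Items": [group]},
        # Ordered cache behaviors are evaluated first, in order; the default is the fallback.
        "CacheBehaviors": {"Quantity": 1, "Items": [
            {"PathPattern": "/api/*", "TargetOriginId": "alb-api"},
        ]},
        "DefaultCacheBehavior": {"TargetOriginId": "static-failover"},
    }


def target_for_path(config, path):
    """Return the TargetOriginId of the first cache behavior whose pattern matches."""
    for behavior in config["CacheBehaviors"]["Items"]:
        if fnmatchcase(path, behavior["PathPattern"]):
            return behavior["TargetOriginId"]
    return config["DefaultCacheBehavior"]["TargetOriginId"]


def resolve_origin(config, target_id, primary_status=None):
    """Map a behavior target to the origin that actually serves the request.

    If the target is an origin group, the primary serves unless its response status
    is in the group's failover list, or it could not be reached at all (modelled
    here as primary_status=None).
    """
    for group in config["OriginGroups"]["Items"]:
        if group["Id"] == target_id:
            primary, secondary = (m["OriginId"] for m in group["Members"]["Items"])
            failover_codes = set(group["FailoverCriteria"]["StatusCodes"]["Items"])
            if primary_status is None or primary_status in failover_codes:
                return secondary
            return primary
    return target_id  # plain origin, no failover
```

A cache behavior that targets an origin group can only use the group for reads; note also that a request only fails over when the primary returns one of the listed codes or is unreachable, so a primary that returns a 200 with stale content is never retried against the secondary.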
Use field level encryption in Amazon CloudFront to protect sensitive data for specific content
Field-level encryption allows you to enable your users to securely upload sensitive information to your web servers. The sensitive information provided by your users is encrypted at the edge, close to the user, and remains encrypted throughout your entire application stack. This encryption ensures that only applications that need the data, and have the credentials to decrypt it, are able to do so.
To use field-level encryption, when you configure your Amazon CloudFront distribution, specify the set of fields in POST requests that you want to be encrypted, and the public key to use to encrypt them. You can encrypt up to 10 data fields in a request. (You can't encrypt all of the data in a request with field-level encryption; you must specify individual fields to encrypt.)
Request a public certificate from AWS Certificate Manager (ACM) in the us-east-1 Region and associate it with the CloudFront distribution
CloudFront only supports ACM certificates that are created in the us-east-1 (N. Virginia) Region. Even if the content resides in a different Region (like eu-west-2), a public certificate for HTTPS on a custom domain name must originate from us-east-1. This certificate is used to secure content access through CloudFront over HTTPS.
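Because the region requirement is easy to miss when the rest of the stack lives elsewhere, a deployment script can check the certificate ARN before it touches the distribution. The following added example (not code from these notes or from AWS) parses the ACM certificate ARN, rejects anything outside us-east-1, and returns the `ViewerCertificate` block in the shape the CloudFront API uses; the ARNs are constructed placeholders and the account id is the one used in AWS documentation examples.

```python
"""Validate an ACM certificate ARN for CloudFront and build the ViewerCertificate block.

Added example, not from the notes or AWS. CloudFront accepts only ACM certificates in
us-east-1, so the region field of the ARN is checked up front. ARNs in the usage below
are constructed placeholders.
"""

CLOUDFRONT_ACM_REGION = "us-east-1"


def parse_arn(arn):
    """Split an ARN into its fields: arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"malformed ARN: {arn}")
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))


def validate_cloudfront_cert(arn):
    """Return a list of problems; an empty list means the ARN is usable by CloudFront."""
    fields = parse_arn(arn)
    problems = []
    if fields["service"] != "acm":
        problems.append("not an ACM certificate ARN")
    if fields["region"] != CLOUDFRONT_ACM_REGION:
        problems.append(
            f"certificate is in {fields['region']}, CloudFront requires {CLOUDFRONT_ACM_REGION}")
    if not fields["resource"].startswith("certificate/"):
        problems.append("resource is not certificate/<id>")
    return problems


def viewer_certificate(arn, min_tls="TLSv1.2_2021"):
    """ViewerCertificate block for a custom domain; raises if the ARN is not acceptable."""
    problems = validate_cloudfront_cert(arn)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "ACMCertificateArn": arn,
        "SSLSupportMethod": "sni-only",          # free; vip requires dedicated IPs
        "MinimumProtocolVersion": min_tls,       # security policy offered to viewers
        "CloudFrontDefaultCertificate": False,
    }


if __name__ == "__main__":
    # Constructed ARNs: one in the right region, one in eu-west-2.
    good = "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555"
    bad = "arn:aws:acm:eu-west-2:123456789012:certificate/11111111-2222-3333-4444-555555555555"
    print(viewer_certificate(good))
    print(validate_cloudfront_cert(bad))
```

The `MinimumProtocolVersion` is worth setting explicitly alongside the certificate: it is the TLS policy CloudFront negotiates with viewers, and the default for a custom certificate is not necessarily the strictest one available.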
Set up Amazon S3 to accept uploads from CloudFront by enabling origin access control (OAC)
Origin Access Control (OAC) is the recommended method for granting CloudFront permission to upload to (write into) an S3 bucket securely. OAC supersedes the older Origin Access Identity (OAI) approach and supports both read and write operations. This allows you to restrict direct access to the S3 bucket and ensure that only CloudFront can act as a secure intermediary for uploads.
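The bucket side of this setup is an S3 bucket policy that trusts the CloudFront service principal only for one specific distribution. The following added example (not code from these notes or from AWS) generates the `OriginAccessControlConfig` and that bucket policy in the shapes the CloudFront and S3 APIs use, and includes a small audit function that flags the two common mistakes: a wildcard principal (the bucket becomes public) and a CloudFront principal without an `AWS:SourceArn` condition (any distribution in any account could use the bucket). The bucket name, account id and distribution id are constructed placeholders.

```python
"""Generate and audit the S3 bucket policy and OAC config that let CloudFront read and
write objects.

Added example, not from the notes or AWS. The policy shape (cloudfront.amazonaws.com
service principal scoped by AWS:SourceArn) and the OriginAccessControlConfig fields
follow the CloudFront API; bucket name, account id and distribution id are constructed.
"""
import json


def oac_config(name):
    # Sign every origin request with SigV4 so S3 can verify it came from CloudFront.
    return {
        "Name": name,
        "OriginAccessControlOriginType": "s3",
        "SigningBehavior": "always",
        "SigningProtocol": "sigv4",
    }


def bucket_policy(bucket, distribution_arn, allow_uploads=False):
    """Allow only the named distribution to read (and optionally write) objects."""
    actions = ["s3:GetObject"] + (["s3:PutObject"] if allow_uploads else [])
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": actions,
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # Without this condition, any CloudFront distribution in any account
            # could be pointed at the bucket (a confused-deputy exposure).
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def audit_policy(policy):
    """Return findings for Allow statements that expose the bucket beyond one distribution."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: wildcard principal makes objects public")
            continue
        if isinstance(principal, dict) and principal.get("Service") == "cloudfront.amazonaws.com":
            conditions = st.get("Condition", {}).get("StringEquals", {})
            if "AWS:SourceArn" not in conditions:
                findings.append(
                    f"{sid}: CloudFront principal not scoped to a distribution via AWS:SourceArn")
    return findings


if __name__ == "__main__":
    # Constructed placeholders; the account id is the AWS documentation example account.
    dist_arn = "arn:aws:cloudfront::123456789012:distribution/E1EXAMPLE"
    policy = bucket_policy("my-upload-bucket", dist_arn, allow_uploads=True)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_policy(policy))
```

Two things the policy alone does not cover: the bucket must still block public access (the policy is only reachable by CloudFront because nothing else is allowed), and for uploads the distribution's cache behavior must allow `PUT`/`POST` in its allowed methods, otherwise CloudFront rejects the request before S3 ever sees it.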