Amazon CloudFront is an AWS service that speeds up distribution of customers’ static and dynamic web content, such as .html, .css, .js, and image files, to users. It securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds, all within a developer-friendly environment.
- Amazon CloudFront speeds up the distribution of the content by routing each user request through the AWS backbone network to the edge location that can best serve your content.
- Amazon CloudFront is integrated with AWS – both with the physical locations that are directly connected to the AWS global infrastructure and with other AWS services.
- Amazon CloudFront works seamlessly with services including AWS Shield for DDoS mitigation, Amazon S3, Elastic Load Balancing or Amazon EC2 as origins for your applications, and Lambda@Edge to run custom code closer to customers’ users and to customize the user experience.
- Using AWS origins, customers gain performance, reliability, and ease of use, because AWS can track and adjust origin routes, monitor system health, and respond quickly when issues occur, and because Amazon CloudFront is integrated with other AWS services.
Amazon CloudFront Features
Amazon CloudFront, AWS Shield, AWS Web Application Firewall (WAF), and Amazon Route 53 work seamlessly together to create a flexible, layered security perimeter against multiple types of attacks including network and application layer DDoS attacks. With Amazon CloudFront, customers can deliver their content, APIs or applications via SSL/TLS, and advanced SSL features are enabled automatically.
- Using AWS Certificate Manager (ACM), customers can create a custom SSL certificate and deploy to their CloudFront distribution for free.
To deliver content to end users with lower latency, Amazon CloudFront uses a global network of 216 Points of Presence with 205 Edge Locations and 11 Regional Edge Caches in 84 cities across 42 countries. Amazon CloudFront Edge locations are located in:
- North America with Regional Edge caches being located in Virginia; Ohio; Oregon.
- Europe with Regional Edge caches being located in Frankfurt, Germany; London, England.
- Asia with Regional Edge caches in Mumbai, India; Singapore; Seoul, South Korea; Tokyo, Japan.
- Australia with Regional Edge caches being in Sydney.
- South America with Regional Edge caches located in São Paulo, Brazil.
- Middle East Edge locations in Dubai; Fujairah; Manama; Tel Aviv.
- Africa Edge locations in Cape Town, South Africa; Nairobi, Kenya.
- China Edge locations in Beijing; Shenzhen; Shanghai; Zhongwei.
By using Amazon CloudFront, customers can cache their content in CloudFront’s edge locations worldwide and reduce the workload on the origin by only fetching content from the origin when needed.
- Amazon CloudFront also allows customers to set up multiple origins to enable redundancy in their backend architecture.
- Customers can use CloudFront’s native origin failover capability to automatically serve their content from a backup origin when their primary origin is unavailable.
- The origins that customers set up with origin failover can be any combination of AWS origins, such as EC2 instances, Amazon S3 buckets, or Media Services, and non-AWS origins, such as an on-premises HTTP server.
With Amazon CloudFront, customers can restrict access to their content through a number of capabilities. With Signed URLs and Signed Cookies, they can support Token Authentication to restrict access to only authenticated viewers.
- Through geo-restriction capability, customers can prevent users in specific geographic locations from accessing content that they’re distributing through CloudFront.
- With the Origin Access Identity (OAI) feature, customers can restrict access to an Amazon S3 bucket so that it is reachable only through CloudFront.
Amazon CloudFront continuously measures internet connectivity, performance and computing capacity to find the best way to route requests to its network, taking into account performance, load, operational status, and other factors to deliver the best experience in real time.
- Amazon CloudFront is optimized for both static and dynamic content, providing extensive flexibility for tuning cache behavior, coupled with network-layer optimizations for latency and throughput.
- CloudFront supports the WebSocket protocol as well as the HTTP protocol with the following HTTP methods: GET, HEAD, POST, PUT, DELETE, OPTIONS, and PATCH.
- The content delivery network (CDN) is architected to keep objects longer in cache and to reduce cache churn.
- Techniques including tiered caching and de-duplication optimization of objects in cache help maximize cache retention.
Amazon CloudFront provides developers with a full-featured API to create, configure and maintain their CloudFront distributions. Developers also have access to a number of tools such as AWS CloudFormation, CodeDeploy, CodeCommit and AWS SDKs to configure and deploy their workloads with Amazon CloudFront.
With built-in device detection, CloudFront can detect the device type, such as Desktop, Tablet, Smart TV, or Mobile device, and pass that information in the form of new HTTP headers to customers’ applications, which can then easily adapt content variants or other responses.
- Amazon CloudFront can also detect the country-level location of the requesting user for further customization of the response.
- Using Lambda@Edge customers can respond to requests at the lowest latency across AWS locations globally.
- For web or mobile requests, the compute that serves the request runs at an AWS location close to the end user who made it.
CloudFront Content Delivery
How Regional Caches Work
Regional edge caches are CloudFront locations that are deployed globally and sit between customers’ origin servers and the POPs (the global edge locations that serve content directly to viewers).
- Regional edge caches have a larger cache than an individual POP, so objects remain in the cache longer at the nearest regional edge cache location, which keeps most of the customers’ content closer to their viewers.
- When a viewer makes a request on the website or through the application, DNS routes the request to the POP that can best serve the user’s request.
- When the files are not in the POP’s cache, the request goes to the nearest regional edge cache location, where CloudFront again checks its cache for the requested files. If the files are in the cache, CloudFront forwards them to the POP that requested them. As soon as the first byte arrives from the regional edge cache location, CloudFront begins to forward the files to the user.
- CloudFront adds the files to the cache in the POP for the next time someone requests those files.
Once customers have configured CloudFront to deliver their content, here is what happens when a user requests one of their files:
- A user accesses the website or application and requests one or more files, such as an image file and an HTML file.
- DNS routes the request to the CloudFront POP (edge location) that can best serve the request, typically the nearest POP in terms of latency.
- In the POP, CloudFront checks its cache for the requested files. If the files are in the cache, CloudFront returns them to the user.
Regional Edge Caches
CloudFront points of presence (POPs), that is, edge locations, make sure that popular content can be served quickly to viewers. CloudFront also has regional edge caches that bring more of the content closer to the viewers, even when the content is not popular enough to stay at a POP.
- Regional edge caches help with all types of content, particularly content that tends to become less popular over time. Examples include user-generated content, such as video, photos, or artwork; e-commerce assets such as product photos and videos; and news and event-related content that might suddenly find new popularity.
CloudFront Use Cases
Using CloudFront can help you accomplish a variety of goals. This section lists just a few, to give you an idea of the possibilities.
Serve Video On Demand or Live Streaming Video
CloudFront offers several options for streaming your media to global viewers—both pre-recorded files and live events.
- For video on demand (VOD) streaming, using CloudFront, customers can stream video in common formats such as MPEG DASH, Apple HLS, Microsoft Smooth Streaming, and CMAF, to any device.
- For broadcasting a live stream, they can cache media fragments at the edge, so that multiple requests for the manifest file that delivers the fragments in the right order can be combined, to reduce the load on the origin server.
Customize at the Edge
Running serverless code at the edge opens up a number of possibilities for customizing the content and experience for viewers, at reduced latency.
- AWS clients can return a custom error message when their origin server is down for maintenance, so viewers don’t get a generic HTTP error message.
- They can use a function to help authorize users and control access to their content, before CloudFront forwards a request to their origin.
- Using Lambda@Edge with CloudFront enables a variety of ways to customize the content that CloudFront delivers.
Accelerate Static Website
- A simple approach for storing and delivering static content is to use an Amazon S3 bucket.
- Using S3 together with CloudFront has a number of advantages, including the option to use Origin Access Identity (OAI) to easily restrict access to your S3 content.
Encrypt Specific Fields
When they configure HTTPS with CloudFront, customers already have secure end-to-end connections to their origin servers. When they add field-level encryption, they can protect specific data throughout system processing in addition to HTTPS security, so that only certain applications at the origin can see the data.
- To set up field-level encryption, customers need to add a public key to CloudFront, and then specify the set of fields that they want to be encrypted with the key.
Using Lambda@Edge, customers can configure their CloudFront distribution to serve private content from their own custom origin, as an alternative to using signed URLs or signed cookies.
- Customers can use several techniques to restrict access to their origin exclusively to CloudFront, including whitelisting CloudFront IP ranges in the firewall and using a custom header to carry a shared secret.
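The two origin-restriction techniques just listed can also be enforced in the origin application itself. The following is an added example in Go (not AWS code): an HTTP wrapper that accepts a request only if the TCP peer lies inside a configured CloudFront prefix and the custom origin header carries the shared secret, compared in constant time. The header name, secret and prefixes are constructed placeholders; in production the prefixes would come from the CLOUDFRONT entries of AWS’s published ip-ranges.json and be refreshed as they change.

```go
package main

import (
	"crypto/subtle"
	"net"
	"net/http"
)

// OriginGuard fronts an origin handler and serves only requests that came through
// CloudFront: the TCP peer must sit inside a known CloudFront prefix AND the custom
// origin header must carry the shared secret. Failing either check yields 403.
type OriginGuard struct {
	Ranges     []*net.IPNet // CloudFront prefixes (production: service CLOUDFRONT in ip-ranges.json)
	HeaderName string       // custom origin header configured on the distribution (placeholder)
	Secret     []byte       // value CloudFront adds to that header; known only to origin and distribution
	Next       http.Handler // the real origin handler
}

// FromCloudFront reports whether the peer address lies in one of the configured
// prefixes. It uses the transport-level RemoteAddr on purpose: X-Forwarded-For is
// caller-controlled unless a trusted proxy in front of the origin overwrites it.
func (g *OriginGuard) FromCloudFront(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // bare IP without a port
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range g.Ranges {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// HasSecret compares the header value in constant time, so response timing reveals
// nothing about how many leading bytes of a guessed value were correct.
func (g *OriginGuard) HasSecret(h http.Header) bool {
	return subtle.ConstantTimeCompare([]byte(h.Get(g.HeaderName)), g.Secret) == 1
}

func (g *OriginGuard) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !g.FromCloudFront(r.RemoteAddr) || !g.HasSecret(r.Header) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	g.Next.ServeHTTP(w, r)
}
```

The secret only protects the origin if it never appears in logs or client-visible responses, and rotating it means updating the distribution's origin custom header and the origin together.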