CloudFront & AWS Global Accelerator Flashcards

1
Q

What is CloudFront?

A

It is a CDN - Content Delivery Network

2
Q

CloudFront (CDN) benefits

A

Improves read performance, content is cached at the edge

Improves user experience

3
Q

What form of protection does CloudFront have?

A

Against DDoS (because it is worldwide)

Integration with Shield, AWS Web Application Firewall

4
Q

What is CloudFront Origins for S3?

A

Distributing files and caching them at the edge

Enhanced Security with CloudFront Origin Access Control

CloudFront can be used as an Ingress (upload files to S3)

5
Q

What is CloudFront Custom Origin (HTTP)?

A

You get the benefits of CloudFront Origins (caching distributed files at the edge) for any backend that speaks HTTP:

ALB
EC2 instance
S3 website (static website)
Any HTTP backend you want

6
Q

CloudFront High Level (architecture)

A

Client sends GET /beach.jpg to a CloudFront Edge Location.

If it is NOT cached, the Edge Location forwards the request to the Origin (an S3 bucket or an HTTP backend).

It then adds the requested object from the Origin into its local cache, so the next request for it is served from the edge.

7
Q

Example for S3 as an Origin

A

Users get the data over the public internet from the Edge Location. The Edge Location would have fetched that data from the Origin (S3 bucket), which is also protected by Origin Access Control + an S3 bucket policy.

8
Q

CloudFront vs S3 Cross Region Replication

A

CloudFront
- global edge network
- files are cached for a TTL (maybe a day)
- great for static content that must be available everywhere

S3 Cross Region Replication
- must be set up for each region you want replication to happen in
- files updated in near real-time
- read only
- great for dynamic content that needs to be available at low latency in a few regions

9
Q

CloudFront ALB as an Origin

A

Users make requests to the edge location's public IP. The edge location then makes the request to the ALB, which must be public and whose security group must allow the edge location IPs.

The ALB then sends the requests to the EC2 instances, which can be private; their SG must allow access from the ALB's Security Group.

10
Q

CloudFront EC2 as an Origin

A

Users send requests to the edge location, and the edge location sends the request to the EC2 instances, which must be public. The SG of the EC2 instances must allow the public IPs of the edge locations.

11
Q

CloudFront GeoRestriction

A

Allowlist - define list of approved countries

Blocklist - define list of banned countries

12
Q

Use case for CloudFront GeoRestriction

A

The country is determined using a 3rd-party Geo-IP database.

A typical use case is copyright law, to control which countries can access content.

13
Q

CloudFront Pricing

A

The per-unit cost of data transfer goes down as the amount of data transferred goes up.

Price also depends on the edge location.

14
Q

How many price classes does CloudFront have?

A

3

15
Q

Price Class All (CloudFront)

A

All regions - best performance

16
Q

Price Class 200

A

Most regions, but excludes the most expensive ones

17
Q

Price Class 100

A

Least expensive regions only

18
Q

CloudFront - Cache Invalidation

A

Force an entire or partial cache refresh (bypassing TTL) by performing CloudFront Invalidation

19
Q

When would you use CloudFront Invalidation?

A

When you update the backend origin and CloudFront doesn't know about it: without an invalidation, edge locations only get the refreshed content after the TTL expires.

20
Q

How can you invalidate files or paths?

A

* for all files
/images/* for a specific path

21
Q

CloudFront Cache Invalidation architecture (scenario)

A

You have CloudFront with 2 Edge Locations (both holding index.html and /images/ in their cache) and your origin S3 bucket.

You update files in the S3 origin bucket.
Then you invalidate /index.html & /images/*, which basically removes them from the cache.

When a user then sends GET /index.html to CloudFront, the request is forwarded to the Edge Location. The Edge Location sees that the object is no longer in its cache, so it pulls the data from the S3 bucket.

22
Q

Unicast IP

A

One server holds one IP address

23
Q

Anycast IP

A

All servers hold the same IP address and the client is routed to the nearest one

24
Q

How does Global Accelerator work?

A

Uses the AWS internal network to route to your application.

2 Anycast IPs are created for your application.

The Anycast IPs send traffic directly to Edge Locations, and the Edge Locations send the traffic to your ALB, which then sends it to your application.

25
Q

What happens without a Global Accelerator?

A

Traffic hops through many IPs (public internet routing), adding latency and instability by the time it reaches the application.

With Global Accelerator, you jump to the nearest Edge Location and from there go directly to the public ALB or application over the internal AWS network.

26
Q

What does Global Accelerator work with?

A

Elastic IP
EC2 instances
ALB
NLB
Public or private

27
Q

Why does Global Accelerator have consistent performance?

A

Intelligent routing to the lowest-latency endpoint and fast regional failover
No issues with client cache (the IP doesn't change)
Internal AWS network

28
Q

Does Global Accelerator offer Health Checks for apps?

A

Yes
Helps make your app global (failover in less than 1 minute for unhealthy endpoints)
Great for Disaster Recovery (because of health checks)

29
Q

What security measures does Global Accelerator have?

A

Only 2 external IPs need to be whitelisted
DDoS protection thanks to AWS Shield

30
Q

AWS Global Accelerator vs CloudFront

A

Both use the AWS global network and edge locations
Both integrate with AWS Shield for DDoS protection

31
Q

When do you use CloudFront?

A

Improve performance for cacheable content (images, videos)
Dynamic content (API acceleration and dynamic site delivery)
Content is served at the edge (hopefully always)

32
Q

When do you use Global Accelerator?

A

Improve performance for a wide range of apps over TCP or UDP
Proxying packets at the edge to apps running in one or more AWS regions
Good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT) or VoIP
Good for HTTP use cases that require static IP addresses
Good for HTTP use cases that require deterministic, fast regional failover