CloudFront & AWS Global Accelerator Flashcards
What is CloudFront?
It is a CDN - Content Delivery Network
CloudFront (CDN) benefits
Improves read performance, content is cached at the edge
Improves user experience
What form of protection does CloudFront have?
Against DDoS (because it is distributed worldwide)
Integration with AWS Shield and AWS Web Application Firewall
What is CloudFront Origins for S3?
Distributing files and caching them at the edge
Enhanced Security with CloudFront Origin Access Control
CloudFront can be used as an Ingress (upload files to S3)
What is a CloudFront Custom Origin (HTTP)?
You get the benefits of CloudFront origins for any service that speaks HTTP (caching distributed files at the edge):
ALB
EC2 instance
S3 website (static website)
Any HTTP backend you want
CloudFront High Level (architecture)
Client sends GET /beach.jpg to CloudFront Edge Location.
If it is NOT cached, it forwards the request to the Origin (an S3 bucket or an HTTP backend).
Then it adds the requested object from the Origin into the local cache for the next time it gets requested.
Example for S3 as an Origin
Users get the data from the public internet at the Edge location. The Edge location fetched that data from the Origin (S3 bucket), which is protected by Origin Access Control + an S3 bucket policy.
CloudFront vs S3 Cross Region Replication
CloudFront
global edge network
files are cached for a TTL (maybe a day)
Great for static content that must be available everywhere
S3 Cross Region Replication
Must be set up for each region you want replication to happen in
files updated in near real-time
read only
great for dynamic content that needs to be available at low latency in a few regions
CloudFront ALB as an Origin
Users make requests to the edge location's public IP. The edge location then makes the request to the ALB, which must be public and whose security group must allow the edge location IPs.
The ALB then sends the requests to the EC2 instances, which can be private; their security group must allow access from the ALB's security group.
CloudFront EC2 as an Origin
Users send requests to the edge location, then the edge location sends the request to the EC2 instances, which must be public. The instances' security group must allow the public IPs of the edge locations.
CloudFront GeoRestriction
Allowlist - define list of approved countries
Blocklist - define list of banned countries
Use case for CloudFront GeoRestriction
Country is determined using 3rd party Geo-IP database.
Use cases are copyright laws to control access to content
CloudFront Pricing
Cost per GB decreases as the amount of data transferred out increases.
Price also depends on location
How many price classes does CloudFront have?
3
Price Class All (cloudfront)
All regions - best performance
Price Class 200
most regions, but excludes the most expensive ones
Price Class 100
least expensive regions only
CloudFront - Cache Invalidation
Force an entire or partial cache refresh (bypassing TTL) by performing CloudFront Invalidation
When would you use CloudFront Invalidation?
When you update the backend origin and CloudFront doesn't know about it; otherwise it will only serve the refreshed content after the TTL expires.
How can you invalidate files or paths?
* for all files
/images/* for a specific path
CloudFront Cache Invalidation architecture (scenario)
You have CloudFront with 2 Edge locations (including index.html and /images/ in their cache) and your origin S3 bucket.
You update files in S3 origin bucket.
Then you invalidate /index.html & /images/*, which removes them from the cache.
A user then sends GET /index.html to CloudFront, and it is forwarded to the Edge location. The Edge location finds the object is no longer cached, so it pulls the data from the S3 bucket.
Unicast IP
One server holds one IP address
Anycast IP
All servers hold the same IP address and the client is routed to the nearest one
How does Global Accelerator work?
Uses AWS internal network to route to your application.
2 Anycast IPs are created for your application.
The anycast IP sends traffic directly to Edge Locations, and the edge locations send the traffic to your ALB which then sends it to your application.