My AWS Certified Advanced Networking – Specialty notes – Part 3 – CloudFront

This post will deal with AWS’ distribution and content caching mechanism called CloudFront. I can tell you I had some in-depth questions about this topic; you gotta lab it up properly in order to have a chance at correctly answering them. I know I probably got only some of them right. Here’re the other posts in this series:


  • If the content is already at the edge, it is delivered to the consumer right away.
  • If not, it is retrieved from the origin and delivered. Content gets served by CloudFront the moment it starts to arrive from the origin, and it gets cached too for use by subsequent users.
  • The origin stores the original, definitive version.
  • Serves just about everything, including media streaming using the Real-Time Messaging Protocol (RTMP).
  • Live streaming (apparently called Smooth Streaming in AWS lingo) won’t work with IIS if that’s the software on the origin server.
  • CloudFront logs can be stored in S3 buckets (which can be from another account too, in which case a specific format is used for the bucket name). This is charged.
  • If CloudFront is used, the distribution’s name is used as the origin name. This name is hard to remember, so use a CNAME record for an alternate name; Route53 or some other DNS service can be used. With Route53, A records can be used to point the website name the end users see at the actual distribution’s name.
  • Objects expire every 24 hours, after which content is fetched from the origin to check for changes. This default behaviour can be changed with:
    • Cache-Control headers set by the origin server.
    • Min/max/default TTL settings on the CloudFront distribution.
  • Network latency is the measure CloudFront takes into account when choosing which location serves content based on the requestor’s location.
  • Regional CloudFront caches are bigger than the global edge caches. These regional caches are closer to users, and they are enabled by default.
  • Gotta remember that multimedia content will come down via CloudFront RTMP.
  • Gotta remember that live events will get streamed over CloudFront.
  • Private Content via CloudFront:
    • Signed URLs, valid for certain times and, if required, only from certain IPs and for certain files.
    • Signed cookies, which require authentication via public and private key pairs.
    • Origin Access Identities, which restrict access to the bucket to the special user associated with it.
  • AWS Certificate Manager automates management of SSL/TLS certs: it will automatically provision, deploy and renew them. The certs come from an AWS-managed CA called Amazon Trust Services. These certs MUST be requested in the US East (NoVa) region.
  • Objects can be invalidated by specifying the full name of a particular object, or all objects whose names start with a certain string followed by a wildcard.
  • Lambda@Edge can be used to customize content delivered through CloudFront. It scales on its own based on demand. Requests are handled at the edge locations, and Lambda@Edge functions execute in response to CloudFront events. There are four events it can respond to:
    • Viewer request, viewer response, origin request and origin response.
  • Multiple sources of origin for content are supported:
    • S3, or static websites hosted on EC2 instances.
    • Customer-managed datacenters.
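As an added example (not from the original post), here is the signed-URL mechanism described under Private Content above: a CloudFront custom policy with an expiry and a source-IP condition, encoded the way CloudFront expects, assembled into the URL, and re-checked the way the edge would before serving. The domain, key pair id and IP ranges are constructed sample values; real RSA-SHA1 signing needs the `cryptography` package and an actual CloudFront key pair.

```python
import base64
import ipaddress
import json
from typing import Callable, Optional
from urllib.parse import urlencode

RESOURCE = "https://d111111abcdef8.cloudfront.net/video.mp4"  # constructed sample
KEY_PAIR_ID = "APKAEXAMPLE"  # hypothetical key pair id (constructed)

def build_custom_policy(resource: str, expires: int, source_ip: Optional[str] = None) -> bytes:
    """Custom policy as compact JSON (no whitespace), as CloudFront expects it."""
    cond = {"DateLessThan": {"AWS:EpochTime": expires}}
    if source_ip:  # CIDR range the URL is restricted to, e.g. 203.0.113.0/24
        cond["IpAddress"] = {"AWS:SourceIp": source_ip}
    policy = {"Statement": [{"Resource": resource, "Condition": cond}]}
    return json.dumps(policy, separators=(",", ":")).encode()

def cf_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode().translate(str.maketrans("+=/", "-_~"))

def cf_b64_decode(text: str) -> bytes:
    return base64.b64decode(text.translate(str.maketrans("-_~", "+=/")))

def rsa_sha1_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """Signer for a real key pair; CloudFront verifies RSA-SHA1 over the policy bytes."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda msg: key.sign(msg, padding.PKCS1v15(), hashes.SHA1())

def make_signed_url(url: str, policy: bytes, key_pair_id: str,
                    sign: Callable[[bytes], bytes]) -> str:
    # Append the Policy, Signature and Key-Pair-Id query parameters.
    params = {"Policy": cf_b64(policy), "Signature": cf_b64(sign(policy)),
              "Key-Pair-Id": key_pair_id}
    return url + ("&" if "?" in url else "?") + urlencode(params, safe="-_~")

def evaluate_policy(policy: bytes, resource: str, now: int, client_ip: str) -> bool:
    """Edge-side checks on a (signature-verified) policy: resource, expiry, source IP."""
    stmt = json.loads(policy)["Statement"][0]
    cond = stmt["Condition"]
    if stmt["Resource"] != resource or now >= cond["DateLessThan"]["AWS:EpochTime"]:
        return False
    if "IpAddress" in cond:
        allowed = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"], strict=False)
        if ipaddress.ip_address(client_ip) not in allowed:
            return False
    return True
```

Pass `rsa_sha1_signer(pem)` as the `sign` argument to get a URL CloudFront will actually accept; a policy with no `IpAddress` condition is valid from anywhere until it expires.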

The last post in this series will cover DNS and Route53 in Part 4.
