Amazon CloudFront

What is Amazon CloudFront?
CloudFront is a content delivery network (CDN) provided by AWS that helps deliver content, including web pages, videos, images, and other static or dynamic assets, to users with low latency and high transfer speeds.
Features:
Content is cached at edge locations, which are distributed globally
DDoS protection: distributing the traffic across its network and integrating with AWS Shield
Supports a variety of origins: S3 bucket origins and custom origins
CloudFront Origins
S3 Bucket origin:
Distributing files and caching on edge locations
Security with Origin Access Control (OAC) or Origin Access Identity (OAI)
Ingress for uploading files to S3
Custom origin:
HTTP servers
Load balancer
EC2 instances: dynamic content that is generated by an application running on EC2 instances
S3 websites
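The OAC setup mentioned above only protects the bucket if the bucket policy grants read access to nothing but the CloudFront service principal, scoped to one distribution. The example below is added here (it is not from the original post): it builds that policy in the shape AWS documents for OAC and audits an existing policy for the two common weak settings. The bucket name, account id and distribution id are constructed placeholders.

```python
"""Added example (not from the original post): build and audit an S3 bucket
policy that restricts reads to one CloudFront distribution via Origin Access
Control (OAC). Bucket name, account id and distribution id are placeholders."""
import json

BUCKET = "example-static-site"  # constructed placeholder
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"


def oac_bucket_policy(bucket: str, distribution_arn: str) -> dict:
    """Return the policy CloudFront's OAC setup expects on the origin bucket:
    only the CloudFront service principal may GetObject, and only when the
    request comes from this specific distribution (AWS:SourceArn)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def audit_bucket_policy(policy: dict) -> list[str]:
    """Flag Allow statements that defeat the point of OAC: a wildcard principal
    (bucket readable by anyone, bypassing CloudFront) or the CloudFront service
    principal without a SourceArn condition (a distribution in any AWS account
    could be pointed at the bucket)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        sid = stmt.get("Sid", "<no Sid>")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: public principal, bucket bypasses CloudFront")
        elif isinstance(principal, dict) and principal.get("Service") == "cloudfront.amazonaws.com":
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if not any(k.lower() == "aws:sourcearn" for k in cond):
                findings.append(f"{sid}: CloudFront principal without AWS:SourceArn")
    return findings


if __name__ == "__main__":
    good = oac_bucket_policy(BUCKET, DIST_ARN)
    print(json.dumps(good, indent=2))
    print("findings:", audit_bucket_policy(good))  # []
```

Run the audit against the output of `aws s3api get-bucket-policy` to check a real origin bucket; an empty findings list means reads are limited to the one distribution.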
S3 Cross Region Replication vs CloudFront
| | S3 Cross Region Replication | CloudFront |
| --- | --- | --- |
| Purpose | Designed for replicating data between S3 buckets in different AWS regions. Primarily focused on ensuring data redundancy and availability across regions, and on maintaining copies of data closer to end-users for lower-latency access. | Primarily a CDN that accelerates the delivery of content to end-users by caching it at edge locations |
| Scope | Set up for specific regions | Global edge network |
| File storage | Near real-time | Cached by TTL |
| Read only | Yes | No |
| Use case | Dynamic content with low latency | Both static and dynamic content: website acceleration, video streaming, software distribution |
CloudFront Geo Restriction
Geo Restriction helps to restrict or allow access to your content based on the geographical location of the viewer’s IP address.
Whitelisting: only viewers from the listed countries can access the content
Blacklisting: viewers from the listed countries are denied access
The viewer's country is determined using a third-party Geo-IP database
Notes:
CloudFront returns HTTP 403 Forbidden when access is denied
Changes to Geo Restriction settings may take some time to propagate
Price Classes
Price Class All (all regions) > Price Class 200 (most regions) > Price Class 100 (only least expensive regions)
Cache Invalidations
Cache invalidation allows you to remove or refresh content from the cache before the TTL expires. This helps when you update content on your back-end origin and want the change reflected immediately.
Multiple files can be invalidated at once: all files (*) or a specific path (/images/)
Notes:
Invalidations are not instantaneous: there can be some delay, and they are not intended for real-time updates.
AWS Global Accelerator
Global Accelerator is a service that uses static IP addresses (anycast) to route traffic over the AWS global network to improve availability and performance.
It directs user traffic to the optimal AWS endpoint based on factors such as health, geography, and routing policies.
Unicast IP & Anycast IP
Unicast IP: one server holds one IP address
Anycast IP: all servers hold the same IP address and the client is routed to the nearest one
How it works
A pair of static Anycast IP addresses per region is created for your application; they send traffic directly to edge locations, and the edge location then forwards the traffic to your application.
Features
Here are some features of Global Accelerator:
Consistent performance: intelligent routing to the lowest-latency endpoint and fast regional failover
No issue with client caching (fixed IP addresses)
Traffic travels over the internal AWS network
Health checks
Make the application global (failover in less than 1 minute)
Disaster recovery
Security: only 2 external IP addresses need to be whitelisted
DDoS protection (AWS Shield)
Global Accelerator vs CloudFront
Similarities:
Both use AWS global network and edge locations.
Both integrate with AWS Shield.
CloudFront
Improves performance for both cacheable content (images and videos) and dynamic content: API acceleration and dynamic site delivery
Content is served at the edge
Global Accelerator
Improves performance for a wide range of applications over TCP or UDP
Proxies packets at the edge to applications running in AWS Regions
Non-HTTP use cases: Gaming (UDP), IoT (MQTT), or Voice over IP
HTTP use cases: static IP addresses, fast regional failover