AWS Study Guide: Amazon CloudFront

Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds. It is a cornerstone of the AWS Networking and Content Delivery domain for the SAA-C03 exam.

The Real-World Analogy

Imagine you run a famous bakery in Paris (the Origin). People all over the world love your bread, but by the time a loaf reaches Tokyo, it’s stale and the shipping is expensive. To fix this, you set up small kiosks (Edge Locations) in major cities like Tokyo, New York, and London. You ship your bread to these kiosks once a day. When a local customer wants bread, they get it fresh and fast from their local kiosk instead of waiting for a shipment from Paris.

Topics Covered:

Summary of key subtopics covered in this guide:

  • Core Infrastructure (Edge Locations & Regional Caches)
  • Origin Types & Security (OAC/OAI)
  • Cache Behaviors & TTL Management
  • Security Integrations (WAF, Shield, SSL)
  • Edge Computing (Lambda@Edge vs. CloudFront Functions)
  • Cost Optimization & Price Classes

Core Concepts & Architecture

CloudFront operates through a global network of data centers called Edge Locations. When a user requests content, the request is routed to the edge location that provides the lowest latency.

  • Distribution: The configuration unit of CloudFront (Web distribution).
  • Origin: The source of the files (S3 Bucket, EC2 Instance, ALB, or an On-premises server).
  • Regional Edge Cache: Sits between the Edge Location and the Origin to reduce the burden on the origin and improve cache hit ratios.

CloudFront vs. Global Accelerator

  • Primary Purpose: CloudFront caches content (static/dynamic) to reduce latency; Global Accelerator improves availability and performance for non-HTTP protocols (TCP/UDP).
  • Method: CloudFront caches data at the edge; Global Accelerator proxies packets to the optimal endpoint via Anycast IP.
  • Use Case: CloudFront for images, videos, APIs, websites; Global Accelerator for gaming (UDP), VoIP, IoT, multi-region failover.
  • Edge Storage: CloudFront caches content; Global Accelerator does not cache.

Security & Access Control

Securing your content is a major SAA-C03 focus. You must know how to protect the origin and the data in transit.

  • Origin Access Control (OAC): The modern way to restrict access to S3 origins so users cannot bypass CloudFront. (Replaces the older Origin Access Identity – OAI).
  • Field-Level Encryption: Encrypts specific data fields (like credit card numbers) at the edge before the request reaches your stack.
  • Signed URLs/Cookies: Used for private content (e.g., paid premium video). Use URLs for individual files and Cookies for multiple files.
  • AWS WAF: Protects against SQL injection and Cross-Site Scripting (XSS) at the CloudFront level.
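
As an added example (not code from the study guide), the S3 bucket policy an OAC origin requires, plus a small audit that flags policy statements letting viewers bypass CloudFront; the account id, bucket name and distribution id are constructed placeholders.

```javascript
// Added example, not code from the study guide. Account id, bucket name and
// distribution id below are constructed placeholders.
const ACCOUNT_ID = "111122223333";
const BUCKET = "example-static-assets";
const DISTRIBUTION_ID = "EDFDVBD6EXAMPLE";

function distributionArn(accountId, distributionId) {
  return `arn:aws:cloudfront::${accountId}:distribution/${distributionId}`;
}

// Bucket policy for an OAC origin: only the CloudFront service principal may
// read objects, and only on behalf of this one distribution. No anonymous
// grant exists, so a direct request to the S3 URL is denied.
function oacBucketPolicy(bucket, accountId, distributionId) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Sid: "AllowCloudFrontServicePrincipalReadOnly",
      Effect: "Allow",
      Principal: { Service: "cloudfront.amazonaws.com" },
      Action: "s3:GetObject",
      Resource: `arn:aws:s3:::${bucket}/*`,
      Condition: {
        StringEquals: { "AWS:SourceArn": distributionArn(accountId, distributionId) },
      },
    }],
  };
}

// Audit helper: returns the Sids of Allow statements that let a viewer bypass
// CloudFront: anonymous principals, or the CloudFront service principal with
// no AWS:SourceArn condition (then a distribution in any account could read
// the bucket, not just yours).
function findBypassStatements(policy) {
  const findings = [];
  for (const st of policy.Statement) {
    if (st.Effect !== "Allow") continue;
    const p = st.Principal || {};
    const anonymous =
      p === "*" || p.AWS === "*" || (Array.isArray(p.AWS) && p.AWS.includes("*"));
    const cfService = p.Service === "cloudfront.amazonaws.com";
    const cond = (st.Condition && st.Condition.StringEquals) || {};
    if (anonymous || (cfService && !cond["AWS:SourceArn"])) {
      findings.push(st.Sid || "(no Sid)");
    }
  }
  return findings;
}
```

Run the audit against a bucket policy exported with `aws s3api get-bucket-policy`; an empty result means every read grant is pinned to a distribution.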

Edge Computing: Functions vs. Lambda@Edge

For the exam, distinguish between these two based on complexity and execution time.

  • CloudFront Functions: Lightweight JavaScript. Best for header manipulation, URL redirects, and cache key normalization. Scale to millions of requests with sub-millisecond execution.
  • Lambda@Edge: Full Node.js/Python environment. Best for complex logic, network calls to external APIs, and image processing.
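
An added example, not code from the study guide: the two CloudFront Functions use cases named above (cache key normalization on viewer-request, security-header manipulation on viewer-response) written for the cloudfront-js-1.0 runtime. The tracking parameter name, the index.html mapping and the header values are assumptions chosen for the example.

```javascript
// Added example, not code from the study guide. Written for the
// cloudfront-js-1.0 runtime (ES5-style syntax; no require, no network calls).
// In a deployment each function is its own CloudFront Function exported as
// `handler`; they carry distinct names here only so both fit in one file.

// viewer-request: normalize the cache key so that URL variants share one
// cached object, and map directory requests to index.html for an S3 origin.
// Assumes objects are stored under lower-case keys (S3 keys are case-sensitive).
function viewerRequestHandler(event) {
  var request = event.request;
  request.uri = request.uri.toLowerCase();
  if (request.uri.charAt(request.uri.length - 1) === '/') {
    request.uri += 'index.html';
  }
  // Drop a tracking parameter (constructed example) that would otherwise
  // fragment the cache into one entry per campaign value.
  delete request.querystring['utm_source'];
  return request;
}

// viewer-response: add security headers at the edge so every object served
// by this distribution carries them, whatever the origin sends.
function viewerResponseHandler(event) {
  var headers = event.response.headers;
  headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubDomains; preload' };
  headers['x-content-type-options'] = { value: 'nosniff' };
  headers['x-frame-options'] = { value: 'DENY' };
  headers['referrer-policy'] = { value: 'strict-origin-when-cross-origin' };
  headers['content-security-policy'] = { value: "default-src 'self'" };
  return event.response;
}
```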

Exam Tips and Gotchas

  • OAC is the Answer: If the question asks how to prevent users from accessing an S3 bucket directly, choose Origin Access Control (OAC).
  • Cache Invalidation: If you update a file and need it to show immediately, you must perform an Invalidation (which costs money) or use versioned filenames.
  • Price Classes: You can reduce costs by limiting CloudFront to specific geographic regions (Price Class 100 = US/Europe only).
  • Error Pages: CloudFront can serve custom HTML pages (stored in S3) when the origin returns a 4XX or 5XX error.
  • Protocol Policy: You can enforce Redirect HTTP to HTTPS at the cache behavior level.

Decision Matrix / If–Then Guide

If the requirement is… then choose…

  • Global users accessing static S3 content with low latency → CloudFront + S3 Origin
  • Blocking specific countries from accessing content → CloudFront Geo-Restriction
  • Faster dynamic content upload/download for global users → CloudFront (Dynamic Content Acceleration)
  • Cost-effective header manipulation (e.g., adding security headers) → CloudFront Functions
  • Providing access to premium content for authorized users only → Signed URLs or Signed Cookies

Amazon CloudFront Visual Architecture

[Diagram not reproduced: Origin (S3/ALB) → CloudFront Distribution → Edge (London) / Edge (Tokyo) → User A / User B]

Service Ecosystem

Key Integrations

  • S3: Static asset hosting via OAC.
  • Route 53: Alias records for custom domains.
  • ACM: Provision SSL/TLS certificates for free.
  • Shield: Standard DDoS protection included.

Performance & Scaling

Optimization

Use Cache Behaviors to handle different paths (e.g., /images/* vs /api/*) with different TTLs.

CloudFront Functions provide ultra-low latency logic for request manipulation.

Cost Optimization

Savings

  • Price Classes: Choose 100, 200, or All to control spend.
  • Origin Shield: Centralized cache layer to minimize origin fetch costs.
  • Free Tier: Includes 1TB of data transfer out per month.

Production Use Case: A global media company uses CloudFront to stream HLS video. They use Lambda@Edge to authorize user tokens from a DynamoDB table and Signed Cookies to allow access to a full season of content after a single login.
