AWS CloudFront

AWS CloudFront - 
  • AWS Content Delivery Network (CDN) service that delivers data, videos, applications, and APIs to users globally with low latency and high transfer speeds
  • 216 points of presence (edge locations) globally
  • Integrates with other AWS services to give developers and businesses an easy way to distribute content to end users with low latency, high data transfer speed and no minimum usage commitments
  • DDoS protection: integrates with AWS Shield and AWS WAF (Web Application Firewall)

Content Delivery Security - 
  • CloudFront can deliver content securely over SSL/TLS by terminating an HTTPS or WebSocket (WSS) connection with the viewer; a separate origin protocol policy controls whether CloudFront also uses HTTPS to the origin
  • Supports HTTP/2, HTTP/3, WebSocket, and TLS; the minimum TLS version a viewer may use is set by the distribution's security policy (e.g. TLSv1.2_2021), so old protocol versions can be disabled
  • Supports custom SSL/TLS certificates (e.g. from AWS Certificate Manager) served via Server Name Indication (SNI), so many distributions can share edge IP addresses; a dedicated-IP option exists for legacy clients that cannot send SNI

CloudFront Origins - 

CloudFront can fetch content from various AWS resources such as an S3 bucket, an ELB or an EC2 instance, as well as any HTTP server
  • S3 bucket - 
    • For distributing files and caching them at the edge 
    • Enhanced security with CloudFront Origin Access Control (OAC): the bucket stays private and its bucket policy allows reads only from the CloudFront service principal, scoped to one distribution ARN
    • OAC is replacing Origin Access Identity (OAI)
    • CloudFront can also be used as an ingress (to upload files to S3), which requires the bucket policy to grant s3:PutObject as well
  • Custom origin (HTTP) - 
    • Application Load Balancer 
    • EC2 instance
    • S3 website endpoint (must first enable static website hosting on the bucket; this endpoint is HTTP-only and cannot use OAC)
    • Any HTTP backend you want 
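
As an added example (not from the original post and not AWS code), the following Go program builds the bucket policy an OAC-fronted private bucket needs and lints an existing policy for the usual mistakes: an anonymous principal, a CloudFront service principal without the AWS:SourceArn condition (which would let any account's distribution read the bucket), write actions beyond s3:GetObject, or a legacy OAI grant. The bucket name, account ID and distribution ID are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement and Policy model the subset of S3 bucket-policy JSON that an
// origin-access check needs. Principal, Action and Resource may each be a
// string or an array in IAM JSON, so they are decoded as `any`.
type Statement struct {
	Sid       string                    `json:"Sid,omitempty"`
	Effect    string                    `json:"Effect"`
	Principal any                       `json:"Principal"`
	Action    any                       `json:"Action"`
	Resource  any                       `json:"Resource"`
	Condition map[string]map[string]any `json:"Condition,omitempty"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// DistributionARN builds the ARN that CloudFront presents as AWS:SourceArn.
func DistributionARN(accountID, distributionID string) string {
	return fmt.Sprintf("arn:aws:cloudfront::%s:distribution/%s", accountID, distributionID)
}

// OACBucketPolicy returns the bucket policy a private OAC-fronted bucket needs:
// only the CloudFront service principal, only s3:GetObject, and only when the
// request comes from this one distribution (the SourceArn condition is what
// stops another account's distribution from reading the bucket). Add
// "s3:PutObject" to Action only if the distribution is used as an upload ingress.
func OACBucketPolicy(bucket, accountID, distributionID string) string {
	p := Policy{
		Version: "2012-10-17",
		Statement: []Statement{{
			Sid:       "AllowCloudFrontServicePrincipalReadOnly",
			Effect:    "Allow",
			Principal: map[string]string{"Service": "cloudfront.amazonaws.com"},
			Action:    "s3:GetObject",
			Resource:  "arn:aws:s3:::" + bucket + "/*",
			Condition: map[string]map[string]any{
				"StringEquals": {"AWS:SourceArn": DistributionARN(accountID, distributionID)},
			},
		}},
	}
	out, _ := json.MarshalIndent(p, "", "  ")
	return string(out)
}

// asStrings normalises a string-or-array JSON value.
func asStrings(v any) []string {
	switch t := v.(type) {
	case string:
		return []string{t}
	case []any:
		var out []string
		for _, e := range t {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// sourceArns extracts the AWS:SourceArn values of a StringEquals condition
// (IAM condition keys are case-insensitive, so compare with EqualFold).
func sourceArns(cond map[string]map[string]any) []string {
	for op, kv := range cond {
		if !strings.EqualFold(op, "StringEquals") {
			continue
		}
		for k, v := range kv {
			if strings.EqualFold(k, "aws:SourceArn") {
				return asStrings(v)
			}
		}
	}
	return nil
}

func contains(xs []string, want string) bool {
	for _, x := range xs {
		if x == want {
			return true
		}
	}
	return false
}

// AuditBucketPolicy lints an existing bucket policy against the expectation
// that the bucket is reachable only through distribution distARN.
// It returns one finding per problem; an empty result means the policy passes.
func AuditBucketPolicy(policyJSON, distARN string) ([]string, error) {
	var p Policy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, fmt.Errorf("policy is not valid JSON: %w", err)
	}
	var findings []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		label := st.Sid
		if label == "" {
			label = fmt.Sprintf("statement[%d]", i)
		}
		// Anonymous principal: the bucket is public and CloudFront can be bypassed.
		if s, ok := st.Principal.(string); ok && s == "*" {
			findings = append(findings, label+": Principal \"*\" makes the bucket public")
			continue
		}
		pm, _ := st.Principal.(map[string]any)
		for _, aws := range asStrings(pm["AWS"]) {
			switch {
			case aws == "*":
				findings = append(findings, label+": Principal AWS \"*\" makes the bucket public")
			case strings.Contains(aws, ":user/CloudFront Origin Access Identity"):
				findings = append(findings, label+": grants a legacy OAI; migrate to OAC")
			}
		}
		for _, svc := range asStrings(pm["Service"]) {
			if svc != "cloudfront.amazonaws.com" {
				continue
			}
			// Service principal with no SourceArn: any distribution in any account may read.
			arns := sourceArns(st.Condition)
			if len(arns) == 0 {
				findings = append(findings, label+": cloudfront.amazonaws.com without an AWS:SourceArn condition")
			} else if !contains(arns, distARN) {
				findings = append(findings, label+": AWS:SourceArn does not name "+distARN)
			}
			for _, a := range asStrings(st.Action) {
				if a != "s3:GetObject" {
					findings = append(findings, label+": grants "+a+" beyond read-only")
				}
			}
		}
	}
	return findings, nil
}

func main() {
	// Constructed sample inputs: one correct OAC policy and one public bucket policy.
	arn := DistributionARN("111122223333", "EDFDVBD6EXAMPLE")
	good := OACBucketPolicy("my-private-bucket", "111122223333", "EDFDVBD6EXAMPLE")
	public := `{"Version":"2012-10-17","Statement":[{"Sid":"Public","Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-private-bucket/*"}]}`
	fmt.Println(good)
	for _, pol := range []string{good, public} {
		f, err := AuditBucketPolicy(pol, arn)
		fmt.Println("findings:", f, "error:", err)
	}
}
```

Run it against the output of `aws s3api get-bucket-policy` to check a real bucket; the SourceArn check is the one most often missing in hand-written OAC policies.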

How CloudFront works - 
  • Viewers are routed to the nearest edge location; on a cache hit the edge serves the object directly, on a miss it forwards the request to the origin and caches the response for its TTL

CloudFront S3 as an Origin - 
  • Viewer -> edge location (public) -> S3 bucket (private); the bucket policy allows only requests signed by the distribution's OAC, so the bucket cannot be read directly over the internet

CloudFront vs S3 Cross Region Replication - 
  • CloudFront - 
    • Global edge network 
    • Files are cached for a TTL (Time To Live)
    • Great for static content that must be available everywhere 
  • S3 Cross Region Replication - 
    • Must be set up for each region you want replication to happen in
    • Files are updated in near real time 
    • Replicas are read-only 
    • Great for dynamic content that needs to be available at low latency in a few regions 


CloudFront - ALB or EC2 as an Origin - 
  • Viewer -> edge location -> ALB or EC2 origin; the origin must be reachable by CloudFront, so its security group should allow only CloudFront's origin-facing IP ranges (the AWS-managed prefix list com.amazonaws.global.cloudfront.origin-facing) rather than 0.0.0.0/0
  • With an ALB in front, the EC2 instances' security group allows only the ALB's security group

CloudFront Geo Restriction - 
  • You can restrict who can access your distribution by country
  • Allowlist: allow your users to access your content only if they are in one of the countries on a list of approved countries 
  • Blocklist: prevent your users from accessing your content if they are in one of the countries on a list of banned countries
  • The "country" is determined from the viewer's IP address using a 3rd-party Geo-IP database, so treat it as a licensing control rather than a security boundary (VPNs and proxies change the apparent country)
  • Use case - copyright laws to control access to content 

CloudFront - Pricing - 
  • CloudFront edge locations are all around the world 
  • The cost of data transfer out per edge location varies
  • Price Class All: all regions - best performance
  • Price Class 200: most regions, but excludes the most expensive regions
  • Price Class 100: only the least expensive regions 


CloudFront - Cache Invalidations - 
  • If you update the back-end origin, CloudFront doesn't know about it and will only fetch the refreshed content after the TTL has expired 
  • However, you can force an entire or partial cache refresh (bypassing the TTL) by performing a CloudFront Invalidation
  • You can invalidate all files (/*) or a specific path (/images/*); invalidations beyond the monthly free quota are billed per path, so versioned file names are usually the cheaper option

Best Practices of CloudFront - 
  • Versioning - use version numbers or add a date-time to file or directory names, so a new release is a cache miss instead of an invalidation
  • Optimize the default cache behaviour - ensure that the default cache behaviour is set to handle the majority of requests
  • Use the CloudFront compression feature - compress content to reduce the amount of data transferred
  • Secure content - use signed URLs or signed cookies for restricted content; the signing private key stays with your application and only the public key is registered with CloudFront in a trusted key group
  • Monitoring and logging - regularly monitor CloudFront metrics and set up alarms in CloudWatch; also enable access logs to track user requests 
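
To show what a signed URL actually is, here is an added Go example (not the post's or AWS's code) that implements CloudFront's canned-policy signing, RSA-SHA1 over the policy JSON with CloudFront's URL-safe base64 alphabet, together with the edge-side verification that rejects expired, tampered or unknown-key URLs. The RSA key pair, the key-pair ID and the distribution domain are generated or constructed for the example; in production the public key is the one registered in a trusted key group.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// cannedPolicy is the exact JSON CloudFront signs for an Expires-style signed
// URL: no whitespace, one statement, a single DateLessThan condition.
func cannedPolicy(resource string, expires int64) string {
	return fmt.Sprintf(`{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`,
		resource, expires)
}

// CloudFront's URL-safe base64 replaces + = / with - _ ~ (and back).
var (
	toCF   = strings.NewReplacer("+", "-", "=", "_", "/", "~")
	fromCF = strings.NewReplacer("-", "+", "_", "=", "~", "/")
)

// SignURL appends Expires, Signature and Key-Pair-Id to resource, the way a
// trusted signer (your application, never the viewer) issues a signed URL.
// The signature is RSA-SHA1 PKCS#1 v1.5 over the canned policy.
func SignURL(resource, keyPairID string, priv *rsa.PrivateKey, expires time.Time) (string, error) {
	exp := expires.Unix()
	digest := sha1.Sum([]byte(cannedPolicy(resource, exp)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	sep := "?"
	if strings.Contains(resource, "?") {
		sep = "&"
	}
	return fmt.Sprintf("%s%sExpires=%d&Signature=%s&Key-Pair-Id=%s",
		resource, sep, exp, toCF.Replace(base64.StdEncoding.EncodeToString(sig)), keyPairID), nil
}

// VerifyURL is the edge-side check: the key must belong to a trusted key
// group, the URL must not have expired, and the signature must cover exactly
// the resource and expiry present in the URL. It assumes the three signing
// parameters are the last ones in the query string, as SignURL emits them.
func VerifyURL(signed string, trusted map[string]*rsa.PublicKey, now time.Time) error {
	i := strings.LastIndex(signed, "Expires=")
	if i < 1 {
		return errors.New("not a signed URL")
	}
	resource := signed[:i-1] // drop the '?' or '&' that precedes Expires=
	params := map[string]string{}
	for _, kv := range strings.Split(signed[i:], "&") {
		k, v, _ := strings.Cut(kv, "=")
		params[k] = v
	}
	pub, ok := trusted[params["Key-Pair-Id"]]
	if !ok {
		return errors.New("Key-Pair-Id is not in a trusted key group")
	}
	exp, err := strconv.ParseInt(params["Expires"], 10, 64)
	if err != nil {
		return errors.New("malformed Expires")
	}
	if !now.Before(time.Unix(exp, 0)) {
		return errors.New("URL has expired")
	}
	raw, err := base64.StdEncoding.DecodeString(fromCF.Replace(params["Signature"]))
	if err != nil {
		return errors.New("malformed Signature")
	}
	digest := sha1.Sum([]byte(cannedPolicy(resource, exp)))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], raw) != nil {
		return errors.New("signature does not match resource and expiry")
	}
	return nil
}

// NewDemoKey makes a throwaway key pair for the example; in production the
// private key lives with the signer and only the public key goes to CloudFront.
func NewDemoKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	priv := NewDemoKey()
	trusted := map[string]*rsa.PublicKey{"K2EXAMPLEKEYID": &priv.PublicKey} // constructed key-pair ID
	now := time.Now()
	u, _ := SignURL("https://d111111abcdef8.cloudfront.net/private/video.mp4", "K2EXAMPLEKEYID", priv, now.Add(time.Hour))
	fmt.Println(u)
	fmt.Println("valid now:", VerifyURL(u, trusted, now))
	fmt.Println("two hours later:", VerifyURL(u, trusted, now.Add(2*time.Hour)))
	fmt.Println("tampered path:", VerifyURL(strings.Replace(u, "video.mp4", "other.mp4", 1), trusted, now))
}
```

Because the signature binds both the resource and the expiry, a viewer who edits either parameter, or reuses the URL for a different object, gets a 403 at the edge; only the holder of the private key can mint a new one. Signed cookies carry the same policy and signature in CloudFront-Policy, CloudFront-Signature and CloudFront-Key-Pair-Id cookies instead of query parameters.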



 
