Amazon CloudFront fundamentals — AWS Solutions Architect Associate Certification

Chapter 9: AWS CloudFront and Global Accelerator fundamentals that will appear in the AWS Solutions Architect Associate Exam.

7 min read · Sep 2, 2021

CDN services will allow us to distribute our applications globally. AWS has two different services to improve the performance of our applications: Amazon CloudFront and AWS Global Accelerator. We'll see them in detail in this new AWS Solutions Architect Associate Course chapter!

  1. Introduction to Content Delivery Networks (CDNs)
  2. AWS CloudFront
  3. AWS Global Accelerator
  4. Typical CloudFront Questions

CloudFront for the AWS Solutions Architect Associate Certification.

Remember that all the chapters from the course can be found in the following link.

CONTENT DELIVERY NETWORKS (CDN)

To understand what Amazon CloudFront is, we first need to understand the concept of CDN. So, what is a CDN?

A Content Delivery Network (CDN) is a geographically distributed network of proxy servers and their data centers that provides high availability and performance by placing the service close to end users. Let’s imagine that we have an application containing a 500MB video that users have to download. If the servers are in the US, users in that region can fetch the content quickly, but what about users in India? Latency grows with distance, so their experience gets worse.

Downloading a video without a CDN.

Thanks to a CDN, we can distribute this video globally so that users in each region can access it through the server with the lowest latency.

Downloading a video using a CDN.

AWS CLOUDFRONT

With the concept of CDN in mind, let’s talk about CloudFront. Amazon CloudFront is a fast Content Delivery Network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds. CloudFront automatically maps network conditions and intelligently routes your user’s traffic to the most performant AWS edge location to serve up cached or dynamic content. With CloudFront, you can improve your read performance as content is cached at the edge.

We explained Edge Locations in the first chapter of this course; CloudFront is exactly what they are used for. As we saw, there are more than 225 Edge Locations.

AWS Edge Locations.

CloudFront also offers advanced security capabilities, such as field-level encryption, HTTPS, and protection against several kinds of attacks, including DDoS attacks.

You can also restrict access to your content based on the geographic location of your viewers. With the CloudFront Geo Restriction feature, you can choose the countries where you want Amazon CloudFront to deliver your content.

CLOUDFRONT ORIGINS

You can specify different origins for CloudFront:

  • S3 bucket → You can distribute files and cache them. The previous video example is this case: you keep the video in S3 and cache it in the Edge Locations closest to your clients, which serve the content. You need an Origin Access Identity (OAI) so that CloudFront can read the S3 content, and the bucket policy must grant access to that OAI (and not to the public, otherwise viewers could bypass CloudFront).
AWS CloudFront with S3 bucket Location using Origin Access Identity (OAI).
  • HTTP Custom Origin → You can also cache custom HTTP origins such as an Amazon EC2 instance, Load Balancers, S3 websites, or your own HTTP web server.
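The OAI pattern above has two halves: CloudFront presents the OAI when it reads from S3, and the bucket policy must allow only that OAI. The following is an added example (not code from the original article or from AWS) that builds such a bucket policy and then audits any policy for the two things that break the pattern: the OAI is missing a read grant, or a statement still gives read access to everyone. Bucket name, OAI id and the sample policies are constructed values.

```python
"""Audit an S3 bucket policy for the CloudFront OAI pattern described above.

Added example, not code from the original article or from AWS. It builds the
bucket policy an Origin Access Identity needs and then audits an arbitrary
policy: the OAI must be allowed s3:GetObject, and no Allow statement may give
read access to everyone (Principal "*" or {"AWS": "*"}), which would let
viewers bypass CloudFront and fetch the objects straight from S3.
Bucket name, OAI id and the sample policies are constructed values.
"""
import json


def oai_principal(oai_id: str) -> str:
    # Principal ARN form that an OAI takes inside a bucket policy
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def build_oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Minimal policy: only the OAI may read objects; nothing is granted to the public."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": oai_principal(oai_id)},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value) -> list:
    # Policy fields may be a single string or a list; normalise to a list
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt: dict) -> list:
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    found = []
    for key in ("AWS", "Service", "Federated", "CanonicalUser"):
        found.extend(_as_list(principal.get(key)))
    return found


def _grants_read(stmt: dict) -> bool:
    return any(a in ("s3:GetObject", "s3:Get*", "s3:*", "*") for a in _as_list(stmt.get("Action")))


def audit_bucket_policy(policy: dict, oai_id: str) -> list:
    """Return findings as strings; an empty list means the policy matches the OAI pattern.

    Conditions are ignored on purpose: a public statement narrowed by a Condition
    still deserves a human look, so it is reported rather than silently accepted.
    """
    findings = []
    oai_can_read = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _grants_read(stmt):
            continue
        principals = _principals(stmt)
        sid = stmt.get("Sid", "<no Sid>")
        if "*" in principals:
            findings.append(f"{sid}: read access granted to everyone, bypasses CloudFront")
        if oai_principal(oai_id) in principals:
            oai_can_read = True
    if not oai_can_read:
        findings.append(f"OAI {oai_id} is not allowed s3:GetObject; CloudFront would get 403 from S3")
    return findings


# Constructed sample: a bucket that was left public when CloudFront was put in front of it
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::sample-video-bucket/*"},
    ],
}

if __name__ == "__main__":
    good = build_oai_bucket_policy("sample-video-bucket", "E1SAMPLEOAI00")
    print(json.dumps(good, indent=2))
    print("good policy findings:", audit_bucket_policy(good, "E1SAMPLEOAI00"))
    print("public policy findings:", audit_bucket_policy(PUBLIC_POLICY, "E1SAMPLEOAI00"))
```

Run it against the JSON returned by `aws s3api get-bucket-policy` for a real bucket and an empty findings list is what you want to see; a public-read finding means the OAI is decorative, because anyone who knows the object URL can skip CloudFront entirely.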

CLOUDFRONT SIGNED URLs / COOKIES

Thanks to Signed URLs, you have more control over access to your content. A signed URL carries additional information, such as an expiration date and time, so the content is accessible only to specific users (premium users, for example). We need to differentiate between Signed URLs and Signed Cookies:

  • Signed URL → Grants access to one specific object. You need a signed URL per object.
  • Signed Cookies → Grant access to multiple objects.
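To make the "additional information" in a signed URL concrete, here is an added example (not the article's code and not AWS's) that builds the canned policy behind a CloudFront signed URL, applies CloudFront's URL-safe base64 variant, assembles the `Expires`, `Signature` and `Key-Pair-Id` query parameters, and then checks an incoming URL the way the edge must: signature first, expiry second. Real CloudFront signatures are RSA-SHA1 signatures made with the trusted key pair's private key (boto3's `CloudFrontSigner` produces them); the signer here is injected, and the demo signer is an HMAC stand-in so the block runs offline. Key pair id, domain and secret are constructed sample values, and resource URLs are assumed to carry no query string of their own.

```python
"""CloudFront signed URL mechanics, as an added example (not the article's code).

Builds the canned policy behind a signed URL (one resource plus an expiry
time), applies CloudFront's URL-safe base64 variant, assembles the query
string, and then checks an incoming signed URL the way the edge has to:
signature first, expiry second. In the real service the signature is an
RSA-SHA1 signature made with the trusted key pair's private key (boto3's
CloudFrontSigner or the `cryptography` package produce it); the signing and
verification functions here are injected, and the demo ones are an HMAC
stand-in so the block runs offline. Key pair id, domain and secret are
constructed sample values; resource URLs are assumed to carry no query string.
"""
import base64
import hashlib
import hmac
import json
from typing import Callable
from urllib.parse import parse_qs, urlencode, urlparse

KEY_PAIR_ID = "KSAMPLEKEYPAIR"                   # constructed; real ids come from the CloudFront console
_DEMO_SECRET = b"stand-in-for-the-private-key"   # constructed; never a real signing key


def canned_policy(resource_url: str, expires_epoch: int) -> bytes:
    # Whitespace-free JSON in the exact layout CloudFront expects for a canned policy
    doc = {"Statement": [{"Resource": resource_url,
                          "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}}}]}
    return json.dumps(doc, separators=(",", ":")).encode()


def cf_b64(data: bytes) -> str:
    # CloudFront's variant: '+', '=' and '/' become '-', '_' and '~' so the value is URL safe
    return base64.b64encode(data).decode().replace("+", "-").replace("=", "_").replace("/", "~")


def cf_b64_decode(text: str) -> bytes:
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))


def build_signed_url(resource_url: str, expires_epoch: int, key_pair_id: str,
                     sign: Callable[[bytes], bytes]) -> str:
    """Append the three query parameters a canned-policy signed URL carries."""
    signature = sign(canned_policy(resource_url, expires_epoch))
    query = urlencode({"Expires": expires_epoch,
                       "Signature": cf_b64(signature),
                       "Key-Pair-Id": key_pair_id})
    return f"{resource_url}?{query}"


def check_signed_url(url: str, key_pair_id: str,
                     verify: Callable[[bytes, bytes], bool], now: int) -> str:
    """Return 'ok', 'malformed', 'unknown-key', 'bad-signature' or 'expired'."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["Expires"][0])
        signature = cf_b64_decode(params["Signature"][0])
        key_id = params["Key-Pair-Id"][0]
    except (KeyError, ValueError):   # binascii.Error is a ValueError
        return "malformed"
    if key_id != key_pair_id:
        return "unknown-key"
    # The policy covers the URL without the signing parameters; rebuild it from the request
    resource = parsed._replace(query="", fragment="").geturl()
    if not verify(canned_policy(resource, expires), signature):
        return "bad-signature"   # any change to the path or to Expires invalidates the signature
    if now >= expires:
        return "expired"
    return "ok"


def demo_sign(policy: bytes) -> bytes:
    # Stand-in for RSA-SHA1 signing with the CloudFront private key
    return hmac.new(_DEMO_SECRET, policy, hashlib.sha256).digest()


def demo_verify(policy: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(demo_sign(policy), signature)


if __name__ == "__main__":
    video = "https://d111111abcdef8.cloudfront.net/premium/video.mp4"   # constructed domain
    expires = 2_000_000_000
    url = build_signed_url(video, expires, KEY_PAIR_ID, demo_sign)
    print(url)
    print("before expiry :", check_signed_url(url, KEY_PAIR_ID, demo_verify, now=expires - 60))
    print("after expiry  :", check_signed_url(url, KEY_PAIR_ID, demo_verify, now=expires + 60))
    print("other object  :", check_signed_url(url.replace("video.mp4", "other.mp4"),
                                              KEY_PAIR_ID, demo_verify, now=expires - 60))
```

The three checks map directly onto the exam point: a signed URL is bound to one object (changing the path breaks the signature), it stops working at `Expires` (and the expiry itself is signed, so it cannot be extended), and it only works with a key pair the distribution trusts. A signed cookie carries the same policy and signature fields as cookies instead of query parameters, which is why one cookie can cover many objects.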

AWS GLOBAL ACCELERATOR

AWS Global Accelerator is a networking service that improves the performance of your users’ traffic by up to 60% using Amazon Web Services’ global network infrastructure.

Unlike CloudFront, AWS Global Accelerator does not cache content; it lets us reach our applications faster by reducing latency. The diagram below shows the difference. Typically, to reach an application over the public internet we go through several hops, each adding latency. With AWS Global Accelerator, we connect directly to an Edge Location, which routes us over the AWS network straight to our service.

How AWS Global Accelerator works.

Therefore, CloudFront uses Edge Locations to cache content, while Global Accelerator uses Edge Locations to find an optimal path to the nearest regional endpoint. This distinction is the key point of the chapter.

TYPICAL EXAM QUESTIONS

A web application is deployed in multiple regions behind an Application Load Balancer. We need routing to the closest region and automatic failover, and traffic should traverse the AWS global network for consistent performance. How can this be achieved?

  1. Place an EC2 Proxy in front of the ALB and configure automatic failover
  2. Configure AWS Global Accelerator and configure the ALBs as targets
  3. Create alias records for each ALB and configure a latency-based routing policy
  4. Use a CloudFront distribution with multiple custom origins in each region and configure it for high availability

Solution: 2. AWS Global Accelerator is a networking service that improves the performance of your users’ traffic by up to 60% using Amazon Web Services’ global network infrastructure. It allows us to connect faster to our applications reducing the latency by directly connecting to an Edge Location, which will route directly to our service.

What advantage from this list does Amazon CloudFront provide?

  1. A private network link to the AWS cloud
  2. Automated deployment of resources
  3. Provides serverless compute services
  4. Reduced latency

Solution: 4. Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data to customers globally with low latency. CloudFront uses a global network of edge locations worldwide to serve content with low latency.

An organization wants to share regular updates using static web pages. The pages are expected to generate a large number of views from around the world. The files are stored in an Amazon S3 bucket. Which action should we take to accomplish this goal, designing an efficient and effective solution?

  1. Create EC2 instances around the world, and host this website in every instance
  2. Use cross-Region replication to all Regions
  3. Use the geo proximity feature of AWS S3
  4. Use Amazon CloudFront with the S3 bucket as its origin

Solution: 4. Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data to customers globally with low latency. CloudFront uses a global network of edge locations worldwide to serve content with low latency. You can use an Amazon S3 bucket as its origin to provide a global CDN, which caches content closer to the end users, thus reducing latency.

Creating EC2 instances worldwide would be costly and require a lot of management. Cross-Region replication would also be expensive and wouldn’t necessarily reduce latency. Finally, S3 doesn’t have any geo-proximity feature, so these options are incorrect.

A company shares some videos stored in an Amazon S3 bucket via CloudFront. We want to restrict access to the private content so that only users from specific IP addresses can access the videos. Direct access via the Amazon S3 bucket also shouldn’t be possible. How can this be achieved?

  1. Configure CloudFront to require users to access the files using signed cookies, create an origin access identity (OAI) and instruct users to log in with the OAI.
  2. Configure CloudFront to require users to access the files using a signed URL, create an origin access identity (OAI) and restrict access to the files in the Amazon S3 bucket to the OAI.
  3. Configure CloudFront to require users to access the files using signed cookies, and move the files to an encrypted EBS volume.
  4. Configure CloudFront to require users to access the files using a signed URL, and configure the S3 bucket as a website endpoint.

Solution: 2. This answer provides two layers of security. The first one is using Signed URLs, which you can use to restrict content access to specific users. The second one is the Origin Access Identity (OAI), which can be used to restrict access to your S3 content by allowing CloudFront to access your objects while preventing others from accessing them. So you can access these objects using CloudFront, but you cannot access them directly with an Amazon S3 Object URL.

More Questions?

  • Do you want more than 500 AWS practice questions?
  • Access to a real exam simulator to thoroughly prepare for the exam.
  • You can download all of the AWS questions on PDF.

All of this and more at FullCertified!

Thanks for Reading!

And that’s it for the CloudFront chapter. If you like my work and want to support me…

  1. The BEST way is to follow me on Medium here.
  2. Feel free to clap if this post is helpful for you! :)


Written by Gonzalo Fernandez Plaza

Computer Science Engineer & Tech Lead 🖥️. Publishing AWS & Snowflake ❄️ courses & exams. https://www.fullcertified.com
