DevOps Shack

Amazon CloudFront: A Comprehensive Guide

1. Introduction
Amazon CloudFront is a global content delivery network (CDN) service that
securely delivers data, videos, applications, and APIs to customers with low
latency and high transfer speeds. It integrates seamlessly with other AWS
services, enabling businesses and developers to easily enhance their content
delivery performance.

Importance of Content Delivery Networks

Content Delivery Networks (CDNs) play a crucial role in today's internet
infrastructure. By caching content at edge locations close to end-users, CDNs
reduce latency, improve load times, and provide a more reliable and efficient
way to deliver content across the globe.

1
History and Evolution
Since its launch in 2008, CloudFront has continuously evolved to meet the
increasing demands for faster and more secure content delivery. Over the
years, AWS has introduced several key features, including support for dynamic
content, improved security measures, and enhanced performance capabilities.

2. Key Features
Amazon CloudFront offers a wide range of features that make it a powerful and
versatile CDN. Here are some of the key features:
• Low Latency and High Transfer Speeds: CloudFront caches content in
multiple edge locations, ensuring fast delivery to users worldwide.
• Security: CloudFront offers robust security features, including AWS
Shield, AWS Web Application Firewall (WAF), and SSL/TLS encryption, to
protect against threats and ensure secure content delivery.
• Global Distribution: With a vast network of edge locations around the
world, CloudFront delivers content to users with low latency and high
performance.
• Customizable: Users can customize content delivery behavior using
Lambda@Edge, a serverless computing feature that allows code to run
closer to users.
• Seamless Integration: CloudFront integrates seamlessly with other AWS
services such as S3, EC2, and Lambda, providing a comprehensive
solution for content delivery.

3. How Amazon CloudFront Works

CloudFront works by caching content at edge locations close to the user's
geographical location. When a user requests content, CloudFront delivers it
from the nearest edge location, reducing latency and improving load times.
Architecture
The architecture of Amazon CloudFront consists of the following components:
1. Origin: The server where the original content is stored. This can be an
Amazon S3 bucket, an EC2 instance, or a custom server.

2
 2. Edge Locations: Data centers where CloudFront caches copies of the
content. These edge locations are strategically placed around the world
to ensure low latency and high availability.
3. Distribution: A configuration setting in CloudFront that specifies the
origin and other settings for content delivery.

Request Flow
When a user requests content from a website or application, the request is
routed to the nearest CloudFront edge location. If the content is cached at the
edge location, CloudFront delivers it directly to the user. If the content is not
cached, CloudFront retrieves it from the origin, caches it at the edge location,
and then delivers it to the user.

Cache Invalidation
Cache invalidation allows users to update or remove content from CloudFront's
cache. This is useful when there are updates to the content that need to be
reflected immediately.
import boto3

# Create CloudFront client

cf = boto3.client('cloudfront')

# Create CloudFront invalidation

response = cf.create_invalidation(
DistributionId='YOUR_DISTRIBUTION_ID',
InvalidationBatch={
'Paths': {
'Quantity': 1,
'Items': ['/path/to/invalidate']
},
'CallerReference': str(time.time())

3
 }
)

4. Use Cases
Amazon CloudFront is versatile and can be used for various purposes. Here are
some common use cases:
Website Acceleration
CloudFront speeds up the delivery of both static and dynamic content, such as
HTML, CSS, JavaScript, and images, improving the overall user experience.
Video Streaming
CloudFront enhances the performance of live and on-demand video streaming
by delivering high-quality video with minimal buffering and latency.
API Acceleration
By caching API responses at edge locations, CloudFront reduces latency and
improves the performance of API-based applications.
Software Distribution
CloudFront is ideal for distributing large files such as software updates,
patches, and other downloadable content, ensuring fast and reliable delivery.
Security
CloudFront provides built-in security features to protect websites and
applications from DDoS attacks, data breaches, and other threats.

5. Getting Started with Amazon CloudFront

Here are the steps to get started with Amazon CloudFront:
Step 1: Sign Up for AWS
If you don't already have an AWS account, you'll need to sign up at
aws.amazon.com.
Step 2: Create an S3 Bucket

4
Create an S3 bucket to store your content. You can use this bucket as the origin
for your CloudFront distribution.
Step 3: Set Up CloudFront Distribution
1. Open the CloudFront console.
2. Click on "Create Distribution."
3. Choose the "Web" option for web content.
4. Specify the S3 bucket as the origin.
5. Configure other settings such as cache behavior, security, and logging.
6. Click on "Create Distribution."
Example Code
Here’s how you can create a CloudFront distribution using the AWS SDK for
Python (Boto3):
import boto3

# Create CloudFront client

cf = boto3.client('cloudfront')

# Create CloudFront distribution

response = cf.create_distribution(
DistributionConfig={
'CallerReference': 'my-distribution-' + str(time.time()),
'Origins': {
'Quantity': 1,
'Items': [
{
'Id': '1',
'DomainName': 'mybucket.s3.amazonaws.com',

5
 'S3OriginConfig': {
'OriginAccessIdentity': ''
}
},
]
},
'DefaultCacheBehavior': {
'TargetOriginId': '1',
'ViewerProtocolPolicy': 'redirect-to-https',
'AllowedMethods': {
'Quantity': 2,
'Items': ['GET', 'HEAD'],
'CachedMethods': {
'Quantity': 2,
'Items': ['GET', 'HEAD']
}
},
'ForwardedValues': {
'QueryString': False,
'Cookies': {
'Forward': 'none'
}
},
'MinTTL': 0,
'DefaultTTL': 86400,
'MaxTTL': 31536000

6
 },
'Enabled': True
}
)

Customizing Content Delivery with Lambda@Edge

Lambda@Edge allows you to run code closer to users of your application,
which can help improve performance and reduce latency. You can use Lambda
functions to customize the content delivered by CloudFront.
import boto3

# Create Lambda client

lambda_client = boto3.client('lambda')

# Create Lambda function

response = lambda_client.create_function(
FunctionName='MyEdgeFunction',
Runtime='python3.8',
Role='arn:aws:iam::account-id:role/service-role/MyLambdaRole',
Handler='index.handler',
Code={
'S3Bucket': 'mybucket',
'S3Key': 'mycode.zip'
},
Description='My Lambda@Edge function',
Timeout=5,
MemorySize=128,

7
 Publish=True
)

5. Configuring Amazon CloudFront Distributions

Configuring Amazon CloudFront distributions involves setting up various
parameters to control how your content is delivered to end-users. Here are the
detailed steps and settings involved in configuring a CloudFront distribution.
Step 1: Creating a Distribution
1. Open the CloudFront Console: Sign in to the AWS Management Console
and open the CloudFront console.
2. Create Distribution: Click on "Create Distribution" and choose the
delivery method (Web or RTMP). For most use cases, select "Web".
3. Specify Origin Settings:
o Origin Domain Name: Enter the domain name of your origin
server (e.g., an Amazon S3 bucket, an EC2 instance, or a custom
server).
o Origin Path: Optionally, specify a directory path within your origin
that you want CloudFront to use as the starting point for requests.
o Origin ID: This is a unique identifier for the origin. CloudFront
generates a default ID, but you can also specify your own.
o Origin Access Identity (OAI): If you're using an S3 bucket as the
origin, you can set up an OAI to restrict access to your bucket only
through CloudFront.
Step 2: Configuring Default Cache Behavior Settings
1. Cache Behavior: Configure how CloudFront caches your content and
handles requests.
o Path Pattern: Specify the path pattern that this cache behavior
applies to (e.g., * for all files, /images/* for image files).
o Allowed HTTP Methods: Choose the HTTP methods that
CloudFront will accept for this cache behavior (e.g., GET, HEAD,
OPTIONS).

8
 o Viewer Protocol Policy: Choose how CloudFront should handle
viewer requests (e.g., redirect HTTP to HTTPS, allow all HTTP and
HTTPS).
o Forwarded Values: Configure which query string parameters,
headers, and cookies CloudFront should forward to the origin.
o Lambda@Edge: Attach Lambda functions to modify requests and
responses at the edge.
o TTL Settings: Specify the minimum, default, and maximum time-
to-live (TTL) values for how long CloudFront caches content.
Example Code: Creating a CloudFront Distribution
import boto3
import time

# Create CloudFront client

cf = boto3.client('cloudfront')

# Create CloudFront distribution

response = cf.create_distribution(
DistributionConfig={
'CallerReference': str(time.time()),
'Origins': {
'Quantity': 1,
'Items': [
{
'Id': 'S3-Origin',
'DomainName': 'mybucket.s3.amazonaws.com',
'S3OriginConfig': {
'OriginAccessIdentity': ''

9
 }
},
]
},
'DefaultCacheBehavior': {
'TargetOriginId': 'S3-Origin',
'ViewerProtocolPolicy': 'redirect-to-https',
'AllowedMethods': {
'Quantity': 7,
'Items': ['GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'OPTIONS', 'DELETE'],
'CachedMethods': {
'Quantity': 2,
'Items': ['GET', 'HEAD']
}
},
'ForwardedValues': {
'QueryString': True,
'Cookies': {
'Forward': 'all'
},
'Headers': {
'Quantity': 1,
'Items': ['*']
}
},
'MinTTL': 0,

10
 'DefaultTTL': 86400,
'MaxTTL': 31536000,
},
'Comment': 'My CloudFront Distribution',
'Enabled': True
}
)

Step 3: Setting Up Additional Cache Behaviors

If you need more specific cache behaviors for different types of content, you
can create multiple cache behaviors within the same distribution.
1. Add Cache Behavior: In the CloudFront console, click on "Behaviors"
under your distribution settings and add a new cache behavior.
2. Specify Path Pattern: Define the path pattern that this cache behavior
will apply to (e.g., /static/*).
3. Configure Cache Settings: Set the allowed HTTP methods, viewer
protocol policy, forwarded values, and TTL settings as needed.
4. Associate Lambda@Edge Functions: Attach Lambda functions to process
requests and responses for this specific cache behavior.
Example Code: Adding a Cache Behavior
import boto3

# Create CloudFront client

cf = boto3.client('cloudfront')

# Get the distribution config

dist_id = 'YOUR_DISTRIBUTION_ID'
response = cf.get_distribution_config(Id=dist_id)

11
config = response['DistributionConfig']

# Add a new cache behavior

config['CacheBehaviors']['Quantity'] += 1
config['CacheBehaviors']['Items'].append({
'PathPattern': '/images/*',
'TargetOriginId': 'S3-Origin',
'ViewerProtocolPolicy': 'redirect-to-https',
'AllowedMethods': {
'Quantity': 2,
'Items': ['GET', 'HEAD'],
'CachedMethods': {
'Quantity': 2,
'Items': ['GET', 'HEAD']
}
},
'ForwardedValues': {
'QueryString': False,
'Cookies': {
'Forward': 'none'
}
},
'MinTTL': 0,
'DefaultTTL': 86400,
'MaxTTL': 31536000,
})

12
# Submit the updated configuration
response = cf.update_distribution(
DistributionConfig=config,
Id=dist_id,
IfMatch=response['ETag']
)

Step 4: Configuring Error Pages and Security Settings

1. Custom Error Pages: Define custom error pages to be returned for
specific HTTP status codes.
o Add Custom Error Responses: In the CloudFront console, navigate
to the "Error Pages" tab and add custom error responses for
different status codes (e.g., 404 Not Found, 500 Internal Server
Error).
o Specify Error Caching TTL: Set the TTL for error responses to
control how long CloudFront caches the error pages.
2. Security Settings: Enhance the security of your CloudFront distribution
by configuring SSL/TLS certificates, AWS WAF, and geo-restrictions.
o SSL/TLS Certificates: Use AWS Certificate Manager (ACM) to
manage SSL/TLS certificates for secure data transmission.
o AWS WAF: Attach AWS WAF to your CloudFront distribution to
protect against common web exploits and attacks.
o Geo Restrictions: Set up geo-restrictions to control which
countries or regions can access your content.
Example Code: Configuring Custom Error Responses
import boto3

# Create CloudFront client

13
cf = boto3.client('cloudfront')

# Get the distribution config

dist_id = 'YOUR_DISTRIBUTION_ID'
response = cf.get_distribution_config(Id=dist_id)
config = response['DistributionConfig']

# Add custom error responses

config['CustomErrorResponses'] = {
'Quantity': 1,
'Items': [
{
'ErrorCode': 404,
'ResponsePagePath': '/error-pages/404.html',
'ResponseCode': '404',
'ErrorCachingMinTTL': 300
},
]
}

# Submit the updated configuration

response = cf.update_distribution(
DistributionConfig=config,
Id=dist_id,
IfMatch=response['ETag']
)

14
6. Configuring Amazon CloudFront Distributions
Amazon CloudFront allows you to configure various aspects of content delivery
through its distribution settings. Here are some key configuration options:
Distribution Settings
• Origin Settings: Define the source of the content, such as an S3 bucket,
EC2 instance, or a custom server.
• Default Cache Behavior: Control how CloudFront caches and serves your
content, including cache expiration, allowed HTTP methods, and viewer
protocol policies.
• Error Pages: Customize the responses for HTTP errors, such as 404 Not
Found or 500 Internal Server Error.
• Geo Restrictions: Restrict content delivery to specific geographic
locations or countries.
• Logging: Enable CloudFront access logs to monitor and analyze traffic to
your distribution.
Example Code
Here’s how you can update a CloudFront distribution using the AWS SDK for
Python (Boto3):
import boto3

# Create CloudFront client

cf = boto3.client('cloudfront')

# Get distribution config

dist_id = 'YOUR_DISTRIBUTION_ID'
response = cf.get_distribution_config(Id=dist_id)
config = response['DistributionConfig']
15
# Update distribution config
config['DefaultCacheBehavior']['ViewerProtocolPolicy'] = 'redirect-to-https'
config['Comment'] = 'Updated distribution configuration'

# Submit the updated configuration

response = cf.update_distribution(
DistributionConfig=config,
Id=dist_id,
IfMatch=response['ETag']
)

Using AWS Management Console

1. Open the CloudFront console.
2. Select the distribution
continew, complete it
...Continuing...
2. Select the distribution you want to update.
3. Click on the “Distribution Settings” tab.
4. Modify the settings as needed.
5. Click on “Save Changes” to apply the updates.
Advanced Settings
• Origin Groups: Use origin groups for high availability by specifying
primary and backup origins.
• Lambda@Edge: Customize your content delivery by running Lambda
functions at CloudFront edge locations.

16
 • Field-Level Encryption: Encrypt specific fields of your data to enhance
security.

7. Amazon CloudFront Pricing

Amazon CloudFront pricing is based on several factors, including data transfer,
HTTP/HTTPS requests, and additional features such as cache invalidation and
Lambda@Edge usage. Pricing varies by region and is calculated on a pay-as-
you-go basis.
Data Transfer
• Data Transfer Out: Charges are based on the volume of data transferred
from CloudFront edge locations to end-users. The cost decreases with
higher usage levels.
HTTP/HTTPS Requests
• Request Charges: Charges are based on the number of HTTP and HTTPS
requests made to your CloudFront distribution.
Additional Features
• Invalidation Requests: Charges apply for invalidating cached content.
• Lambda@Edge: Charges are based on the number of requests and the
duration of Lambda@Edge function execution.
• Field-Level Encryption: Charges apply for field-level encryption requests.
Example Pricing Calculation
Let’s assume you have the following usage:
• 1 TB of data transfer out per month
• 1 million HTTP/HTTPS requests
• 10 cache invalidation requests
• 1 million Lambda@Edge function executions with an average duration of
1 ms
You can use the AWS Pricing Calculator to estimate your monthly costs based
on this usage.

8. Security and Compliance

17
Amazon CloudFront includes several security features to protect your content
and ensure compliance with industry standards.
AWS Shield
AWS Shield is a managed Distributed Denial of Service (DDoS) protection
service that safeguards your web applications running on AWS. It provides
protection against common DDoS attacks, ensuring the availability and
reliability of your CloudFront distributions.
AWS WAF
AWS Web Application Firewall (WAF) helps protect your web applications from
common web exploits that could affect application availability, compromise
security, or consume excessive resources. You can create custom rules to filter
specific traffic patterns.
SSL/TLS Encryption
CloudFront supports SSL/TLS encryption to ensure secure data transmission
between clients and CloudFront edge locations. You can use AWS Certificate
Manager (ACM) to create and manage SSL/TLS certificates.
Access Controls
CloudFront provides various access control mechanisms to restrict access to
your content:
• Signed URLs and Signed Cookies: Restrict access to specific users by
using signed URLs or signed cookies.
• Geo Restrictions: Restrict content delivery to specific geographic
locations or countries.
Compliance
CloudFront complies with various industry standards and certifications,
including:
• PCI DSS: Payment Card Industry Data Security Standard
• SOC 1, SOC 2, and SOC 3: System and Organization Controls
• HIPAA: Health Insurance Portability and Accountability Act
• ISO 27001: Information Security Management System

18
9. Integration with Other AWS Services
Amazon CloudFront integrates seamlessly with various AWS services, providing
a comprehensive solution for content delivery.
Amazon S3
You can use Amazon S3 as the origin for your CloudFront distribution. S3 stores
your content and CloudFront delivers it to users with low latency and high
transfer speeds.
AWS Lambda and Lambda@Edge
Lambda@Edge allows you to run Lambda functions at CloudFront edge
locations to customize content delivery. You can use Lambda functions to
modify HTTP headers, generate dynamic content, and perform other
customizations.
Amazon EC2
You can use Amazon EC2 instances as the origin for your CloudFront
distribution. EC2 provides scalable computing resources, allowing you to host
dynamic content and applications.
Amazon Route 53
Amazon Route 53 is a highly available and scalable domain name system (DNS)
web service. You can use Route 53 to route traffic to your CloudFront
distributions, ensuring reliable and efficient content delivery.
AWS WAF
Integrate AWS WAF with CloudFront to protect your web applications from
common web exploits and attacks. You can create custom rules to filter specific
traffic patterns.
AWS Certificate Manager (ACM)
ACM allows you to create, manage, and deploy SSL/TLS certificates for your
CloudFront distributions. You can use ACM certificates to secure your content
and enhance user trust.

10. Performance Optimization

Optimizing the performance of your CloudFront distributions involves various
strategies, including caching, compression, and monitoring.
19
Caching Strategies
• Time-to-Live (TTL): Set appropriate TTL values for different types of
content. Shorter TTLs ensure content is updated frequently, while longer
TTLs reduce the number of requests to the origin.
• Cache Invalidation: Invalidate cached content when updates are
required. Use invalidation sparingly to minimize costs.
Compression
• Gzip Compression: Enable Gzip compression to reduce the size of your
content and improve transfer speeds.
• Brotli Compression: Use Brotli compression for better compression
ratios and faster delivery.
Monitoring and Analytics
• CloudFront Access Logs: Enable CloudFront access logs to monitor and
analyze traffic to your distributions. Use AWS CloudWatch to track key
metrics and set up alarms for critical events.
• AWS CloudWatch: Monitor CloudFront metrics such as cache hit rate,
origin latency, and HTTP status codes.

11. Troubleshooting and Best Practices

Troubleshooting common issues and following best practices can help ensure
the smooth operation of your CloudFront distributions.
Common Issues
• Slow Performance: Check cache hit ratios and origin latency. Ensure
content is properly cached at edge locations.
• Configuration Errors: Verify origin settings, cache behavior, and
distribution configurations. Use AWS CloudFormation for consistent and
repeatable deployments.
• Security Warnings: Ensure proper SSL/TLS settings and access controls.
Regularly review and update security configurations.

20
Best Practices
• Use Multiple Origins: Distribute content across multiple origins for high
availability and fault tolerance.
• Enable Logging: Use CloudFront access logs for monitoring and
troubleshooting. Analyze logs to identify and address performance
issues.
• Monitor Performance: Use AWS CloudWatch to monitor key metrics and
set up alarms for critical events. Regularly review and optimize cache
behavior.

12. Case Studies

Exploring real-world examples of companies using Amazon CloudFront can
provide valuable insights into its capabilities and benefits.
Example 1: Video Streaming Service
A video streaming service uses CloudFront to deliver high-quality video content
to users worldwide. By caching content at edge locations, CloudFront reduces
buffering and latency, ensuring a smooth viewing experience.
Example 2: E-commerce Platform
An e-commerce platform uses CloudFront to accelerate the delivery of web
pages and static content. CloudFront's caching and security features enhance
the platform's performance and protect against threats.
Example 3: API-Based Application
An API-based application uses CloudFront to cache API responses and reduce
latency for users. CloudFront's integration with AWS Lambda allows the
application to customize content delivery and improve performance.

13. Conclusion
Amazon CloudFront is a powerful and flexible CDN that can significantly
improve the performance, security, and scalability of your web applications. By
leveraging its robust features and integrations, you can deliver content faster
and more securely to users around the world. Whether you’re looking to
accelerate your website, enhance video streaming, secure your applications, or

21
optimize API performance, CloudFront provides a comprehensive solution
tailored to your needs.

22