Notebook

AWS CloudFront

CloudFront

  • Content Delivery Network (CDN): improves read performance because content is cached at edge locations around the world.
  • DDoS protection; integrates with AWS WAF (web application firewall) and Shield. Can expose an external HTTPS endpoint and talk to internal HTTPS backends.
  • Origins: S3 bucket - for distributing files and caching them at the edge. Enhanced security with Origin Access Identity (OAI). Can also be used as an ingress for uploads. Custom origin (HTTP) - ALB, EC2 instance, S3 website (static), any HTTP backend.
  • High-level picture: the edge location either serves from its cache or forwards the request to the origin.
  • For an ALB or EC2 origin, the security group must allow the public IPs of the edge locations (security group / network setup).
  • Geo Restriction - whitelist, blacklist.
  • CloudFront vs S3 Cross-Region Replication: - CloudFront is a global edge network; files are cached for a TTL (maybe a day). Great for static content that must be available everywhere. - S3 CRR must be set up per region you replicate to; files are updated in real time; replicas are read only. Great for dynamic content with low latency in a few regions.

  • DNS needs time to propagate changes, so use the CloudFront domain name and not the S3 URL.
  • https://stackoverflow.com/questions/38735306/aws-cloudfront-redirecting-to-s3-bucket
  • OAI allows only the CloudFront identity to access the files.
  • To make files public on S3, first update the bucket's public access settings so that files can be made public.

Caching

  • Cache key based on headers, session cookies and query parameters. The cache lives at each edge location and is controlled by TTL.
  • Cache dynamic and static content separately.
  • Part of the cache can be invalidated with the CreateInvalidation API.

Security

  • Geo Restriction.
  • HTTPS: viewer protocol policy, origin protocol policy.
  • Signed URLs / cookies: attach a policy with expiration, allowed IP ranges and trusted signers.
  • CloudFront Signed URL vs S3 Pre-signed URL: a CloudFront signed URL allows access to a path no matter what the origin is; account-wide key pair; can filter by IP, date and expiration; uses the cache. An S3 pre-signed URL issues the request as the IAM principal who pre-signed it, using that principal's IAM keys; limited lifetime.
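Added example (not from these notes, nor AWS code): how the signed-URL policy described above is assembled, with the expiration and IP-range conditions, CloudFront's URL-safe base64 encoding, and the Policy / Signature / Key-Pair-Id query parameters. The RSA-SHA1 signer is injected as a callable (the same shape botocore's CloudFrontSigner uses); the distribution domain, key pair ID, expiry and IP range are constructed placeholders, and stand_in_signer is a dummy so the code runs offline.

```python
import base64
import json
from typing import Callable, Optional
from urllib.parse import parse_qs, urlparse

# Placeholders, not real values: distribution domain and trusted-signer key pair ID.
DISTRIBUTION = "https://d111111abcdef8.cloudfront.net"
KEY_PAIR_ID = "APKAEXAMPLE"

def cloudfront_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64 variant: '+'->'-', '='->'_', '/'->'~'."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans("+=/", "-_~"))

def build_custom_policy(resource: str, expires_epoch: int, source_ip: Optional[str] = None) -> str:
    """Custom policy: expiration (DateLessThan) plus an optional viewer IP range."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if source_ip:
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    policy = {"Statement": [{"Resource": resource, "Condition": condition}]}
    # The signature covers these exact bytes, so emit compact JSON with no whitespace.
    return json.dumps(policy, separators=(",", ":"))

def sign_url(url: str, key_pair_id: str, expires_epoch: int,
             rsa_signer: Callable[[bytes], bytes], source_ip: Optional[str] = None) -> str:
    """Append Policy, Signature and Key-Pair-Id to `url`. `rsa_signer` must return an
    RSA-SHA1 signature made with the trusted key pair's private key; it is injected so
    no private key lives in this code."""
    policy = build_custom_policy(url, expires_epoch, source_ip)
    signature = rsa_signer(policy.encode("utf-8"))
    sep = "&" if "?" in url else "?"
    return (f"{url}{sep}Policy={cloudfront_b64(policy.encode('utf-8'))}"
            f"&Signature={cloudfront_b64(signature)}&Key-Pair-Id={key_pair_id}")

def decode_policy(signed_url: str) -> dict:
    """Recover the policy document from a signed URL (what the edge evaluates)."""
    raw = parse_qs(urlparse(signed_url).query)["Policy"][0]
    return json.loads(base64.b64decode(raw.translate(str.maketrans("-_~", "+=/"))))

def stand_in_signer(message: bytes) -> bytes:
    """Constructed stand-in so the example runs offline; CloudFront would reject it.
    A real deployment signs with RSA-SHA1 using the key pair's private key."""
    return b"stand-in-signature:" + message[:8]

def demo() -> str:
    # Link valid until epoch 1700000000 and only from 203.0.113.0/24 (constructed values).
    return sign_url(f"{DISTRIBUTION}/paid/video.mp4", KEY_PAIR_ID, 1700000000,
                    stand_in_signer, source_ip="203.0.113.0/24")
if __name__ == "__main__":
    print(demo())
```

Note that the whole policy travels in the URL, so the expiry and IP range are visible to the viewer; only the signature prevents tampering with them.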

Questions

  • CloudFront Signed URLs are commonly used to distribute paid content through dynamic CloudFront Signed URL generation.
  • S3 CRR allows you to replicate the data from one bucket in a region to another bucket in another region.