Introduction to AWS CloudFront

Mathew Kenny Thomas
Tensult Blogs
Jun 27, 2018 (5 min read)

This Blog has been moved from Medium to blogs.tensult.com. All the latest content will be available there. Subscribe to our newsletter to stay updated.

Let’s start off by looking at what a CDN is and why we use one. CDN stands for Content Delivery Network. It is a very large distribution of caching servers located around the world. It holds copies of the content that is stored on your origin servers and routes viewers to the best location, so that they can view the content from the cache. The content can be static (content that does not change) or dynamic (content that does change) in nature. A CDN adds to the scalability and performance of applications.

CloudFront is Amazon’s global content delivery network, with massive capacity and scale. It is optimised for performance and scalability. Security features are also built in, and you can configure them for optimal service. The user is in control of the service and can make changes on the fly. It includes real-time reporting so that you can monitor performance and make changes to the application or to the way the CDN interfaces with it. It has been optimised for static and dynamic objects and for video delivery. For a more basic understanding of how CloudFront functions, see the AWS developer guide page on how CloudFront works, linked under the figures below.

Let’s take a look at some of the components of CloudFront.

Distributions

A distribution is the instantiation of CloudFront. It acts as a pointer to the original content that you are hosting, either in an AWS origin or in a custom origin. The origins need to be specified in the distribution so that CloudFront knows where to get the content when a request comes in and the content is not stored in the cache.

Origins

An origin describes the Amazon S3 bucket, HTTP server or EC2 instance from which CloudFront gets the content. At least one origin must be created. To maintain security and make sure that your origin delivers content only to CloudFront, there are a couple of things you can do. You can use an OAI (Origin Access Identity) for S3, which restricts access to the S3 bucket to CloudFront alone; any request not coming from CloudFront will be denied. You can use a signed URL, so that CloudFront uses it to access the origin and the origin responds only if the signed URL is valid. You can also use an origin custom header that CloudFront sends back to your origin; the origin checks for the header, and if it is missing or its value is incorrect, the request is denied.
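The origin custom header check described above, implemented at the origin as a WSGI middleware. This is an added example, not code from the original post or from AWS; the header name X-Origin-Verify and the secret value are constructed for the demonstration, and the comparison is constant-time so that a wrong guess cannot be timed against the real value.

```python
import hmac

# Constructed shared secret for the demonstration. In a real deployment the same value is
# set as the custom origin header on the CloudFront origin and kept out of source control.
ORIGIN_SECRET = "constructed-example-secret"
# WSGI environ key for a header named X-Origin-Verify (the header name is an assumption).
HEADER_ENV_KEY = "HTTP_X_ORIGIN_VERIFY"

def origin_header_is_valid(environ, secret=ORIGIN_SECRET):
    """True only when the request carries the custom origin header with the expected value."""
    presented = environ.get(HEADER_ENV_KEY)
    if presented is None:
        return False
    # Constant-time comparison so response timing does not leak the secret byte by byte.
    return hmac.compare_digest(presented.encode(), secret.encode())

class OriginVerifyMiddleware:
    """Rejects requests that did not come through CloudFront with the shared header."""

    def __init__(self, app, secret=ORIGIN_SECRET):
        self.app = app
        self.secret = secret

    def __call__(self, environ, start_response):
        if not origin_header_is_valid(environ, self.secret):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct origin access denied\n"]
        return self.app(environ, start_response)

def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the origin\n"]

def call(app, environ):
    """Minimal WSGI driver for the demonstration; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body

protected_app = OriginVerifyMiddleware(hello_app)

if __name__ == "__main__":
    # Constructed requests: one hitting the origin directly, one arriving via CloudFront.
    print(call(protected_app, {"PATH_INFO": "/"}))
    print(call(protected_app, {"PATH_INFO": "/", HEADER_ENV_KEY: ORIGIN_SECRET}))
```

The same check belongs in front of every path on the origin, since an attacker who reaches the origin directly bypasses every CloudFront behavior, geo restriction and WAF rule.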

Behaviors

Behaviors are where you do all the configuration. They allow you to enforce policies, change or vary the type of content delivered depending on who is requesting it, and control how long an object stays in the cache. A CloudFront distribution has one or more behaviors, and there is always one default behavior. You can have several behaviors in an order of precedence; if none of the conditions in that order is met, the default behavior applies.
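The precedence rule above, as an added example that is not part of the original post: behaviors are tried in order, the first matching path pattern wins, and the "*" default is applied only when nothing else matches. The second function reviews a constructed behavior list for a restricted pattern that a looser, earlier pattern silently shadows. Matching uses fnmatch's "*" and "?" as an approximation of CloudFront path patterns.

```python
from fnmatch import fnmatchcase

# Constructed behaviors in the precedence order CloudFront would evaluate them. The "*"
# entry is the default behavior: it is always considered last, wherever it sits in the list.
BEHAVIORS = [
    {"path_pattern": "/api/*", "ttl": 0, "restricted": True},
    {"path_pattern": "*.jpg", "ttl": 86400, "restricted": False},
    {"path_pattern": "*", "ttl": 3600, "restricted": False},
]

def select_behavior(path, behaviors=BEHAVIORS):
    """Return the first non-default behavior whose pattern matches, else the default."""
    default = next(b for b in behaviors if b["path_pattern"] == "*")
    for behavior in behaviors:
        if behavior["path_pattern"] != "*" and fnmatchcase(path, behavior["path_pattern"]):
            return behavior
    return default

def shadowed_restricted_paths(behaviors, sample_paths):
    """Sample paths that a restricted behavior matches but a looser, earlier one wins.

    Returns (path, winning pattern, shadowed restricted pattern) tuples; an empty
    list means every restricted pattern actually takes effect for these samples.
    """
    findings = []
    for path in sample_paths:
        chosen = select_behavior(path, behaviors)
        for behavior in behaviors:
            if (behavior["restricted"] and behavior is not chosen
                    and behavior["path_pattern"] != "*"
                    and fnmatchcase(path, behavior["path_pattern"])):
                findings.append((path, chosen["path_pattern"], behavior["path_pattern"]))
    return findings

# Constructed misordering: the broad "*.json" sits before the restricted "/api/*", so
# "/api/users.json" is served with the looser behavior.
MISORDERED = [
    {"path_pattern": "*.json", "ttl": 3600, "restricted": False},
    {"path_pattern": "/api/*", "ttl": 0, "restricted": True},
    {"path_pattern": "*", "ttl": 3600, "restricted": False},
]
```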

Restrictions, Errors and Tags

CloudFront allows you to restrict access based on the geographical location of the requester at no additional cost. You can either white list or black list a location. This could be for security reasons or because you only have the rights to distribute content to a few regions. Errors allow you to return a custom error page when an error occurs. You can cache the error page for a certain amount of time and also set the response code that should be sent.

AWS WAF (Web Application Firewall)

AWS WAF helps protect your web applications from common exploits that could affect availability, compromise security, or consume excessive resources. It lets you define customisable security rules that determine which traffic to allow and which to deny. It is a Layer 7 (application layer) protection built into each of the CloudFront edge locations worldwide.

Regional Edge Caches

CloudFront Regional Edge Caches are regional caches deployed around the world that act as a caching tier between the edge locations and the origin. Earlier, when there were no Regional Edge Caches, the CDN edge locations had to go back to the origin whenever they did not have the content. With Regional Edge Caches, the edge locations go to the origin only if the Regional Edge Cache does not have the content either. Regional Edge Caches lie between the CDN edge locations and the origins; they help reduce the load on the origin, allow you to scale the CDN without having to scale the origin, and do not incur any additional cost. Regional Edge Caches are larger than edge location caches, so objects remain in them longer.

To configure CloudFront, you first create a CloudFront distribution so that CloudFront knows where to deliver the content from. You specify origin servers (S3 buckets or HTTP servers) that store your objects (files). You upload the files, which can be web pages, images and media files, to your origin servers. Then you create the distribution so that CloudFront knows which origin servers to get the files from. You can also specify whether you want to log all requests and whether you want to enable the distribution as soon as it is created. CloudFront assigns a domain name to your distribution, which you can see in the console, and sends the configuration of the distribution to all of its edge locations.

Configuring CloudFront (Source: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/HowCloudFrontWorks.html)

When a user requests objects on your website or application, DNS routes the request to the nearest CloudFront edge location, the one that can best serve the user’s request in terms of latency. At the edge location, CloudFront checks whether the requested content is in the cache and, if so, returns it to the user. If the content is not in the cache, CloudFront forwards the request to the applicable origin server. The origin server sends the corresponding file to the CloudFront edge location, which forwards it to the user and also stores it in the cache in case someone else requests that file.
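The request path described above and in the Regional Edge Caches section, as an added simulation that is not part of the original post: two constructed edge locations share one regional cache in front of a single origin, and the origin counts how often it is actually asked for the object. The cache, origin and TTL values are all constructed for the demonstration.

```python
class Cache:
    """Constructed minimal TTL cache standing in for one caching tier."""

    def __init__(self, name):
        self.name = name
        self.store = {}  # key -> (content, expiry time)

    def get(self, key, now):
        entry = self.store.get(key)
        if entry is None or entry[1] <= now:  # missing or expired
            self.store.pop(key, None)
            return None
        return entry[0]

    def put(self, key, content, ttl, now):
        self.store[key] = (content, now + ttl)

class Origin:
    """Stand-in origin server that records how many times it had to serve a request."""

    def __init__(self):
        self.fetches = 0

    def fetch(self, key):
        self.fetches += 1
        return f"content-of-{key}"

def serve(key, edge, regional, origin, ttl, now):
    """Edge cache first, then the regional edge cache, then the origin; returns (content, tier)."""
    content = edge.get(key, now)
    if content is not None:
        return content, edge.name
    content = regional.get(key, now)
    if content is not None:
        edge.put(key, content, ttl, now)
        return content, regional.name
    content = origin.fetch(key)  # both tiers missed: go back to the origin and fill them
    regional.put(key, content, ttl, now)
    edge.put(key, content, ttl, now)
    return content, "origin"

def demo():
    """Four requests for one object at t=0,1,2,100 s with a 60 s TTL; returns (tiers, origin fetches)."""
    origin, regional = Origin(), Cache("regional-edge-cache")
    edge_a, edge_b = Cache("edge-A"), Cache("edge-B")
    tiers = []
    for edge, t in ((edge_a, 0), (edge_b, 1), (edge_a, 2), (edge_a, 100)):
        _, tier = serve("/logo.png", edge, regional, origin, ttl=60, now=t)
        tiers.append(tier)
    return tiers, origin.fetches
```

Without the regional tier, the second request from edge B would have been a second trip to the origin.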

Content delivery using CloudFront (Source: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/HowCloudFrontWorks.html)

CloudFront ensures that data is distributed globally with the highest performance possible. We can protect our content by using CloudFront’s private content feature to regulate who can access it. CloudFront is one of the easiest to use and most highly available content delivery networks on the market.
