1. What is CloudFront?

Amazon CloudFront is a Content Delivery Network (CDN) that caches content at 400+ Edge Locations worldwide. It delivers data, videos, applications, and APIs with low latency and high transfer speeds.

Core Concept

CloudFront caches content close to your users. When a user in Tokyo requests your website hosted in us-east-1, CloudFront serves it from the nearest Edge Location in Tokyo (cache hit = fast). On the first request (cache miss), CloudFront fetches from origin, caches, then serves. Subsequent requests are served from cache.

2. Key Concepts

  1. Origin: The source of the content. Can be: S3 bucket, ALB, EC2 instance, API Gateway, custom HTTP server, MediaStore, MediaPackage.
  2. Distribution: A CloudFront configuration that defines origins, cache behavior, and edge location settings. One distribution = one CloudFront domain (d111.cloudfront.net).
  3. Edge Location: A CDN endpoint that caches content. 400+ locations globally. Not the same as AWS Regions or AZs.
  4. Regional Edge Cache: A larger cache between Edge Locations and the origin. For less popular content. Reduces origin fetches.
  5. TTL (Time to Live): How long an object stays in the cache before CloudFront fetches a new copy from origin. Default: 24 hours. Configurable per path.

3. Origins

Origin Access Control (OAC)

  1. Replaces the older Origin Access Identity (OAI)
  2. Restricts S3 bucket access to ONLY CloudFront (users cannot access S3 directly)
  3. S3 bucket policy grants access to the CloudFront distribution
  4. Supports SSE-KMS encrypted objects (OAI did not)
  5. Always use OAC for S3 origins (not OAI, which is legacy)

4. Cache Behaviors

  1. Define how CloudFront handles requests based on URL path patterns
  2. Default behavior (*) applies to all requests not matching other patterns
  3. Pattern examples: /images/*, /api/*, *.js, /static/*
  4. Each behavior can have: different origin, different TTL, different caching policy, different viewer protocol
  5. Example: /api/* → ALB origin (no cache), /images/* → S3 origin (cache 1 day)

5. CloudFront Security

HTTPS

  1. Viewer → CloudFront: enforce HTTPS (redirect HTTP to HTTPS or HTTPS only)
  2. CloudFront → Origin: HTTPS or match viewer protocol
  3. Uses ACM certificates (must be in us-east-1 for CloudFront)
  4. Supports SNI (Server Name Indication) for multiple domains on one distribution

Geo-Restriction

  1. Allowlist: only allow access from specified countries
  2. Denylist: block access from specified countries
  3. Uses a third-party GeoIP database to determine user’s country

Signed URLs & Signed Cookies

  1. Both use a trusted key group (CloudFront key pair) or trusted signer
  2. Include: expiration, allowed IP ranges, and the file/path
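A worked form of the signed URL described above, as an added example (not code from the page or from AWS): the custom policy carries the expiration, the allowed IP range and the file/path pattern, and is encoded with CloudFront's URL-safe base64 variant. The distribution name, key pair id and the injected signer are assumptions; a real signer is RSA-SHA1 with the private key matching a public key in the trusted key group.

```python
"""CloudFront custom-policy signed URL: expiration, allowed IP range, path.

Added example (not AWS or the page's own code). Signing is injected as a
callable so the block runs offline; in production it is RSA-SHA1 with the
private key matching a public key in the distribution's trusted key group.
"""
import base64
import ipaddress
import json
import time
from typing import Callable, Optional


def cf_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64: '+' '=' '/' become '-' '_' '~'."""
    return base64.b64encode(data).decode().translate(str.maketrans("+=/", "-_~"))


def cf_b64_decode(text: str) -> bytes:
    return base64.b64decode(text.translate(str.maketrans("-_~", "+=/")))


def build_policy(resource: str, expires_at: int, source_ip: Optional[str] = None) -> str:
    """Compact JSON policy, no whitespace, as CloudFront expects it to be signed.
    `resource` is one URL or a wildcard pattern such as https://host/private/*."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires_at}}
    if source_ip:
        ipaddress.ip_network(source_ip)  # fail fast on a malformed CIDR
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    return json.dumps({"Statement": [{"Resource": resource, "Condition": condition}]},
                      separators=(",", ":"))


def signed_url(resource: str, policy: str, key_pair_id: str,
               signer: Callable[[bytes], bytes]) -> str:
    """Append Policy, Signature and Key-Pair-Id; cf_b64 output needs no escaping."""
    return (f"{resource}?Policy={cf_b64(policy.encode())}"
            f"&Signature={cf_b64(signer(policy.encode()))}&Key-Pair-Id={key_pair_id}")


def policy_permits(policy: str, client_ip: str, now: Optional[int] = None) -> bool:
    """Evaluate the policy's own conditions: not expired, client IP in the allowed
    range. Signature verification is a separate step and is not modelled here."""
    cond = json.loads(policy)["Statement"][0]["Condition"]
    now = int(time.time()) if now is None else now
    if now >= cond["DateLessThan"]["AWS:EpochTime"]:
        return False
    allowed = cond.get("IpAddress", {}).get("AWS:SourceIp")
    return allowed is None or ipaddress.ip_address(client_ip) in ipaddress.ip_network(allowed)


if __name__ == "__main__":
    # Constructed values: hypothetical distribution, key pair id and a stand-in
    # signer (NOT a real signature) so the demo runs without a private key.
    pol = build_policy("https://d111.cloudfront.net/private/*", 1_900_000_000, "203.0.113.0/24")
    print(signed_url("https://d111.cloudfront.net/private/report.pdf", pol, "KEXAMPLE", lambda b: b[:8]))
```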

AWS WAF Integration

  1. Associate an AWS WAF (Web Application Firewall) web ACL with the CloudFront distribution so requests are inspected at the edge
  2. Filter requests by: IP, country, request rate, SQL injection, XSS, custom rules
  3. WAF rules are evaluated BEFORE CloudFront caching

Field-Level Encryption

  1. Encrypt specific fields in POST requests at the Edge Location using a public key
  2. Only your application server (with the private key) can decrypt
  3. Data stays encrypted through CloudFront → ALB → application
  4. Use for: protecting sensitive form data (credit card numbers, PII)

6. CloudFront Functions vs Lambda@Edge

  1. CloudFront Functions: lightweight JavaScript functions that run at the Edge Location with sub-millisecond execution; triggered only on viewer request and viewer response. Use for: header manipulation, URL rewrites and redirects, cache key normalization, simple request authorization checks.
  2. Lambda@Edge: Node.js or Python Lambda functions that run at the Regional Edge Cache; triggered on all four events (viewer request, viewer response, origin request, origin response); longer execution time, network access, and access to the request body. Use for: complex edge logic that needs external calls or heavier processing.

7. Cache Invalidation

  1. Force CloudFront to remove cached objects before TTL expires
  2. Invalidate specific paths: /images/logo.png, /css/*, or /* (everything)
  3. First 1,000 invalidation paths per month are free; $0.005 per path after
  4. Alternative: use versioned file names (app-v2.js) — no invalidation needed, always fresh

8. CloudFront Price Classes

  1. Control which Edge Locations CloudFront uses (to reduce cost)
  2. Price Class All: All Edge Locations worldwide. Best performance. Highest cost.
  3. Price Class 200: Most Regions (excludes the most expensive locations).
  4. Price Class 100: Least expensive Regions only (North America, Europe). Lowest cost.

Exam Tip

  1. "Reduce latency for global users" = CloudFront.
  2. "Restrict S3 direct access" = OAC (not OAI).
  3. "Signed URL" = one file. "Signed Cookie" = many files.
  4. "Country restriction" = Geo-Restriction.
  5. ACM cert for CloudFront = must be in us-east-1.
  6. "Lightweight edge logic" = CloudFront Functions. "Complex edge logic" = Lambda@Edge.
  7. Cache invalidation costs money; versioned filenames are free.