AWS CloudFront

• Global service.

• AWS CloudFront is a CDN (Content Delivery Network).

• Improves read performance, content is cached at the edge, reducing load at the origin.

• 216 Point of Presence globally (Edge Locations).

• DDoS protection (because worldwide), integration with Shield, AWS Web Application Firewall.

• Edge Locations are present outside the VPC so the origin's SG must be configured to allow inbound requests from the list of public IPs of all the edge locations.

• Supports HTTP/RTMP protocol (does not support UDP protocol).

• Geo Restriction feature.

• Improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery).

• To block a specific IP at the CloudFront level, deploy a WAF on CloudFront.

• Supports Server Name Indication (SNI) to allow SSL traffic to multiple domains.

CloudFront - Origins

S3 Bucket

• For distributing files and caching them at the edge locations.

• Origin Access Identity (OAl) or Origin Access Control (OAC) allows the S3 bucket to only be accessed by CloudFront

• OAC is replacing OIA (Origin Access Identity).

• CloudFront can be used as an ingress (to upload files to S3).

Custom Origin (HTTP)

• need to be publicly accessible on HTTP by public IPs of edge locations

  • EC2 Instance

  • ELB

  • S3 Website (may contain client-side script)

  • On-premise backend

CloudFront - Geo Restriction

• You can restrict who can access your distribution.

  • Allow list: Allow your users to access your content only if they are in one of the countries on a list of approved countries.

  • Block list: Prevent your users from accessing your content if they are in one of the countries on a list of banned countries.

• The 'country' is determined using a third-party Geo-IP database.

• Use case: Copyright Laws to control access to content.

CloudFront vs S3 Cross Region Replication

CloudFront

• • Global Edge Network

    • Files are cached for a TTL (maybe a day)

    • Great for static content that must be available everywhere)

S3 Cross Region Replication

• • Must be setup for each region you want replication to happen

    • Files are updated in near real-time

    • Read only

    • Great for dynamic content that needs to be available at low-latency in few regions

• CloudFront is a CDN, which is to cache content all around the world. Whereas S3 Cross-Region Replication is to really replicate an entire bucket into another region.

CloudFront - Pricing

• CloudFront edge locations are all around the world.

• The cost of data out per edge location varies.

CloudFront - Price Classes

• You can reduce the number of edge locations for cost reduction.

• Three price classes:

  • Price Class All: all regions - best performance

  • Price Class 200: most regions, but excludes the most expensive regions.

  • Price Class 100: only the least expensive regions.

CloudFront - Cache Invalidations

• In case you update the backend origin, CloudFront doesn't know about it and will only get the refreshed content after the TTL has expired.

• However, you can force an entire or partial cache refresh (thus bypassing the TTL) by performing a CloudFront Invalidation.

• You can invalidate all files (*) or a special path (/images/*).

AWS Global Accelerator

Unicast IP VS Anycast IP

• Unicast IP: one server holds one IP address.

• Anycast IP: all server holds the same IP address and the client is routed to the nearest one.

Global Accelerator

• Global service.

• Improves availability of the application for global users

• Leverages the private AWS network to route requests to the application (faster)

• • Supports globally distributed application endpoints

    • Does not cache anything at the edge location

    • Endpoint could be public or private (could span multiple regions)

      • Elastic IP

      • EC2 instances

      • ALB

      • NLB

    • Endpoint Weights and Traffic Dials are used in Blue-Green Deployment

    • Not affected by client's DNS caching because the 2 anycast IPs are static (traffic dials and endpoint weights changes are effective within seconds)

    • Good for

      • non-HTTP use cases:

        • Gaming (UDP)

        • IoT (MQTT)

        • Voice over IP (VoIP)

      • HTTP use cases that require static IP addresses or fast regional failover

Working

• 2 anycast public IPs (static) are created for your application globally. Requests from clients hitting these IPs will automatically be routed to the nearest edge location. The Edge locations send the traffic to your application through the private AWS network.

• Traffic dials to control the percentage of traffic that is directed to an endpoint group (an AWS region where your application is deployed)

• Endpoint weights to determine the proportion of traffic that is directed to endpoints in an endpoint group

Disaster Recovery

• Global Accelerator performs health checks for the application

• Failover in less than 1 minute for unhealthy endpoints

Security

• Only 2 static IP need to be whitelisted by the clients

• Can be integrated with AWS Shield for DDoS protection

AWS Global Accelerator VS CloudFront

• They both use the AWS global network and its edge locations around the world.

• Both services integrate with AWS Shield for DDoS protection.

• CloudFront

  • Improves performance for both cacheable content (such as images and videos).

  • Dynamic content (such as API acceleration and dynamic site delivery).

  • Content is served at the edge.

• AWS Global Accelerator

  • Improves performance for a wide range of applications over TCP or UDP.

  • Proxying packets at the edge to applications running in one or more AWS regions.

  • Good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT) or Voice over IP.

  • Good for HTTP use cases that require static IP addresses.

  • Good for HTTP use cases that required deterministic, fast regional failover.