AWS: Services & Architecture
by Sergey Okinchuk
Route 53API Gateway
Amazon CloudFront
Service 26

Amazon CloudFront

NetworkingCDNEdge

CloudFront is AWS's global content delivery network. It pulls content from an origin — typically S3, an ALB, or any HTTP server — caches it at hundreds of edge locations worldwide, and serves each user from the nearest one. The same network terminates TLS, routes dynamic requests, and runs small functions at the edge.

The classic shape: static assets from S3 fronted by CloudFront for speed, or an ALB-backed app accelerated for global users. It doubles as a security boundary, hiding the origin from direct internet access.

Distributions, Origins, and Behaviors

A distribution is one CloudFront deployment with a domain like d123.cloudfront.net (or your own via a Route 53 alias). It has one or more origins (S3, ALB, an HTTP server, a Lambda function URL) and behaviors — path-pattern rules routing requests to an origin with specific caching and security settings.

A typical pattern: a default behavior pointing at an ALB for dynamic content and a /static/* behavior pointing at S3 with long cache TTLs.

Caching and Origin Access

Caching is governed by TTL (how long an edge keeps a response, set via Cache-Control or distribution settings), the cache key (what makes two requests "the same" — every header, cookie, or query string you add cuts the hit rate), and invalidations (paid purges before TTL expiry).

CloudFront — Edge Cache Hit vs Origin Fetch
Userrouted to the nearest edge
CloudFront edgecache hit → served instantly; TLS, WAF, Shield
Origincache miss → fetch from S3 or ALB (free to edge)
Cacheable content is served from hundreds of edge locations; only misses reach the origin. Behaviors route by path with their own cache settings.

For S3 origins, use Origin Access Control (OAC) so the bucket allows only your distribution — the modern replacement for legacy OAI. Signed URLs and cookies gate private content like paywalled video.

Security and Edge Compute

CloudFront terminates HTTPS at the edge (certificates via ACM), supports HTTP/2 and HTTP/3, and integrates AWS WAF to block bad requests before they reach the origin. Shield Standard is free and on by default for volumetric DDoS; field-level encryption protects sensitive fields end to end.

Two ways to run code at the edge: CloudFront Functions (sub-millisecond JavaScript for header rewrites, redirects, cache-key tweaks) and Lambda@Edge (fuller Lambda, 10–30 ms, for transformations or calling other services). Try CloudFront Functions first; reach for Lambda@Edge when the function must make API calls or manipulate the body.

CloudFront vs a regional load balancer

CloudFront — globally distributed users, cacheable content, or a managed front door with edge WAF and DDoS protection.

Regional load balancer (ALB) — internal or single-Region services that do not need global reach or edge caching — simpler and cheaper.

Common Mistakes
  • Leaving an S3 origin publicly readable instead of locking it to CloudFront with Origin Access Control.
  • Adding many headers, cookies, or query strings to the cache key, collapsing the cache-hit ratio.
  • Setting cache TTLs only at CloudFront and not at the origin, so browsers and proxies never cache.
  • Gating private content with bucket policies instead of signed URLs or cookies.
  • Going to production without a WAF Web ACL and AWS-managed rule groups attached.
  • Reaching for Lambda@Edge for a header tweak that a sub-millisecond CloudFront Function handles far cheaper.
Best Practices
  • Use Origin Access Control for S3 origins so only CloudFront can read the bucket.
  • Set Cache-Control headers at the origin, not just at CloudFront.
  • Keep static and dynamic content in separate behaviors with appropriate TTLs.
  • Use signed URLs or cookies for private content.
  • Attach a WAF Web ACL with managed rule groups before production.
  • Monitor the cache-hit ratio; under 80% on cacheable content usually means a cache-key or TTL problem.
Comparable services GCP Cloud CDNAzure Azure Front Door, Azure CDN

Knowledge Check

What is a CloudFront behavior?

  • A path-pattern rule routing matching requests to an origin with its own cache and security settings
  • A scheduled job that pre-warms the edge cache on a fixed interval before any viewer requests arrive
  • The TLS certificate issued from ACM and attached once to the whole distribution for every path
  • A periodic health check the edge runs against the origin to detect failures

How should an S3 origin be secured so only CloudFront can read it?

  • Origin Access Control (OAC), with a bucket policy allowing only the distribution
  • Making the bucket fully public and relying on the long, random URL for obscurity
  • A NAT Gateway placed in front of the S3 bucket to filter inbound reads
  • A security group attached to the S3 bucket

When should you choose CloudFront Functions over Lambda@Edge?

  • For tiny, sub-millisecond header rewrites and redirects that call no other service
  • Whenever the function must call an external API over the network to enrich the request
  • Whenever you need to read or rewrite the full response body on its way back
  • Always — Lambda@Edge has been fully deprecated

What does adding cookies and query strings to the CloudFront cache key do?

  • Lowers the cache-hit ratio, since more request variations become distinct entries
  • Improves the hit ratio by letting each edge location cache far more aggressively
  • Has no effect on caching behavior at all, since the key is only ever used for logging
  • Disables TLS termination at the edge locations

You got correct