Amazon CloudFront
Global CDN — edge caching, origins, cache behaviours, Origin Access Control, Lambda@Edge, and CloudFront Functions.
Overview
Amazon CloudFront is a global Content Delivery Network (CDN) — it caches and delivers content from 400+ edge locations worldwide, reducing latency and offloading traffic from origin servers.
CloudFront supports static and dynamic content, live and on-demand video streaming, WebSocket connections, and API acceleration. It integrates natively with S3, ALB, EC2, API Gateway, and MediaStore as origins.
Core Concepts
| Concept | Description |
|---|---|
| Distribution | A CloudFront configuration that defines origins, cache behaviours, and edge settings |
| Origin | The source of content — S3 bucket, ALB, EC2 instance, API Gateway, or any HTTP endpoint |
| Edge Location | A data centre in the CloudFront global network that caches content close to users |
| Regional Edge Cache | A larger mid-tier cache between edge locations and the origin — reduces origin fetches |
| Cache Behaviour | Rules that match URL path patterns and define caching, headers, TTLs, and edge function triggers |
| Origin Access Control (OAC) | Restricts S3 origin access so only CloudFront can read the bucket (replaces OAI) |
| Cache Key | The combination of values (URL, headers, query strings, cookies) that uniquely identifies a cached object |
| Invalidation | Removes cached objects from edge locations before TTL expiry |
How CloudFront Works
User Request → Nearest Edge Location
        │
        ├── Cache HIT → Return cached response (lowest latency)
        │
        └── Cache MISS
                │
                ▼
        Regional Edge Cache
                │
                ├── Cache HIT → Return + cache at edge
                │
                └── Cache MISS
                        │
                        ▼
                Origin (S3, ALB, etc.)
                        │
                        ▼
        Response cached at Regional Edge + Edge Location
Origin Types
| Origin | Configuration | Notes |
|---|---|---|
| S3 Bucket | S3 origin with OAC | Static content, websites, media |
| ALB / EC2 | Custom origin (HTTP/S) | Dynamic content, APIs |
| API Gateway | Custom origin | Serverless APIs |
| MediaStore / MediaPackage | Specialised origins | Live/VOD streaming |
| Custom HTTP server | Any publicly accessible HTTP/S endpoint | Third-party or on-premises origins |
| Origin Group | Primary + failover origin (automatic failover on 5xx/4xx) | High availability for origin errors |
SAA/SAP Tip: Origin Groups enable automatic origin failover. Configure a primary and secondary origin — CloudFront switches to the secondary when the primary returns configurable error codes (e.g., 502, 503, 504). This is a common HA exam pattern.
Cache Behaviours
Each distribution can have multiple cache behaviours, matched by URL path pattern (e.g., /api/*, /images/*, *).
| Setting | Description |
|---|---|
| Path Pattern | URL pattern this behaviour applies to (/api/*, *.jpg, default *) |
| Origin | Which origin to forward requests to |
| Cache Policy | Controls TTL, headers, query strings, and cookies included in the cache key |
| Origin Request Policy | Controls which headers, query strings, and cookies are forwarded to the origin |
| Viewer Protocol Policy | HTTP only, HTTPS only, or Redirect HTTP to HTTPS |
| Edge Functions | Lambda@Edge or CloudFront Functions triggers |
Security
Origin Access Control (OAC)
- Restricts S3 bucket access to CloudFront only (bucket policy references CloudFront distribution)
- Replaces the legacy Origin Access Identity (OAI) — OAC supports SSE-KMS and all S3 features
- Prevents direct S3 URL access, forcing all traffic through CloudFront
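As an added example (not from the page or from AWS), the bucket policy shape an OAC origin needs next to a small audit that flags policies which still let readers reach the objects without going through the distribution. The bucket name, account id and distribution id are placeholders.

```javascript
// Added example, not from the page: the bucket policy an OAC origin needs, plus an
// audit that flags statements letting readers reach the bucket without CloudFront.
// Bucket name, account id and distribution id below are placeholders.
const BUCKET = "example-static-site-bucket";                                       // placeholder
const DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"; // placeholder

// The policy the OAC setup generates: read-only, CloudFront service principal,
// pinned to exactly one distribution through the AWS:SourceArn condition.
function oacBucketPolicy(bucket, distributionArn) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Sid: "AllowCloudFrontServicePrincipalReadOnly",
      Effect: "Allow",
      Principal: { Service: "cloudfront.amazonaws.com" },
      Action: "s3:GetObject",
      Resource: `arn:aws:s3:::${bucket}/*`,
      Condition: { StringEquals: { "AWS:SourceArn": distributionArn } },
    }],
  };
}

// Return the Sids of Allow statements that grant object reads to anyone other than
// the pinned distribution: a public principal, or the CloudFront service principal
// with no AWS:SourceArn condition (any distribution in any account could then use it).
function findBypassStatements(policy) {
  const findings = [];
  for (const st of policy.Statement) {
    if (st.Effect !== "Allow") continue;
    const actions = [].concat(st.Action);
    if (!actions.some((a) => ["s3:GetObject", "s3:*", "*"].includes(a))) continue;
    const p = st.Principal;
    const isPublic = p === "*" || (!!p && p.AWS === "*");
    const isCfService = !!p && p.Service === "cloudfront.amazonaws.com";
    const pinned = !!(st.Condition && st.Condition.StringEquals &&
      st.Condition.StringEquals["AWS:SourceArn"]);
    if (isPublic || (isCfService && !pinned)) findings.push(st.Sid || "(no Sid)");
  }
  return findings;
}

// Constructed sample of the weak setting: a world-readable bucket, which the
// "private bucket + OAC" pattern above is meant to replace.
const PUBLIC_READ_POLICY = {
  Version: "2012-10-17",
  Statement: [{ Sid: "PublicReadGetObject", Effect: "Allow", Principal: "*",
    Action: "s3:GetObject", Resource: `arn:aws:s3:::${BUCKET}/*` }],
};

console.log(findBypassStatements(oacBucketPolicy(BUCKET, DIST_ARN)));  // []
console.log(findBypassStatements(PUBLIC_READ_POLICY));                 // [ 'PublicReadGetObject' ]
```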
HTTPS / TLS
- Viewer ↔ CloudFront: TLS with ACM certificate (must be in us-east-1 for CloudFront)
- CloudFront ↔ Origin: TLS with origin's certificate; supports SNI
- Field-Level Encryption: Encrypt specific POST form fields at the edge before forwarding to origin
Geo-Restriction
- Allowlist or Blocklist countries
- Uses a third-party geo-IP database to determine requester location
Exam Trap: ACM certificates used with CloudFront must be provisioned in us-east-1 regardless of where the origin resides. This is a frequently tested requirement.
Edge Functions
| Feature | CloudFront Functions | Lambda@Edge |
|---|---|---|
| Runtime | JavaScript only | Node.js, Python |
| Execution location | 400+ edge locations (PoPs) | Regional edge caches |
| Max execution time | < 1 ms | 5 s (viewer) / 30 s (origin) |
| Max memory | 2 MB | 128–10,240 MB |
| Network access | No | Yes |
| Triggers | Viewer request / response only | Viewer request/response + Origin request/response |
| Use case | Header manipulation, URL rewrites, cache key normalisation | Auth, A/B testing, image transformation, origin selection |
| Cost | Lower (per invocation) | Higher (Lambda pricing) |
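An added example (not from the page or from AWS) of the two CloudFront Functions use cases in the table: cache key normalisation on viewer-request and security-header injection on viewer-response. It uses only what the restricted runtime offers (no imports, no network); the event shape (`event.request.querystring` and `event.response.headers` as `{ name: { value } }` objects, `event.context.eventType`) is CloudFront's, while the query-parameter allow-list is an assumption for the demo.

```javascript
// Added example, not from the page: a CloudFront Function covering cache-key
// normalisation (viewer-request) and header injection (viewer-response).
// event.request.querystring and event.response.headers use CloudFront's
// { name: { value: '...' } } shape; CACHE_KEY_PARAMS is an assumption.

var CACHE_KEY_PARAMS = ['v', 'w', 'h'];   // assumption: the only params that change the content

// Viewer request: keep only allow-listed query params and sort them, so that
// /img/a.jpg?utm_source=x&w=200 and /img/a.jpg?w=200 share one cache entry,
// and map directory-style URIs to index.html for an S3 origin.
function normalizeRequest(request) {
  var kept = Object.keys(request.querystring)
    .filter(function (k) { return CACHE_KEY_PARAMS.indexOf(k) !== -1; })
    .sort();
  var qs = {};
  kept.forEach(function (k) { qs[k] = request.querystring[k]; });
  request.querystring = qs;
  var uri = request.uri;
  if (uri.slice(-1) === '/') {
    uri += 'index.html';
  } else if (uri.indexOf('.') === -1) {
    uri += '/index.html';
  }
  request.uri = uri;
  return request;
}

// Viewer response: add baseline security headers at the edge, whatever the origin sent.
function addSecurityHeaders(response) {
  var h = response.headers;
  h['strict-transport-security'] = { value: 'max-age=63072000; includeSubDomains; preload' };
  h['x-content-type-options'] = { value: 'nosniff' };
  h['x-frame-options'] = { value: 'DENY' };
  h['referrer-policy'] = { value: 'strict-origin-when-cross-origin' };
  return response;
}

// CloudFront calls handler(event); event.context.eventType says which trigger the
// function is attached to. In practice deploy these as two functions; one file
// keeps the demo short.
function handler(event) {
  if (event.context.eventType === 'viewer-request') {
    return normalizeRequest(event.request);
  }
  return addSecurityHeaders(event.response);
}
```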
Signed URLs and Signed Cookies
| Method | Use Case | Scope |
|---|---|---|
| Signed URL | Restrict access to a single file | One URL per resource |
| Signed Cookie | Restrict access to multiple files or an entire path | Set once, applies to all URLs |
Both use either a trusted key group (recommended) or a CloudFront key pair (legacy, root account only) for signing.
Common Use Cases
- Static website acceleration — Serve S3-hosted static sites globally with low latency and TLS.
- API acceleration — Cache API responses at the edge; reduce load on ALB/API Gateway origins.
- Video streaming — Deliver live and on-demand video using MediaStore/MediaPackage origins.
- Security layer — Combine with AWS WAF for rate limiting and bot protection at the edge.
- Dynamic content — Even uncacheable content benefits from persistent connections and TCP optimisation to the origin.
- Geo-restricted content — Enforce geographic content licensing with allowlist/blocklist.
SAA/SAP Exam Tips
SAA/SAP Tip: CloudFront + S3 with OAC is the standard pattern for serving static content globally. The bucket can remain private — CloudFront handles all public access.
Exam Trap: CloudFront cache invalidations are charged per path. For frequent content updates, use versioned file names (e.g., app.v2.js) instead of invalidating — this is both faster and cheaper.
SAA/SAP Tip: For "reduce latency for global users" or "improve performance for static/dynamic content delivery," CloudFront is almost always the answer. It benefits even dynamic, uncacheable content through TCP connection reuse and route optimisation.
Cross-Cloud Equivalents
| Provider | Service / Solution | Notes |
|---|---|---|
| AWS | Amazon CloudFront | Baseline |
| Azure | Azure CDN / Azure Front Door | Front Door adds WAF, load balancing, and routing |
| GCP | Cloud CDN | Integrated with Google Cloud Load Balancing |
| On-Premises | Cloudflare, Akamai, Fastly | Third-party CDN providers |
Pricing Model
| Dimension | Unit | Notes |
|---|---|---|
| Data transfer out (edge) | Per GB | Tiered pricing; varies by region |
| HTTP/S requests | Per 10,000 | Higher rate for HTTPS |
| Invalidation requests | Per path | First 1,000 paths/month free; $0.005 per path after |
| Edge functions | Per invocation | CloudFront Functions cheaper than Lambda@Edge |
| Origin Shield | Per request | Optional additional caching layer |
| Dedicated IP SSL | Per month | Only if non-SNI clients must be supported |
Related Services / See Also
- Amazon S3 — common static content origin for CloudFront
- Elastic Load Balancing — dynamic content origin behind CloudFront
- Amazon Route 53 — DNS routing to CloudFront distributions
- AWS WAF and Shield — web application firewall at CloudFront edge
- AWS Lambda — Lambda@Edge for edge compute