1. Home
  2. Training Library
  3. Networking, Connectivity, and Content Delivery (SAP-C02)

Working With Amazon CloudFront


Course Introduction
VPC Fundamentals
What is a VPC?
PREVIEW16m 20s
VPC Security and Control
VPC Connectivity
VPC Sharing using the AWS Resource Access Manager
Understanding Direct Connect, Implementation and Configuration
Why Direct Connect?
5m 25s
Understanding AWS Direct Connect - Connectivity Options

The course is part of this learning path

Working With Amazon CloudFront
3h 20m

This section of the AWS Certified Solutions Architect - Professional learning path introduces you to the core networking concepts and services relevant to the SAP-C02 exam. We start with an introduction to the AWS Virtual Private Network (VPC) and networking services. We then understand the options available and learn how to select and apply AWS networking, DNS, and content delivery services to meet specific design scenarios relevant to the AWS Certified Solutions Architect - Professional exam. 

Want more? Try a Lab Playground or do a Lab Challenge

Learning Objectives

  • Get a foundational understanding of VPCs, their security, and connectivity
  • Learn about VPC sharing using the AWS Resource Access Manager
  • Discover inter-regional and intra-regional communication patterns in AWS
  • Learn about AWS Direct Connect, along with its implementation, configuration, and connectivity options
  • Understand routing in AWS, including static and dynamic routing
  • Understand the basics of networking, including Elastic IP addresses, Elastic Network Interfaces, networking with EC2, VPC endpoints, and AWS Global Accelerator
  • Learn about the DNS and content delivery services Amazon Route 53 and Amazon CloudFront

In this section, we will review the purpose of Amazon CloudFront and its key features. The main role of CloudFront is caching of content. Caching allows us to store our content closer to the users that need it. If you have a website hosted in the EU-West-2 region, but a lot of your customers are in the US or Australia, they will have higher latency when compared to the users in the UK. But if we cache content closer to them, on 8-west edge locations in the US and Australia, their latency will be reduced. Amazon CloudFront allows customers to distribute content with low latency and high speed. Amazon CloudFront is a pay-as-you-use service. And when using CloudFront, files are delivered to end-users via a global network of edge locations. 

CloudFront works with both static and dynamic content. For example, static content stored in Amazon S3 buckets. These static stores hold the definitive version of files. Dynamic content stored on Amazon EC2 or served up using Lambda functions. This content is generated on the compute resource and distributed through Amazon CloudFront. When working with CloudFront, you first create a CloudFront distribution. During this process, you identify one or more origins for the content that this distribution will serve the clients. You also configure options that control protocols that can be used such as HTTP or HTTPS; cache time to lives; custom headers; a price class, where its use all edge locations or a subset of locations; AWS WAF web ACL associations; alternate domain names; custom SSL certificates, and more. When creating a CloudFront distribution, you're assigned a domain name.

 For example, 1234.cloudfront.net. Although you can use this domain name, most customers of Amazon CloudFront will add an alternate domain name to their distribution. A name such as cloudacademy.com is the mat to the CloudFront assigned name using DNS. In the following demonstration, we already have an Internet application load balancer load balancing traffic to our website. We will create a CloudFront distribution to cache our website content globally. We are in the CloudFront distribution center dashboard. To create a distribution, we select Create distribution. We then select our origin domain. The origin can be an AWS origin or we just type in the domain name of the origin that we wish CloudFront into cache. If I click in the 'Choose origin' domain box, we can see a list of valid ADS origins, including S3 buckets and our application load balancer. 

I'm going to select the application load balancer. With the load balancer selected, you then get to choose protocol information and port information that the distribution will use when connecting to the load balancer. If I scroll down a little bit, we get to choose an origin name. We can accept the default name for the origin or choose a name that's more meaningful for us. There is a lot of optional information we can select. A lot of these settings are discussed later on in this course. If I scroll down a little bit, we can find settings that allow us to configure cache behavior. If I scroll down a little bit more, we find the pricing class. The pricing class allows us to choose groupings of edge locations that our distribution will use to cache content. We can choose to associate our WAF ACL with our distribution, and we can select an alternate domain name for our distribution. 

Most deployments will use an alternate domain name, so that we can use our own nice friendly DNS names instead of having to rely on the CloudFront DNS name. If you choose to use an alternate domain name, you'll also need to select a digital certificate. The digital certificate can be imported from your own certificate stars, or we can search certificate from Amazon certificate manager. If I scroll down a bit more, we can enable standard logging file distribution, so that we can log viewer requests into an S3 bucket. You can also turn on or off support for IPv6. If you're happy with our choices, select Create distribution. Once you've selected distribution, you should see a message saying that your distribution is being deployed. 

Although we often discuss CloudFront as a single cache, actually CloudFront has three cache in layers. Cloudfront distributions, these exist over 300 Amazon edge locations globally. Regional edge caches, and at the time of writing there are 13 regional edge caches. And AWS Origin shield, an additional cache in layer between your regional edge caches and the origins. Origin shield is not enabled by default. You must enable it for each origin in the distributions you create. By having multiple cache layers, you can cache more content for longer. Using regional caches and origin shield, you get better cache hit ratios. Because more of your content is cached, there is a much better chance that the content your customers need will be retrieved from cache. Reduced origin load: With more content being served from cache, less requests are sent to origins. 

And when using origin shield, requests for the same object not in cache are consolidated, so only a single request is sent to the origin. Better network performance: Using multiple layers, content can stay on the AWS Lola into network for longer. CloudFront has a long list of security features. These include CloudFront use of SSDs, which are encrypted protecting your data at rest. We can use signed URLs and cookies to restrict access to content that is intended for specific users. We can use AWS WAF to create web ACLs to restrict access to content, and we can use geo restrictions to prevent users in certain regions from accessing content. For more information on AWS WAF, please refer to our existing class content here. Amazon CloudFront itself integrates with identity and access management, which we can use to control administrative access to CloudFront. And CloudFront can be monitored through integration with: Amazon CloudWatch alarms, AWS CloudTrail Logs, and CloudFront real-time IAM standard logs.


About the Author
Learning Paths

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.