DNS & Content Delivery on AWS
This section of the Solution Architect Associate learning path introduces you to the core networking concepts and services relevant to the SAA-C03 exam. We start with an introduction to the AWS Virtual Private Cloud (VPC) and AWS networking services. We then review the options available and learn how to select and apply AWS networking services to meet the specific design scenarios relevant to the Solution Architect Associate exam.
- Get a foundational understanding of VPCs, their security, and connectivity
- Understand the basics of networking including Elastic IP addresses, Elastic Network Interfaces, networking with EC2, VPC endpoints, and AWS Global Accelerator
- Learn about the DNS and content delivery services Amazon Route 53 and Amazon CloudFront
In this section, we will review the purpose of Amazon CloudFront and its key features. The main role of CloudFront is caching content. Caching allows us to store our content closer to the users that need it. If you have a website hosted in the eu-west-2 (London) region but many of your customers are in the US or Australia, they will see higher latency than users in the UK. If we cache the content closer to them, at AWS edge locations in the US and Australia, their latency is reduced. Amazon CloudFront allows customers to distribute content with low latency and high transfer speeds. It is a pay-as-you-use service, and files are delivered to end users via a global network of edge locations.
CloudFront works with both static and dynamic content. Static content is typically stored in Amazon S3 buckets, which hold the definitive version of the files. Dynamic content is generated on Amazon EC2 instances or served by Lambda functions, and is then distributed through Amazon CloudFront. When working with CloudFront, you first create a CloudFront distribution. During this process, you identify one or more origins holding the content that the distribution will serve to clients. You also configure options that control the protocols that can be used (HTTP or HTTPS), cache time-to-live values, custom headers, a price class (which determines whether the distribution uses all edge locations or a subset of them), AWS WAF web ACL associations, alternate domain names, custom SSL certificates, and more. When you create a CloudFront distribution, you are assigned a domain name.
For example, 1234.cloudfront.net. Although you can use this domain name, most Amazon CloudFront customers add an alternate domain name to their distribution. A name such as cloudacademy.com is then mapped to the CloudFront-assigned name using DNS. In the following demonstration, we already have an internet-facing Application Load Balancer distributing traffic to our website. We will create a CloudFront distribution to cache our website content globally. We are in the CloudFront distributions dashboard. To create a distribution, we select Create distribution. We then select our origin domain. The origin can be an AWS origin, or we can type in the domain name of the origin that we wish CloudFront to cache. If I click in the 'Choose origin domain' box, we can see a list of valid AWS origins, including S3 buckets and our Application Load Balancer.
I'm going to select the Application Load Balancer. With the load balancer selected, you then choose the protocol and port that the distribution will use when connecting to the load balancer. If I scroll down a little, we get to choose an origin name. We can accept the default name for the origin or choose a name that is more meaningful to us. There is a lot of optional information we can set, and many of these settings are discussed later in this course. Scrolling down a little further, we find the settings that allow us to configure cache behavior, and below that the price class. The price class allows us to choose the grouping of edge locations that our distribution will use to cache content. We can choose to associate an AWS WAF web ACL with our distribution, and we can select an alternate domain name for it.
Most deployments use an alternate domain name so that we can use our own friendly DNS names instead of relying on the CloudFront DNS name. If you choose to use an alternate domain name, you will also need to select a digital certificate. The certificate can be imported from your own certificate store, or you can request one from AWS Certificate Manager. If I scroll down a bit more, we can enable standard logging for the distribution, so that viewer requests are logged to an S3 bucket. You can also turn support for IPv6 on or off. If you're happy with your choices, select Create distribution. Once you have done so, you should see a message saying that your distribution is being deployed.
Although we often discuss CloudFront as a single cache, CloudFront actually has three caching layers:
- CloudFront distributions, served from over 300 AWS edge locations globally.
- Regional edge caches; at the time of writing there are 13 of them.
- AWS Origin Shield, an additional caching layer between your regional edge caches and your origins. Origin Shield is not enabled by default; you must enable it for each origin in the distributions you create.
By having multiple cache layers, you can cache more content for longer, which brings several benefits:
- Better cache hit ratios: using regional edge caches and Origin Shield, more of your content is cached, so there is a much better chance that the content your customers need will be retrieved from cache.
- Reduced origin load: with more content served from cache, fewer requests are sent to origins. When using Origin Shield, requests for the same object that is not yet in cache are consolidated, so only a single request is sent to the origin.
- Better network performance: using multiple layers, content stays on the AWS low-latency network for longer.
CloudFront has a long list of security features. These include CloudFront's use of encrypted SSDs at edge locations, protecting your data at rest. We can use signed URLs and signed cookies to restrict access to content that is intended for specific users. We can use AWS WAF to create web ACLs that restrict access to content, and we can use geo restrictions to prevent users in certain countries from accessing content. For more information on AWS WAF, please refer to our existing AWS WAF course content. Amazon CloudFront itself integrates with AWS Identity and Access Management (IAM), which we can use to control administrative access to CloudFront. And CloudFront can be monitored through integration with Amazon CloudWatch alarms, AWS CloudTrail logs, and CloudFront real-time and standard logs.
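As an added example, not part of the original lesson, the following Python audit reads a distribution config in the shape returned by `aws cloudfront get-distribution-config` and reports which of the controls covered in the walkthrough and the security features above (HTTPS to viewers and to the origin, a custom certificate for alternate domain names, a WAF web ACL, geo restriction, signed access via a trusted key group, standard logging) are missing. The two sample configs and every ARN and ID in them are constructed placeholders.

```python
"""Audit a CloudFront DistributionConfig (shape of `aws cloudfront
get-distribution-config`) for the controls this lesson describes."""
from typing import Dict, List


def security_checks(cfg: Dict) -> Dict[str, bool]:
    """Map each control to True (present) or False (missing or weak)."""
    beh = cfg.get("DefaultCacheBehavior", {})
    cert = cfg.get("ViewerCertificate", {})
    return {
        # 'allow-all' serves plaintext HTTP; the other two policies force TLS for viewers
        "viewer_https": beh.get("ViewerProtocolPolicy") in ("https-only", "redirect-to-https"),
        # custom origins (ALB, EC2) should be fetched over TLS; S3 origins have no such setting
        "origin_https": all(o.get("CustomOriginConfig", {}).get("OriginProtocolPolicy") == "https-only"
                            for o in cfg.get("Origins", {}).get("Items", []) if "CustomOriginConfig" in o),
        # an alternate domain name needs an ACM or imported certificate, not the default one
        "custom_cert_for_alias": not cfg.get("Aliases", {}).get("Quantity", 0)
                                 or bool(cert.get("ACMCertificateArn") or cert.get("IAMCertificateId")),
        "modern_tls": cert.get("MinimumProtocolVersion", "TLSv1").startswith("TLSv1.2"),
        "waf_attached": bool(cfg.get("WebACLId")),
        "geo_restriction": cfg.get("Restrictions", {}).get("GeoRestriction", {}).get("RestrictionType", "none") != "none",
        # signed URLs/cookies only restrict access once a key group is trusted on the behaviour
        "signed_access": bool(beh.get("TrustedKeyGroups", {}).get("Enabled")),
        "standard_logging": bool(cfg.get("Logging", {}).get("Enabled")),
    }


def failed_checks(cfg: Dict) -> List[str]:
    return [name for name, ok in security_checks(cfg).items() if not ok]


# Constructed sample: an ALB origin with console defaults and the optional settings left out.
WEAK = {
    "Origins": {"Items": [{"Id": "alb", "DomainName": "example-alb.elb.amazonaws.com",
                           "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}}]},
    "DefaultCacheBehavior": {"TargetOriginId": "alb", "ViewerProtocolPolicy": "allow-all"},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True, "MinimumProtocolVersion": "TLSv1"},
}
# Constructed sample: the same origin with every control from the lesson applied (IDs are placeholders).
HARDENED = {
    "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
    "Origins": {"Items": [{"Id": "alb", "DomainName": "example-alb.elb.amazonaws.com",
                           "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}}]},
    "DefaultCacheBehavior": {"TargetOriginId": "alb", "ViewerProtocolPolicy": "redirect-to-https",
                             "TrustedKeyGroups": {"Enabled": True, "Quantity": 1, "Items": ["KEYGROUP-ID-PLACEHOLDER"]}},
    "ViewerCertificate": {"ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER",
                          "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1.2_2021"},
    "Restrictions": {"GeoRestriction": {"RestrictionType": "whitelist", "Quantity": 3, "Items": ["GB", "US", "AU"]}},
    "Logging": {"Enabled": True, "IncludeCookies": False, "Bucket": "example-logs.s3.amazonaws.com", "Prefix": "cf/"},
    "WebACLId": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/PLACEHOLDER",
}
```

Run `failed_checks` over the JSON from `get-distribution-config` to get the list of missing controls for a real distribution; an empty list means every control in the lesson is in place.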
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.