Where can we cache in our AWS applications?
EXTERNAL: We can cache data that’s going to be returned to our
users (e.g., images, videos, and static content)
INTERNAL: Caching is an important tool we can use to speed up our databases. The less we talk to the database, the better.
What are Caching Solutions in AWS?
- CloudFront
- ElastiCache
- DAX
- Global Accelerator
What Is CloudFront?
CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally. It helps reduce latency and provide higher transfer speeds using AWS edge
locations.
Supports only public SSL certificated not self-signed.
CloudFront Settings
- Security: Defaults to HTTPS connections with the ability to add custom SSL certificate
- Global Distribution: You can’t pick specific countries — just general areas of the globe
- Endpoint Support: Can be used to front AWS endpoints along with nonAWS applications
- Expiring Content: You can force an expiration of content from the cache if you can’t wait for the TTL
4 CloudFront facts
- Speedy: CloudFront’s main purpose is to cache content at the edge
locations to speed up the delivery of data. Does not support write caching. - On-Site Support: This CDN works for both AWS and on-site architecture.
- Blocking Connections: It can be used to block individual countries, but the WAF is a better tool for it
- All the Locations: You cannot pick specific edge locations for your distributions.
What Is ElastiCache?
ElastiCache is a managed version of 2 open-source technologies: Memcached and Redis.
Neither of these tools is specific to AWS, but by using ElastiCache you avoid a lot of common issues you might encounter.
It can front just about any database, but really excels being placed in front of RDS.
Memcached vs. Redis
Memcached:
* Simple database caching solution. Simple data structures(string)
* Not a database by itself
* No failover or Multi-AZ support
* No backups
* multithreaded by design
Redis:
* Supported as a caching solution. Advanced data structures(i.e. sorted sets)
* Functions as a standalone database
* Failover and Multi-AZ support
* Supports backups
* transactions
DynamoDB Accelerator (DAX)
- In-Memory Cache:
DAX can reduce DynamoDB response times from milliseconds to microseconds. - Location, Location, Location:
This cache is highly available and lives inside the VPC you specify. - You’re in Control:
You determine the node size and count for the cluster, TTL for the data, and maintenance windows for changes and updates.
specific to DynamoDB
What Is Global Accelerator?
Global Accelerator is a networking service that sends your users’ traffic through AWS’s global network infrastructure. It can increase
performance and help deal with IP caching(uses 2 anycast ips).
- It does not cache anything!
- Can be used for non http/https (TCP/UDP) - **Difference from CloudFront). Network product.
What is CloudFront behavior?
- A rule within a CloudFront Distribution.
- Defines how CloudFront handles specific types of requests.
- Specifies how to process requests for different paths or files.
What is the purpose of implementing Viewer Access Restriction in AWS CloudFront?
- Requires viewers to use CloudFront signed URLs or signed cookies.
- Enhances content security by allowing access only through authorized means.
- Helps protect your content from unauthorized access and distribution.
“CloudFront behavior”
Describe caching in Amazon CloudFront.
- Cache Control Headers: Cache-Control max-age(seconds), Cache-Control s-maxage(seconds), Expires (Date & Time). Set per object through custom domain or S3 object metadata.
- Control Limits: Custom cache settings can be limited by Minimum TTL and Maximum TTL. The default TTL is 24 hours. Defines how long objects should be cached by CDNs, like Amazon CloudFront.
What is cache invalidation in Cloudfront?
Cache invalidation removes outdated content from CloudFront edge locations, ensuring users receive the latest version. It can be done using paths or an invalidation batch file. Costs are incurred for each invalidation request. Utilize versioned file names if possible to avoid unnecessary invalidations.
What is Origin Protocol Policy in CloudFront?
The Origin Protocol Policy specifies the protocol that CloudFront uses to connect to your origin server. There are three possible values for the Origin Protocol Policy:
- HTTP only(forced by S3 origin): CloudFront always uses HTTP to connect to your origin server. This option is mandatory when using an Amazon S3 bucket as the origin, as S3 doesn’t support HTTPS connections for static website hosting endpoints.
- HTTPS only: CloudFront always uses HTTPS to connect to your origin server. This option requires your origin server to support HTTPS.
- Match viewer: CloudFront uses the same protocol that the viewer used to connect to CloudFront to connect to your origin server. However, if you use this option with an S3 origin, it will effectively behave as ‘HTTP only’ since S3 doesn’t support HTTPS.
HTTPS only is the most secure option, but it requires your origin server to support HTTPS. If your origin server does not support HTTPS, you must use HTTP only or Match viewer.
Match viewer is the most flexible option, but it can introduce a slight performance penalty. If you are concerned about performance, you should use HTTPS only or HTTP only.
How can you Restrict Access to S3 Origins in CloudFront?
- Origin Access Control (OAC): (recommended) Implement OAC to verify the authenticity of requests from CloudFront to your S3 origin. The CloudFront distribution gets access to S3.
- Origin Access Identity (OAI): Create an OAI to act as an intermediary between CloudFront and your S3 origin.
Overrides Custom headers by default. But can be configured differently.
CloudFront origin access identity (OAI) provides similar functionality as origin access control (OAC), but it doesn’t work for all scenarios. This is why we recommend using OAC instead. Specifically, OAI doesn’t support:
Amazon S3 buckets in all AWS Regions, including opt-in Regions
Amazon S3 server-side encryption with AWS KMS (SSE-KMS)
Dynamic requests (PUT, POST, or DELETE) to Amazon S3
New AWS Regions launched after December 2022
How can you Restrict Access to Custom Origins in CloudFront?
- Custom headers: origin protocol policy should be https only to be safe.
- Adding a firewall at the custom origin and configuring it to accept requests only from the edge location’s IPs.
What is the difference between public and private behaviors in CloudFront?
- public: Open access to objects.
- private: Requests require a Signed Cookie or URL.
Where are Trusted Signers and Trusted Key Groups used in CloudFront?
- Both are used to create private behaviors in CloudFront distributions.
- Trusted Signers restrict access with AWS account private keys(legacy).
- Trusted Key Groups offer flexible content protection with policies(recommended).
What is the difference between Signed URLs and Signed Cookies in CloudFront?
- Signed URLs: Provide access to a specific resource using a signed URL that includes the expiration time. Ideal for granting temporary, time-limited access.
- Signed Cookies: Use cookies to control access, providing more flexibility for secure content delivery with fine-grained control over user sessions. ( not all clients support cookies)
What is Lambda@Edge?
Lambda@Edge is a feature of Amazon Web Services (AWS) that allows you to run serverless functions at the edge locations of the AWS CloudFront content delivery network. These functions can be used to customize and enhance the content delivery, security, and user experience of your web applications.
What are some common ways to use Lambda@Edge in CloudFront?
- A/B testing.
- Generating an HTTP redirect (generated response).
- Different objects based on the device,
- Adding a header based on a query string parameter.
- Redirecting unauthenticated users to a sign-in page.
Can CloudFront cache dynamic content?
Amazon CloudFront primarily caches and serves static content but can cache dynamic content selectively through custom cache behaviors, Lambda@Edge functions, and custom headers configuration.
