Cloudfront

Question 1

AWS Cloudfront

Answer 1

CDN - content delivery network
DDoS protection, WAF, etc.

Question 2

CF origins

Answer 2

• S3 buckets - distribute files and cache them at the edge
  
  • enhanced security with origin access identity (OAI)
  • iam role for cloudfront origin
• cloudfront used as an ingress to upload to S3
• Custom Origin (HTTP)
  
  • ALB, ec2, s3 website
    
    • ec2 instances MUST be public (if no ALB)
    • security group must allow public IPs of edge location

Question 3

Cloudfront vs cross region replication

Answer 3

• cloudfront good for static content to be displayed around the world
• s3 cross region replication must be setup for each region, near real time updates, read only, good for dynamic content

Question 4

Cloudfront caching

Answer 4

• cache based on headers, cookies, query string parameters
• cache lives at each edge location
• invalidate part of the cache using the api
• good to use separate cache for dynamic and static content

Question 5

Cloudfront Security

Answer 5

• http to https redirect, or https only - viewer protocol policy
• origin protocol policy
  
  • https only or match viewer (http → http / https → https)
  • s3 bucket websites only support http

Question 6

Cloudfront signed urls / cookies

Answer 6

• signed url - access to individual files (think PAID content)
  
  • signers
    
    • trusted key group (recommended)
      
      • create private/public RSA key, public is uploaded to CF, private is used by app
    • an aws account that contains a cloudfront key pair
      
      • requires root account credentials (not recommended)
• cookies - reusable, many files

Question 7

cloudfront signed url vs s3 pre signed url

Answer 7

• cloudfront- allow access to a path no matter origin, account wide
• s3 pre-signed - issue a request as the person who pre-signed the url
  
  • limited lifetime

Question 8

cloudfront key pairs

Answer 8

only root account can create them in the aws console
you can have only up to two active key pairs per account

Question 9

cloudfront key groups

Answer 9

Whereas, with CloudFront key groups, you can associate a higher number of public keys with your CloudFront distribution, giving you more flexibility in how you use and manage the public keys. By default, you can associate up to four key groups with a single distribution, and you can have up to five public keys in a key group.

Question 10

cloudfront parameter types

Answer 10

String – A literal string
Number – An integer or float
List<Number> – An array of integers or floats
CommaDelimitedList – An array of literal strings that are separated by commas
AWS::EC2::KeyPair::KeyName – An Amazon EC2 key pair name
AWS::EC2::SecurityGroup::Id – A security group ID
AWS::EC2::Subnet::Id – A subnet ID
AWS::EC2::VPC::Id – A VPC ID
List<AWS::EC2::VPC::Id> – An array of VPC IDs
List<AWS::EC2::SecurityGroup::Id> – An array of security group IDs
List<AWS::EC2::Subnet::Id> – An array of subnet IDs</Number>

Question 11

Cloudfront origin groups / failover

Answer 11

CloudFront routes all incoming requests to the primary origin, even when a previous request failed over to the secondary origin. CloudFront only sends requests to the secondary origin after a request to the primary origin fails.

only one primary origin

CloudFront fails over to the secondary origin only when the HTTP method of the viewer request is GET, HEAD, or OPTIONS. CloudFront does not failover when the viewer sends a different HTTP method (for example POST, PUT, and so on).