CloudFront

Question 1

What is CloudFront (from a high level)?

Answer 1

CDN - Content Delivery Network, with 216 global points of access.

Question 2

What are some benefits of using CloudFront?

Answer 2

• Improves read performances as content is cached at the edge (i.e., edge locations)
• DDoS protection, integration with Shield, AWS Web Application Firewall

Question 3

What origins does CloudFront offer?

Answer 3

S3 bucket
-> For distributing files and caching them at the edge
-> Enhanced security with CloudFront Origin Access Control (OAC)
-> CloudFront can be used as an ingress (to upload files to S3)

Custom Origin (HTTP)
-> ALB
-> EC2 instance
-> S3 website
(-> Any HTTP backend you want)

Question 4

What is the difference between CloudFront and S3 Cross Region Replication?

Answer 4

CloudFront
- Global Edge network
- Files are cached for a TTL
- Great for static content that must be available everywhere

S3 Cross Region Replication
- Must be setup for each region you want replication to happen
- Files are update in near real-time
- Read only
- Great for dynamic content that needs to be available at low latency in few regions

Question 5

What is a strategy for maximizing cache hits?

Answer 5

Separate out static and dynamic distributions
e.g.,
Static requests
- Simple request with no headers/session caching rules is forwarded to S3
Dynamic requests
- Cache based on correct headers and cookie, forwarded to ALB and EC2

Question 6

What do you have to do when uploading a new version of a file to S3 in order to get the new version through CloudFront, and why?

Answer 6

• Create an invalidation on the object path
  This will invalidate the cache and force CloudFront to fetch the latest version again.

Question 7

What would prevent CloudFront from fetching information from an EC2 instance?

Answer 7

The instance is private, and so CloudFront cannot fetch data from it (as it is a public CDN).

Question 8

How can you allow CloudFront to interact with EC2 instances?

Answer 8

• Allow public IP of edge locations within the instance
• Use a public ALB with a security group, and allow the security group of the ALB to the EC2 instance.

Question 9

What is CloudFront Geo Restriction, and what is the use case?

Answer 9

• Restrict access based on location with a blocklist/allowlist
• Country is determined using a 3rd party Geo-IP database
  Use case: Copyright Laws to control access to content.

Question 10

What is the difference between Signed URL for CloudFront vs S3

Answer 10

CloudFront:
- Allow access to a path, no matter the origin
- Account wide key-pair; only the root can manage it
- Can filter by IP, path, date, expiration
- Can leverage caching features

S3:
- Issue a request as the person who pre-signed the URL
- Uses the IAM key of the signing IAM principal
- Limited lifetime

Question 11

How can you sign CloudFront URLs?

Answer 11

• Use a trusted key group
• Use an AWS account that contains a CloudFront Key Pair

Question 12

Why is one method of signing URLs preferred over the other

Answer 12

• Trusted key group creates and rotates keys (and IAM for API security)
• Using a Key Pair requires managing the keys using the root account and the AWS console (should not be using root account for this)

Question 13

How can you allow EC2 instances to create signed URLs?

Answer 13

Use a trusted key group
- Generate a public/private key
- The private key is used by your applications to sign URLs
- The public key (uploaded) is used by CloudFront to verify URLs

Question 14

How is CloudFront priced?

Answer 14

• Cost is of data out per edge location
• This cost varies based on location
• Price classes can offer cost reduction by restricting number of regions available:
  -> Price Class All - all regions, best performance, most expensive
  -> Price Class 200 - most regions but excludes most expensive regions
  -> Price Class 100 - only the least expensive regions

Question 14

How does CloudFront Multiple Origin work?

Answer 14

Route to different kinds of origins based on content type
- Based on path pattern
e.g.,
/images/* - set the cache behaviour to access content through an ALB
/* - set the cache behaviour to access content through S3 bucket

Question 15

What is the function and purpose of CloudFront Origin Groups?

Answer 15

Increase high-availability and do failover
- One primary and one secondary origin (failover to secondary)

Question 16

How can you achieve Region Level High Availability/Disaster Recovery?

Answer 16

Use S3 + CloudFront Origin Groups
- 2 buckets, A and B, in different regions, with replication from A to B
- A is primary origin, B is failover

Question 17

What is Field Level Encryption?

Answer 17

Encryption of data at Edge Location using the public key.
- Specify up to 10 fields on a POST request that you would like to be encrypted
- Specify the public key to be used
- Data is decrypted at web server using the private key.

Question 18

You have a static website hosted on an S3 bucket. You have created a CloudFront Distribution that points to your S3 bucket to better serve your requests and improve performance. After a while, you noticed that users can still access your website directly from the S3 bucket. You want to enforce users to access the website only through CloudFront. How would you achieve that?

Answer 18

Configure your CloudFront Distribution and create an Origin Access Control, then update your S3 Bucket Policy to only accept requests from your CloudFront Distribution.

Question 19

A website is hosted on a set of EC2 instances fronted by an Application Load Balancer. You have created a CloudFront Distribution and set up its origin to point to your ALB. What should you use to provide access to hundreds of private files served by your CloudFront distribution?

Answer 19

CloudFront Signed Cookies