Amazon CloudFront – What is it?
Content Delivery Network (CDN)
Caches content at edge locations to improve read performance
Enhances user experience through global distribution
Hundreds of global Points of Presence (edge locations, caches)
Provides DDoS protection; integrates with AWS Shield & AWS WAF
CloudFront – Origins
S3 Bucket Origin
Distribute and cache files at edge locations
Upload files to S3 through CloudFront
Secure with Origin Access Control (OAC)
VPC Origin
For apps in private VPC subnets
Supports ALB, NLB, or EC2 instances
Custom HTTP Origin
S3 static website hosting (must enable static hosting)
Any public HTTP backend
What’s the difference between CloudFront and S3 Cross-Region Replication?
CloudFront
Global edge network
Caches files for a TTL (e.g., 1 day)
Best for static content that needs fast worldwide delivery
S3 Cross-Region Replication (CRR)
Must configure each target region
Near real-time replication
Replicas are read-only
Best for dynamic content needing low-latency in select regions
How does CloudFront connect to ALB or EC2 over the public network, and what must be public vs. private?
Direct EC2 Origin
CloudFront uses public IPs
EC2 instances must be public
EC2 security group must allow CloudFront IP ranges
ALB Origin
ALB must be public
ALB security group must allow CloudFront IP ranges
EC2 behind the ALB can be private, only needs to allow ALB’s security group
What is CloudFront cache invalidation and why would you use it?
When the origin content changes, CloudFront keeps serving the old cached version until the TTL expires.
You can force CloudFront to refresh immediately by performing a cache invalidation.
Invalidation can target all files (/*) or specific paths (e.g., /images/*).
This bypasses TTL and ensures users get the updated content right away.
What’s the difference between a Unicast IP and an Anycast IP?
Unicast IP
One server has one unique IP address
Client connects to a specific single server
Anycast IP
Multiple servers share the same IP address
The client is automatically routed to the nearest or fastest server
What does AWS Global Accelerator do and how does it route traffic?
Uses AWS’s private global network to reach your application faster
Provides 2 Anycast IPs for your app
Anycast IPs route users to the nearest AWS edge location
Edge locations forward traffic over AWS’s internal network to your application (e.g., a public ALB)
What benefits does AWS Global Accelerator provide?
Compatibility
Works with Elastic IPs, EC2, ALB, NLB (public or private)
Performance
Routes to the lowest-latency endpoint
Fast regional failover
No client-cache issues (IP stays constant)
Uses AWS’s internal network
Health Checks
Continuously checks application health
Global failover in under 1 minute
Useful for disaster recovery
Security
Only 2 external IPs to whitelist
Built-in DDoS protection via AWS Shield
How does AWS Global Accelerator differ from CloudFront?
CloudFront
Uses caching to speed up static and dynamic HTTP(S) content
Serves content from edge locations
Best for images, videos, APIs, and web content
Global Accelerator
Speeds up any TCP/UDP application by routing traffic over AWS’s global network
Proxies packets from edge locations to AWS regions
Ideal for non-HTTP apps (gaming, IoT, VoIP)
Useful for HTTP apps needing static IPs or fast, deterministic failover