AWS CloudFront and Content Delivery
AWS CloudFront is a Content Delivery Network (CDN). It speeds up the delivery of websites, APIs, videos, and other content by serving it from locations physically close to the user — instead of from a distant origin server. CloudFront uses AWS's global network of Edge Locations to achieve this.
The Problem CloudFront Solves
Imagine an application hosted in the AWS Mumbai Region. A user in New York requests a product image. The image travels from Mumbai → across the ocean → to New York. That round trip adds significant latency — maybe 200–300 milliseconds per request.
With CloudFront, the image is cached at an Edge Location in New York (or the nearest city). The user's browser fetches it from there — just 10–20 milliseconds away. The image loads nearly instantly.
Without CloudFront:
[User in New York] ←————————————— 300ms ————————————→ [Origin: Mumbai]
With CloudFront:
[User in New York] ←— 15ms —→ [CloudFront Edge: New York] → (cached)
|
(first request only goes to origin)
|
[Origin: Mumbai]
How CloudFront Works
- A Distribution is created in CloudFront. It points to an Origin — the original source of content (an S3 bucket, EC2 instance, ALB, or custom HTTP server).
- A user requests a file (e.g., a product image at cdn.mysite.com/images/product1.jpg).
- CloudFront routes the request to the nearest Edge Location.
- If the file is cached at the Edge Location → it is returned immediately (cache hit).
- If the file is not cached → CloudFront fetches it from the Origin, caches it at the Edge Location, and returns it to the user. Future requests for the same file are served from cache.
CloudFront Key Concepts
Distribution
A distribution is the CloudFront configuration. It defines the origin, cache behavior, SSL certificates, and access controls. CloudFront provides a domain name for the distribution (e.g., d1234abcd.cloudfront.net). A custom domain (e.g., cdn.mysite.com) can be pointed to this via Route 53.
Origins
An origin is where CloudFront fetches content from when it is not cached. Common origins:
- S3 Bucket: Static websites, images, files, and videos.
- Application Load Balancer: Dynamic web application responses.
- EC2 Instance: Custom application servers.
- Custom HTTP Endpoint: Any HTTP server, even outside AWS.
Cache Behavior
Cache behaviors define how CloudFront handles requests matching specific URL patterns. A distribution can have multiple cache behaviors:
| URL Pattern | Cache Setting | Origin |
|---|---|---|
| /images/* | Cache for 7 days | S3 bucket |
| /api/* | No caching (dynamic content) | ALB → EC2 |
| /*.html | Cache for 1 hour | S3 bucket |
TTL — Time to Live
TTL defines how long a cached object stays at the Edge Location before CloudFront checks the origin for a newer version. Setting the right TTL is important:
- Long TTL: Fewer requests to the origin. Faster for users. But stale content if the file changes.
- Short TTL: Content is always fresh. But more origin requests → higher latency and cost.
Cache Invalidation
When content is updated on the origin and it needs to be refreshed immediately (before TTL expires), a cache invalidation is issued. This tells CloudFront to remove the cached version from all Edge Locations immediately.
```bash
aws cloudfront create-invalidation \
  --distribution-id E1234ABCDEFGH \
  --paths "/images/product1.jpg" "/index.html"
```
Invalidation is useful after deploying a new version of a website. The first 1,000 invalidation paths per month are free.
CloudFront with S3 — Static Website Delivery
[User requests: cdn.mysite.com/index.html]
|
[CloudFront Edge Location — nearest city]
|
Cached? YES → return instantly
|
NO → fetch from:
|
[S3 Bucket: my-website-bucket]
|
Store in cache → return to user
This is the standard architecture for hosting fast, globally distributed static websites at very low cost. S3 stores the files. CloudFront serves them. Route 53 handles the domain name.
CloudFront Security Features
HTTPS and SSL/TLS
CloudFront supports HTTPS by default with a free SSL certificate from AWS Certificate Manager (ACM). All connections between users and CloudFront edge locations are encrypted. This prevents data interception in transit.
Signed URLs and Signed Cookies
Signed URLs grant temporary, authenticated access to specific CloudFront content. They are used for premium or private content — like a paid video that only subscribed users can stream.
A signed URL contains:
- The resource URL
- An expiration timestamp
- A cryptographic signature
CloudFront rejects requests with an expired or invalid signature.
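The three parts listed above map directly onto CloudFront's canned-policy signed URL. The following is an added example, not AWS's or the page's own code: it builds the policy, applies CloudFront's URL-safe base64 variant, appends the three query parameters, and performs a defender-side expiry pre-check. The key-pair id and the stub signer in the demo are constructed placeholders; the real signer assumes the `cryptography` package.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

def canned_policy(resource_url: str, expires_epoch: int) -> bytes:
    """Policy as CloudFront expects it: one statement, compact JSON, no whitespace."""
    statement = {"Resource": resource_url,
                 "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}}}
    return json.dumps({"Statement": [statement]}, separators=(",", ":")).encode()

def cloudfront_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode().replace("+", "-").replace("=", "_").replace("/", "~")

def signed_url(resource_url: str, expires_epoch: int, key_pair_id: str, rsa_sha1_signer) -> str:
    """Build the URL: the signature covers the canned policy (resource + expiry), and the
    three query parameters are exactly the ones CloudFront looks for."""
    signature = rsa_sha1_signer(canned_policy(resource_url, expires_epoch))
    query = urlencode({"Expires": expires_epoch,
                       "Signature": cloudfront_b64(signature),
                       "Key-Pair-Id": key_pair_id})
    return resource_url + ("&" if "?" in resource_url else "?") + query

def rsa_sha1_signer_from_pem(private_key_pem: bytes):
    """Signer for a key-group private key: RSA PKCS#1 v1.5 over SHA-1, which is what
    CloudFront verifies. Needs the 'cryptography' package (assumption, imported lazily)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda policy: key.sign(policy, padding.PKCS1v15(), hashes.SHA1())

def still_valid(url: str, now_epoch: int) -> bool:
    """Cheap pre-check of what CloudFront enforces: a past Expires, or a missing
    Signature/Key-Pair-Id, is refused. Signature verification itself stays with CloudFront."""
    params = parse_qs(urlparse(url).query)
    try:
        expires = int(params["Expires"][0])
    except (KeyError, ValueError):
        return False
    return now_epoch < expires and "Signature" in params and "Key-Pair-Id" in params

if __name__ == "__main__":
    stub = lambda policy: b"\x00" * 4  # constructed stand-in, NOT a real signature
    url = signed_url("https://videos.example.com/premium/ep1.m3u8", 1700000000,
                     "KEYPAIRIDEXAMPLE", stub)  # placeholder key-pair id
    print(url, still_valid(url, 1699999999), still_valid(url, 1700000000))
```

Swap the stub for `rsa_sha1_signer_from_pem(open("private_key.pem", "rb").read())` to sign with a real key-group private key.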
AWS WAF Integration
AWS WAF (Web Application Firewall) integrates with CloudFront to block malicious traffic before it reaches the origin. WAF rules can block SQL injection, cross-site scripting (XSS), specific IP addresses, and countries.
Origin Access Control (OAC)
OAC restricts S3 bucket access so that only CloudFront can fetch files from S3 — direct access to the S3 URL is blocked. This prevents users from bypassing CloudFront and accessing files directly from S3 (which would skip security and caching).
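OAC only works if the bucket policy actually stops direct reads. The following is an added example, not AWS's or the page's own code: it generates the bucket policy that grants read access solely to the CloudFront service principal acting for one distribution, and beside it a review check that flags statements still granting anonymous reads (the "before" policy is constructed; the account id and bucket name are placeholders, and the distribution id reuses the page's E1234ABCDEFGH).

```python
import json

def oac_bucket_policy(bucket: str, distribution_arn: str) -> dict:
    """Only the CloudFront service principal may read objects, and only when the
    request is made on behalf of this one distribution (AWS:SourceArn condition)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }

def _grants_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the forms that mean 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def direct_read_statements(policy: dict) -> list:
    """Sids of Allow statements that let anyone fetch objects straight from S3 and so
    bypass CloudFront: anonymous principal, a read action, and no Condition.
    Assumptions: glob actions such as s3:Get* are not expanded, and any Condition is
    treated as a restriction (review those by hand)."""
    found = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        reads = any(a in ("s3:GetObject", "s3:*", "*") for a in actions)
        if (stmt.get("Effect") == "Allow" and _grants_anonymous(stmt.get("Principal"))
                and reads and not stmt.get("Condition")):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found

# Constructed "before" policy: the classic public-read bucket that OAC replaces.
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-website-bucket/*"}]}

if __name__ == "__main__":  # 111122223333 is a placeholder account id
    locked = oac_bucket_policy("my-website-bucket",
                               "arn:aws:cloudfront::111122223333:distribution/E1234ABCDEFGH")
    print(json.dumps(locked, indent=2))
    print("public:", direct_read_statements(PUBLIC_READ_POLICY), "oac:", direct_read_statements(locked))
```

Pair the policy with S3 Block Public Access on the bucket so a later edit cannot quietly reintroduce a public-read statement.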
CloudFront Functions and Lambda@Edge
Both services run code at Edge Locations — close to the user — to customize request/response handling without sending traffic back to the origin.
| Feature | CloudFront Functions | Lambda@Edge |
|---|---|---|
| Languages | JavaScript only | Python, Node.js |
| Execution time limit | 1 millisecond | 5–30 seconds |
| Use case | URL rewrites, header manipulation, redirects | Authentication, A/B testing, complex logic |
| Cost | Very cheap | More expensive |
Real-World Example — Global News Website
A news website gets traffic from readers worldwide. The homepage and articles are stored on S3. Videos are stored on S3 in a separate bucket.
- CloudFront Distribution 1: Serves www.newsite.com — HTML pages cached for 1 hour.
- CloudFront Distribution 2: Serves videos.newsite.com — videos cached for 24 hours, secured with signed URLs for premium subscribers.
- AWS WAF attached to both distributions — blocks suspicious IP ranges and bot traffic.
- ACM SSL certificate — both distributions serve over HTTPS.
Result: Readers in any country load content in under 50ms. The origin S3 bucket receives a tiny fraction of the total requests because CloudFront serves almost everything from cache.
Summary
- CloudFront is AWS's CDN — it serves content from its 400+ Edge Locations, using the one closest to each user for fast delivery.
- Distributions define the origin (S3, ALB, EC2) and cache behaviors for different URL patterns.
- TTL controls how long content stays cached. Invalidation removes stale content immediately.
- Signed URLs control access to private content. OAC ensures S3 content is only accessible through CloudFront.
- Lambda@Edge and CloudFront Functions run code at the edge for customized request handling.
