Graduate Program KB

Section 10 - CloudFront & AWS Global Accelerator

CloudFront

  • Content Delivery Network for improving read performance and caching content at the edge
  • Currently 216 points of presence globally (edge locations)
  • Has DDoS protection, integration with Shield and AWS Web Application Firewall

Origins

  • S3 bucket
    • Distributing files and caching them at edge
    • Enhanced security with Origin Access Control (OAC), which replaces the legacy Origin Access Identity (OAI): the bucket policy grants the CloudFront service principal access, scoped to one distribution by its ARN, so the bucket is not reachable directly
    • CloudFront can be used as ingress (uploading files to S3)
  • Custom Origin (HTTP)
    • ALB, EC2 instance, S3 website, any HTTP backend the user wants
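The OAC point above comes down to the bucket policy on the S3 origin. The following is an added example for these notes (not AWS code): it audits a bucket policy document for the OAC pattern, flagging a legacy OAI principal, a public principal, a CloudFront service principal with no aws:SourceArn condition or one pointing at a different distribution, and actions beyond the allowed set. The account ID, distribution ID and bucket name are hypothetical and the two policy documents are constructed for the example.

```python
import json

# Hypothetical identifiers, used only to build the sample policies below
ACCOUNT_ID = "111122223333"
DISTRIBUTION_ID = "EDFDVBD6EXAMPLE"
DISTRIBUTION_ARN = f"arn:aws:cloudfront::{ACCOUNT_ID}:distribution/{DISTRIBUTION_ID}"
BUCKET = "example-static-assets"

# Constructed policy in the shape CloudFront generates for an OAC origin:
# service principal, read-only, scoped to exactly one distribution ARN
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": DISTRIBUTION_ARN}},
    }],
}

# Constructed policy with the three mistakes the audit is meant to catch
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # legacy OAI principal (pre-OAC pattern)
            "Sid": "LegacyOAI",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLE"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        {   # public read bypasses CloudFront (and its WAF / geo restriction) entirely
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        {   # service principal without SourceArn: any distribution in any AWS account qualifies
            "Sid": "UnscopedServicePrincipal",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:*",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
    ],
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _source_arn(statement):
    """Return the aws:SourceArn value of a StringEquals condition (condition keys are case-insensitive)."""
    for key, value in statement.get("Condition", {}).get("StringEquals", {}).items():
        if key.lower() == "aws:sourcearn":
            return value
    return None


def audit_oac_policy(policy, distribution_arn, allowed_actions=("s3:GetObject",)):
    """Return a list of findings; an empty list means every Allow statement fits the OAC pattern."""
    findings = []
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = statement.get("Sid", "<no Sid>")
        principal = statement.get("Principal")
        actions = _as_list(statement.get("Action", []))

        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: public principal; the origin can be read without going through CloudFront")
            continue
        if isinstance(principal, dict) and any(
            "CloudFront Origin Access Identity" in arn for arn in _as_list(principal.get("AWS", []))
        ):
            findings.append(f"{sid}: legacy Origin Access Identity principal; migrate to OAC")
            continue
        if isinstance(principal, dict) and principal.get("Service") == "cloudfront.amazonaws.com":
            source = _source_arn(statement)
            if source is None:
                findings.append(f"{sid}: no aws:SourceArn condition; any distribution in any account could use this bucket")
            elif source != distribution_arn:
                findings.append(f"{sid}: aws:SourceArn {source} is not the expected distribution")
            extra = [a for a in actions if a not in allowed_actions]
            if extra:
                findings.append(f"{sid}: actions beyond the allowed set: {extra}")
    return findings


if __name__ == "__main__":
    print(json.dumps(GOOD_POLICY, indent=2))
    print("good policy findings:", audit_oac_policy(GOOD_POLICY, DISTRIBUTION_ARN))
    for finding in audit_oac_policy(BAD_POLICY, DISTRIBUTION_ARN):
        print("BAD:", finding)
```

If CloudFront is also used as ingress (uploads to S3), pass allowed_actions=("s3:GetObject", "s3:PutObject") so the write grant is accepted while anything broader is still reported.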

CloudFront vs. S3 Cross Region Replication

  • CloudFront
    • Global edge network
    • Files cached for a TTL (maybe a day)
    • Great for static content that must be globally available
  • S3 Cross Region Replication
    • Must be set up for each region you want replication to happen in
    • Files are updated in near real-time
    • Replicated copies are read-only
    • Great for dynamic content that needs to be available at low-latency in few regions

Geo Restriction

  • Restrict access to your distribution
    • Allowlist: Allow users to access content by country
    • Blocklist: Prevent users from accessing content by country
  • Country is determined using a 3rd party Geo-IP database
  • Useful for enforcing copyright laws to control access to content

Pricing

  • Cost of egress varies per edge location
  • Can reduce the number of edge locations for cost reduction
  • Price classes:
    • Class All: All regions
    • Class 200: Most regions but excludes the most expensive ones
    • Class 100: Only the least expensive regions

Cache Invalidations

  • Force an entire or partial cache refresh by performing a CloudFront Invalidation
    • If you update the backend origin, CloudFront doesn't know to refresh the content until the TTL expires
  • Invalidate all files using the wildcard (/*) or a specific path (ex. /images/*); paths must start with / and * is only allowed as the last character
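To make the invalidation rules concrete, here is an added example for these notes (not AWS code) that builds the InvalidationBatch structure the CreateInvalidation API takes. It rejects paths that don't start with / or that use * anywhere but the end, drops paths already covered by a wildcard in the same batch (each path in the batch, wildcard or not, counts as one toward the monthly free invalidation quota), and attaches the CallerReference that makes a retried request idempotent. The sample paths are constructed.

```python
import uuid


def validate_path(path):
    """Enforce CloudFront's invalidation path rules; returns the path or raises ValueError."""
    if not path.startswith("/"):
        raise ValueError(f"invalidation path must start with '/': {path!r}")
    if "*" in path[:-1]:
        raise ValueError(f"'*' is only allowed as the last character: {path!r}")
    return path


def collapse_paths(paths):
    """Dedupe paths (keeping order) and drop any already matched by a wildcard in the batch.

    /images/* covers /images/logo.png and /images/sub/*, so sending them too only
    burns invalidation quota without invalidating anything extra.
    """
    wildcards = [p for p in paths if p.endswith("*")]
    kept = []
    for path in dict.fromkeys(paths):  # dict preserves first-seen order
        covered = any(path != w and path.startswith(w[:-1]) for w in wildcards)
        if not covered:
            kept.append(path)
    return kept


def build_invalidation_batch(paths, caller_reference=None):
    """Return the InvalidationBatch dict for boto3's cloudfront.create_invalidation()."""
    items = collapse_paths([validate_path(p) for p in paths])
    return {
        "Paths": {"Quantity": len(items), "Items": items},
        # Must be unique per logical request; reusing one lets a retry be deduplicated
        "CallerReference": caller_reference or str(uuid.uuid4()),
    }


if __name__ == "__main__":
    # Constructed sample: a deploy that rewrote the home page and the whole images folder
    batch = build_invalidation_batch(
        ["/index.html", "/images/*", "/images/logo.png", "/index.html"],
        caller_reference="deploy-42",
    )
    print(batch)
    # With boto3 this would be sent as:
    #   boto3.client("cloudfront").create_invalidation(
    #       DistributionId="EDFDVBD6EXAMPLE",  # hypothetical ID
    #       InvalidationBatch=batch)
```

An invalidation is the escape hatch, not the normal path: for routine deploys it is cheaper and faster to version file names (app.3f2a1c.js) with a long TTL so that nothing needs invalidating at all.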

Unicast IP vs. Anycast IP

  • Unicast IP: One server holds one IP address
  • Anycast IP: All servers hold the same IP address and the client is routed to the nearest one

AWS Global Accelerator

  • Leverage AWS internal network to route to your app
  • 2 static Anycast IPs are created, sending traffic directly to edge locations which forward it over the AWS network to your app
  • Works with Elastic IP, EC2 instances, ALB, NLB and public / private IP addresses
  • Benefits:
    • Intelligent routing to lowest latency and fast regional failover
    • No client caching issue since IP doesn't change
    • Global accelerator performs health checks of apps with a failover of less than 1 minute
    • Only 2 external IP addresses need to be allowlisted by clients and firewalls
    • Has DDoS protection from AWS Shield

AWS Global Accelerator vs. CloudFront

  • Both use AWS global network and its edge locations
  • Both integrate with AWS Shield for DDoS protection
  • CloudFront
    • Improves performance for both cacheable content (ex. images and videos) and dynamic content (ex. API calls), served at the edge
  • Global Accelerator
    • Improves performance for a wide range of apps over TCP or UDP
    • Proxy packets at edge to apps running in multiple regions
    • Good for non-HTTP use cases
    • Good for HTTP use cases requiring static IP addresses or requiring deterministic, fast regional failover