Amazon CloudFront CDN - Comprehensive Guide

📋 Table of Contents

CloudFront Overview
Global Architecture
Traffic Flow Patterns
Cache Behavior
Setup Command Flow
AWS CLI Commands
Advanced Configurations

🔍 Amazon CloudFront Overview

Amazon CloudFront is a content delivery network (CDN) service that delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds. It integrates with other AWS services and provides a developer-friendly environment.

                    Key Features:
                    Global Edge Network: 400+ edge locations across 90+ cities
Real-time Metrics: Detailed analytics and monitoring
Security: DDoS protection, SSL/TLS encryption, AWS WAF integration
Performance: Smart routing, compression, HTTP/2 support
Scalability: Automatic scaling based on demand

                

🏗️ CloudFront Global Architecture

graph TB User[👤 End User] --> DNS{Route 53
DNS Resolution} DNS --> Edge[🌐 CloudFront Edge Location] Edge --> Regional[🏢 Regional Edge Cache] Regional --> Origin[🎯 Origin Server] subgraph "Global Edge Network" Edge1[🌐 US East Edge] Edge2[🌐 EU West Edge] Edge3[🌐 Asia Pacific Edge] Edge4[🌐 South America Edge] end subgraph "Regional Caches" RC1[🏢 US Regional Cache] RC2[🏢 EU Regional Cache] RC3[🏢 APAC Regional Cache] end subgraph "Origin Options" S3[📦 S3 Bucket] ALB[⚖️ Application Load Balancer] EC2[💻 EC2 Instance] Custom[🔧 Custom HTTP Origin] end Edge1 --> RC1 Edge2 --> RC2 Edge3 --> RC3 Edge4 --> RC1 RC1 --> S3 RC1 --> ALB RC2 --> EC2 RC3 --> Custom classDef userClass fill:#e1f5fe,stroke:#01579b,stroke-width:3px classDef edgeClass fill:#fff3e0,stroke:#e65100,stroke-width:2px classDef regionalClass fill:#f3e5f5,stroke:#4a148c,stroke-width:2px classDef originClass fill:#e8f5e8,stroke:#1b5e20,stroke-width:2px classDef dnsClass fill:#fff8e1,stroke:#ff8f00,stroke-width:2px class User userClass class DNS dnsClass class Edge,Edge1,Edge2,Edge3,Edge4 edgeClass class Regional,RC1,RC2,RC3 regionalClass class Origin,S3,ALB,EC2,Custom originClass

🔍 Global Architecture Explanation

This diagram illustrates CloudFront's global distribution architecture:

DNS Resolution: Route 53 directs users to the nearest edge location based on latency
Edge Locations: 400+ points of presence worldwide that cache content closest to users
Regional Edge Caches: Intermediate caching layer between edge locations and origins
Origin Servers: Source of your content (S3, EC2, Load Balancers, or custom servers)
Traffic Flow: User → DNS → Edge → Regional Cache → Origin (if cache miss)

🚦 Traffic Flow Patterns

Cache Hit Scenario

sequenceDiagram participant U as 👤 User participant E as 🌐 Edge Location participant R as 🏢 Regional Cache participant O as 🎯 Origin Server U->>E: 1. Request content Note over E: Check local cache E-->>U: 2. Return cached content ✅ Note over U,E: Fast response (10-50ms) rect rgb(200, 255, 200) Note over U,O: Cache HIT - No origin request needed end

🎯 Cache Hit Flow Explanation

Optimal performance scenario:

Step 1: User requests content from CloudFront distribution
Step 2: Edge location checks local cache and finds content
Result: Content served directly from edge with minimal latency (10-50ms)
Benefits: Reduced origin load, faster response times, lower costs

Cache Miss Scenario

sequenceDiagram participant U as 👤 User participant E as 🌐 Edge Location participant R as 🏢 Regional Cache participant O as 🎯 Origin Server U->>E: 1. Request content Note over E: Cache MISS E->>R: 2. Request from Regional Cache alt Regional Cache HIT R-->>E: 3a. Return content else Regional Cache MISS R->>O: 3b. Request from Origin O-->>R: 4. Return content R-->>E: 5. Forward content end E-->>U: 6. Return content to user Note over E: Cache content locally rect rgb(255, 200, 200) Note over U,O: Cache MISS - Origin request required end

⚡ Cache Miss Flow Explanation

First-time or expired content request:

Step 1: User requests content not in edge cache
Step 2: Edge location checks regional cache first
Step 3a: If regional cache has content, it's returned (faster than origin)
Step 3b-5: If regional cache also misses, request goes to origin
Step 6: Content returned to user and cached at both levels
Future requests: Will be cache hits with faster response times

🔄 Cache Behavior and Invalidation

flowchart TD Request[📥 Incoming Request] --> PathMatch{Path Pattern
Match?} PathMatch -->|Yes| Behavior[Cache Behavior Rules] PathMatch -->|No| Default[Default Behavior] Behavior --> TTL{TTL Settings} Default --> TTL TTL --> Cache[💾 Cache Content] Cache --> Serve[📤 Serve to User] subgraph "Cache Behavior Options" TTL --> MinTTL[Min TTL: 0s] TTL --> MaxTTL[Max TTL: 31536000s] TTL --> DefaultTTL[Default TTL: 86400s] end subgraph "Invalidation Process" Invalid[🔄 Create Invalidation] Invalid --> Paths[Specify Paths/*] Paths --> Clear[Clear Edge Caches] Clear --> Fresh[Fresh Content Fetch] end Cache -.-> Invalid classDef requestClass fill:#e3f2fd,stroke:#0277bd classDef behaviorClass fill:#f3e5f5,stroke:#7b1fa2 classDef cacheClass fill:#e8f5e8,stroke:#388e3c classDef invalidClass fill:#fff3e0,stroke:#f57c00 class Request requestClass class PathMatch,Behavior,Default behaviorClass class TTL,Cache,Serve,MinTTL,MaxTTL,DefaultTTL cacheClass class Invalid,Paths,Clear,Fresh invalidClass

🎛️ Cache Behavior Configuration

How CloudFront determines caching behavior:

Path Pattern Matching: Different cache rules for different URL patterns
TTL Settings: Control how long content stays cached
Default Behavior: Fallback rules for unmatched patterns
Invalidation: Force refresh of cached content before TTL expires
Cache Headers: Origin can control caching with HTTP headers

⚡ CloudFront Setup Command Flow

flowchart TD Start([🚀 Start Setup]) --> S3Create[1️⃣ Create S3 Bucket] S3Create --> S3Config[2️⃣ Configure S3 Bucket] S3Config --> S3Upload[3️⃣ Upload Content] S3Upload --> OAC[4️⃣ Create Origin Access Control] OAC --> Distribution[5️⃣ Create CloudFront Distribution] Distribution --> Behavior[6️⃣ Configure Cache Behaviors] Behavior --> SSL[7️⃣ Configure SSL Certificate] SSL --> Deploy[8️⃣ Deploy Distribution] Deploy --> DNS[9️⃣ Update DNS Records] DNS --> Test[🔟 Test & Validate] Test --> Monitor[1️⃣1️⃣ Monitor & Optimize] subgraph "Prerequisites" PreReq1[AWS CLI Configured] PreReq2[IAM Permissions Set] PreReq3[Domain Name Ready] end subgraph "Optional Steps" WAF[Configure AWS WAF] Lambda[Lambda@Edge Functions] Logging[Enable Access Logging] end SSL -.-> WAF SSL -.-> Lambda SSL -.-> Logging classDef startClass fill:#e1f5fe,stroke:#01579b,stroke-width:3px classDef processClass fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px classDef prereqClass fill:#fff8e1,stroke:#ff8f00,stroke-width:2px classDef optionalClass fill:#e8f5e8,stroke:#388e3c,stroke-width:2px class Start,Test startClass class S3Create,S3Config,S3Upload,OAC,Distribution,Behavior,SSL,Deploy,DNS,Monitor processClass class PreReq1,PreReq2,PreReq3 prereqClass class WAF,Lambda,Logging optionalClass

📋 Setup Flow Explanation

Recommended sequence for CloudFront deployment:

Steps 1-3: Prepare origin content in S3 bucket
Step 4: Create Origin Access Control for secure S3 access
Steps 5-6: Create and configure CloudFront distribution
Steps 7-8: Set up SSL/TLS and deploy
Steps 9-11: Configure DNS, test, and monitor
Optional: Add security (WAF), serverless compute (Lambda@Edge), and logging

💻 AWS CLI Commands & Configuration

🔧 Command Execution Order

Phase 1: S3 Origin Setup (Commands 1-3)

Phase 2: Security Configuration (Commands 4-5)

Phase 3: CloudFront Distribution (Commands 6-8)

Phase 4: DNS & Monitoring (Commands 9-11)

1️⃣ Create S3 Bucket (Origin Setup)

aws s3 mb s3://my-cloudfront-origin-bucket \
    --region us-east-1

📋 S3 Bucket Creation Parameters

s3://my-cloudfront-origin-bucket - Globally unique bucket name
--region us-east-1 - AWS region (us-east-1 recommended for CloudFront)

Note: S3 bucket serves as the origin server for CloudFront. Choose us-east-1 for optimal CloudFront integration and lower costs.

2️⃣ Configure S3 Bucket Policy

cat > bucket-policy.json << 'EOF'
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-cloudfront-origin-bucket/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::ACCOUNT-ID:distribution/DISTRIBUTION-ID"
                }
            }
        }
    ]
}
EOF

🔐 S3 Bucket Policy Parameters

Principal.Service - Allows CloudFront service to access bucket
Action: s3:GetObject - Grants read-only access to objects
Resource - Specifies bucket and all objects within it
Condition.StringEquals - Restricts access to specific CloudFront distribution

Security Note: This policy uses Origin Access Control (OAC) to secure S3 access. Replace ACCOUNT-ID and DISTRIBUTION-ID with actual values after creating the distribution.

3️⃣ Upload Content to S3

aws s3 sync ./website-content/ s3://my-cloudfront-origin-bucket/ \
    --exclude "*.DS_Store" \
    --exclude "*.git/*" \
    --cache-control "max-age=86400" \
    --content-encoding gzip

📤 S3 Content Upload Parameters

sync - Synchronizes local directory with S3 bucket
--exclude - Skips unwanted files (system files, git)
--cache-control - Sets HTTP cache headers (86400 = 24 hours)
--content-encoding gzip - Enables compression for faster delivery

Performance Tip: Use appropriate cache-control headers for different content types. Static assets (CSS, JS, images) can have longer cache times.

4️⃣ Create Origin Access Control (OAC)

aws cloudfront create-origin-access-control \
    --origin-access-control-config '{
        "Name": "my-s3-oac",
        "Description": "OAC for S3 bucket access",
        "OriginAccessControlOriginType": "s3",
        "SigningBehavior": "always",
        "SigningProtocol": "sigv4"
    }'

🛡️ Origin Access Control Parameters

Name - Unique identifier for the OAC
OriginAccessControlOriginType - Type of origin (s3, mediastore)
SigningBehavior - When to sign requests (always, never, no-override)
SigningProtocol - AWS signature version (sigv4 recommended)

Security: OAC replaces the legacy Origin Access Identity (OAI) and provides better security for S3 origins. It uses AWS Signature Version 4 for authentication.

5️⃣ Request SSL Certificate (Optional but Recommended)

aws acm request-certificate \
    --domain-name "example.com" \
    --subject-alternative-names "*.example.com" \
    --validation-method DNS \
    --region us-east-1

🔒 SSL Certificate Parameters

--domain-name - Primary domain for the certificate
--subject-alternative-names - Additional domains (wildcards supported)
--validation-method - How AWS validates domain ownership (DNS/EMAIL)
--region us-east-1 - Must be us-east-1 for CloudFront certificates

Important: ACM certificates for CloudFront must be requested in us-east-1 region. DNS validation is recommended for automation.

6️⃣ Create CloudFront Distribution Configuration

cat > distribution-config.json << 'EOF'
{
    "CallerReference": "my-distribution-2024-001",
    "Comment": "Production website CDN",
    "Enabled": true,
    "Origins": {
        "Quantity": 1,
        "Items": [
            {
                "Id": "S3-my-cloudfront-origin-bucket",
                "DomainName": "my-cloudfront-origin-bucket.s3.us-east-1.amazonaws.com",
                "S3OriginConfig": {
                    "OriginAccessIdentity": ""
                },
                "OriginAccessControlId": "ORIGIN-ACCESS-CONTROL-ID"
            }
        ]
    },
    "DefaultCacheBehavior": {
        "TargetOriginId": "S3-my-cloudfront-origin-bucket",
        "ViewerProtocolPolicy": "redirect-to-https",
        "CachePolicyId": "4135ea2d-6df8-44a3-9df3-4b5a84be39ad",
        "OriginRequestPolicyId": "88a5eaf4-2fd4-4709-b370-b4c650ea3fcf",
        "Compress": true
    },
    "PriceClass": "PriceClass_100"
}
EOF

🏗️ CloudFront Distribution Configuration

CallerReference - Unique identifier to prevent duplicate distributions
Origins - Configuration for content origin servers
OriginAccessControlId - Links to OAC created in step 4
ViewerProtocolPolicy - Enforces HTTPS (redirect-to-https/https-only)
CachePolicyId - Managed caching policy (Managed-CachingOptimized)
PriceClass - Geographic distribution scope (affects cost)

Configuration Notes: Replace ORIGIN-ACCESS-CONTROL-ID with the ID from step 4. PriceClass_100 uses only North America and Europe edge locations.

7️⃣ Create CloudFront Distribution

aws cloudfront create-distribution \
    --distribution-config file://distribution-config.json \
    --output table \
    --query 'Distribution.{Id:Id,DomainName:DomainName,Status:Status}'

🚀 Distribution Creation Parameters

--distribution-config - References the JSON configuration file
--output table - Formats output as a readable table
--query - Filters output to show only essential information

Deployment Time: Distribution creation takes 15-20 minutes. Status will change from "InProgress" to "Deployed". Note the Domain Name for DNS configuration.

8️⃣ Update S3 Bucket Policy with Distribution ID

aws s3api put-bucket-policy \
    --bucket my-cloudfront-origin-bucket \
    --policy file://bucket-policy.json

🔗 Bucket Policy Application

--bucket - Target S3 bucket name
--policy - References the policy JSON file from step 2

Security: Update the bucket-policy.json file with the actual distribution ID before applying. This creates a secure link between CloudFront and S3.

9️⃣ Configure Custom Domain (Optional)

aws cloudfront update-distribution \
    --id DISTRIBUTION-ID \
    --distribution-config '{
        "CallerReference": "my-distribution-2024-001",
        "Aliases": {
            "Quantity": 1,
            "Items": ["www.example.com"]
        },
        "ViewerCertificate": {
            "ACMCertificateArn": "arn:aws:acm:us-east-1:ACCOUNT:certificate/CERT-ID",
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1.2_2021"
        }
    }'

🌐 Custom Domain Configuration

Aliases - Custom domain names for the distribution
ACMCertificateArn - SSL certificate ARN from step 5
SSLSupportMethod - SNI-only (recommended) or dedicated IP
MinimumProtocolVersion - Minimum TLS version for security

DNS Setup: After updating, create a CNAME record pointing your domain to the CloudFront distribution domain name.

🔟 Create Route 53 DNS Record

aws route53 change-resource-record-sets \
    --hosted-zone-id Z1D633PJN98FT9 \
    --change-batch '{
        "Changes": [{
            "Action": "CREATE",
            "ResourceRecordSet": {
                "Name": "www.example.com",
                "Type": "CNAME",
                "TTL": 300,
                "ResourceRecords": [{"Value": "d1234567890123.cloudfront.net"}]
            }
        }]
    }'

🔗 DNS Record Parameters

--hosted-zone-id - Route 53 hosted zone ID for your domain
Action: CREATE - Creates a new DNS record
Type: CNAME - Points domain to CloudFront distribution
TTL: 300 - DNS cache time (5 minutes)

Alternative: Use an A record with alias target for apex domains (example.com). CNAME records are for subdomains (www.example.com).

1️⃣1️⃣ Enable CloudWatch Monitoring

aws cloudfront put-monitoring-subscription \
    --distribution-id DISTRIBUTION-ID \
    --monitoring-subscription '{
        "RealtimeMetricsSubscriptionConfig": {
            "RealtimeMetricsSubscriptionStatus": "Enabled"
        }
    }'

📊 Monitoring Configuration

RealtimeMetricsSubscriptionStatus - Enables real-time metrics
Additional costs apply - Real-time metrics are a premium feature

Monitoring Benefits: Real-time metrics provide detailed insights into cache hit ratios, error rates, and geographic distribution of requests.

🔧 Advanced Configuration Examples

Cache Behaviors for Different Content Types

{
    "CacheBehaviors": {
        "Quantity": 3,
        "Items": [
            {
                "PathPattern": "/api/*",
                "TargetOriginId": "API-Origin",
                "ViewerProtocolPolicy": "https-only",
                "CachePolicyId": "4135ea2d-6df8-44a3-9df3-4b5a84be39ad",
                "TTL": 0,
                "ForwardedValues": {
                    "QueryString": true,
                    "Headers": {
                        "Quantity": 2,
                        "Items": ["Authorization", "Content-Type"]
                    }
                }
            },
            {
                "PathPattern": "/images/*",
                "TargetOriginId": "S3-Images",
                "ViewerProtocolPolicy": "redirect-to-https",
                "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
                "TTL": 31536000,
                "Compress": true
            },
            {
                "PathPattern": "*.css",
                "TargetOriginId": "S3-Assets",
                "ViewerProtocolPolicy": "redirect-to-https",
                "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
                "TTL": 2592000,
                "Compress": true
            }
        ]
    }
}

🎯 Advanced Cache Behavior Configuration

/api/* pattern: No caching (TTL: 0) for dynamic API responses
/images/* pattern: Long cache time (1 year) for static images
*.css pattern: Medium cache time (30 days) for stylesheets
Compression: Enabled for text-based content to reduce bandwidth
Headers forwarding: Forward authentication headers for API requests

Lambda@Edge Function for Custom Headers

aws lambda create-function \
    --function-name cloudfront-security-headers \
    --runtime nodejs18.x \
    --role arn:aws:iam::ACCOUNT:role/lambda-edge-role \
    --handler index.handler \
    --zip-file fileb://function.zip \
    --region us-east-1 \
    --timeout 5 \
    --memory-size 128

⚡ Lambda@Edge Configuration

--runtime nodejs18.x - Latest supported Node.js runtime
--region us-east-1 - Lambda@Edge functions must be in us-east-1
--timeout 5 - Maximum 5 seconds for viewer-response events
--memory-size 128 - Minimum memory allocation

Use Cases: Security headers, A/B testing, request/response modification, authentication, and personalization at the edge.

Invalidation for Content Updates

aws cloudfront create-invalidation \
    --distribution-id DISTRIBUTION-ID \
    --paths "/*" "/images/logo.png" "/css/main.css" \
    --caller-reference "invalidation-$(date +%s)"

🔄 Cache Invalidation Parameters

--paths - Specific files or patterns to invalidate
"/*" - Invalidates all cached content (use carefully)
--caller-reference - Unique identifier using timestamp

Cost Consideration: First 1,000 invalidation requests per month are free. Use versioned filenames to avoid frequent invalidations.

                    🚨 Best Practices Summary
                    Security: Always use HTTPS and Origin Access Control
Performance: Set appropriate TTL values for different content types
Cost Optimization: Use price classes and monitoring to control costs
Monitoring: Enable CloudWatch metrics and set up alarms
Updates: Use versioned assets instead of frequent invalidations

                

🌐 Amazon CloudFront CDN