π 03. AWS CloudFront
AWS CloudFront is a Content Delivery Network (CDN) that improves content delivery performance by caching content at edge locations globally.
β‘ Key Featuresβ
- Faster Content Delivery: Cached at 216+ global edge locations
- Low Latency: Users are served from the nearest edge location
- DDoS Protection: Integrated with AWS Shield and AWS WAF
- Security: Uses Origin Access Control (OAC) for secure S3/backend access
- Global Reach: Improves user experience worldwide
βοΈ CloudFront Originsβ
An Origin is the source of your content β the location where CloudFront fetches your files (HTML, images, videos, etc.).
When a user requests content:
- If cached β served instantly from the nearest edge
- If not cached β fetched from origin, then cached for future use
πͺ£ A. Amazon S3 Bucket (Static Origin)β
Used for static files like images, CSS, JS, and HTML.
Key Points:
- CloudFront fetches and caches data from S3.
- Use OAC/OAI to restrict access (only CloudFront can read).
- Can be configured as an ingress path to upload via edge β S3.
ποΈ B. VPC Origin (Private Applications)β
For applications hosted in VPC private subnets
Examples:
- Application Load Balancer (ALB)
- Network Load Balancer (NLB)
- EC2 Instances
Security:
- Connects privately via AWS PrivateLink or VPC endpoints
- Requests pass through CloudFront (WAF, Shield) before backend access
π C. Custom HTTP Originβ
Used for any HTTP/HTTPS server, inside or outside AWS.
Examples:
- S3 bucket with Static Website Hosting enabled
- On-premises servers
- Other cloud providers
Notes:
- Must support HTTP/HTTPS
- Ideal for hybrid or legacy systems
- Can still apply WAF and Shield protections
CloudFront can connect to S3, private VPCs, or any HTTP backend β maintaining high performance, global caching, and strong security.
βοΈ CloudFront vs S3 Cross-Region Replication (CRR)β
| Feature | CloudFront | S3 Cross-Region Replication (CRR) |
|---|---|---|
| Purpose | CDN for fast content delivery | Replicates data between regions |
| Network | AWS Global Edge Network | Requires manual region setup |
| Data Behavior | Cached temporarily | Copied permanently |
| Update Frequency | Based on TTL (cache duration) | Near real-time replication |
| Access | Read-only cached copies | Full replicated copies |
| Best For | Static content (images, JS, CSS) | Dynamic or synced regional data |
| Example | Global website delivery | Data backup / multi-region sync |
π§ In short:
- CloudFront = Global caching β fast reads
- S3 CRR = Data replication β regional consistency
π CloudFront + S3 Demoβ
In this demo, we configure CloudFront to serve files securely from a private S3 bucket using Origin Access Control (OAC).
𧩠Step 1: Create CloudFront Distributionβ
- Open CloudFront β Create Distribution
- Select your S3 bucket as origin (e.g.,
demo-cloudfront-himanshu-v4) - Keep Origin Path index.html (files stored in root)
π Step 2: Enable Origin Access Control (OAC)β
- Choose Allow, use OAC (Allow private S3 bucket access to CloudFront)
βοΈ Step 3: Configure Settingsβ
- Keep default cache behavior and settings
- Disable optional security features (for demo/cost control)
ποΈ Step 4: Deploy Distributionβ
- Click Create Distribution
- Wait until status = βDeployedβ
- CloudFront is now active globally
π Step 5: Verify S3 Bucket Policyβ
- Open S3 β Permissions β Bucket Policy
- Confirm CloudFront automatically added permissions
(only your CloudFront distribution can read from S3)
π Step 6: Test CloudFront Domainβ
- Copy CloudFront domain (e.g.,
dxxxx.cloudfront.net) - Test the URLs:
/coffee.jpg/beach.jpg/index.html
β Files load successfully β served via CloudFront, not directly from S3.
π What Happenedβ
- CloudFront created a secure connection to S3 via OAC
- S3 bucket policy was updated to block public access
- Requests flow:
- User β CloudFront Edge
- CloudFront β S3 (private access)
- File cached β Served globally
- Next requests load instantly from the nearest edge location
π Resultβ
β
S3 bucket stays private
β
CloudFront serves files securely and globally
β
Caching boosts performance and reduces cost
β
Setup is automated and easy to manage