CloudFront
AWS content delivery network (CDN): improves read performance by caching at edge locations; integrates with AWS Shield, AWS WAF, Route 53 and HTTPS.
Origins:
- S3 configured as a website (enable static website hosting on the bucket first)
- Media endpoint: AWS media services (live streaming)
- HTTP: EC2, ELB, API Gateway, on-premises servers
Security
- To require HTTPS for communication between viewers and CloudFront, set the Viewer Protocol Policy to Redirect HTTP to HTTPS or HTTPS Only.
- Configure CloudFront to use its default SSL/TLS certificate by changing the Viewer Protocol Policy.
- To lock down the origin: from the outside, allow only the IP ranges of the CloudFront edge locations; then allow traffic from the ALB to EC2.
- From CloudFront to S3:
– Create a special CloudFront user called an origin access identity OAI and associate it with your CloudFront distribution.
– Give the origin access identity permission to read the files in your bucket.
– Remove permission for anyone else to use Amazon S3 URLs to read the files.
- Custom header on requests from CloudFront to the ALB: configure the ALB to accept only requests that carry this header.
- Price classes: All / Price Class 200 (excludes the most expensive regions) / Price Class 100 (least expensive regions only)
- CloudFront signed URL with expiration to get specific content from S3 (not the same as an S3 pre-signed URL):
- grants access to a path, signed with a CloudFront key pair, can be filtered by IP
- S3 pre-signed URL: inherits the permissions of the IAM principal that signed it, has a limited lifetime
- Custom error pages, stored in S3 and served by CloudFront
- OAC = origin access control (replaces OAI). To serve private content:
- Restrict access to files in CloudFront caches (signed URLs / cookies).
- Restrict access to files in your origin by doing one of the following:
– Set up an origin access identity (OAI) or origin access control (OAC) for your Amazon S3 bucket.
– Configure custom headers for a private HTTP server (a custom origin).
CloudFront Functions
Supports JavaScript only; reads headers and changes requests/responses; <1 ms runtime, 2 MB memory
use cases:
- Cache key normalization
- Header manipulation
- URL rewrite or redirect
- Request authentication & authorization
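The four use cases in one viewer-request function, as an added example (not code from the page or from AWS). It uses the CloudFront Functions event shape (`event.request.uri`, `querystring` and `headers` as objects of `{ value }`), normalizes the cache key by dropping tracking parameters and sorting the rest, rewrites directory URIs to `index.html`, adds a request header, and rejects `/admin/` requests without a valid bearer token. The protected prefix, header name and token list are constructed for the demo; a real function would validate a signed token rather than a static list.

```javascript
// Added example (not the page's or AWS's own code): a viewer-request
// CloudFront Function covering cache key normalization, header manipulation,
// URL rewrite and a simple authorization gate. Written in ES5 style because
// the CloudFront Functions runtime does not support Node modules or require().
var PROTECTED_PREFIX = '/admin/';                 // constructed
var VALID_TOKENS = { 'demo-token-123': true };    // constructed demo token list
var TRACKING_PARAMS = ['utm_source', 'utm_medium', 'utm_campaign', 'fbclid'];

// Returning a response object from a viewer-request function short-circuits the
// request; it never reaches the cache or the origin.
function unauthorized() {
  return {
    statusCode: 401,
    statusDescription: 'Unauthorized',
    headers: { 'www-authenticate': { value: 'Bearer' } }
  };
}

function handler(event) {
  var request = event.request;
  var headers = request.headers;

  // 4. Authorization for protected paths, checked on the original URI.
  if (request.uri.indexOf(PROTECTED_PREFIX) === 0) {
    var auth = headers.authorization ? headers.authorization.value : '';
    var token = auth.indexOf('Bearer ') === 0 ? auth.slice(7) : '';
    if (!VALID_TOKENS[token]) return unauthorized();
  }

  // 1. Cache key normalization: drop tracking params, lower-case and sort the
  //    rest so /a?UTM_Source=x&page=2 and /a?page=2 share one cache entry.
  var normalized = {};
  Object.keys(request.querystring).sort().forEach(function (key) {
    var lower = key.toLowerCase();
    if (TRACKING_PARAMS.indexOf(lower) === -1) normalized[lower] = request.querystring[key];
  });
  request.querystring = normalized;

  // 2. URL rewrite: directory requests get index.html appended.
  if (request.uri.slice(-1) === '/') request.uri = request.uri + 'index.html';
  else if (request.uri.indexOf('.') === -1) request.uri = request.uri + '/index.html';

  // 3. Header manipulation: mark the request for the origin.
  headers['x-edge-normalized'] = { value: 'true' };

  return request;
}

// Constructed viewer-request event builder for local runs and tests.
function makeEvent(uri, headers, querystring) {
  return {
    version: '1.0',
    context: { eventType: 'viewer-request' },
    viewer: { ip: '198.51.100.10' },
    request: {
      method: 'GET',
      uri: uri,
      querystring: querystring || {},
      headers: Object.assign({ host: { value: 'd111111abcdef8.cloudfront.net' } }, headers || {}),
      cookies: {}
    }
  };
}

console.log(handler(makeEvent('/docs/', {}, { UTM_Source: { value: 'news' }, page: { value: '2' } })));
console.log(handler(makeEvent('/admin/users', {}, {})).statusCode);
```

Because the function runs before the cache lookup, the normalization also shrinks the number of distinct cache keys an attacker can generate with junk query strings, which is why it belongs at the viewer-request stage rather than at the origin.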
Lambda@Edge
Supports Node.js or Python; VM-isolation based; 30 s runtime, 10 GB memory
Use cases:
- Longer execution with more memory
- Network and filesystem access, third-party integrations
- Customization based on User-Agent
- Used to change CloudFront requests and responses at four trigger points:
– Viewer Request: after CloudFront receives a request from a viewer
– Origin Request: before CloudFront forwards the request to the origin
– Origin Response: after CloudFront receives the response from the origin
– Viewer Response: before CloudFront forwards the response to the viewer