Amazon CloudFront

What is CloudFront

Amazon CloudFront is a fast and highly secure content delivery network (CDN). It is well suited to companies and organizations that need to distribute large files to many users around the globe.

By leveraging the AWS network through edge locations, also called Points of Presence, CloudFront can significantly improve your application's or website's performance, security, availability, and reliability. CloudFront integrates with several protective services, including DDoS protection through AWS Shield and the AWS Web Application Firewall (WAF).

How does it work

Consider an example of having media files that you distribute globally through your website hosted in the US. Users in Australia will probably encounter latency issues when accessing the website because of the distance between the two endpoints and the internet connectivity along the way. To minimize that latency and improve the user experience, you can leverage a content delivery network. CloudFront caches copies of your static content at the edge locations close to the users, which reduces the load on your backend, improves read performance, and lets users access that content faster. It supports different origin types, whether an Amazon S3 bucket or a custom HTTP origin.


S3 bucket as an origin

CloudFront distributes the files from the bucket and caches them at the edge. Consider an example where you have media files that you distribute globally. CloudFront caches the most recently accessed files at the edge locations, reducing the read load on your S3 bucket, which has a baseline performance of 5,500 GET/HEAD requests per second per prefix. You can enhance the security of your S3 bucket by using an Origin Access Identity (OAI) so that only requests coming from CloudFront are allowed, rather than leaving the bucket public-facing. Users can also customize the origin to serve a static S3 website through CloudFront.

ALB or EC2 as an origin

To use a custom origin with CloudFront, you must allow inbound traffic from all the public IP addresses of the edge locations. In the case of an EC2 (Elastic Compute Cloud) instance, the instance must be public. With an ALB (Application Load Balancer), in contrast, the EC2 instances can be private; the load balancer itself must still be public so that it can receive all the traffic from the edge locations.

AWS WAF is a service integrated with CloudFront that protects your web applications against common attacks. CloudFront also adds a security layer to your network by enforcing HTTPS connections between the edge locations and your origin server.

What is it used for

CloudFront is an excellent tool for content delivery because it leverages AWS's global edge network, serving users from the edge locations close to them. It is a great fit for static content that must be available everywhere. Suppose you want to distribute paid content to premium users around the world. In that case, you can use CloudFront signed URLs or signed cookies, backed by a policy that can specify the URL expiration, the IP ranges allowed to access the data, and the trusted signers.


A signed URL grants access to an individual file in your S3 bucket, while signed cookies grant access to multiple files. You can set the validity period of the URL depending on the nature of the content. Geo Restriction, also integrated with CloudFront, lets you restrict access to a distribution by either whitelisting approved countries or blacklisting banned countries.
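As an added example that is not from the post, here is how the signed-URL policy described above is put together and checked, in Python: the custom policy with an expiration and an IP range, CloudFront's URL-safe encoding of it, the three query parameters appended to the URL, and an evaluation of the policy's conditions as the edge would apply them. The distribution domain, the key pair ID and the `sign` callable are placeholders for illustration; a real URL is signed with RSA-SHA1 using the trusted signer's private key.

```python
import base64
import fnmatch
import ipaddress
import json
from typing import Callable, Optional


def build_policy(resource: str, expires_at: int, source_ip: Optional[str] = None) -> str:
    """Canonical custom policy (no whitespace: CloudFront requires it stripped before encoding)."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires_at}}
    if source_ip:
        # Limit the URL to a client IP range (CIDR), the "IP ranges" part of the policy.
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    return json.dumps({"Statement": [{"Resource": resource, "Condition": condition}]},
                      separators=(",", ":"))


def cf_b64encode(data: bytes) -> str:
    """CloudFront's URL-safe base64 alphabet: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans("+=/", "-_~"))


def cf_b64decode(text: str) -> bytes:
    return base64.b64decode(text.translate(str.maketrans("-_~", "+=/")))


def signed_url(url: str, policy: str, key_pair_id: str, sign: Callable[[bytes], bytes]) -> str:
    """Append the three query parameters CloudFront checks. `sign` is a hypothetical callable that
    must return the RSA-SHA1 signature of the policy made with the trusted signer's private key
    (botocore's CloudFrontSigner does this job in real deployments)."""
    sep = "&" if "?" in url else "?"
    return (f"{url}{sep}Policy={cf_b64encode(policy.encode())}"
            f"&Signature={cf_b64encode(sign(policy.encode()))}&Key-Pair-Id={key_pair_id}")


def policy_allows(policy_b64: str, requested_url: str, now: int, client_ip: str) -> bool:
    """Re-evaluate the policy conditions the edge applies once the signature has verified
    (the signature check itself needs the public key and is not reproduced here)."""
    statement = json.loads(cf_b64decode(policy_b64))["Statement"][0]
    if not fnmatch.fnmatchcase(requested_url, statement["Resource"]):  # Resource may use * and ?
        return False
    cond = statement["Condition"]
    if now >= cond["DateLessThan"]["AWS:EpochTime"]:  # expired
        return False
    if now < cond.get("DateGreaterThan", {}).get("AWS:EpochTime", 0):  # not yet valid
        return False
    if "IpAddress" in cond:
        allowed = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"], strict=False)
        if ipaddress.ip_address(client_ip) not in allowed:
            return False
    return True
```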

Thank you for your time. I hope you enjoyed this.

Yvan, the Architect.