Ends in
00
days
00
hrs
00
mins
00
secs
LEARN MORE

FLASH SALE - AWS SAA, CDA, and SysOps Practice Exams at $12.99 ONLY!

Amazon CloudFront

A web service that speeds up distribution of your static and dynamic web content to your users. A Content Delivery Network (CDN) service.

  • It delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you’re serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so that content is delivered with the best possible performance.
    • If the content is already in the edge location with the lowest latency, CloudFront delivers it immediately.
    • If the content is not in that edge location, CloudFront retrieves it from an origin that you’ve defined

AWS Training Amazon Cloudfront

  • How CloudFront Delivers Content

    • You specify origin servers, like an S3 bucket or your own HTTP server, from which CloudFront gets your files which will then be distributed from CloudFront edge locations all over the world.
    • Upload your files to your origin servers. Your files, also known as objects.
    • Create a CloudFront distribution, which tells CloudFront which origin servers to get your files from when users request the files through your web site or application. At the same time, you specify details such as whether you want CloudFront to log all requests and whether you want the distribution to be enabled as soon as it’s created.
    • CloudFront assigns a domain name to your new distribution that you can see in the CloudFront console.
    • CloudFront sends your distribution’s configuration (but not your content) to all of its edge locations—collections of servers in geographically dispersed data centers where CloudFront caches copies of your objects.
  • CloudFront supports the WebSocket protocol as well as the HTTP protocol with the following HTTP methods:
    • GET
    • HEAD
    • POST
    • PUT
    • DELETE
    • OPTIONS
    • PATCH.
  • Using Lambda@Edge with CloudFront enables a variety of ways to customize the content that CloudFront delivers. It can help you configure your CloudFront distribution to serve private content from your own custom origin, as an option to using signed URLs or signed cookies.(See AWS Compute Services Lambda Lambda@Edge)
  • CloudFront also has regional edge caches that bring more of your content closer to your viewers, even when the content is not popular enough to stay at a CloudFront edge location, to help improve performance for that content.
  • You can use a zone apex name on CloudFront
  • CloudFront supports wildcard CNAME
  • Different CloudFront Origins
    • Using S3 buckets for your origin – you place any objects that you want CloudFront to deliver in an S3 bucket.
    • Using S3 buckets configured as website endpoints for your origin
    • Using a mediastore container or a media package channel for your origin – you can set up an S3 bucket that is configured as a MediaStore container, or create a channel and endpoints with MediaPackage. Then you create and configure a distribution in CloudFront to stream the video.
    • Using EC2 or other custom origins – A custom origin is an HTTP server, for example, a web server.
    • Using CloudFront Origin Groups for origin failover – use origin failover to designate a primary origin for CloudFront plus a second origin that CloudFront automatically switches to when the primary origin returns specific HTTP status code failure responses.
  • Objects are cached for 24 hours by default. You can invalidate files in CloudFront edge caches even before they expire.
  • You can configure CloudFront to automatically compress files of certain types and serve the compressed files when viewer requests include Accept-Encoding: gzip in the request header.
  • CloudFront can cache different versions of your content based on the values of query string parameters.
  • CloudFront Distributions
    • You create a CloudFront distribution to tell CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery.
    • You create a distribution and choose the configuration settings you want:
      • Your content origin—that is, the Amazon S3 bucket, MediaPackage channel, or HTTP server from which CloudFront gets the files to distribute. You can specify any combination of up to 25 S3 buckets, channels, and/or HTTP servers as your origins.
      • Access—whether you want the files to be available to everyone or restrict access to some users.
      • Security—whether you want CloudFront to require users to use HTTPS to access your content.
      • Cookie or query-string forwarding—whether you want CloudFront to forward cookies or query strings to your origin.
      • Geo-restrictions—whether you want CloudFront to prevent users in selected countries from accessing your content.
      • Real Time Access logs—whether you want CloudFront to create access logs that show viewer activity, which are recorded in real time.
    • You can use distributions to serve the following content over HTTP or HTTPS:
      • Static and dynamic download content.
      • Video on demand in different formats, such as Apple HTTP Live Streaming (HLS) and Microsoft Smooth Streaming.
      • A live event, such as a meeting, conference, or concert, in real time.
    • Values that you specify when you create or update a distribution
      • Delivery Method – Web or RTMP.
      • Origin Settings – information about one or more locations where you store the original versions of your web content.
      • Cache Behavior Settings – lets you configure a variety of CloudFront functionality for a given URL path pattern for files on your website.
      • Custom Error Pages and Error Caching
      • Restrictions – if you need to prevent users in selected countries from accessing your content, you can configure your CloudFront distribution either to allow users in a whitelist of specified countries to access your content or to not allow users in a blacklist of specified countries to access your content.
IT Certification Category (English)728x90
  • Cache Behavior Settings

    • The functionality that you can configure for each cache behavior includes:
      • The path pattern.
      • If you have configured multiple origins for your CloudFront distribution, which origin you want CloudFront to forward your requests to.
      • Whether to forward query strings to your origin.
      • Whether accessing the specified files requires signed URLs.
      • Whether to require users to use HTTPS to access those files.
      • The minimum amount of time that those files stay in the CloudFront cache regardless of the value of any Cache-Control headers that your origin adds to the files.
    • CloudFront also offers a new method of cache configuration called policies. You may use the policies premade by AWS or you can create your own. These policies define how you’d like the cache to behave, such as cache TTL Settings, Cache Key Contents, and Compression settings.
    • After creating your CloudFront distribution, you can invalidate its cached items by creating an invalidation request.
  • Price Class

    • Choose the price class that corresponds with the maximum price that you want to pay for CloudFront service. By default, CloudFront serves your objects from edge locations in all CloudFront regions.
  • Performance and Availability

    • CloudFront also allows you to set up multiple origins to enable redundancy with Origin Failover. To set up origin failover, you must have a distribution with at least two origins. Next, you create an origin group for your distribution that includes the two origins, setting one as the primary. Finally, you define a cache behavior in which you specify the origin group as your origin.
      • The two origins in the origin group can be any combination of the following: AWS origins, like Amazon S3 buckets or Amazon EC2 instances, or custom origins, like your own HTTP web server.
      • When you create the origin group, you configure CloudFront to failover to the second origin for GET, HEAD, and OPTIONS HTTP methods when the primary origin returns specific status codes that you configure.
    • CloudFront is optimized for both dynamic and static content, providing extensive flexibility for optimizing cache behavior, coupled with network-layer optimizations for latency and throughput.
  • Using HTTPS with CloudFront

    • You can choose HTTPS settings both for communication between viewers and CloudFront, and between CloudFront and your origin.
    • If you want your viewers to use HTTPS and to use alternate domain names for your files, you need to choose one of the following options for how CloudFront serves HTTPS requests:
      • Use a dedicated IP address in each edge location
      • Use Server Name Indication (SNI)
  • Monitoring

    • The billing report is a high-level view of all of the activity for the AWS services that you’re using, including CloudFront.
    • The usage report is a summary of activity for a service such as CloudFront, aggregated by hour, day, or month. It also includes usage charts that provide a graphical representation of your CloudFront usage.
    • CloudFront console includes a variety of reports based on the data in CloudFront access logs:
      • CloudFront Cache Statistics Reports
      • CloudFront Popular Objects Report
      • CloudFront Top Referrers Report
      • CloudFront Usage Reports
      • CloudFront Viewers Reports
    • You can use AWS Config to record configuration changes for CloudFront distribution settings changes.
    • CloudFront integrates with Amazon CloudWatch metrics so that you can monitor your website or application.
    • Capture API requests with AWS CloudTrail. CloudFront is a global service. To view CloudFront requests in CloudTrail logs, you must update an existing trail to include global services.
  • Security

    • CloudFront, AWS Shield, AWS WAF, and Route 53 work seamlessly together to create a flexible, layered security perimeter against multiple types of attacks including network and application layer DDoS attacks.
    • You can deliver your content, APIs or applications via SSL/TLS, and advanced SSL features are enabled automatically.
    • Through geo-restriction capability, you can prevent users in specific geographic locations from accessing content that you’re distributing through CloudFront.
    • With Origin Access Identity feature, you can restrict access to an S3 bucket to only be accessible from CloudFront.
    • Field-Level Encryption is a feature of CloudFront that allows you to securely upload user-submitted data such as credit card numbers to your origin servers.
  • Pricing

    • Charge for storage in an S3 bucket.
    • Charge for serving objects from edge locations.
      • Data Transfer Out
    • Charge for submitting data to your origin.
      • Data Transfer Out
      • HTTP/HTTPS Requests
      • Invalidation Requests,
      • Dedicated IP Custom SSL certificates associated with a CloudFront distribution.
    • You also incur a surcharge for HTTPS requests, and an additional surcharge for requests that also have field-level encryption enabled.
  • Compliance

    • CloudFront has been validated as being compliant with Payment Card Industry (PCI) Data Security Standard (DSS).
    • CloudFront is a HIPAA eligible service.
    • CloudFront is compliant with SOC measures.

Free Amazon CloudFront Tutorials on YouTube:
https://www.youtube.com/user/AmazonWebServices/search?query=CloudFront

Amazon CloudFront-related Cheat Sheets:

Note: If you are studying for the AWS Certified Advanced Networking Specialty exam, we highly recommend that you take our AWS Certified Advanced Networking – Specialty Practice Exams and read our Advanced Networking Specialty exam study guide.

AWS Certified Advanced Networking Specialty Practice Exams

Validate Your Knowledge

Question 1

An online customer portal is hosted in an Amazon ECS cluster behind an Application Load Balancer. The portal is set as the origin of a CloudFront Web distribution to deliver the dynamic and static content to users in low-latency. A Cloud Engineer was assigned to configure CloudFront to communicate with your origin using HTTP or HTTPS, based on the protocol of the viewer request.

What should the Engineer implement to complete this task?

  1. Set the Origin Protocol policy of the CloudFront distribution to Match Viewer.
  2. Set the Origin Protocol policy of the CloudFront distribution to HTTP and HTTPS.
  3. Set the Viewer Protocol policy of the CloudFront distribution to HTTP and HTTPS.
  4. Set the Viewer Protocol policy of the CloudFront distribution to Match Viewer.

Correct Answer: 1

For web distributions, you can configure CloudFront to require that viewers use HTTPS to request your objects, so that connections are encrypted when CloudFront communicates with viewers. You also can configure CloudFront to use HTTPS to get objects from your origin, so that connections are encrypted when CloudFront communicates with your origin.

In CloudFront, there are 3 options that you can choose as the value for your Origin Protocol Policy:

  1. HTTP Only
  2. HTTPS Only
  3. Match Viewer.

For HTTP Only, CloudFront solely uses HTTP to access the origin. For HTTPS Only, CloudFront uses only HTTPS to access the origin and for Match Viewer, CloudFront communicates with your origin using HTTP or HTTPS, depending on the protocol of the viewer request. CloudFront caches the object only once even if viewers make requests using both HTTP and HTTPS protocols.

Take note that the term “Viewer” in CloudFront basically means the requestor or the client that sends the request. Therefore, the name: “MatchViewer” basically means that CloudFront is simply matching the protocol being used by the viewer.

Hence, the correct answer is: Set the Origin Protocol policy of the CloudFront distribution to Match Viewer.

The option that says: Set the Origin Protocol policy of the CloudFront distribution to HTTP and HTTPS is incorrect because this is not a valid value for the Origin Protocol policy. The HTTP and HTTPS type is only valid with the Viewer Protocol policy.

The option that says: Set the Viewer Protocol policy of the CloudFront distribution to HTTP and HTTPS is incorrect because you have to use the Origin Protocol policy and not Viewer Protocol.

The option that says: Set the Viewer Protocol policy of the CloudFront distribution to Match Viewer is incorrect because the Match Viewer type is only applicable if you are using an Origin Protocol policy.

References:
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html

Note: This question was extracted from our AWS Certified Advanced Networking Specialty Practice Exams.

Question 2

A company wants to launch its online shopping website to give customers an easy way to purchase the products they need. The proposed setup is to host the application on an AWS Fargate cluster, utilize a Load Balancer to distribute traffic between the Fargate tasks, and use Amazon CloudFront for caching and content delivery. The company wants to ensure that the website complies with industry best practices and should be able to protect customers from common “man-in-the-middle” attacks for e-commerce websites such as DNS spoofing, HTTPS spoofing, or SSL hijacking.

Which of the following configurations will provide the MOST secure access to the website?

  1. Register the domain name on Route 53 and enable DNSSEC validation for all public hosted zones to ensure that all DNS requests have not been tampered with during transit. Use AWS Certificate Manager (ACM) to generate a valid TLS/SSL certificate for the domain name. Configure the Application Load Balancer with an HTTPS listener to use the ACM TLS/SSL certificate. Use Server Name Identification and HTTP to HTTPS redirection on CloudFront.
  2. Register the domain name on Route 53. Use a third-party DNS provider that supports the import of the customer-managed keys for DNSSEC. Import a 2048-bit TLS/SSL certificate from a third-party certificate service to AWS Certificate Manager (ACM). Configure the Application Load Balancer with an HTTPS listener to use the imported TLS/SSL certificate. Use Server Name Identification and HTTP to HTTPS redirection on CloudFront.
  3. Use Route 53 for domain registration. Use a third-party DNS service that supports DNSSEC for DNS requests that use the customer-managed keys. Use AWS Certificate Manager (ACM) to generate a valid 2048-bit TLS/SSL certificate for the domain name and configure the Application Load Balancer HTTPS listener to use this TLS/SSL certificate. Use Server Name Identification and HTTP to HTTPS redirection on CloudFront.
  4. Register the domain name on Route 53. Since Route 53 only supports DNSSEC for registration, host the company DNS root servers on Amazon EC2 instances running the BIND service. Enable DNSSEC for DNS requests to ensure the replies have not been tampered with. Generate a valid certificate for the website domain name on AWS ACM and configure the Application Load Balancers HTTPS listener to use this TLS/SSL certificate. Use Server Name Identification and HTTP to HTTPS redirection on CloudFront.

Correct Answer: 1

Amazon now allows you to enable Domain Name System Security Extensions (DNSSEC) signing for all existing and new public hosted zones, and enable DNSSEC validation for Amazon Route 53 Resolver. Amazon Route 53 DNSSEC provides data origin authentication and data integrity verification for DNS and can help customers meet compliance mandates, such as FedRAMP.

When you enable DNSSEC signing on a hosted zone, Route 53 cryptographically signs each record in that hosted zone. Route 53 manages the zone-signing key, and you can manage the key-signing key in AWS Key Management Service (AWS KMS). Amazon’s domain name registrar, Route 53 Domains, already supports DNSSEC, and customers can now register domains and host their DNS on Route 53 with DNSSEC signing enabled. When you enable DNSSEC validation on the Route 53 Resolver in your VPC, it ensures that DNS responses have not been tampered with in transit. This can prevent DNS Spoofing.

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks. AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates. Using a valid SSL Certificate for your application load balancer ensures that all requests are encrypted on transit as well as protection against SSL hijacking.

CloudFront supports Server Name Indication (SNI) for custom SSL certificates, along with the ability to take incoming HTTP requests and redirect them to secure HTTPS requests to ensure that clients are always directed to the secure version of your website.

Therefore, the correct answer is: Register the domain name on Route 53 and enable DNSSEC validation for all public hosted zones to ensure that all DNS requests have not been tampered with during transit. Use AWS Certificate Manager (ACM) to generate a valid TLS/SSL certificate for the domain name. Configure the Application Load Balancer with an HTTPS listener to use the ACM TLS/SSL certificate. Use Server Name Identification and HTTP to HTTPS redirection on CloudFront. 

The option that says: Register the domain name on Route 53. Use a third-party DNS provider that supports the import of the customer-managed keys for DNSSEC. Import a 2048-bit TLS/SSL certificate from a third-party certificate service to AWS Certificate Manager (ACM). Configure the Application Load Balancer with an HTTPS listener to use the imported TLS/SSL certificate. Use Server Name Identification and HTTP to HTTPS redirection on CloudFront is incorrect. Although this is possible, you don’t have to rely on a third-party DNS provider as Route 53 supports DNSSEC signing. Also, ACM can secure a 2048-bit TLS/SSL Certificate for free so you don’t have to buy certificates from other providers.

The option that says: Use Route 53 for domain registration. Use a third-party DNS service that supports DNSSEC for DNS requests that use the customer-managed keys. Use AWS Certificate Manager (ACM) to generate a valid 2048-bit TLS/SSL certificate for the domain name and configure the Application Load Balancer HTTPS listener to use this TLS/SSL certificate. Use Server Name Identification and HTTP to HTTPS redirection on CloudFront is incorrect. This is also possible, but you don’t have to rely on a third-party DNS provider as Amazon Route 53 already supports DNSSEC signing.

The option that says: Register the domain name on Route 53. Since Route 53 only supports DNSSEC for registration, host the company DNS root servers on Amazon EC2 instances running the BIND service. Enable DNSSEC for DNS requests to ensure the replies have not been tampered with. Generate a valid certificate for the website domain name on AWS ACM and configure the Application Load Balancers HTTPS listener to use this TLS/SSL certificate. Use Server Name Identification and HTTP to HTTPS redirection on CloudFront is incorrect as this solution is no longer recommended. This setup was previously used as a workaround when DNSSEC signing was not supported natively yet in Amazon Route 53.

References:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html
https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
https://aws.amazon.com/about-aws/whats-new/2020/12/announcing-amazon-route-53-support-dnssec/
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html

Note: This question was extracted from our AWS Certified Solutions Architect Professional Practice Exams.

For more AWS practice exam questions with detailed explanations, visit the Tutorials Dojo Portal:

Tutorials Dojo AWS Practice Tests

References: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide
https://aws.amazon.com/cloudfront/features/
https://aws.amazon.com/cloudfront/pricing/
https://aws.amazon.com/cloudfront/faqs/

5-DAY FLASH SALE! Big Discounts on our SAA, CDA, and SysOps Practice Exams

Pass your AWS and Azure Certifications with the Tutorials Dojo Portal

Tutorials Dojo portal

Our Bestselling AWS Certified Solutions Architect Associate Practice Exams

AWS Certified Solutions Architect Associate Practice Exams

Enroll Now – Our AWS Practice Exams with 95% Passing Rate

AWS Practice Exams Tutorials Dojo

Enroll Now – Our Azure Certification Exam Reviewers

azure reviewers tutorials dojo

Enroll Now – Our Google Cloud Certification Exam Reviewers

Tutorials Dojo Exam Study Guide eBooks

Tutorials Dojo Study Guide and Cheat Sheets-2

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

FREE Intro to Cloud Computing for Beginners

FREE AWS, Azure, GCP Practice Test Samplers

Browse Other Courses

Generic Category (English)300x250

Recent Posts

Our Community

~98%
passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
200k+
students
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
~4.8
ratings
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers
error: Content is protected !!