Intro

• Global CDN that caches content at edge locations, reducing load at the origin
• TTL (0 sec - 1 year) can be set by the origin using headers
• Supports Server Name Indication (SNI) to allow SSL traffic to multiple domains
• CloudFront Geo Restriction can be used to allow or block countries from accessing a distribution.
• Edge Locations are present outside the VPC so the origin's SG must be configured to allow inbound requests from the list of public IPs of all the edge locations.
• Supports HTTP/RTMP protocol (does not support UDP protocol)
• In-flight encryption using HTTPS (from client all the way to the origin)
• To block a specific IP at the CloudFront level, deploy a WAF on CloudFront

Origin

• S3 Bucket
  • For distributing static files
  • Origin Access Identity (OAl) or Origin Access Control (OAC) allows the S3 bucket to only be accessed by CloudFront
  • Can be used as ingress to upload files to S3 (transfer acceleration)
• Custom Origin (for HTTP) - need to be publicly accessible on HTTP by public IPs of edge locations
  • EC2 Instance
  • ELB
  • S3 Website (may contain client-side script)
  • On-premise backend

<aside> 💡 To restrict access to ELB directly when it is being used as the origin in a CloudFront distribution, create a VPC Security Group for the ELB and use AWS Lambda to automatically update the CloudFront internal service IP addresses when they change.

</aside>

Pricing

• Price Class All: all regions (best performance)
• Price Class 200: most regions (excludes the most expensive regions)
• Price Class 100: only the least expensive regions

Origin Groups