Amazon CloudFront Documentation

Amazon CloudFront is a content delivery network (CDN) service that is designed to securely deliver data, videos, applications, and APIs to customers with low latency and high transfer speeds.

CloudFront offers security capabilities, such as field level encryption and HTTPS support, integrated with Amazon Shield, Amazon Web Application Firewall and Amazon Route 53 to protect against multiple types of attacks, including network and application layer DDoS attacks. These services co-reside at edge networking locations and connected via the Amazon Web Services network backbone.

CloudFront works with Amazon Web Services origins, such as Amazon S3, Amazon EC2, and Elastic Load Balancing and with custom HTTP origins. You can customize your content delivery through CloudFront using CloudFront Functions and Amazon Lambda@Edge.

CloudFront Edge locations are connected to Amazon Web Services Regions through the Amazon Web Services network backbone, which comprises multiple, redundant parallel fiber links and which also links with third-party networks to improve origin fetches and dynamic content acceleration.

Amazon CloudFront, Amazon Shield, Amazon Web Application Firewall (WAF), and Amazon Route 53 work together to create a layered security perimeter against multiple types of attacks, including network and application layer DDoS attacks. All of these services co-reside at the Amazon Web Services edge and are designed to provide a scalable, reliable, and high-performance security perimeter for applications and content. With CloudFront as the “front door” to an application and infrastructure, the primary attack surface is moved away from critical content, data, code and infrastructure.

With Amazon CloudFront, content, APIs or applications can be delivered over HTTPS using Transport Layer Security to encrypt and secure communications between viewer clients and CloudFront. Amazon Certificate Manager (ACM) can be used to create custom SSL certificates and deploy the certificates to CloudFront distributions. Additionally, CloudFront provides a number of TLS optimizations and advanced capabilities, such as full/half bridge HTTPS connections, OCSP stapling, Session Tickets, TLS Protocol Enforcements, Field-Level Encryption, and the Perfect Forward Secrecy feature.

Access is restricted to content through a number of capabilities. With Signed URLs and Signed Cookies, Token Authentication is supported to restrict access to only authenticated viewers. Geo-restriction prevents CloudFront from distributing content based on the geographic regions associated with the IP addresses of requesting clients. The Origin Access Identity (OAI) feature enables you to restrict access to an Amazon S3 bucket origin so that it is accessible only from CloudFront.

Origin Shield reduces the frequency of cache hits by consolidating object requests across regions. 

CloudFront supports multiple origins for backend architecture redundancy. CloudFront’s native origin failover capability is designed to automatically serve content from a backup origin when the primary origin is unavailable. CloudFront’s origin failover feature supports combinations of Amazon Web Services origins, such as EC2 instances, Amazon S3 buckets, and Media Services, or non- Amazon Web Services origins, such as on-premises HTTP servers. Additionally, you can implement origin failover capabilities using Lambda@Edge.

Amazon CloudFront offers programmable and secure edge CDN computing capabilities through CloudFront Functions and Amazon Lambda@Edge. CloudFront Functions can be used for high-scale and latency-sensitive operations like HTTP header manipulations, URL rewrites/redirects, and cache-key normalizations. 

Amazon Lambda@Edge is a general-purpose, serverless compute feature that supports a wide range of computing needs and customizations. Lambda@Edge is designed for computationally intensive operations, including computations that take several milliseconds to seconds to complete, computations that depend on external third-party libraries, computations that are integrated with other services of Amazon Web Services (e.g., S3, DynamoDB), and computations that make networks calls for data processing. 

Amazon CloudFront is integrated with Amazon CloudWatch and automatically publishes operational metrics per distribution, which are displayed as graphs in the CloudFront console. Additional metrics are available through the console or CloudFront APIs.

When enabled, CloudFront will automatically publish logs of CloudFront requests in a W3C-extended format into an Amazon S3 bucket that you specify. You can also configure CloudFront to deliver real-time logs of CloudFront requests to Amazon Kinesis Data Streams according to a sampling rate that you specify.

CloudFront is designed to propagate your changes and execute your invalidation requests within minutes.

CloudFront provides an API that can be used to create, configure and maintain CloudFront distributions. Developers can also use developer tools, such as Amazon CloudFormation, CodeDeploy, CodeCommit and Amazon SDKs, to configure and deploy their CloudFront workloads.

CloudFront provides options for configuring how requests will be processed, including customizing headers and metadata forwarded to your origin, creating content variants using cache-key manipulation, and support for various compression modes. With built-in device detection, CloudFront can detect the client device type (Desktop, Tablet, Smart TV, or Mobile device) and pass that information in the form of new HTTP Headers to your application to enable content variants or other custom responses. Amazon CloudFront can also detect the country-level location of the requesting user’s IP address for further customization of the response.

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.amazonaws.cn/en_us. This additional information does not form part of the Documentation for purposes of the Sinnet Customer Agreement for Amazon Web Services (Beijing Region), Western Cloud Data Customer Agreement for Amazon Web Services (Ningxia Region) or other agreement between you and Sinnet or NWCD governing your use of services of Amazon Web Services China Regions.