Amazon CloudFront is a Content Delivery Network (CDN) service that can securely deliver your content globally with low latency. CloudFront is one of the best ways to enhance User Experience in terms of speed of serving content.


Key Components of CloudFront

  • Origin – host of your content. Host can be S3, Web / Application Server, etc.
  • Distribution – you create a Distribution to specify settings like:
    • Origin
    • Access
    • Security
    • Cache Key
    • Origin Request Settings
    • Geo-restrictions
    • Access Logs
  • Behaviors – allows you to detail out configurations on how your content will be distributed
  • Edge Location – the physical infrastructure location that hosts and distributes your content to your users
  • Regional Edge Caches – scaled-up version of Edge Location with larger capacity to hold content cache


Following diagram shows snapshot of CloudFront Edge Locations and Regional Edge Caches

CloudFront Locations

Image courtesy of AWS


Key Points

  • CloudFront is built within the global physical AWS infrastructure, and thus can communicate with other AWS services and components in a secured manner.
  • CloudFront can have ELB, EC2, or S3 as it source origin for your applications.
    • There is no charge for data transfer from any of these origins to CloudFront
  • CloudFront can run Lambda@Edge allowing custom code run closer to your end-users’ location.
  • Use Cases
    • Caching for Static content such as images, CSS, videos, etc.
    • Perform Security filtering closer to end-user – you can leverage AWS Shield for Layer 3/ 4 DDoS and AWS WAF for Layer 7 at CloudFront
    • Customization of content delivery based on types of end-user (or types of request) – you can use Lambda@Edge to process request and make decisions at Edge locations to decide on specific content that you want to serve (or to go to origin to fetch non-local content).
  • CloudFront can be integrated into your DevOps deployment process by integrating it in tools like CloudFormation, CodeDeploy, CodeCommit and AWS SDKs
  • CloudFront supports Server Name Identification (SNI) – see below what SNI is



  • CloudFront fully supports content delivery over SSL / TLS and HTTPS.
  • CloudFront allows use of AWS Shield and AWS Web Application Firewall (WAF) to safeguard from common security attacks.
  • Access Control – CloudFront supports multiple ways to configure who can access your content
    • Signed URLs / Cookies can be used to serve content only to authenticated users
    • Geo-restriction can be used to restrict data to specific geographies
    • Origin Access Identity (OAI) allows you to expose S3 buckets only via CloudFront (and not directly from buckets)
  • CloudFront supports compliance with HIPAA, PCI-DSS Level 1, SOC (1, 2 and 3), ISO 9001, ISO 27001


What is Server Name Identification (SNI)?

SNI extends TLS handshake to allow Client (e.g., browser) to specify what specific certificate is it looking for.

  • The need for SNI arises when there are multiple domains being served from same Server (and thus IP address). In this case (without SNI) Server would have no idea what certificate to return to client (e.g., browser) during handshake – which often results in Security warning on your browser
  • Since CloudFront often serves multiple sites (content) from its Edge servers, there is a need for SNI
  • Caveat – some (very) old browsers do not support SNI




Free Tier – for one year

  • 50 GB of Data transfer out
  • 2,000,000 HTTP(s) requests


On-demand – charged per usage of following components:

  • Data transfer out
  • HTTP(s) Requests
  • Invalidation Requests
  • Field-level Encryption Requests
  • Real-time Log Requests
  • Dedicated IP Custom SSL Certificates (associated with a CloudFront Distribution)


AWS also offers discount for customer willing to commit 10 TB or higher traffic per month.


External Resources