CloudFront CDN
CloudFront is AWS's content delivery network (CDN) with 400+ edge locations globally. It caches static and dynamic content close to users, reducing latency and origin load. Origins include S3, ALB, EC2, and custom HTTP servers.
CloudFront is like a chain of convenience stores (edge locations) stocking the most popular items from the main warehouse (origin). Most customers grab what they need locally; only unusual requests have to go back to the warehouse.
Cache behavior: defined by a path pattern and mapped to an origin. Cache key: by default the URI path, plus any query strings and headers you specify in the cache policy. TTL: a Cache-Control max-age sent by the origin takes precedence over CloudFront's default TTL (within the cache policy's minimum and maximum TTL). Invalidation removes objects from edge caches (the first 1,000 paths per month are free; more are charged). Signed URLs and signed cookies restrict access to private content. OAC (Origin Access Control) makes an S3 bucket accept requests only from CloudFront, preventing direct S3 access. Lambda@Edge and CloudFront Functions run code at the edge (request/response manipulation, auth, A/B testing).
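The signed-URL mechanism above is worth seeing in code, because the security of a signed URL is entirely in its policy: what resource it covers, when it expires, and whether it is pinned to a client address. The following is an added example, not code from the page or from AWS. It builds a custom-policy signed URL (Policy, Signature and Key-Pair-Id query parameters, with CloudFront's URL-safe base64 variant) and includes an inspect function a reviewer can use to decode the policy carried by a URL they are handed. The signer is injected: CloudFront only accepts an RSA-SHA1 signature made with the private key of a CloudFront key pair (for example `private_key.sign(data, padding.PKCS1v15(), hashes.SHA1())` from the `cryptography` package); the hash-based `demo_signer` exists only so the example runs offline and would be rejected by CloudFront. The domain name and key-pair id are placeholders.

```python
import base64
import hashlib
import json
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Added example (not AWS's or the page's code). Placeholder values:
DEMO_URL = "https://d111111abcdef8.cloudfront.net/private/report.pdf"
DEMO_KEY_PAIR_ID = "PLACEHOLDER-KEY-ID"  # the public key id registered in a CloudFront key group

Signer = Callable[[bytes], bytes]


def demo_signer(data: bytes) -> bytes:
    # Stand-in so the example runs offline. NOT valid for CloudFront, which
    # requires RSA-SHA1 over the policy with the key pair's private key, e.g.:
    #   from cryptography.hazmat.primitives import hashes
    #   from cryptography.hazmat.primitives.asymmetric import padding
    #   signer = lambda d: private_key.sign(d, padding.PKCS1v15(), hashes.SHA1())
    return hashlib.sha256(data).digest()


def cloudfront_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return (base64.b64encode(data).decode("ascii")
            .replace("+", "-").replace("=", "_").replace("/", "~"))


def cloudfront_b64_decode(text: str) -> bytes:
    """Inverse of cloudfront_b64, for auditing a URL someone hands you."""
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))


def build_custom_policy(resource: str, expires_epoch: int,
                        source_ip: Optional[str] = None,
                        not_before_epoch: Optional[int] = None) -> str:
    """Serialize a custom policy with no whitespace, the form CloudFront expects."""
    condition = {"DateLessThan": {"AWS:EpochTime": int(expires_epoch)}}
    if not_before_epoch is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": int(not_before_epoch)}
    if source_ip is not None:
        # Pinning to the requester's CIDR is what makes a leaked URL much less useful.
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    policy = {"Statement": [{"Resource": resource, "Condition": condition}]}
    return json.dumps(policy, separators=(",", ":"))


def sign_url(url: str, key_pair_id: str, signer: Signer, expires_epoch: int,
             source_ip: Optional[str] = None, not_before_epoch: Optional[int] = None) -> str:
    """Append Policy, Signature and Key-Pair-Id to the URL (custom-policy form)."""
    policy = build_custom_policy(url, expires_epoch, source_ip, not_before_epoch)
    signature = signer(policy.encode("utf-8"))
    params = {
        "Policy": cloudfront_b64(policy.encode("utf-8")),
        "Signature": cloudfront_b64(signature),
        "Key-Pair-Id": key_pair_id,
    }
    return url + ("&" if "?" in url else "?") + urlencode(params)


def inspect_signed_url(signed_url: str) -> dict:
    """Decode the policy in a signed URL so its scope, expiry and IP pin can be reviewed."""
    query = parse_qs(urlparse(signed_url).query)
    policy = json.loads(cloudfront_b64_decode(query["Policy"][0]))
    statement = policy["Statement"][0]
    cond = statement["Condition"]
    return {
        "resource": statement["Resource"],
        "expires": cond["DateLessThan"]["AWS:EpochTime"],
        "source_ip": cond.get("IpAddress", {}).get("AWS:SourceIp"),
        "key_pair_id": query["Key-Pair-Id"][0],
    }


if __name__ == "__main__":
    url = sign_url(DEMO_URL, DEMO_KEY_PAIR_ID, demo_signer, 1700000000, source_ip="203.0.113.0/24")
    print(url)
    print(inspect_signed_url(url))
```

When reviewing signed-URL code in a real project, the two things to check with `inspect_signed_url` are that the expiry is short relative to how the link is used and that the Resource is not a broad wildcard over the whole distribution.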
A CloudFront distribution has a Price Class that limits which edge locations serve it (cheaper classes exclude the more expensive regions). Real-Time Logs stream access logs to Kinesis Data Streams. Shield Standard is included at no extra cost; Shield Advanced adds managed DDoS protection with cost-protection guarantees. WAF rules attached to CloudFront apply globally at the edge, before traffic reaches the origin. Cache hit ratio is the key operational metric: inspect the X-Cache response header ("Hit from cloudfront" vs "Miss from cloudfront"). For S3 static sites, CloudFront + OAC is the canonical pattern: the S3 bucket stays private and CloudFront serves all traffic over HTTPS.
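The OAC pattern only keeps the bucket private if the bucket policy is right: the classic public-website policy lets anyone bypass CloudFront (and therefore WAF), and a policy that trusts the CloudFront service principal without an AWS:SourceArn condition lets any distribution in any account read the bucket. The following is an added example, not code from the page or from AWS: three bucket policies (public, unscoped, and the OAC form with the SourceArn condition) and a small audit function that reports which of those problems a policy has. The account id and distribution id are placeholders in the format AWS uses; the bucket name is made up.

```python
# Added example (not AWS's or the page's code). Placeholder identifiers.
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
BUCKET_OBJECTS = "arn:aws:s3:::example-site-bucket/*"

# Weak: the classic "public website bucket". Anyone can fetch objects directly
# from S3, skipping CloudFront, its WAF rules and any signed-URL checks.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": BUCKET_OBJECTS,
    }],
}

# Unscoped: trusts the CloudFront service principal but not a specific
# distribution, so a distribution in someone else's account can read the bucket.
UNSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyCloudFront",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": BUCKET_OBJECTS,
    }],
}

# Corrected: the shape the OAC setup produces. Only this distribution may read.
OAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": BUCKET_OBJECTS,
        "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _source_arn(statement: dict):
    """Find an AWS:SourceArn condition; IAM condition keys are case-insensitive."""
    cond = statement.get("Condition", {})
    for operator in ("StringEquals", "ArnEquals"):
        for key, value in cond.get(operator, {}).items():
            if key.lower() == "aws:sourcearn":
                return value
    return None


def audit_bucket_policy(policy: dict, expected_dist_arn: str) -> list:
    """Return human-readable findings for Allow statements that undermine OAC."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        actions = _as_list(st.get("Action", []))
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: grants {actions} to everyone; origin reachable without CloudFront")
            continue
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "cloudfront.amazonaws.com" not in services:
            continue
        src = _source_arn(st)
        if src is None:
            findings.append(f"{sid}: CloudFront principal without AWS:SourceArn; any distribution could read")
        elif src != expected_dist_arn:
            findings.append(f"{sid}: AWS:SourceArn {src} is not the expected distribution")
        extra = [a for a in actions if a != "s3:GetObject"]
        if extra:
            findings.append(f"{sid}: actions beyond s3:GetObject granted to CloudFront: {extra}")
    return findings


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("unscoped", UNSCOPED_POLICY), ("oac", OAC_POLICY)):
        print(name, audit_bucket_policy(pol, DIST_ARN) or "ok")
```

The same check belongs in whatever pipeline applies bucket policies: the public principal case is the one that silently turns "S3 stays private" into a false statement, and it is easy to reintroduce by copying an old static-website policy.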
CloudFront caches content at edge locations to reduce latency and origin load. For static sites, I use S3 + CloudFront with OAC to keep S3 private and serve HTTPS globally. For APIs, CloudFront caches GET responses and adds WAF protection. Lambda@Edge lets me run auth logic at the edge without round-trips to the origin. Cache hit ratio is my primary health metric: a low hit ratio calls for cache-key tuning or TTL adjustment.
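Measuring the hit ratio from the X-Cache header one request at a time does not tell you which path pattern is the problem. The following is an added example, not code from the page or from AWS: it parses CloudFront standard access logs using the `#Fields:` header (so it does not depend on a hard-coded column order), counts Hit and RefreshHit results as cache hits, and reports per-path-prefix hit ratios together with the number of distinct query strings seen for that prefix, which is the usual sign that query strings in the cache key are fragmenting the cache. The log lines are constructed for this example and carry only the first 15 standard fields; a real log has more columns but the parser handles that unchanged.

```python
from collections import defaultdict

# Result types that were served from the edge cache. RefreshHit means the edge
# revalidated with the origin but still did not need a full fetch.
HIT_RESULT_TYPES = {"Hit", "RefreshHit"}

FIELDS_HEADER = ("#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) "
                 "cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) "
                 "x-edge-result-type x-edge-request-id")


def _line(n: int, stem: str, query: str, result: str) -> str:
    """Build one constructed, tab-separated record in the standard-log layout."""
    return "\t".join(["2024-05-01", f"10:00:{n:02d}", "IAD89-C1", "8210", "203.0.113.5", "GET",
                      "d111111abcdef8.cloudfront.net", stem, "200", "-", "Mozilla/5.0",
                      query, "-", result, f"req-{n:04d}"])


# Constructed sample log (placeholder distribution domain and addresses).
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    FIELDS_HEADER,
    _line(1, "/static/app.js", "-", "Hit"),
    _line(2, "/static/app.js", "-", "Hit"),
    _line(3, "/static/app.js", "-", "Hit"),
    _line(4, "/static/logo.png", "-", "RefreshHit"),
    _line(5, "/static/app.js", "-", "Miss"),
    _line(6, "/api/items", "x=1", "Miss"),
    _line(7, "/api/items", "x=2", "Miss"),
    _line(8, "/api/items", "x=3", "Miss"),
])


def parse_cloudfront_log(text: str) -> list:
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields, records = None, []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw[len("#Fields:"):].split()
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record appears before the #Fields header")
        records.append(dict(zip(fields, raw.split("\t"))))
    return records


def is_cache_hit(result_type: str) -> bool:
    """Works for the log field and for the X-Cache header ('Hit from cloudfront')."""
    return result_type.split(" from ")[0].strip() in HIT_RESULT_TYPES


def hit_ratio(records: list) -> float:
    if not records:
        return 0.0
    return sum(is_cache_hit(r["x-edge-result-type"]) for r in records) / len(records)


def per_prefix_report(records: list) -> dict:
    """Group by first path segment: total, hit ratio, distinct query strings."""
    groups = defaultdict(lambda: {"total": 0, "hits": 0, "queries": set()})
    for r in records:
        prefix = "/" + r["cs-uri-stem"].lstrip("/").split("/", 1)[0]
        g = groups[prefix]
        g["total"] += 1
        g["hits"] += is_cache_hit(r["x-edge-result-type"])
        if r["cs-uri-query"] != "-":  # '-' means no query string in the log
            g["queries"].add(r["cs-uri-query"])
    return {p: {"total": g["total"], "hit_ratio": g["hits"] / g["total"],
                "distinct_queries": len(g["queries"])} for p, g in groups.items()}


def low_hit_prefixes(records: list, threshold: float = 0.5) -> list:
    """Prefixes whose hit ratio is below the threshold, the cache-key tuning candidates."""
    return sorted(p for p, s in per_prefix_report(records).items() if s["hit_ratio"] < threshold)


if __name__ == "__main__":
    recs = parse_cloudfront_log(SAMPLE_LOG)
    print(f"overall hit ratio: {hit_ratio(recs):.2f}")
    for prefix, stats in per_prefix_report(recs).items():
        print(prefix, stats)
    print("tune these:", low_hit_prefixes(recs))
```

In the constructed sample the `/api` prefix shows the pattern to look for: every request is a miss and every request carries a different query string, so the fix is a cache policy that includes only the query parameters the origin actually varies on, or a longer TTL, rather than an invalidation.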
Forgetting that CloudFront invalidations cost money and aren't instant: they propagate to all edge locations within 1-5 minutes. For versioned assets (file.v2.js), use cache-busting filenames instead of invalidations.