17. CloudFront Overview

A content delivery network (CDN) is a system of distributed servers (a network) that delivers webpages and other web content to a user based on the geographic location of the user, the origin of the webpage, and the content delivery server.

Edge location: This is the location where content is cached. It is separate from an AWS Region/AZ. Edge locations are not READ only; we can write to them too (i.e. put an object onto them). Objects are cached for the life of the TTL. We can clear (invalidate) cached objects before the TTL expires, but we will be charged for it.

Origin: This is the source of all the files that the CDN will distribute. It can be an S3 bucket, an EC2 instance, an ELB or a Route 53 record.

Distribution: This is the name given to the CDN configuration, which consists of a collection of edge locations.

CloudFront: CloudFront is Amazon's CDN. It is a way of caching large files at locations that are close to end users. It can be used to deliver your entire website, including dynamic, static, streaming, and interactive content, using a global network of edge locations. Requests for your content are automatically routed to the nearest edge location, so content is delivered with the best possible performance. CloudFront is a global service.

Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds, all within a developer-friendly environment. CloudFront improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery).

CloudFront Distributions:

Distribution type    Typical use
Web Distribution     Typically used for websites
RTMP                 Used for media streaming

Question 1:
Where does Amazon retrieve web content when it is not in the nearest
CloudFront edge location?
A. secondary location
B. file server
C. EBS
D. S3 bucket
Answer: D

Question 2:
How are origin servers located within CloudFront (Select two)
A. DNS request
B. distribution list
C. web distribution
D. RTMP protocol
E. source mapping
Answer: A, C

Question 3:
Where are HTML files sourced from when they are not cached at a CloudFront
edge location?
A. S3 object
B. origin HTTP server
C. S3 bucket
D. nearest edge location
E. RTMP server
F. failover edge location
Answer: B

Question 4:
What feature permits tenants to use a private domain name instead of the domain name that CloudFront assigns to a distribution?
A. Route 53
B. CNAME record
C. MX record
D. RTMP
E. Signed URL
Answer: B

Question 5:
Your company is deploying a web site with dynamic content to customers in the US, EU and APAC regions of the world. Content will include live streaming video to customers. SSL certificates are required for security purposes. Select the AWS service that delivers all requirements and provides the lowest latency.
A. DynamoDB
B. CloudFront
C. S3
D. Redis
Answer: B

Question 6:
CloudFront offers a multi-tier cache in the form of regional edge caches that improve latency. However, there are certain content types that bypass the regional edge cache, and go directly to the origin. Which of the following content types skip the regional edge cache? (Select two)
Answer: a. Dynamic content, as determined at request time (cache-behavior configured to forward all headers)
b. Proxy methods PUT/POST/PATCH/OPTIONS/DELETE go directly to the origin

Question 7:
You are hosting a web server on AWS with an EC2 instance. Recently, the number of image retrieval requests to the application has increased, and these requests take up most of the CPU, resulting in poor application response times.
What is the appropriate way to improve the usability of this application?
Options:
A. Increase EC2 instances by setting the ASG
B. Install an ELB to enable load balancing
C. Install CloudFront on the front to handle image processing
D. Set up Dynamo DB to handle high-speed data processing
Answer: C
Explanation
To improve usability given the increase in image retrieval requests, it is preferable to set up CloudFront rather than Auto Scaling and leave image distribution to AWS. CloudFront is a high-speed content delivery network (CDN) service that delivers content securely to viewers with low latency and high transfer speeds. CloudFront connects directly to AWS's global infrastructure as well as to other AWS services.
Option A is incorrect. It is possible to improve processing on the web server side by increasing the number of EC2 instances with an Auto Scaling group, but it is recommended to first set up CloudFront to improve the content distribution of the web application.
Option B is incorrect. Load balancing has nothing to do with fast image delivery.
Option D is incorrect. DynamoDB cannot be used to speed up image distribution. DynamoDB is suited to managing session data and metadata and to high-speed key-value store (KVS) processing.

Question 8:
Your company operates an image distribution application. The application uses CloudFront to optimize image delivery. What happens when the content isn't at the edge location?
Choose the action that CloudFront will take in this situation.
Options:
A. CloudFront will take advantage of another edge location where the content is being stored
B. CloudFront accesses the origin server to retrieve data and then stores it at the edge location
C. Displays a 404 error because the data is not found
D. Stock requests in CloudFront and waits for the requested data to reach the edge location
Answer: B
Explanation
CloudFront optimizes content delivery by caching data at the edge location closest to your users. If the data doesn't exist at the edge location, CloudFront retrieves it from the origin server before delivering it; from the next request onwards, it is served from the cache at the edge location. Therefore, option B is the correct answer.
Option A is incorrect. Requests are not served from another edge location. CloudFront delivers from the edge closest to the user, so if CloudFront doesn't have a deliverable cached copy at the appropriate edge for that user, it retrieves the data from the origin server.
Option C is incorrect. CloudFront doesn't return a 404 error merely because the data is not cached at the edge. If it doesn't have the appropriate data cached at the right edge location for the user, it goes to the origin server to get it.
Option D is incorrect. CloudFront doesn't queue requests and wait for data to reach the edge location.

Question 9:
As a Solutions Architect, you plan to use Route 53 as your DNS server. In order to speed up image distribution, it is necessary to use a CloudFront distribution under your company's domain name.
Choose the best method to meet this requirement.
Options:
A. Create a CNAME record to specify CloudFront delivery
B. Create an A record and specify CloudFront delivery
C. Create an ALIAS record to specify CloudFront delivery
D. Create an NS record and specify CloudFront delivery
Answer: C
Explanation
You can associate a domain in Route 53 with CloudFront by creating an ALIAS record that points to the distribution. Therefore, option C is the correct answer.
Regular Route 53 records use standard DNS record types, but you should make use of ALIAS records when pointing at AWS resources such as CloudFront. ALIAS records are a Route 53-specific extension to DNS functionality. Instead of an IP address or domain name, an ALIAS record points to a CloudFront distribution, an Elastic Beanstalk environment, an ELB, an Amazon S3 bucket configured as a static website, or another Route 53 record in the same hosted zone.
Option A is incorrect. A CNAME record is used to associate another domain name with an existing domain name.
Option B is incorrect. An A record is used to associate an IPv4 address with a domain name.
Option D is incorrect. NS records specify the authoritative name servers for a zone.

Question 10:
A company offers an online product brochure that is delivered from a static website running on Amazon S3. The company’s customers are mainly in the United States, Canada, and Europe. The company is looking to cost-effectively reduce the latency for users in these regions.
What is the most cost-effective solution to these requirements?
Options:
A. Create an Amazon CloudFront distribution and use Lambda@Edge to run the website’s data processing closer to the users
B. Create an Amazon CloudFront distribution that uses origins in U.S, Canada and Europe
C. Create an Amazon CloudFront distribution and set the price class to use all Edge Locations for best performance
D. Create an Amazon CloudFront distribution and set the price class to use only U.S, Canada and Europe.
Answer: D
Explanation
With Amazon CloudFront you can set the price class to determine where in the world the content will be cached. One of the price classes is “U.S, Canada and Europe” and this is where the company’s users are located. Choosing this price class will result in lower costs and better performance for the company’s users.
CORRECT: “Create an Amazon CloudFront distribution and set the price class to use only U.S, Canada and Europe.” is the correct answer.
INCORRECT: “Create an Amazon CloudFront distribution and set the price class to use all Edge Locations for best performance” is incorrect. This will be more expensive as it will cache content in Edge Locations all over the world.
INCORRECT: “Create an Amazon CloudFront distribution that uses origins in U.S, Canada and Europe” is incorrect. The origin can be in one place, there’s no need to add origins in different Regions. The price class should be used to limit the caching of the content to reduce cost.
INCORRECT: “Create an Amazon CloudFront distribution and use Lambda@Edge to run the website’s data processing closer to the users” is incorrect. Lambda@Edge will not assist in this situation as there is no data processing required, the content from the static website must simply be cached at an edge location.

Question 11:
A company runs a dynamic website that is hosted on an on-premises server in the United States. The company is expanding to Europe and is investigating how it can optimize the performance of the website for European users. The website's backend must remain in the United States. The company requires a solution that can be implemented within a few days.
What should a Solutions Architect recommend?
Options:
A. Use Amazon CloudFront with Lambda@Edge to direct traffic to an on-premises origin
B. Use Amazon CloudFront with a custom origin pointing to the on-premises servers
C. Launch an Amazon EC2 instance in an AWS Region in the United States and migrate the website to it
D. Migrate the website to Amazon S3. Use cross-Region replication between Regions and a latency-based Route 53 policy
Answer: B
Explanation
A custom origin can point to an on-premises server and CloudFront is able to cache content for dynamic websites. CloudFront can provide performance optimizations for custom origins even if they are running on on-premises servers. These include persistent TCP connections to the origin, SSL enhancements such as Session tickets and OCSP stapling.
Additionally, connections are routed from the nearest Edge Location to the user across the AWS global network. If the on-premises server is connected via a Direct Connect (DX) link this can further improve performance.
CORRECT: “Use Amazon CloudFront with a custom origin pointing to the on-premises servers” is the correct answer.
INCORRECT: “Use Amazon CloudFront with Lambda@Edge to direct traffic to an on-premises origin” is incorrect. Lambda@Edge is not used to direct traffic to on-premises origins.
INCORRECT: “Launch an Amazon EC2 instance in an AWS Region in the United States and migrate the website to it” is incorrect. This would not necessarily improve performance for European users.
INCORRECT: “Migrate the website to Amazon S3. Use cross-Region replication between Regions and a latency-based Route 53 policy” is incorrect. You cannot host dynamic websites on Amazon S3 (static only).

Question 12:
A company delivers content to subscribers distributed globally from an application running on AWS. The application uses a fleet of Amazon EC2 instances in a private subnet behind an Application Load Balancer (ALB). Due to an update in copyright restrictions, it is necessary to block access for specific countries.
What is the EASIEST method to meet this requirement?
Options:
A. Modify the security group for EC2 instances to deny incoming traffic from blocked countries
B. Use a Network ACL to block the IP address ranges associated with the specific countries
C. Modify the ALB security group to deny incoming traffic from blocked countries
D. Use Amazon CloudFront to serve the application and deny access to blocked countries
Answer: D
Explanation
When a user requests your content, CloudFront typically serves the requested content regardless of where the user is located. If you need to prevent users in specific countries from accessing your content, you can use the CloudFront geo restriction feature to do one of the following:
Allow your users to access your content only if they’re in one of the countries on a whitelist of approved countries.
Prevent your users from accessing your content if they’re in one of the countries on a blacklist of banned countries.
For example, if a request comes from a country where, for copyright reasons, you are not authorized to distribute your content, you can use CloudFront geo restriction to block the request.
This is the easiest and most effective way to implement a geographic restriction for the delivery of content.
CORRECT: “Use Amazon CloudFront to serve the application and deny access to blocked countries” is the correct answer.
INCORRECT: “Use a Network ACL to block the IP address ranges associated with the specific countries” is incorrect as this would be extremely difficult to manage.
INCORRECT: “Modify the ALB security group to deny incoming traffic from blocked countries” is incorrect as security groups cannot block traffic by country.
INCORRECT: “Modify the security group for EC2 instances to deny incoming traffic from blocked countries” is incorrect as security groups cannot block traffic by country.
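As an added example (not from these notes or from AWS), the following Python builds the PriceClass and Restrictions parts of a CloudFront DistributionConfig for the scenarios in Questions 10 and 12, and evaluates a viewer's country against the geo restriction with the whitelist/blacklist semantics described above. The country codes in the test are placeholders and no AWS API call is made.

```python
"""Geo restriction and price class fragments of a CloudFront DistributionConfig.

Added example: the dict shapes follow the CloudFront API (RestrictionType,
Quantity, Items, PriceClass); the evaluator is a local model of how CloudFront
applies the restriction, not AWS code.
"""
from typing import Dict, List

# Price classes named in the CloudFront API. PriceClass_100 is the
# "U.S, Canada and Europe" class chosen in Question 10.
PRICE_CLASSES = {
    "us-canada-europe": "PriceClass_100",
    "all-edge-locations": "PriceClass_All",
}

VALID_RESTRICTION_TYPES = ("none", "whitelist", "blacklist")


def geo_restriction(restriction_type: str, countries: List[str]) -> Dict:
    """Return the GeoRestriction block in the shape the CloudFront API expects.

    The API requires Quantity to equal the number of Items and uses two-letter
    ISO 3166-1 alpha-2 country codes (only a syntactic check is done here).
    RestrictionType 'none' must carry no countries.
    """
    if restriction_type not in VALID_RESTRICTION_TYPES:
        raise ValueError(f"unknown RestrictionType {restriction_type!r}")
    items = sorted({c.upper() for c in countries})
    for code in items:
        if len(code) != 2 or not code.isalpha():
            raise ValueError(f"not an ISO 3166-1 alpha-2 code: {code!r}")
    if restriction_type == "none" and items:
        raise ValueError("RestrictionType 'none' must not list countries")
    block = {"RestrictionType": restriction_type, "Quantity": len(items)}
    if items:
        block["Items"] = items
    return block


def distribution_restrictions(price_class_key: str, restriction_type: str,
                              countries: List[str]) -> Dict:
    """Fragment of a DistributionConfig combining price class and geo restriction."""
    return {
        "PriceClass": PRICE_CLASSES[price_class_key],
        "Restrictions": {
            "GeoRestriction": geo_restriction(restriction_type, countries)
        },
    }


def is_country_allowed(geo: Dict, country_code: str) -> bool:
    """Apply the restriction to the country CloudFront resolves for a viewer.

    Mirrors Question 12: a whitelist allows only the listed countries, a
    blacklist denies the listed countries, and 'none' allows everyone.
    A denied viewer receives an HTTP 403 from the edge, not from the origin.
    """
    listed = country_code.upper() in set(geo.get("Items", []))
    kind = geo["RestrictionType"]
    if kind == "whitelist":
        return listed
    if kind == "blacklist":
        return not listed
    return True


if __name__ == "__main__":
    # Placeholder country codes XX and YY stand in for the blocked countries.
    cfg = distribution_restrictions("us-canada-europe", "blacklist", ["xx", "YY"])
    print(cfg)
    print("viewer in XX allowed:", is_country_allowed(cfg["Restrictions"]["GeoRestriction"], "XX"))
```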

Question 13:
An organization wants to share regular updates about its charitable work using static webpages. The pages are expected to generate a large number of views from around the world. The files are stored in an Amazon S3 bucket. A solutions architect has been asked to design an efficient and effective solution.
Which action should the solutions architect take to accomplish this?
Options:
A. Use cross-region replication to all regions
B. Use Amazon CloudFront with the S3 bucket as its origin
C. Use geoproximity feature of Amazon Route 53
D. Generate presigned URLs for the files
Answer: B
Explanation
Amazon CloudFront can be used to cache the files in edge locations around the world and this will improve the performance of the webpages.
To serve a static website hosted on Amazon S3, you can deploy a CloudFront distribution using one of these configurations:
Using a REST API endpoint as the origin with access restricted by an origin access identity (OAI)
Using a website endpoint as the origin with anonymous (public) access allowed
Using a website endpoint as the origin with access restricted by a Referer header
CORRECT: “Use Amazon CloudFront with the S3 bucket as its origin” is the correct answer.
INCORRECT: “Generate presigned URLs for the files” is incorrect as this is used to restrict access which is not a requirement.
INCORRECT: “Use cross-Region replication to all Regions” is incorrect as this does not provide a mechanism for directing users to the closest copy of the static webpages.
INCORRECT: “Use the geoproximity feature of Amazon Route 53” is incorrect as this does not include a solution for having multiple copies of the data in different geographic locations.
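As an added example (not from these notes or from AWS), the Python below builds the S3 bucket policies behind the three configurations listed in Question 13 (OAI-restricted REST endpoint, public website endpoint, Referer-restricted website endpoint) and runs a small check that flags any statement still granting anonymous reads. The bucket name, OAI id and Referer value are placeholders.

```python
"""S3 bucket policies for a CloudFront origin and an anonymous-read check.

Added example: the OAI principal ARN format and the aws:Referer condition key
are the ones S3 accepts; the checker is a local helper, not AWS tooling.
"""
import json
from typing import Dict, List, Tuple

POLICY_VERSION = "2012-10-17"


def oai_bucket_policy(bucket: str, oai_id: str) -> Dict:
    """Private bucket: only the CloudFront origin access identity may read.

    No statement has a wildcard principal, so the REST endpoint cannot be
    read anonymously even though CloudFront can fetch objects from it.
    """
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/"
                                 f"CloudFront Origin Access Identity {oai_id}"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def public_website_policy(bucket: str) -> Dict:
    """Website endpoint with anonymous (public) access allowed."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def referer_bucket_policy(bucket: str, secret_referer: str) -> Dict:
    """Website endpoint restricted by a Referer header that CloudFront adds.

    The principal is still "*"; only the condition limits who can read, and a
    Referer header is client-controlled, so this is weaker than an OAI.
    """
    policy = public_website_policy(bucket)
    policy["Statement"][0]["Sid"] = "AllowRefererOnly"
    policy["Statement"][0]["Condition"] = {
        "StringLike": {"aws:Referer": secret_referer}
    }
    return policy


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def anonymous_read_statements(policy: Dict) -> List[Tuple[str, bool]]:
    """List (Sid, unconditional) for each Allow statement that lets anyone read.

    unconditional is True when the statement has no Condition at all, i.e. the
    bucket content is plainly public.
    """
    found = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("s3:GetObject", "s3:*", "*") for a in actions):
            continue
        found.append((st.get("Sid", "<no Sid>"), "Condition" not in st))
    return found


def render(policy: Dict) -> str:
    """JSON text suitable for pasting into the bucket policy editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Placeholder bucket and OAI id; constructed for this example only.
    print(render(oai_bucket_policy("example-brochure-bucket", "E1EXAMPLEOAI")))
    print(anonymous_read_statements(public_website_policy("example-brochure-bucket")))
```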

Question 14:
A website runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB) which serves as an origin for an Amazon CloudFront distribution. An AWS WAF is being used to protect against SQL injection attacks. A review of security logs revealed an external malicious IP that needs to be blocked from accessing the website.
What should a solutions architect do to protect the application?
Options:
A. Modify the network ACL for the EC2 instances in the target groups behind the ALB to deny the malicious IP address
B. Modify the network ACL on the CloudFront distribution to add a deny rule for the malicious IP address
C. Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address
D. Modify the security groups for the EC2 instances in the target groups behind the ALB to deny the malicious IP address.
Answer: C
Explanation
A new version of the AWS Web Application Firewall was released in November 2019. With AWS WAF classic you create “IP match conditions”, whereas with AWS WAF (new version) you create “IP set match statements”. Look out for wording on the exam.
The IP match condition / IP set match statement inspects the IP address of a web request’s origin against a set of IP addresses and address ranges. Use this to allow or block web requests based on the IP addresses that the requests originate from.
AWS WAF supports all IPv4 and IPv6 address ranges. An IP set can hold up to 10,000 IP addresses or IP address ranges to check.
CORRECT: “Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address” is the correct answer.
INCORRECT: “Modify the network ACL on the CloudFront distribution to add a deny rule for the malicious IP address” is incorrect as CloudFront does not sit within a subnet so network ACLs do not apply to it.
INCORRECT: “Modify the network ACL for the EC2 instances in the target groups behind the ALB to deny the malicious IP address” is incorrect as the source IP addresses of the data in the EC2 instances subnets will be the ELB IP addresses.
INCORRECT: “Modify the security groups for the EC2 instances in the target groups behind the ALB to deny the malicious IP address.” is incorrect as you cannot create deny rules with security groups.
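As an added example (not from these notes or from AWS), the following Python builds the AWS WAF (wafv2) objects behind Question 14, an IP set holding the malicious address and a web ACL rule with an IP set match statement and a Block action, and models locally how the IP set is matched against a requester's address using CIDR ranges. The IP addresses and the IP set ARN are constructed placeholders; nothing is sent to AWS.

```python
"""wafv2 IP set and blocking rule for a CloudFront web ACL, with a local matcher.

Added example: the dict shapes follow the wafv2 CreateIPSet / Rule parameters;
evaluate_web_acl is a simplified model of rule evaluation, not AWS code.
"""
import ipaddress
from typing import Dict, List

# Limit quoted in the study notes above.
MAX_IP_SET_ENTRIES = 10_000


def ip_set(name: str, addresses: List[str], version: str = "IPV4") -> Dict:
    """Parameters for wafv2 CreateIPSet.

    Scope is CLOUDFRONT because the web ACL protects a distribution (such a
    web ACL is managed in us-east-1). WAF requires CIDR notation, so a bare
    host address becomes /32 (IPv4) or /128 (IPv6); mixing versions raises.
    """
    if version not in ("IPV4", "IPV6"):
        raise ValueError(f"unknown IPAddressVersion {version!r}")
    net_cls = ipaddress.IPv4Network if version == "IPV4" else ipaddress.IPv6Network
    cidrs = [str(net_cls(a, strict=False)) for a in addresses]
    if len(cidrs) > MAX_IP_SET_ENTRIES:
        raise ValueError("IP set exceeds the 10,000 entry limit")
    return {"Name": name, "Scope": "CLOUDFRONT",
            "IPAddressVersion": version, "Addresses": cidrs}


def block_rule(name: str, ip_set_arn: str, priority: int) -> Dict:
    """Web ACL rule: IPSetReferenceStatement with a Block action."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": name},
    }


def matches_ip_set(ipset: Dict, client_ip: str) -> bool:
    """Local model of the IP set match: is client_ip inside any listed CIDR?"""
    ip = ipaddress.ip_address(client_ip)
    for cidr in ipset["Addresses"]:
        net = ipaddress.ip_network(cidr)
        if ip.version == net.version and ip in net:
            return True
    return False


def evaluate_web_acl(rules: List[Dict], ip_sets_by_arn: Dict[str, Dict],
                     client_ip: str) -> str:
    """Run IP-set rules in priority order; first hit decides, else default ALLOW.

    Only IPSetReferenceStatement rules are modelled here; other statement
    types are skipped.
    """
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        ref = rule["Statement"].get("IPSetReferenceStatement")
        if ref is None:
            continue
        if matches_ip_set(ip_sets_by_arn[ref["ARN"]], client_ip):
            return "BLOCK" if "Block" in rule["Action"] else "ALLOW"
    return "ALLOW"


if __name__ == "__main__":
    # Constructed sample: documentation-range addresses and a placeholder ARN.
    malicious = ip_set("malicious-ips", ["203.0.113.9", "198.51.100.0/24"])
    arn = "arn:aws:wafv2:us-east-1:123456789012:global/ipset/malicious-ips/PLACEHOLDER"
    rule = block_rule("BlockMaliciousIPs", arn, priority=0)
    for ip in ("203.0.113.9", "198.51.100.77", "192.0.2.1"):
        print(ip, evaluate_web_acl([rule], {arn: malicious}, ip))
```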

Question 15:
CloudFront offers a multi-tier cache in the form of regional edge caches that improve latency. However, there are certain content types that bypass the regional edge cache, and go directly to the origin.
Which of the following content types skip the regional edge cache? (Select two)
Options:
A. Static content such as style sheets, JavaScript files
B. E-commerce assets such as product photos
C. Proxy methods PUT/POST/PATCH/OPTIONS/DELETE go directly to the origin
D. User-generated videos
E. Dynamic content, as determined at request time (cache-behavior configured to forward all headers)
Answer: C & E
Explanation
Correct options:
Dynamic content, as determined at request time (cache-behavior configured to forward all headers)
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment.
CloudFront points of presence (POPs) (edge locations) make sure that popular content can be served quickly to your viewers. CloudFront also has regional edge caches that bring more of your content closer to your viewers, even when the content is not popular enough to stay at a POP, to help improve performance for that content.
Dynamic content, as determined at request time (cache-behavior configured to forward all headers), does not flow through regional edge caches, but goes directly to the origin. So this option is correct.
Proxy methods PUT/POST/PATCH/OPTIONS/DELETE go directly to the origin
Proxy methods PUT/POST/PATCH/OPTIONS/DELETE go directly to the origin from the POPs and do not proxy through the regional edge caches. So this option is also correct.
Incorrect Options:
E-commerce assets such as product photos
User-generated videos
Static content such as style sheets, JavaScript files
The following type of content flows through the regional edge caches – user-generated content, such as video, photos, or artwork; e-commerce assets such as product photos and videos and static content such as style sheets, JavaScript files. Hence these three options are not correct.

Question 16:
A Hollywood studio is planning a series of promotional events leading up to the launch of the trailer of its next sci-fi thriller. The executives at the studio want to create a static website with lots of animations in line with the theme of the movie. The studio has hired you as a solutions architect to build a scalable serverless solution.
Which of the following represents the MOST cost-optimal and high-performance solution?
Options:
A. Build the website as a static website hosted on Amazon S3. Create a CloudFront distribution with Amazon S3 as the origin. Use Amazon Route 53 to create an alias record that points to your CloudFront distribution
B. Host the website on AWS Lambda. Create a CloudFront distribution with Lambda as the origin
C. Host the website on an instance in the studio's on-premises data center. Create a CloudFront distribution with this instance as the custom origin
D. Host the website on an EC2 instance. Create a CloudFront distribution with the EC2 instance as the custom origin
Answer: A
Explanation
Correct option:
Build the website as a static website hosted on Amazon S3. Create a CloudFront distribution with Amazon S3 as the origin. Use Amazon Route 53 to create an alias record that points to your CloudFront distribution
You can use Amazon S3 to host a static website. On a static website, individual web pages include static content. They might also contain client-side scripts. To host a static website on Amazon S3, you configure an Amazon S3 bucket for website hosting and then upload your website content to the bucket.
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment.
You can use Amazon CloudFront to improve the performance of your website. CloudFront makes your website files (such as HTML, images, and video) available from data centers around the world (called edge locations). When a visitor requests a file from your website, CloudFront automatically redirects the request to a copy of the file at the nearest edge location. This results in faster download times than if the visitor had requested the content from a data center that is located farther away. Therefore, this option is correct.
Incorrect options:
Host the website on AWS Lambda. Create a CloudFront distribution with Lambda as the origin
With AWS Lambda, you can run code without provisioning or managing servers. You can’t host a website on Lambda. Also, you can’t have CloudFront in front of Lambda. So this option is incorrect.
Host the website on an EC2 instance. Create a CloudFront distribution with the EC2 instance as the custom origin
Host the website on an instance in the studio’s on-premises data center. Create a CloudFront distribution with this instance as the custom origin
Hosting the website on an EC2 instance or a data-center specific instance is ruled out as the studio wants a serverless solution. So both these options are incorrect.

Question 17:
An IT training company hosted its website on Amazon S3 a couple of years ago. Due to COVID-19 related travel restrictions, the training website has suddenly gained traction. With an almost 300% increase in the requests served per day, the company’s AWS costs have sky-rocketed for just the S3 outbound data costs.
As a Solutions Architect, can you suggest an alternate method to reduce costs while keeping the latency low?
Options:
A. To reduce S3 cost, the data can be saved on an EBS volume connected to an EC2 instance that can host the application
B. Configure Amazon CloudFront to distribute the data hosted on Amazon S3 cost-effectively
C. Use Amazon EFS service, as it provides a shared, scalable, fully managed elastic NFS file system for storing AWS Cloud or on-premises data
D. Configure S3 Batch Operations to read data in bulk at one go, to reduce the number of calls made to S3 buckets
Answer: B
Explanation
Correct option:
Configure Amazon CloudFront to distribute the data hosted on Amazon S3, cost-effectively – Storing content with S3 provides a lot of advantages. But to help optimize your application’s performance and security while effectively managing cost, AWS recommends that you also set up Amazon CloudFront to work with your S3 bucket to serve and protect the content.
CloudFront is a content delivery network (CDN) service that delivers static and dynamic web content, video streams, and APIs around the world, securely and at scale. By design, delivering data out of CloudFront can be more cost-effective than delivering it from S3 directly to your users.
CloudFront serves content through a worldwide network of data centers called Edge Locations. Using edge servers to cache and serve content improves performance by providing content closer to where viewers are located. CloudFront has edge servers in locations all around the world.
When a user requests content that you serve with CloudFront, their request is routed to a nearby Edge Location. If CloudFront has a cached copy of the requested file, CloudFront delivers it to the user, providing a fast (low-latency) response. If the file they’ve requested isn’t yet cached, CloudFront retrieves it from your origin – for example, the S3 bucket where you’ve stored your content. Then, for the next local request for the same content, it’s already cached nearby and can be served immediately.
By caching your content in Edge Locations, CloudFront reduces the load on your S3 bucket and helps ensure a faster response for your users when they request content. Also, data transfer out for content by using CloudFront is often more cost-effective than serving files directly from S3, and there is no data transfer fee from S3 to CloudFront. You only pay for what is delivered to the internet from CloudFront, plus request fees.
Incorrect options:
To reduce S3 cost, the data can be saved on an EBS volume connected to an EC2 instance that can host the application – EBS volumes are fast and are relatively cheap (though S3 is still a cheaper alternative). But, EBS volumes are accessible only through EC2 instances and are bound to a specific region.
Use Amazon Elastic File System (Amazon EFS), as it provides a shared, scalable, fully managed elastic NFS file system for storing AWS Cloud or on-premises data – EFS is a shareable file system that can be mounted onto EC2 instances. EFS is costlier than EBS and not a solution if the company is looking at reducing costs.
Configure S3 Batch Operations to read data in bulk at one go, to reduce the number of calls made to S3 buckets – This statement is given only as a distractor. You can use S3 Batch Operations to perform large-scale batch operations on Amazon S3 objects, but it has nothing to do with content distribution.

Question 18:
An online gaming application has a large chunk of its traffic coming from users who download static assets such as historic leaderboard reports and game tactics for various games. The current infrastructure and design are unable to cope with the traffic, and the application freezes on most of the pages.
Which of the following is a cost-optimal solution that does not need provisioning of infrastructure?
Options:
A. Configure AWS Lambda with an RDS database to provide a serverless architecture
B. Use Amazon CloudFront with DynamoDB for greater speed and low latency access to static assets
C. Use Amazon CloudFront with S3 as the storage solution for the static assets
D. Use AWS Lambda with ElastiCache and Amazon RDS for serving static assets at high speed and low latency
Answer: C
Explanation
Correct option:
Use Amazon CloudFront with S3 as the storage solution for the static assets
When you put your content in an S3 bucket in the cloud, a lot of things become much easier. First, you don’t need to plan for and allocate a specific amount of storage space because S3 buckets scale automatically. As S3 is a serverless service, you don’t need to manage or patch servers that store files yourself; you just put and get your content. Finally, even if you require a server for your application (for example, because you have a dynamic application), the server can be smaller because it doesn’t have to handle requests for static content.
CloudFront is a content delivery network (CDN) service that delivers static and dynamic web content, video streams, and APIs around the world, securely and at scale. By design, delivering data out of CloudFront can be more cost-effective than delivering it from S3 directly to your users. CloudFront serves content through a worldwide network of data centers called Edge Locations. Using edge servers to cache and serve content improves performance by providing content closer to where viewers are located.
When a user requests content that you serve with CloudFront, their request is routed to a nearby Edge Location. If CloudFront has a cached copy of the requested file, CloudFront delivers it to the user, providing a fast (low-latency) response. If the file they’ve requested isn’t yet cached, CloudFront retrieves it from your origin – for example, the S3 bucket where you’ve stored your content. Then, for the next local request for the same content, it’s already cached nearby and can be served immediately.
By caching your content in Edge Locations, CloudFront reduces the load on your S3 bucket and helps ensure a faster response for your users when they request content. Also, data transfer out for content by using CloudFront is often more cost-effective than serving files directly from S3, and there is no data transfer fee from S3 to CloudFront. You only pay for what is delivered to the internet from CloudFront, plus request fees.
Incorrect options:
Configure AWS Lambda with an RDS database to provide a serverless architecture – RDS is not the right choice for the current scenario because of the overhead of a database management system, as the given use-case can be addressed by using Amazon S3 storage solution.
Use Amazon CloudFront with DynamoDB for greater speed and low latency access to static assets – Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. But, DynamoDB is overkill for the given use-case and will prove to be a very costly solution.
Use AWS Lambda with ElastiCache and Amazon RDS for serving static assets at high speed and low latency – As discussed above, RDS is not needed for this use case, where the web application needs to display static pages and facilitate downloads of historic data. S3 is much better suited to this requirement.