Amazon CloudFront

Amazon CloudFront is AWS's global content delivery network (CDN). It caches static and dynamic content at 600+ edge locations and regional edge caches, terminates TLS close to users, and can execute lightweight code at the edge — reducing latency and offloading traffic from origin servers.

Key Features:

Global Edge Network: Points of Presence on six continents serve cached content from the nearest location to the user.
Multiple Origin Types: S3 buckets (with Origin Access Control), custom HTTP origins, Application Load Balancers, API Gateway, MediaStore, MediaPackage.
Cache Policies & Origin Request Policies: Decouple cache-key construction from headers forwarded upstream — essential for cache hit rates.
CloudFront Functions: Sub-millisecond JavaScript at viewer request/response for URL rewrites, header manipulation, A/B routing.
Lambda@Edge: Full Node.js/Python functions at four lifecycle hooks — heavier than CloudFront Functions but far more capable.
TLS & ACM Integration: Free certificates via ACM, SNI support, modern ciphers, HTTP/2 and HTTP/3.
Origin Shield: Extra regional cache layer that further reduces origin load and improves cache hit ratio.
Signed URLs & Cookies: Time-limited, restricted access to private content.
AWS WAF & Shield Integration: L7 firewall rules and DDoS mitigation at the edge.

Common Use Cases:

Static Website Hosting: S3 + CloudFront + ACM is the canonical pattern for serving SPAs and marketing sites globally.
Dynamic API Acceleration: Terminate TLS at the edge and use long-lived connections to origin for lower latency.
Video Streaming: HLS/DASH delivery for live and VOD workflows.
Software & Package Distribution: Cache large binaries (container layers, installers, model weights) close to users.
Security Edge: Enforce bot rules, geo-blocking, and rate limiting via WAF before traffic reaches origins.

Tips for High Cache Hit Ratio:

Minimize cache-key dimensions — only include headers and query strings that actually vary the response.
Set sensible Cache-Control headers at the origin; CloudFront honors them.
Normalize query strings (sort keys, strip tracking params) in a CloudFront Function.
Use Origin Shield for origins with modest traffic spread across many POPs.
Monitor with CloudFront reports and CloudWatch metrics — look at cache hit ratio, 4xx/5xx rate, and origin latency.

Service Limits & Quotas:

Distributions per account: 200 (soft).
Origins per distribution: 25 (soft).
Cache behaviors per distribution: 25 (soft).
Alternate domain names (CNAMEs) per distribution: 100 (soft).
Maximum file size: 30 GB per object.
Request timeout: 60 seconds default origin response timeout (raisable to 60s for cached, longer for streaming).
CloudFront Functions: Max 10 KB code size, 1 MB memory, 1 ms execution; viewer-request and viewer-response only.
Lambda@Edge: 1 MB response size at viewer events, 10 KB request body; 5–30 second timeouts depending on event type.
Invalidations: 1,000 free per month per account; charged per path beyond that. Wildcards count as 1 path.

Pricing Model:

Data transfer OUT to internet: Per-GB tiered by region (cheapest in US/EU ~$0.085/GB, more expensive in South America/Africa). Ten regional price classes — you can restrict to the cheaper ones if you don't need global coverage.
HTTP/HTTPS requests: Per 10,000 — HTTPS slightly more than HTTP.
Origin shield: Per-request charge for shield-region requests, on top of normal pricing.
CloudFront Functions: ~$0.10 per 1M invocations.
Lambda@Edge: Per-invocation + per-GB-second, more expensive than regular Lambda.
Free tier: 1 TB data transfer OUT and 10 million HTTP/HTTPS requests per month, always free (not just first 12 months).
Origin transfer: Data transfer from S3/EC2 to CloudFront in the same region is free (key cost-saver — S3 origin behind CloudFront is cheaper than direct S3 egress at scale).
Common cost surprises: low cache hit ratio causing high origin transfer (still cheaper than direct, but not as cheap as fully cached), Lambda@Edge running on every request, frequent invalidations of many paths, and serving large files like ML model weights without HTTP caching headers.

Code Example:

Creating a CloudFront distribution in front of an S3 bucket with Origin Access Control via AWS CLI:

# 1) Create an Origin Access Control (OAC) for S3
OAC_ID=$(aws cloudfront create-origin-access-control \
  --origin-access-control-config '{
    "Name": "site-oac",
    "OriginAccessControlOriginType": "s3",
    "SigningBehavior": "always",
    "SigningProtocol": "sigv4"
  }' --query 'OriginAccessControl.Id' --output text)

# 2) Create distribution
aws cloudfront create-distribution --distribution-config '{
  "CallerReference": "site-2026-04-25",
  "Comment": "Static site",
  "DefaultRootObject": "index.html",
  "Origins": {"Quantity": 1, "Items": [{
    "Id": "s3-site",
    "DomainName": "my-site.s3.us-west-2.amazonaws.com",
    "OriginAccessControlId": "'"$OAC_ID"'",
    "S3OriginConfig": {"OriginAccessIdentity": ""}
  }]},
  "DefaultCacheBehavior": {
    "TargetOriginId": "s3-site",
    "ViewerProtocolPolicy": "redirect-to-https",
    "Compress": true,
    "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6"
  },
  "Enabled": true
}'

A simple CloudFront Function that strips tracking query params to improve cache hit ratio:

function handler(event) {
    var req = event.request;
    var qs = req.querystring;
    var stripped = {};
    var skip = ['utm_source','utm_medium','utm_campaign','gclid','fbclid'];
    for (var key in qs) {
        if (skip.indexOf(key) === -1) stripped[key] = qs[key];
    }
    req.querystring = stripped;
    return req;
}

Common Interview Questions:

What is the difference between CloudFront Functions and Lambda@Edge?

CloudFront Functions run in a lightweight V8 isolate at viewer-request and viewer-response only — sub-millisecond execution, much cheaper, ideal for header rewrites, redirects, A/B routing. Lambda@Edge is full Node.js or Python at four event hooks (viewer request/response, origin request/response), supports network calls and AWS SDK, but adds 30–100 ms latency and costs more. Use CloudFront Functions first; reach for Lambda@Edge when you need its capabilities.

How do you secure a CloudFront-fronted S3 origin?

Use Origin Access Control (OAC, the modern replacement for OAI). Configure the bucket policy to allow GetObject only from your distribution ARN, then enable S3 Block Public Access on the bucket. Optionally add SigV4 signed origin requests, restrict viewer access with signed URLs/cookies, and put AWS WAF in front of the distribution.

What's the difference between cache invalidation and versioned filenames?

Invalidation tells CloudFront to discard a cached object across all edges — useful but slow (minutes) and metered beyond 1,000/month. Versioned filenames (app.a8f3d.js) make every release a unique URL with a long Cache-Control: max-age; old versions naturally age out and you never invalidate. Versioning is the production-grade pattern for SPAs and assets; invalidation is the emergency tool.

How would you reduce CloudFront costs?

Restrict to cheaper price classes if your audience is regional, raise cache hit ratio (compress objects, set long max-age on hashed assets, normalize query strings, use Origin Shield), serve large downloads from regions with lower egress pricing, use signed URLs to prevent hotlinking, and avoid Lambda@Edge on every request when a CloudFront Function suffices.

How does CloudFront integrate with WAF and Shield?

AWS WAF can be attached directly to a CloudFront distribution, applying L7 rules (rate limiting, geo-blocking, managed bot rules, OWASP rule sets) at the edge before traffic reaches your origin. AWS Shield Standard (free) is automatic; Shield Advanced (paid) adds 24/7 DDoS response team support, cost protection during attacks, and additional metrics — typically only needed for high-profile workloads.

What is Origin Shield and when does it help?

Origin Shield is an extra regional cache layer between the edge POPs and your origin. Without it, a cache miss at any of 600+ POPs goes back to origin; with it, misses funnel through one shield region first — dramatically increasing the chance of a cache hit and reducing origin load. Most useful for medium-traffic origins or origins in a single region with global viewers.