CloudFront — Edge CDN

Published 2026-04-28 · Updated 2026-05-18

Caching static files, video, and API responses near users speeds up responses and reduces load on the origin server. The service that does this on globally distributed edges is a CDN (Content Delivery Network).

1. About CloudFront

When  Event
2008  CloudFront launches.
2014  HTTPS · custom certificates.
2017  Lambda@Edge · HTTP/2.
2020  Origin Shield.
2021  CloudFront Functions.

It caches and delivers content from PoPs (Points of Presence) worldwide. Numbers commonly cited: 600+ PoPs across 90+ cities.

Core objects:

  • Distribution — Bundles a domain, behaviors, and origins.
  • Origin — The source of content (S3 · ALB · EC2 · external HTTP).
  • Behavior — Per-URL-pattern handling rules.
  • Cache Policy · Origin Request Policy · Response Headers Policy — Separated policy objects.

2. Cache key

The cache key is what CloudFront uses to look up a request in the cache. By default it is the distribution's domain name plus the URL path. A Cache Policy lets you add selected headers, cookies, and query-string parameters to the key.

Every attribute added to the key lowers the hit rate, because the same URL requested with a different header, cookie, or query value is stored as a separate object. Add only what the origin genuinely varies its response on.
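One practical way to keep the key small is to normalize it at the edge before CloudFront builds it. The following viewer-request CloudFront Function is an added example and not code from the original post; the allowlist of parameters the origin really varies on (KEEP) is an assumption.

```javascript
// Added example, not code from the original post: a viewer-request CloudFront Function
// that normalizes the query string before the cache key is built. The allowlist of
// parameters the origin really varies on (KEEP) is an assumption for this example.
var KEEP = ['page', 'size', 'lang'];

function handler(event) {
  var req = event.request;
  var qs = req.querystring || {};
  var out = {};
  // Copy allowlisted parameters only, in a fixed order. Tracking parameters such as
  // utm_source are dropped, so ?size=10&page=2&utm_source=x and ?page=2&size=10
  // both reach the cache as one entry instead of two. Repeated parameters keep
  // only their first value here (a simplification of the multiValue form).
  KEEP.forEach(function (k) {
    if (qs[k] !== undefined) {
      out[k] = { value: qs[k].value };
    }
  });
  req.querystring = out;
  return req;
}
```

Pair this with a Cache Policy that includes only those query-string parameters; the function guarantees that unknown parameters never reach the origin either.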

3. TTL and Cache-Control

CloudFront looks at two signals together:

  • The origin response's Cache-Control: max-age or Expires header.
  • The Distribution's Cache Policy Min/Default/Max TTL.

When the origin sends an explicit value (e.g., Cache-Control: public, max-age=86400), that value is used, bounded by the policy's Min and Max TTL; the Default TTL applies only when the origin sends no caching header at all. Responses with Cache-Control: no-cache, no-store, or private are not cached, unless Min TTL is greater than 0, in which case CloudFront still keeps them for Min TTL.
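The combination rules above, written out as an added example (not code from the original post). TTLs are in seconds; Expires and stale-* directives are deliberately not modelled.

```javascript
// Added example, not code from the original post: computes how long CloudFront keeps
// a response by combining the origin's Cache-Control with a cache policy's
// Min/Default/Max TTL (all in seconds). Expires and stale-* directives are not modelled.
function parseCacheControl(header) {
  var result = { noCache: false, maxAge: null, sMaxAge: null };
  if (!header) return result;
  header.toLowerCase().split(',').forEach(function (raw) {
    var d = raw.trim();
    var m = d.match(/^(max-age|s-maxage)=(\d+)$/);
    if (d === 'no-cache' || d === 'no-store' || d === 'private') result.noCache = true;
    else if (m && m[1] === 's-maxage') result.sMaxAge = parseInt(m[2], 10);
    else if (m) result.maxAge = parseInt(m[2], 10);
  });
  return result;
}

function effectiveTtl(cacheControl, policy) {
  var cc = parseCacheControl(cacheControl);
  // no-cache / no-store / private: not cached, unless Min TTL > 0, in which case
  // CloudFront still keeps the object for Min TTL.
  if (cc.noCache) return policy.minTtl;
  // s-maxage wins over max-age for a shared cache such as CloudFront.
  var originTtl = cc.sMaxAge !== null ? cc.sMaxAge : cc.maxAge;
  // No caching header at all: the policy's Default TTL applies.
  if (originTtl === null) return policy.defaultTtl;
  // An explicit origin value is honoured, clamped to [Min TTL, Max TTL].
  return Math.min(Math.max(originTtl, policy.minTtl), policy.maxTtl);
}

// Constructed sample policy for trying the function out.
var samplePolicy = { minTtl: 0, defaultTtl: 3600, maxTtl: 31536000 };
```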

4. Invalidation

Forces already-cached objects to be evicted before their TTL expires. Path patterns (/static/*) invalidate in batch. The first 1000 paths per month are free; additional paths are billed.

aws cloudfront create-invalidation \
  --distribution-id E1XXXX \
  --paths "/index.html" "/static/*"

In production, versioned filenames (app.abc123.js) are the recommended way to bypass the cache, rather than invalidation. Keeping the old versioned files around makes rollbacks and gradual deploys natural.

5. Edge compute

Lambda@Edge — Runs Lambda functions near PoPs. Four triggers (Viewer Request · Origin Request · Origin Response · Viewer Response). Uses: header transforms · auth · A/B testing · image processing. Has cold starts and memory limits.

CloudFront Functions — A much lighter JavaScript runtime, suited to very short header transforms or URL rewrites. Lower cost and latency than Lambda@Edge, but with stricter limits (2 MB memory · about 1 ms of execution time).

// Viewer-request function: map extension-less paths such as /about to /about.html
function handler(event) {
  const req = event.request;
  // Leave directory paths (trailing slash) and file requests (contain a dot) alone.
  if (!req.uri.endsWith('/') && !req.uri.includes('.')) {
    req.uri += '.html';
  }
  return req;
}

6. Security integrations

Signed URL · Signed Cookie — Allow access only through URLs or cookies signed with a CloudFront key pair; the signed policy can restrict the validity window and the client IP range. Used for private content (video streaming, downloads).

OAC (Origin Access Control) — Blocks direct access to an S3 origin so that requests only pass through CloudFront. The successor to OAI (2022). The bucket policy grants read access to the CloudFront service principal only when the request comes from the specified distribution ARN.

WAF · Shield — Attach AWS WAF in front of CloudFront (SQL injection · XSS · rate-based rules). Shield Standard provides DDoS protection that is applied automatically and free for everyone.
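The OAC bucket-policy shape described above, together with a check for the "Missing OAC" pitfall from the later section, as an added example (not code from the original post). The bucket name, account id and distribution id are constructed placeholders.

```javascript
// Added example, not code from the original post: the shape of an OAC bucket policy and
// a check that the policy grants reads only to CloudFront for one distribution. The
// bucket name, account id and distribution id are constructed placeholders.
var DIST_ARN = 'arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE';

var oacPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Sid: 'AllowCloudFrontServicePrincipalReadOnly',
    Effect: 'Allow',
    Principal: { Service: 'cloudfront.amazonaws.com' },
    Action: 's3:GetObject',
    Resource: 'arn:aws:s3:::example-bucket/*',
    // Without this condition any distribution in any account could read the bucket.
    Condition: { StringEquals: { 'AWS:SourceArn': DIST_ARN } }
  }]
};

// The "Missing OAC" pitfall: a public-read policy that CloudFront can use, but that
// anyone can also use to fetch objects directly from the bucket.
var publicPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow', Principal: '*', Action: 's3:GetObject',
    Resource: 'arn:aws:s3:::example-bucket/*'
  }]
};

// True only if every Allow statement is scoped to the CloudFront service principal
// and pinned to distArn via AWS:SourceArn. Deny statements never widen access.
function readsOnlyViaDistribution(policy, distArn) {
  return policy.Statement.every(function (s) {
    if (s.Effect !== 'Allow') return true;
    var service = s.Principal && s.Principal.Service;
    var eq = s.Condition && s.Condition.StringEquals;
    return service === 'cloudfront.amazonaws.com' && !!eq && eq['AWS:SourceArn'] === distArn;
  });
}
```

The check treats Principal and Action as single strings; real policies may use arrays, so extend it before running it over production policies.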

7. CDN comparison

CDN         Started  Notes
Akamai      1998     The oldest commercial CDN. Enterprise-focused.
Cloudflare  2010     Strong free tier. WAF · DDoS · Workers.
Fastly      2011     Powerful caching control via VCL. Instant invalidation.
CloudFront  2008     AWS integration. Natural billing and IAM.
Bunny.net   2017     Simple, low pricing. Newer.

Decision factors:

  • AWS-centric infrastructure — CloudFront.
  • Free tier · DDoS protection — Cloudflare.
  • Instant cache invalidation — Fastly (in seconds).
  • Simple pricing — Bunny.net.

8. S3 + CloudFront static site

User → CloudFront (HTTPS · cache) → S3 (private, OAC) → content

  • ACM certificate for a custom domain.
  • default_root_object = "index.html".
  • For SPAs, rewrite 404 → /index.html 200 (CloudFront Functions or Custom Error Responses).

Cost structure:

  • Data Transfer Out — Per-GB rate by region · user location.
  • Request count — Separate rates for HTTP vs HTTPS.
  • Lambda@Edge · Functions — Invocations · execution time.

Edge-to-user traffic dominates the bill.

9. Common pitfalls

Wrong cache key — Putting per-user tokens into the cache key drives hit rate near zero.

Origin missing Cache-Control — When the origin omits cache headers, the policy's Default TTL applies, which is rarely what was intended. Make the origin's response explicit.

Missing OAC — Pairing a public S3 origin with CloudFront still lets clients bypass CloudFront and fetch objects from the bucket directly. Use OAC together with Block Public Access.

Reliance on invalidation — Invalidating on every deploy gets expensive and slow. Replace with versioned filenames.

Lambda@Edge global propagation — Function updates take time to propagate to all PoPs.

Cookie effects on cache — Misconfigured cookie forwarding (e.g., forwarding all cookies into the cache key) collapses the hit rate.

Closing thoughts

The core of a CDN is cache key design. Low hit rate puts the load back on the origin and erases the CDN's purpose. Small operations fit Cloudflare's free tier; AWS-centric infrastructure fits CloudFront; instant invalidation needs fit Fastly.

CloudFront developer guide · Lambda@Edge · CloudFront Functions · Cloudflare · Fastly · Bunny.net · RFC 9111 HTTP Caching for reference.
