SAA-C03 | Chapter 27 of 189 | Objective 3.4

CloudFront Distribution Design

This chapter covers CloudFront distribution design, a core component of AWS's content delivery network (CDN) service. You will learn how to architect CloudFront distributions for optimal performance, security, and cost efficiency. This topic is critical for the SAA-C03 exam, appearing in approximately 10-15% of questions, often integrated with S3, EC2, Lambda@Edge, and WAF scenarios. Mastering distribution design ensures you can deliver content globally with low latency and high throughput.

25 min read
Intermediate
Updated May 31, 2026

Global Coffee Chain with Regional Kitchens

Imagine a global coffee chain with a central bakery in Seattle that produces all pastries. Customers worldwide order pastries online. Without optimization, every order travels to Seattle, which is slow and overloads the bakery. To fix this, the chain deploys regional kitchens (edge locations) in major cities worldwide. Each regional kitchen caches popular pastries based on local demand. When a customer in Tokyo orders a croissant, the request goes to the nearest regional kitchen in Tokyo. If the kitchen has the croissant (cache hit), it serves it instantly. If not (cache miss), the kitchen sends a request to the Seattle bakery, receives the croissant, serves it to the customer, and keeps a copy for future orders. The chain also uses a smart ordering system (Route53) to direct customers to the fastest kitchen based on current load and network conditions. To ensure freshness, the chain sets expiration times (TTL) for each pastry type—croissants expire after 2 hours, but custom cakes expire after 24 hours. They can also proactively push new recipes (invalidation) to all kitchens when the menu changes. This system reduces latency, offloads the central bakery, and scales to millions of customers worldwide.

How It Actually Works

What is CloudFront and Why Use It?

Amazon CloudFront is a global content delivery network (CDN) that securely delivers data, videos, applications, and APIs to customers with low latency and high transfer speeds. It uses a network of edge locations—over 450 points of presence (PoPs) across 90+ cities—to cache content closer to users. The primary benefits are:

- Reduced Latency: Content is served from the nearest edge location instead of the origin.
- Offload Origin: Reduces load on origin servers (S3, EC2, or on-premises).
- DDoS Protection: Integrated with AWS Shield Standard and Shield Advanced.
- Security: Supports HTTPS, field-level encryption, and AWS WAF.
- Programmable Edge: Lambda@Edge and CloudFront Functions for custom logic.

How CloudFront Works Internally

When a user requests content from a CloudFront distribution, the following steps occur:

1. DNS Resolution: The user's browser resolves the CloudFront domain (e.g., d123.cloudfront.net) to the IP of the nearest edge location based on latency-based routing.
2. Edge Location Check: The edge location checks its cache for the requested object. If found and not expired (cache hit), it serves the object immediately.
3. Cache Miss: If not cached, the edge location forwards the request to the origin (e.g., S3 bucket or HTTP server). The origin responds with the object and optional Cache-Control headers.
4. Caching: The edge location stores the object according to the TTL (time-to-live) set by Cache-Control max-age, or the behavior's Default TTL (24 hours if not specified) when the origin sends no such header.
5. Response: The edge location serves the object to the user and caches it for subsequent requests.

Key Components and Defaults

#### Distributions

A distribution is the unit of configuration. You can create web distributions (HTTP/HTTPS) or RTMP distributions (Adobe Flash—deprecated). Each distribution has:

- Origin: The source of content (S3 bucket, Elastic Load Balancer, EC2 instance, or custom origin).
- Behaviors: Path patterns that map requests to specific origins and caching settings. The default behavior covers all requests.
- Price Class: Limits the edge locations used. Options: Price Class All (all regions), Price Class 200 (most regions, excludes South America), Price Class 100 (only US, Canada, Europe).
- SSL/TLS: Supports dedicated IP or SNI (Server Name Indication) for custom domains. Default is *.cloudfront.net.

#### Cache Behavior Settings

- Path Pattern: E.g., /images/*. Default is *.
- Viewer Protocol Policy: HTTP, HTTPS, or Redirect HTTP to HTTPS.
- Allowed HTTP Methods: GET, HEAD (default) or GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE.
- Cached HTTP Methods: GET, HEAD (only these are cached).
- TTL Settings: Minimum TTL, Maximum TTL, Default TTL (24 hours). Can be overridden by origin Cache-Control headers.
- Restrict Viewer Access: Use signed URLs or signed cookies.
- Lambda Function Associations: Trigger Lambda@Edge on viewer request/response or origin request/response.
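The following is an added example, not code from the page or from AWS: a small model of how a request path is matched against cache behaviors (first matching path pattern wins, the default `*` behavior last) and of which query-string parameters end up in the cache key under the forwarding setting of the matched behavior. It mirrors the /images/* and /api/* split used later in the walk-through and shows why forwarding every query string fragments the cache. The `Behavior` dataclass, the function names, and the `SAMPLE_BEHAVIORS` list are assumptions made for this example; sorting of kept parameters is this model's own normalization, not a statement about CloudFront's internal key format.

```python
# Added example: model of CloudFront behavior matching and cache-key composition.
# Not AWS code; behavior names and sample URLs below are constructed.
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit


@dataclass(frozen=True)
class Behavior:
    path_pattern: str                 # e.g. "/images/*"; "*" is the default behavior
    target_origin_id: str
    default_ttl: int                  # seconds; 0 for dynamic content
    forward_query: str = "none"       # "none" | "whitelist" | "all"
    query_allowlist: Tuple[str, ...] = ()


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    # CloudFront path patterns: '*' matches any run of characters (including '/'),
    # '?' matches exactly one character; everything else is literal.
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


def select_behavior(path: str, behaviors: List[Behavior]) -> Behavior:
    # Behaviors are evaluated in listed order; the first match wins, so the
    # default "*" behavior must come last or it shadows the specific ones.
    for b in behaviors:
        if pattern_to_regex(b.path_pattern).match(path):
            return b
    raise ValueError("no behavior matched; a default '*' behavior is required")


def cache_key(url: str, behaviors: List[Behavior]) -> Tuple[str, str]:
    """Return (origin id, cache key) for a request URL under the given behaviors.
    Query parameters only enter the key if the matched behavior forwards them."""
    parts = urlsplit(url)
    b = select_behavior(parts.path, behaviors)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if b.forward_query == "none":
        kept = []
    elif b.forward_query == "whitelist":
        kept = [(k, v) for k, v in params if k in b.query_allowlist]
    else:
        kept = params
    # Sorting is this model's normalization so parameter order alone does not
    # split the cache; it is not a claim about CloudFront's internal key.
    key = parts.path + ("?" + urlencode(sorted(kept)) if kept else "")
    return b.target_origin_id, key


def cache_fragmentation(urls: List[str], behaviors: List[Behavior]) -> int:
    """Number of distinct cache keys a list of requests produces.
    Fewer keys for the same content means a higher cache hit ratio."""
    return len({cache_key(u, behaviors)[1] for u in urls})


# Constructed sample behaviors: static assets from S3 with a one-year TTL,
# an API path with no caching that forwards every query string, a product
# path that allowlists only "id", and the mandatory default behavior.
SAMPLE_BEHAVIORS = [
    Behavior("/images/*", "s3-static", default_ttl=31536000),
    Behavior("/api/*", "alb-dynamic", default_ttl=0, forward_query="all"),
    Behavior("/product/*", "alb-dynamic", default_ttl=60,
             forward_query="whitelist", query_allowlist=("id",)),
    Behavior("*", "s3-static", default_ttl=86400),
]

if __name__ == "__main__":
    tracked = [f"https://d123.cloudfront.net/images/hero.jpg?utm_source=s{i}" for i in range(5)]
    print("keys for 5 tracked image requests:", cache_fragmentation(tracked, SAMPLE_BEHAVIORS))
    api = [f"https://d123.cloudfront.net/api/items?utm_source=s{i}" for i in range(5)]
    print("keys for 5 tracked API requests:", cache_fragmentation(api, SAMPLE_BEHAVIORS))
```

Run as a script it shows the contrast the exam cares about: five image requests that differ only in an analytics parameter collapse to one cache key under a behavior that forwards no query strings, while the same five requests under a forward-all behavior produce five keys and five origin fetches.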

#### Origins

- S3 Origin: Use Origin Access Control (OAC) to restrict direct S3 access. OAC replaces the older Origin Access Identity (OAI).
- Custom Origin: HTTP/HTTPS server. Must be publicly accessible or behind a load balancer with CloudFront's IP ranges whitelisted.

#### SSL/TLS

- Default CloudFront Certificate: *.cloudfront.net, free.
- Custom SSL Certificate: Upload via AWS Certificate Manager (ACM) or IAM. Must be in the US East (N. Virginia) region for CloudFront.
- SNI vs Dedicated IP: SNI is free and works with most modern browsers. Dedicated IP costs extra and is needed for legacy browser support.

#### Security

- AWS WAF: Integrated for web ACLs (e.g., block SQL injection, IP blacklists).
- Field-Level Encryption: Encrypt sensitive data before it reaches the origin.
- Geo-Restriction: Allow or block countries using a whitelist or blacklist.
- Origin Shield: An additional caching layer in a central AWS region to reduce origin load.

Configuration and Verification

#### Creating a Distribution via AWS CLI

aws cloudfront create-distribution --distribution-config file://config.json

Example config.json (Comment is a required field of DistributionConfig, so it is included even when empty; with OAC, S3OriginConfig.OriginAccessIdentity stays empty):

{
  "CallerReference": "unique-ref",
  "Comment": "",
  "Aliases": {
    "Quantity": 1,
    "Items": ["www.example.com"]
  },
  "DefaultRootObject": "index.html",
  "Origins": {
    "Quantity": 1,
    "Items": [
      {
        "Id": "myS3Origin",
        "DomainName": "my-bucket.s3.amazonaws.com",
        "OriginAccessControlId": "oac-id",
        "S3OriginConfig": {
          "OriginAccessIdentity": ""
        }
      }
    ]
  },
  "DefaultCacheBehavior": {
    "TargetOriginId": "myS3Origin",
    "ViewerProtocolPolicy": "redirect-to-https",
    "MinTTL": 0,
    "DefaultTTL": 86400,
    "MaxTTL": 31536000,
    "ForwardedValues": {
      "QueryString": false,
      "Cookies": {
        "Forward": "none"
      }
    },
    "TrustedSigners": {
      "Enabled": false,
      "Quantity": 0
    }
  },
  "PriceClass": "PriceClass_All",
  "Enabled": true
}

#### Verification Commands

# List distributions
aws cloudfront list-distributions

# Get distribution details
aws cloudfront get-distribution --id E1234567890ABC

# Test with curl
curl -I https://d123.cloudfront.net/image.jpg

Interaction with Related Technologies

Route53: Use latency-based routing or geolocation routing to point to CloudFront distribution.

S3: CloudFront can serve static content from S3 with OAC for security. S3 Transfer Acceleration is not needed.

EC2/ALB: CloudFront can front dynamic content from an ALB, offloading SSL and caching static assets.

Lambda@Edge: Run code at edge locations for A/B testing, URL rewrites, or authentication.

AWS WAF: Attach web ACLs to CloudFront distributions for layer 7 protection.

Shield Advanced: Provides enhanced DDoS protection for CloudFront distributions.

Caching and TTL Details

CloudFront caches objects based on TTL values. The actual TTL is determined by:

If the origin sends Cache-Control: max-age=3600, CloudFront uses that value (within MinTTL and MaxTTL bounds).

If no Cache-Control header, CloudFront uses the Default TTL (24 hours).

MinTTL and MaxTTL override origin headers if they fall outside the range.

Default TTL is 86400 seconds (24 hours). MinTTL default is 0. MaxTTL default is 31536000 seconds (365 days).
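As an added example (not code from the page or from AWS), the rules above expressed as a function: the origin's Cache-Control value is clamped into the behavior's [MinTTL, MaxTTL] range, and the Default TTL is used when the origin sends no usable directive. The `TtlSettings` dataclass and function names are assumptions for this example; treating no-cache/no-store as a zero TTL is a simplification of this model (with MinTTL at 0 CloudFront does not serve such objects from cache without revalidation).

```python
# Added example: model of how CloudFront derives an object's TTL from the
# origin Cache-Control header and the behavior's MinTTL/DefaultTTL/MaxTTL.
# Not AWS code; defaults below are the values stated on this page.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class TtlSettings:
    min_ttl: int = 0              # CloudFront default MinTTL
    default_ttl: int = 86400      # 24 hours
    max_ttl: int = 31536000       # 365 days


def parse_cache_control(cache_control: Optional[str]) -> Dict[str, str]:
    """Split 'public, max-age=3600' into {'public': '', 'max-age': '3600'}."""
    directives: Dict[str, str] = {}
    for part in (cache_control or "").split(","):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    return directives


def origin_ttl(cache_control: Optional[str]) -> Optional[int]:
    """TTL requested by the origin, or None if the header carries no usable value.
    s-maxage is preferred over max-age, as for any shared cache; no-cache and
    no-store are modelled as a zero TTL (simplification, see lead-in)."""
    directives = parse_cache_control(cache_control)
    if "no-store" in directives or "no-cache" in directives:
        return 0
    for key in ("s-maxage", "max-age"):
        if key in directives and directives[key].isdigit():
            return int(directives[key])
    return None


def effective_ttl(cache_control: Optional[str], settings: TtlSettings = TtlSettings()) -> int:
    """Seconds the edge will cache the object, per the page's rules:
    origin value clamped into [MinTTL, MaxTTL]; DefaultTTL if no origin value."""
    requested = origin_ttl(cache_control)
    if requested is None:
        requested = settings.default_ttl
    return max(settings.min_ttl, min(requested, settings.max_ttl))


if __name__ == "__main__":
    for header in ("max-age=3600", None, "public, s-maxage=120, max-age=30", "no-store"):
        print(f"{header!r:40} -> {effective_ttl(header)} s")
    # A dynamic /api/* behavior with every TTL at 0 never caches, whatever the origin says.
    print("api behavior:", effective_ttl("max-age=3600", TtlSettings(0, 0, 0)), "s")
```

The last line is the "TTL=0 for dynamic content" case from the behavior settings: with MinTTL, DefaultTTL and MaxTTL all 0, a max-age from the origin is clamped to 0, which is why setting only DefaultTTL=0 while leaving MaxTTL at a year still lets an origin header cause caching.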

#### Cache Invalidation

You can invalidate objects by path (e.g., /images/*). Each invalidation costs $0.005 per path. Invalidation is not instant; it takes a few seconds to propagate. Alternatively, use versioned filenames (e.g., image_v2.jpg) to avoid invalidation costs.

#### Origin Shield

Origin Shield is an optional caching layer that aggregates requests from multiple edge locations, reducing origin load. It is enabled per origin group and incurs additional costs. Use it for high-traffic origins to improve cache hit ratio.

Price Classes

Price Class All: All edge locations, highest cost.

Price Class 200: Most regions excluding South America, moderate cost.

Price Class 100: US, Canada, Europe only, lowest cost.

Custom Error Responses

You can configure custom error pages (e.g., 404.html) and error caching minimum TTL (default 300 seconds).

Signed URLs and Cookies

Use signed URLs or cookies to restrict access to premium content. Signed URLs grant access to individual files; signed cookies grant access to groups of files. They use CloudFront key pairs or trusted signers (AWS accounts).

Geo-Restriction

Use geo-restriction (whitelist or blacklist) to block traffic from specific countries. This is based on GeoIP databases maintained by AWS.

Field-Level Encryption

Encrypt sensitive data (e.g., credit card numbers) at the edge using public key encryption. The origin decrypts with the private key. This ensures sensitive data is never visible in plaintext at the edge.

Real-Time Logs

CloudFront can stream logs to Kinesis Data Streams for real-time monitoring. Standard logs are delivered to S3 with up to 24-hour delay.

Reporting

CloudFront provides monitoring metrics (requests, bytes downloaded, error rates) in CloudWatch. You can also enable detailed billing reports.

Limits

Maximum number of distributions per account: 200 (soft limit).

Maximum number of origins per distribution: 25.

Maximum number of behaviors per distribution: 25.

Maximum file size for GET requests: 20 GB.

Maximum file size for PUT/POST: 20 GB (with chunked transfer).

Maximum URL length: 8,192 characters.

Maximum header size: 16 KB.

Best Practices

Use S3 as origin for static content with OAC.

Set appropriate TTLs: long TTL for static assets, short TTL for dynamic content.

Use Origin Shield for high-traffic origins.

Use Lambda@Edge for custom logic like URL rewrites.

Enable compression (gzip, brotli) to reduce transfer size.

Use multiple origins and behaviors for different content types.

Use AWS WAF to block malicious traffic.

Monitor cache hit ratio in CloudWatch; aim for >90%.

Troubleshooting

403 Forbidden: Check OAC/OAI configuration, S3 bucket policy, or signed URL validity.

502 Bad Gateway: Origin is not responding or SSL handshake fails.

504 Gateway Timeout: Origin takes too long to respond (default timeout 30 seconds).

Low Cache Hit Ratio: Check TTL settings, query string/cookie forwarding, or use Origin Shield.

Walk-Through

1. Create an S3 bucket as origin

First, create an S3 bucket to store static content. Enable static website hosting if you want to serve index documents. Set the bucket policy to grant CloudFront access via Origin Access Control (OAC). OAC uses a service principal (cloudfront.amazonaws.com) with a condition on the distribution ID. Alternatively, use Origin Access Identity (OAI) for older setups. Ensure the bucket is in the same AWS region as your distribution for optimal performance, though CloudFront can reach any region.

2. Configure CloudFront distribution with origin

In the CloudFront console, create a new web distribution. Set the origin domain to your S3 bucket's regional endpoint (e.g., my-bucket.s3.us-east-1.amazonaws.com). Enable Origin Access Control and select the OAC you created. For the default cache behavior, set Viewer Protocol Policy to Redirect HTTP to HTTPS. Set Allowed HTTP Methods to GET, HEAD for static content. Configure TTLs: MinTTL=0, DefaultTTL=86400, MaxTTL=31536000. Optionally, set a default root object (e.g., index.html).

3. Attach custom domain and SSL certificate

To use a custom domain (e.g., www.example.com), add it to the distribution's Alternate Domain Names (CNAMEs). Request a public SSL certificate in ACM in US East (N. Virginia) for the domain. After validation, select the certificate in the distribution settings. Update your DNS provider to create a CNAME record pointing www.example.com to the CloudFront distribution domain (e.g., d123.cloudfront.net). For apex domains, use Route53 Alias records.

4. Set up caching and behaviors

Define cache behaviors for different path patterns. For example, create a behavior for /images/* with a longer TTL (e.g., 1 year) and another for /api/* with no caching (TTL=0) and forward query strings. Use path patterns to route requests to different origins if needed. Enable compression (gzip, brotli) for text files. Set Forwarded Values: for static content, forward none; for dynamic, forward relevant headers, cookies, or query strings.

5. Enable security and monitoring

Attach an AWS WAF web ACL to the distribution to block common attacks (e.g., SQL injection, XSS). Enable geo-restriction if needed. Enable CloudFront standard logs (delivered to S3) or real-time logs (to Kinesis). Set up CloudWatch alarms for metrics like 4xx/5xx error rates. Optionally, enable Origin Shield to improve cache hit ratio. Finally, test the distribution by accessing your custom domain and verify HTTPS and caching behavior.

What This Looks Like on the Job

Enterprise Scenario 1: Global Media Streaming

A media company streams video content to millions of users worldwide. They use CloudFront with S3 as the origin for video files (MP4, HLS). They configure multiple origins: one for video files (S3) and one for API requests (ALB). For video, they set TTL to 1 year and use signed URLs for premium content. They enable Origin Shield in US East to reduce load on S3. They also use Lambda@Edge to authenticate users before serving video. Common issues: expired signed URLs cause 403 errors; low cache hit ratio due to unique query strings for analytics. Solution: use cookies instead of query strings for analytics, or forward only specific parameters.

Enterprise Scenario 2: E-commerce Platform

An e-commerce site uses CloudFront to serve static assets (CSS, JS, images) and dynamic content (product pages, cart). They use two origins: S3 for static assets and an ALB for dynamic content. For static assets, TTL is 1 day, and they use versioned filenames to avoid invalidation. For dynamic content, they set TTL=0 and forward cookies for session management. They attach WAF to block bots and SQL injection. They use CloudFront Functions to rewrite URLs (e.g., /product/123 to /product?id=123). Performance: average latency reduced from 500ms to 50ms. Misconfiguration: forwarding all query strings leads to cache misses; solution: whitelist only necessary parameters.

Enterprise Scenario 3: Software Distribution

A software company distributes large binaries (up to 20 GB) via CloudFront. They use S3 as origin with OAC. They set TTL to 1 year and use signed URLs for controlled access. They enable chunked transfer for large files. They also use CloudFront's geo-restriction to comply with export laws. They monitor cache hit ratio and use Origin Shield to handle peak loads. Common mistake: not setting appropriate MaxTTL, causing objects to be revalidated frequently. Best practice: set MaxTTL to 365 days for immutable objects.

How SAA-C03 Actually Tests This

SAA-C03 Exam Focus on CloudFront Distribution Design

The SAA-C03 exam tests your ability to design CloudFront distributions for performance, security, and cost optimization. Key objective codes: Domain 3 (High Performance) Objective 3.4 (Determine how to design a CDN solution). Questions often integrate CloudFront with S3, EC2, Lambda@Edge, WAF, and Route53.

Common Wrong Answers and Traps

1. Choosing S3 Transfer Acceleration over CloudFront: Candidates incorrectly select Transfer Acceleration for global content delivery. However, Transfer Acceleration only speeds up uploads to S3, not downloads. For download acceleration, CloudFront is the correct service.

2. Using OAI instead of OAC: The exam may ask about restricting access to an S3 origin. OAC is the newer, recommended method. OAI is legacy but still valid. Know the difference: OAC uses a service principal with a condition on the distribution ID; OAI uses a special CloudFront user.

3. Setting TTL to 0 for all content: Some candidates think TTL=0 always ensures freshness, but it eliminates caching benefits. The exam expects you to set appropriate TTLs: long for static, short for dynamic.

4. Forgetting to use Origin Shield: In scenarios with high traffic and many edge locations, Origin Shield can significantly improve cache hit ratio. Not using it when appropriate is a missed optimization.

Specific Numbers and Values

Default TTL: 86400 seconds (24 hours)

MinTTL default: 0

MaxTTL default: 31536000 seconds (365 days)

Maximum file size: 20 GB

Maximum URL length: 8192 characters

Maximum header size: 16 KB

Price classes: All, 200, 100

Error caching minimum TTL: 300 seconds

Invalidation cost: $0.005 per path

ACM certificate must be in us-east-1 for CloudFront

Edge Cases and Exceptions

Signed URLs vs Signed Cookies: Signed URLs are for individual files; signed cookies for groups of files. The exam may ask which to use for a media site with multiple videos.

Lambda@Edge vs CloudFront Functions: Lambda@Edge is for complex logic (node.js, Python) with up to 5-second execution; CloudFront Functions is for lightweight operations (JavaScript) with sub-millisecond execution. The exam tests selecting the right one based on requirements.

Geo-restriction vs WAF geo match: Geo-restriction blocks at edge based on country; WAF geo match can be more granular (e.g., block specific IPs within a country).

Custom error pages: You can configure custom error pages for 4xx/5xx errors. The exam may test that error caching TTL is separate from object TTL.

How to Eliminate Wrong Answers

If the question asks for low latency global content delivery, eliminate any answer that doesn't mention a CDN. Look for CloudFront.

If the question involves securing S3 content behind CloudFront, look for OAC or OAI. Avoid answers that make S3 bucket public.

If the question involves dynamic content, consider TTL=0 or forwarding cookies/query strings.

If the question involves cost optimization, consider Price Class 100 or 200, and using versioned filenames instead of invalidation.

Key Takeaways

CloudFront is a global CDN with over 450 edge locations for low-latency content delivery.

Default TTL is 86400 seconds (24 hours); MinTTL default 0; MaxTTL default 31536000 seconds (365 days).

Use Origin Access Control (OAC) to restrict S3 bucket access to specific CloudFront distributions.

Cache invalidation costs $0.005 per path and is not instantaneous; prefer versioned filenames.

CloudFront supports custom SSL certificates from ACM, but they must be in us-east-1.

Price Class 100 limits edge locations to US, Canada, Europe for cost savings.

CloudFront can front both static (S3) and dynamic (ALB/EC2) origins.

Lambda@Edge runs Node.js or Python up to 5 seconds; CloudFront Functions runs JavaScript sub-millisecond.

Origin Shield reduces origin load by aggregating cache misses in a central region.

CloudFront integrates with AWS WAF for layer 7 protection and geo-restriction for country blocking.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

CloudFront

Global CDN with 450+ edge locations

Caches content for repeated downloads

Supports HTTPS, WAF, Lambda@Edge

Best for static and dynamic content delivery

Cost based on data transfer out and requests

S3 Transfer Acceleration

Only speeds up uploads to S3

No caching; each upload goes to S3 directly

Uses AWS edge locations but only for TCP optimization

Best for large uploads from distributed users

Cost based on accelerated upload bytes

Watch Out for These

Mistake

CloudFront caches all HTTP methods including PUT and POST.

Correct

CloudFront only caches GET and HEAD responses. PUT, POST, PATCH, DELETE requests are always forwarded to the origin and not cached.

Mistake

Setting TTL to 0 means content is never cached.

Correct

Setting TTL to 0 means CloudFront will still cache the object for a very short time (typically 0 seconds) but may still serve from cache if the request arrives within the same millisecond. To truly bypass cache, use Cache-Control: no-cache or no-store headers, or configure the behavior to forward all headers.

Mistake

Origin Access Identity (OAI) is the only way to restrict S3 access.

Correct

OAI is legacy. AWS now recommends Origin Access Control (OAC), which provides more granular control using service principal and distribution ID conditions.

Mistake

CloudFront invalidation is instantaneous.

Correct

Invalidation takes a few seconds to propagate to all edge locations. It is not immediate. For faster updates, use versioned filenames.

Mistake

CloudFront distributions can only have one origin.

Correct

A single distribution can have multiple origins, each associated with different cache behaviors based on path patterns.


Frequently Asked Questions

What is the difference between CloudFront and S3 Transfer Acceleration?

CloudFront is a CDN that caches content at edge locations for fast downloads. S3 Transfer Acceleration (TA) speeds up uploads to S3 by routing traffic through AWS edge locations using optimized TCP. TA does not cache content. Use CloudFront for content delivery; use TA for large uploads from distant clients.

How do I restrict access to my S3 bucket so only CloudFront can access it?

Use Origin Access Control (OAC). Create an OAC in the CloudFront distribution, then attach a bucket policy that allows s3:GetObject only when the principal is cloudfront.amazonaws.com and the condition aws:SourceArn matches your distribution ARN. This ensures only your distribution can access the bucket.
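As an added example (not from the page, and not AWS-provided code), here is the bucket policy described in that answer built as a document, together with a checker that flags Allow statements which would expose the bucket more widely than a single distribution: a wildcard principal, a principal other than the CloudFront service, or a CloudFront grant that is not pinned to the distribution ARN with aws:SourceArn. The function names are assumptions for this example; the account ID 123456789012 is a constructed placeholder and E1234567890ABC is the distribution ID used elsewhere on this page.

```python
# Added example: build the OAC bucket policy from the FAQ answer and check a
# bucket policy for grants broader than "this one CloudFront distribution".
# Not AWS code; ARNs and account ID below are constructed placeholders.
import json
from typing import Any, Dict, List


def build_oac_bucket_policy(bucket: str, distribution_arn: str) -> Dict[str, Any]:
    """Allow s3:GetObject only to the CloudFront service principal, and only
    when the calling distribution's ARN matches (the OAC pattern)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def policy_json(bucket: str, distribution_arn: str) -> str:
    """Serialized form suitable for: aws s3api put-bucket-policy --bucket <b> --policy file://policy.json"""
    return json.dumps(build_oac_bucket_policy(bucket, distribution_arn), indent=2)


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def find_overly_broad_statements(policy: Dict[str, Any], distribution_arn: str) -> List[str]:
    """Return one finding per Allow statement that grants access to anyone
    other than the given distribution. Only a StringEquals condition on
    aws:SourceArn (case-insensitive key) counts as pinning in this model."""
    findings: List[str] = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        label = st.get("Sid", f"Statement[{i}]")
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{label}: public principal (anyone can read the bucket)")
            continue
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "cloudfront.amazonaws.com" not in services:
            findings.append(f"{label}: principal other than the CloudFront service; review separately")
            continue
        pinned: List[str] = []
        for operator, pairs in st.get("Condition", {}).items():
            if operator.lower().startswith("stringequals"):
                for key, val in pairs.items():
                    if key.lower() == "aws:sourcearn":
                        pinned.extend(_as_list(val))
        if distribution_arn not in pinned:
            findings.append(f"{label}: CloudFront principal is not pinned to {distribution_arn} via aws:SourceArn")
    return findings


# Constructed sample values for a stand-alone run.
SAMPLE_ARN = "arn:aws:cloudfront::123456789012:distribution/E1234567890ABC"

if __name__ == "__main__":
    print(policy_json("my-bucket", SAMPLE_ARN))
    print("findings for OAC policy:", find_overly_broad_statements(
        build_oac_bucket_policy("my-bucket", SAMPLE_ARN), SAMPLE_ARN))
    public = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
              "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}]}
    print("findings for public policy:", find_overly_broad_statements(public, SAMPLE_ARN))
```

The checker is the defender's side of the "avoid answers that make the S3 bucket public" rule: a policy that reads correctly at a glance but lacks the aws:SourceArn condition lets any CloudFront distribution in any account that is configured with this bucket as an origin read from it, and the check reports exactly that gap.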

Can CloudFront serve dynamic content from an Application Load Balancer?

Yes. You can set the origin to an ALB's DNS name. For dynamic content, set TTL to 0 and forward necessary headers (e.g., cookies, query strings). CloudFront will still terminate SSL and provide DDoS protection, but each request will go to the ALB.

What is the maximum file size CloudFront can serve?

The maximum file size for GET requests is 20 GB. For PUT/POST, also 20 GB, but you must use chunked transfer encoding. Larger files should be served via S3 presigned URLs or other methods.

How do I invalidate objects in CloudFront?

You can create an invalidation request specifying object paths (e.g., /images/*). Each path costs $0.005. Invalidation propagates in a few seconds. Alternatively, use versioned filenames (e.g., image_v2.jpg) to avoid invalidation costs.

What is Origin Shield and when should I use it?

Origin Shield is an additional caching layer in a central AWS region that aggregates requests from all edge locations. It improves cache hit ratio and reduces origin load. Use it for high-traffic origins with many edge locations. It incurs extra costs.

Can I use CloudFront with a custom domain and HTTPS?

Yes. Add your custom domain as an alternate domain name (CNAME) in the distribution. Request a public SSL certificate from ACM in us-east-1 for that domain. After validation, select the certificate in the distribution settings. Update DNS with a CNAME or Alias record pointing to the CloudFront domain.
