This chapter provides a deep, exam-focused comparison between AWS Global Accelerator and Amazon CloudFront, two services that improve application performance and availability globally. For the SAA-C03 exam, understanding when to use each is critical, as questions frequently present scenarios requiring one over the other. Approximately 5-8% of exam questions touch on global content delivery and acceleration, often testing your ability to distinguish between caching (CloudFront) and network path optimization (Global Accelerator). We will dissect each service's internal mechanisms, default values, protocol support, and integration patterns, then equip you to eliminate wrong answers with precision.
Jump to a section
Imagine you run a global e-commerce company. You have two ways to get your product catalog to customers: a direct dedicated fiber line to each major city (Global Accelerator) or a network of local warehouses that cache your most popular items and deliver them locally (CloudFront). Global Accelerator is like a private express lane on a highway: it doesn't cache anything, but it guarantees the fastest, most reliable route from your origin to the user by using AWS's global network backbone and anycast IPs to avoid internet congestion. CloudFront is like a chain of local shops: it stores copies of your catalog at edge locations close to users, so they don't have to travel all the way to your central warehouse. If a customer wants a product that isn't in the local shop, the shop fetches it from the central warehouse (origin fetch) and then keeps a copy for next time. The key difference: Global Accelerator speeds up the *path* to your existing servers (TCP/UDP), while CloudFront speeds up *content delivery* by caching HTTP(S) objects. If you need to improve performance for dynamic API calls that can't be cached, or for non-HTTP protocols like gaming UDP, you use Global Accelerator. If you serve mostly static or cacheable content (images, videos, web pages), use CloudFront. Both use AWS's global network, but they solve different problems.
What They Are and Why They Exist
AWS Global Accelerator and Amazon CloudFront are both global services that leverage the AWS global network to improve end-user experience. However, they operate at fundamentally different layers of the OSI model and solve different problems.
Global Accelerator operates at Layer 3/4 (Network and Transport layers). It uses anycast IP addresses to direct user traffic to the optimal AWS edge location, then routes it over the AWS global network to your application endpoint (e.g., Application Load Balancer, Network Load Balancer, EC2 instance, or Elastic IP). It does not cache content; it improves performance by reducing internet latency, jitter, and packet loss by keeping traffic on AWS's private backbone as much as possible.
CloudFront operates at Layer 7 (Application layer). It is a content delivery network (CDN) that caches HTTP(S) objects at edge locations. When a user requests content, CloudFront serves it from the nearest edge cache if available (cache hit), or fetches it from the origin (cache miss) and caches it for subsequent requests. CloudFront also supports dynamic content acceleration via its origin shield and TCP optimizations, but its primary value is caching.
How They Work Internally
Global Accelerator Mechanism: - Global Accelerator provides two static anycast IP addresses (or you can bring your own IP via BYOIP). These IPs are advertised from all AWS edge locations (points of presence) globally via BGP. - When a user sends traffic to one of these IPs, the internet's routing system directs the packet to the nearest AWS edge location (by BGP best path). - At the edge, Global Accelerator terminates the user's TCP/UDP connection and creates a new connection over the AWS global network to the endpoint in the chosen AWS region. This is called "connection termination at the edge." - The service monitors endpoint health via health checks (every 10 seconds by default) and can automatically route traffic to healthy endpoints, even across regions, providing failover within seconds. - Global Accelerator supports both TCP and UDP traffic, making it suitable for non-HTTP protocols like gaming, VoIP, or IoT.
CloudFront Mechanism: - CloudFront uses a global network of edge locations (over 600 points of presence). When a user requests content via a CloudFront URL (e.g., d123.cloudfront.net), DNS resolves to the nearest edge location. - The edge location checks its cache for the requested object. If present and not expired (based on Cache-Control headers, TTL defaults to 24 hours), it serves the object directly. - If not cached, the edge forwards the request to the origin (e.g., S3 bucket, ALB, EC2, or custom origin). The origin responds, and the edge caches the object for future requests. CloudFront supports HTTP/HTTPS only (Layer 7). - CloudFront can also use origin shield to reduce load on the origin by centralizing requests at a regional edge cache before hitting the origin.
Key Components, Values, Defaults, and Timers
Global Accelerator: - Accelerator: The top-level resource. You configure listeners (ports and protocols) and endpoint groups (mapping to regions). - Listener: Processes inbound connections. Supports TCP and UDP. Default port ranges: 1-65535. You can specify port overrides. - Endpoint Group: Associates a listener with a specific AWS region. You can set traffic dials (0-99%) to control the percentage of traffic sent to a region (useful for gradual migration). - Endpoint: Can be an Application Load Balancer, Network Load Balancer, EC2 instance, or Elastic IP. Supports cross-region endpoints. - Health Check: By default, health checks run every 10 seconds with a 5-second timeout and 3 consecutive failures to mark unhealthy. You can customize interval, timeout, and thresholds. - Client Affinity: Optional. Ensures that requests from the same client are routed to the same endpoint (uses source IP and port). - Flow Stickiness: By default, Global Accelerator maintains flow stickiness for TCP connections (same source IP/port goes to same endpoint) for the duration of the flow.
CloudFront: - Distribution: The top-level resource. You configure origins, behaviors, and cache settings. - Origin: The source of content (S3 bucket, ALB, EC2, or custom HTTP server). You can set origin path, connection attempts, and timeout. - Cache Behavior: Controls which URLs are cached, TTL defaults (Minimum TTL: 0 seconds, Default TTL: 86400 seconds (24 hours), Maximum TTL: 31536000 seconds (1 year)). You can override with Cache-Control headers. - Edge Location: Over 600 locations. Content is cached here. - Regional Edge Cache: Larger cache in each region to reduce origin load. Used when origin shield is enabled. - Origin Shield: An additional layer that aggregates requests from all edge locations in a region, sending a single request to the origin. Reduces origin load by up to 80%. - Price Class: Controls which edge locations are used (Price Class All: all locations; Price Class 200: most locations except the most expensive; Price Class 100: only locations in North America and Europe). - Signed URLs/Cookies: For private content. You can restrict access using AWS WAF, geo-restriction, or IP whitelisting. - TLS/SSL: Supports custom SSL certificates via AWS Certificate Manager (ACM) or IAM. Default uses CloudFront's domain name.
Configuration and Verification Commands
Global Accelerator (AWS CLI):
# Create accelerator
aws globalaccelerator create-accelerator --name MyAccelerator --ip-address-type IPV4
# List accelerators
aws globalaccelerator list-accelerators
# Describe accelerator
aws globalaccelerator describe-accelerator --accelerator-arn arn:aws:globalaccelerator::123456789012:accelerator/abc123
# Create listener
aws globalaccelerator create-listener --accelerator-arn <arn> --port-ranges From=80,To=80 --protocol TCP
# Create endpoint group
aws globalaccelerator create-endpoint-group --listener-arn <arn> --endpoint-group-region us-east-1 --endpoint-configurations EndpointId=arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/123CloudFront (AWS CLI):
# Create distribution (simple S3 origin)
aws cloudfront create-distribution --origin-domain-name my-bucket.s3.amazonaws.com --default-root-object index.html
# List distributions
aws cloudfront list-distributions
# Get distribution config
aws cloudfront get-distribution --id E123ABC
# Invalidate cache
aws cloudfront create-invalidation --distribution-id E123ABC --paths /images/*Interaction with Related Technologies
Global Accelerator + AWS WAF: Global Accelerator does not natively integrate with AWS WAF for L7 filtering. For web traffic, you should use CloudFront or ALB with WAF.
CloudFront + AWS WAF: CloudFront integrates directly with AWS WAF, allowing you to block requests at the edge before they reach your origin.
Global Accelerator + Shield Advanced: Both services can be used with AWS Shield Advanced for DDoS protection. Global Accelerator provides automatic DDoS mitigation at the edge.
CloudFront + Lambda@Edge: CloudFront can execute Lambda functions at edge locations to modify requests/responses (e.g., A/B testing, URL rewriting).
Global Accelerator + Route 53: Global Accelerator can be used with Route 53 via alias records, allowing you to point your domain to the accelerator's static IPs.
CloudFront + S3: CloudFront is commonly used with S3 to serve static content with low latency and high transfer rates. S3 bucket policies can restrict access to only CloudFront (using Origin Access Control).
When to Use Each
Use Global Accelerator when:
You need to accelerate non-HTTP protocols (UDP, TCP) such as gaming, VoIP, or IoT.
Your application has dynamic content that cannot be cached (e.g., real-time APIs, database queries).
You need fast regional failover for global applications with endpoints in multiple AWS regions.
You want static IP addresses for whitelisting by clients or partners.
You need to reduce jitter and packet loss for real-time applications.
Use CloudFront when:
You serve cacheable content (static assets, images, videos, web pages).
You need to secure your application with AWS WAF at the edge.
You want to use Lambda@Edge for custom logic.
You need to serve content over HTTPS with custom SSL certificates.
You need to restrict access via signed URLs or cookies.
You want to reduce origin load through caching.
Exam Trap: The "Both" Scenario
The exam often presents a scenario where both services could theoretically work, but one is clearly better. For example: - "An application serves both static and dynamic content. Which service should be used?" The answer is CloudFront for static, and Global Accelerator for dynamic, but the question might ask for a single service. In such cases, if the focus is on dynamic content acceleration, choose Global Accelerator. If the focus is on caching static content, choose CloudFront. Sometimes the answer is "use both" — CloudFront for static and Global Accelerator for dynamic, but this is rare. More often, the question specifies the need (e.g., "requires UDP support") which eliminates CloudFront.
Another trap: "Need to reduce latency for an HTTP API with no caching possible." Many candidates choose CloudFront because it's HTTP, but Global Accelerator is better because it improves network path without caching. CloudFront's caching is useless here, and its dynamic acceleration is less effective than Global Accelerator's network optimization.
User sends request to anycast IP
A user's client resolves a domain name (e.g., via Route 53 alias) to one of Global Accelerator's two static anycast IP addresses. The client sends a TCP SYN packet to that IP. Internet routers forward the packet to the nearest AWS edge location based on BGP routing. The edge location terminates the TCP connection, recording the client's source IP and port. Global Accelerator then initiates a new TCP connection over the AWS global backbone to the selected endpoint (e.g., ALB in us-east-1). This separation of client-to-edge and edge-to-origin connections reduces the impact of internet congestion by keeping the majority of the path on AWS's private network.
Edge location evaluates endpoint health
Global Accelerator continuously monitors the health of all endpoints in the endpoint group. Health checks are sent every 10 seconds (default) from each edge location to the endpoint. If an endpoint fails 3 consecutive health checks (default threshold), it is marked unhealthy. The accelerator then stops routing new connections to that endpoint. Existing connections are not disrupted but will not be re-established to the failed endpoint. Traffic is redistributed among remaining healthy endpoints. This failover typically completes within 30 seconds (3 checks * 10 seconds). You can customize health check interval (10s or 30s), timeout (5s or 10s), and threshold (1-10).
Traffic routed via AWS backbone
Once the edge location terminates the user's connection, it selects a healthy endpoint (e.g., an ALB in us-east-1). The edge location then creates a new TCP connection to that endpoint, but this connection traverses the AWS global network backbone rather than the public internet. The AWS backbone is a private, high-bandwidth, low-latency network connecting all AWS regions. This avoids internet congestion, BGP path inefficiencies, and potential packet loss. The edge location may also apply TCP optimizations like larger window sizes and selective acknowledgments to improve throughput. The response from the endpoint follows the same path in reverse.
CloudFront receives request at edge
When a user requests content from a CloudFront distribution, DNS resolves the CloudFront domain to the IP of the nearest edge location. The edge location receives the HTTP/HTTPS request. It checks its local cache for the object based on the URL and query parameters. If the object is cached and its TTL has not expired (cache hit), the edge returns the object immediately without contacting the origin. If not (cache miss), the edge forwards the request to the origin (e.g., S3 bucket or ALB). The origin responds, and the edge caches the object according to the Cache-Control headers or default TTL (24 hours).
CloudFront caches and serves content
Upon receiving the origin response, the edge location stores the object in its cache. The cache uses a least-recently-used (LRU) eviction policy when storage is full. The object is served with the appropriate headers (e.g., Cache-Control, ETag). Subsequent requests for the same object from any user in the same region will hit the cache until the TTL expires. CloudFront also supports origin shield, where a regional edge cache aggregates requests from multiple edge locations before hitting the origin, reducing load. If the object is invalidated via a CloudFront invalidation request, it is removed from all edge caches immediately (though propagation may take minutes).
Enterprise Scenario 1: Global Gaming Platform
A multiplayer game company uses Global Accelerator to route UDP traffic from players worldwide to game servers in us-east-1 and eu-west-1. The game requires real-time communication with low jitter. Previously, players experienced high latency and packet loss on the public internet, especially from regions like South America and Asia. With Global Accelerator, each player's UDP packets enter the AWS edge at the nearest location (e.g., Sao Paulo for South American players) and travel over the AWS backbone to the game server. The accelerator's health checks detect if the primary region's servers are overloaded and shift traffic to the secondary region within 30 seconds. The company also uses Global Accelerator's static IP addresses to whitelist traffic in corporate firewalls. Misconfiguration: Initially, they set the traffic dial for eu-west-1 to 100% during a test, accidentally routing all traffic to Europe, causing increased latency for US players. They corrected by setting dials based on player geography.
Enterprise Scenario 2: E-commerce Website with Static and Dynamic Content
A large e-commerce site uses CloudFront for all user-facing content. Product images, CSS, JS, and HTML are cached at edge locations, reducing load on the origin ALB by 70%. Dynamic content (user cart, checkout) is not cached; instead, CloudFront forwards these requests to the origin ALB. The site uses Lambda@Edge to rewrite URLs for A/B testing and to add security headers. They also use AWS WAF integrated with CloudFront to block SQL injection and XSS attacks. The origin is an S3 bucket for static assets and an ALB for dynamic content. Misconfiguration: They set a very long TTL (1 year) for product images, and when a price changed, the old image was served for days until they issued a cache invalidation. They learned to use versioned URLs or shorter TTLs for mutable content.
Enterprise Scenario 3: Financial Services API
A financial services company exposes a REST API that processes real-time transactions. The API cannot be cached due to strict consistency requirements. They use Global Accelerator to reduce latency for clients in Asia and Europe connecting to the primary region (us-east-1). Global Accelerator provides static IPs for firewall whitelisting and ensures fast failover to a secondary region (eu-west-1) in case of a regional outage. The API runs on an Application Load Balancer behind Global Accelerator. Performance: Latency from Tokyo to us-east-1 dropped from 150ms to 110ms (27% improvement) because traffic stayed on AWS backbone from the Tokyo edge location. They also use Global Accelerator's TCP termination at the edge to offload TLS termination, reducing CPU load on the ALB.
SAA-C03 Exam Focus: Global Accelerator vs CloudFront
Objective Codes: This topic falls under Domain 2: Resilient Architectures, specifically objective 2.5 (Select appropriate AWS services to meet business continuity and disaster recovery requirements) and also appears in Domain 1: Design Secure Architectures (1.2) and Domain 3: Design High-Performing Architectures (3.1). The exam tests your ability to choose between these services based on protocol, caching needs, and failover requirements.
Most Common Wrong Answers: 1. Choosing CloudFront for non-HTTP protocols (e.g., UDP gaming): Candidates see "global acceleration" and think CloudFront, but CloudFront only supports HTTP/HTTPS. Global Accelerator supports TCP and UDP. 2. Choosing Global Accelerator for static content caching: Candidates think any global service improves performance, but Global Accelerator does not cache. CloudFront is needed for caching. 3. Choosing CloudFront when static IPs are required: CloudFront uses a dynamic IP range (though you can use a custom domain). Global Accelerator provides two static anycast IPs. 4. Assuming both services are interchangeable: Many candidates don't realize that Global Accelerator operates at L3/4 and CloudFront at L7. The exam will test this distinction.
Specific Numbers and Values: - Global Accelerator: 2 static anycast IPs (IPv4 or dual-stack). Health check interval: 10 seconds default. Traffic dial: 0-99% (not 100%? Actually 0-100 but 100 means all traffic sent to that endpoint group; you can set 100 for a region). - CloudFront: Over 600 edge locations. Default TTL: 86400 seconds (24 hours). Price classes: All, 200, 100. Origin shield reduces origin load by up to 80%.
Edge Cases: - "An application uses WebSocket (non-HTTP) for real-time communication. Which service?" Global Accelerator supports WebSocket because it is TCP-based. CloudFront does not support WebSocket (it supports HTTP/HTTPS only). - "A company needs to serve content from an S3 bucket with a custom domain and HTTPS. Which service?" CloudFront is the answer because it integrates with S3 and ACM for custom SSL. - "A company needs to failover between two regions for a TCP-based application. Which service?" Global Accelerator can route traffic to multiple regions with health checks. CloudFront can also use multi-region origins but is HTTP-only.
How to Eliminate Wrong Answers: - If the scenario mentions "UDP" or "TCP" (non-HTTP), eliminate CloudFront. - If the scenario mentions "cache" or "static assets" or "reduce load on origin", eliminate Global Accelerator. - If the scenario mentions "static IP addresses" for whitelisting, eliminate CloudFront (unless you use a custom domain with Route 53). - If the scenario mentions "AWS WAF" or "Lambda@Edge", eliminate Global Accelerator (it does not support these). - If the scenario mentions "real-time" or "dynamic" without caching, Global Accelerator is often better. - If the scenario mentions "origin shield" or "signed URLs", it's CloudFront.
Exam Tip: Read the question carefully for keywords like "HTTP", "HTTPS", "UDP", "TCP", "cache", "static", "dynamic", "failover", "static IP". The answer is almost always one or the other, rarely both.
Global Accelerator operates at Layer 3/4 (TCP/UDP); CloudFront operates at Layer 7 (HTTP/HTTPS).
Global Accelerator does NOT cache content; it optimizes the network path using the AWS backbone.
CloudFront caches content at over 600 edge locations; it is a content delivery network (CDN).
Use Global Accelerator for non-HTTP protocols (gaming, VoIP, IoT) and dynamic APIs that cannot be cached.
Use CloudFront for static assets, web content, video streaming, and when you need AWS WAF or Lambda@Edge at the edge.
Global Accelerator provides two static anycast IPs; CloudFront uses a dynamic DNS name.
Both services improve performance, but through different mechanisms: path optimization (Global Accelerator) vs. caching (CloudFront).
Global Accelerator supports fast regional failover with health checks every 10 seconds; CloudFront can also use multiple origins but is HTTP-only.
CloudFront integrates with S3 via Origin Access Control (OAC) for secure static hosting; Global Accelerator does not directly integrate with S3.
The exam will test your ability to choose based on protocol (TCP/UDP vs HTTP), caching needs, and requirement for static IPs.
These come up on the exam all the time. Here's how to tell them apart.
AWS Global Accelerator
Operates at Layer 3/4 (Network and Transport)
Supports TCP and UDP protocols
Does not cache content; optimizes network path
Provides two static anycast IP addresses
Ideal for non-HTTP traffic, real-time apps, and dynamic APIs
Amazon CloudFront
Operates at Layer 7 (Application)
Supports HTTP and HTTPS only
Caches content at edge locations (CDN)
Uses a dynamic DNS name (e.g., d123.cloudfront.net) or custom domain
Ideal for static and cacheable web content, video streaming, and HTTPS applications
Global Accelerator
Health checks every 10 seconds (default) for fast failover
Traffic dials (0-99%) to control traffic distribution per region
No integration with AWS WAF or Lambda@Edge
Supports client affinity (stickiness) for TCP flows
Pricing based on data transfer and accelerator hours
CloudFront
Cache TTL defaults to 24 hours, configurable
Origin shield reduces origin load by up to 80%
Integrates with AWS WAF and Lambda@Edge
Supports signed URLs/cookies for private content
Pricing based on data transfer out and request count
Mistake
CloudFront and Global Accelerator are interchangeable for any global application.
Correct
They operate at different layers. CloudFront is an HTTP/HTTPS CDN that caches content. Global Accelerator is a network layer (TCP/UDP) service that optimizes the path to your origin. They solve different problems and are not interchangeable.
Mistake
Global Accelerator caches content at edge locations.
Correct
Global Accelerator does not cache any content. It only optimizes network routing. It terminates connections at the edge and re-establishes them over the AWS backbone. Caching is done by CloudFront or other services.
Mistake
CloudFront can accelerate any TCP/UDP traffic.
Correct
CloudFront only supports HTTP and HTTPS (Layer 7). It cannot handle raw TCP or UDP traffic. For non-HTTP protocols, you must use Global Accelerator or a third-party solution.
Mistake
Global Accelerator provides a single static IP address.
Correct
Global Accelerator provides two static anycast IP addresses (IPv4 or dual-stack). You can also bring your own IP (BYOIP) but you still get two addresses. These IPs are advertised from all edge locations.
Mistake
CloudFront always improves performance for dynamic content.
Correct
CloudFront can improve dynamic content delivery through TCP optimizations and persistent connections, but its primary benefit is caching. For dynamic content that cannot be cached, Global Accelerator often provides better latency improvements by using the AWS backbone.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes, you can use both together. For example, you can put CloudFront in front of your application to cache static content, and then put Global Accelerator in front of CloudFront? Actually, that doesn't make sense because CloudFront already uses edge locations. A common pattern is to use CloudFront for static content and Global Accelerator for dynamic API endpoints. However, you cannot chain them directly because Global Accelerator is not an HTTP proxy. A better approach: Route dynamic API requests to Global Accelerator (which points to an ALB) and static content to CloudFront (which points to S3 or the same ALB). The exam may ask about using both, but typically you choose one.
Yes, Global Accelerator supports WebSocket because WebSocket runs over TCP. Global Accelerator terminates the TCP connection at the edge and re-establishes it over the AWS backbone. CloudFront does not support WebSocket because it only handles HTTP/HTTPS. If your application uses WebSocket for real-time communication, Global Accelerator is the correct choice.
No, CloudFront only supports HTTP and HTTPS origins. If your origin requires UDP, you cannot use CloudFront. You would need to use Global Accelerator or a different solution.
Use Global Accelerator. It provides two static anycast IP addresses that you can whitelist in firewalls. CloudFront does not provide static IPs; its edge locations use a dynamic IP range. You can use a custom domain with CloudFront, but the underlying IPs change.
CloudFront is better for reducing origin load because it caches content, so fewer requests reach the origin. Global Accelerator does not cache, so all requests still go to the origin. However, Global Accelerator can reduce origin load by offloading TCP connections and TLS termination at the edge.
Global Accelerator does not directly support S3 buckets as endpoints. You can only use ALB, NLB, EC2, or Elastic IP. To accelerate S3 access, use CloudFront or S3 Transfer Acceleration. CloudFront integrates natively with S3.
Global Accelerator can failover within seconds (around 30 seconds) because health checks run every 10 seconds. CloudFront can also failover to a different origin, but it relies on DNS-based routing (if using multiple origins) or custom error responses. CloudFront's failover is typically slower because DNS caching may delay propagation. For fast failover, Global Accelerator is better.
You've just covered Global Accelerator vs CloudFront: When to Use Each — now see how well it sticks with free SAA-C03 practice questions. Full explanations included, no account needed.
Done with this chapter?