CloudFront — Edge CDN
Caching static files, video, and API responses near users speeds up responses and reduces load on the origin server. The service that does this on globally distributed edges is a CDN (Content Delivery Network).
1. About CloudFront
| When | Event |
|---|---|
| 2008 | CloudFront launches. |
| 2014 | HTTPS · custom certificates. |
| 2017 | Lambda@Edge · HTTP/2. |
| 2020 | Origin Shield. |
| 2021 | CloudFront Functions. |
It caches and delivers content from PoPs (Points of Presence) worldwide. Numbers commonly cited: 600+ PoPs across 90+ cities.
Core objects:
- Distribution — Bundles a domain, behaviors, and origins.
- Origin — The source of content (S3 · ALB · EC2 · external HTTP).
- Behavior — Per-URL-pattern handling rules.
- Cache Policy · Origin Request Policy · Response Headers Policy — Separated policy objects.
2. Cache key
The key used to look up a request in the cache. By default it is the URL. A Cache Policy lets you add headers, cookies, and query parameters to the key.
Every attribute added to the key lowers the cache hit rate, because the same URL with a different header (or cookie, or query parameter) value is stored as a separate object. Add only what genuinely changes the response.
3. TTL and Cache-Control
CloudFront combines two signals:
- The origin response's Cache-Control: max-age or Expires header.
- The Distribution's Cache Policy Min/Default/Max TTL.
Within the policy's Min/Max bounds, the origin's explicit value (e.g., Cache-Control: public, max-age=86400) takes precedence; when the origin sends no caching header, the Default TTL applies. Responses with Cache-Control: no-cache, no-store, private are not cached.
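The TTL selection described above, worked through as an added example (not code from the page or from AWS): given a Cache Policy's Min/Default/Max TTL and the origin's Cache-Control / Expires headers, it returns the TTL CloudFront applies. Header values passed to it are constructed for the demo, and the no-cache branch carries the Min TTL caveat a practitioner should know.

```javascript
// Parses "public, max-age=3600" into { public: true, 'max-age': 3600 }.
function parseCacheControl(value) {
  const directives = {};
  for (const part of (value || '').split(',')) {
    const [k, v] = part.trim().toLowerCase().split('=');
    if (k) directives[k] = v === undefined ? true : Number(v);
  }
  return directives;
}

// policy: { minTtl, defaultTtl, maxTtl } in seconds; headers: object with lowercase
// header names; nowSeconds: epoch seconds used to evaluate Expires.
// Returns the number of seconds the object is cached; 0 means "not cached".
function effectiveTtl(policy, headers, nowSeconds) {
  const cc = parseCacheControl(headers['cache-control']);
  const clamp = (t) => Math.min(Math.max(t, policy.minTtl), policy.maxTtl);

  // no-cache / no-store / private: not cached while Min TTL is 0. Caveat: with a
  // Min TTL > 0 CloudFront still caches such responses for Min TTL (documented, easy to miss).
  if (cc['no-cache'] || cc['no-store'] || cc['private']) {
    return policy.minTtl;
  }
  // s-maxage (shared caches) beats max-age, which beats Expires; all are clamped to Min..Max.
  if (Number.isFinite(cc['s-maxage'])) return clamp(cc['s-maxage']);
  if (Number.isFinite(cc['max-age'])) return clamp(cc['max-age']);
  if (headers['expires']) {
    const expires = Date.parse(headers['expires']) / 1000;
    if (Number.isFinite(expires)) return clamp(Math.max(0, expires - nowSeconds));
  }
  // No caching header at all: the policy's Default TTL applies (the pitfall in section 9).
  return policy.defaultTtl;
}
```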
4. Invalidation
Forces an already-cached object to be evicted. Path patterns (/static/*) apply to many objects at once. The first 1000 paths per month are free; additional paths are billed.
```bash
aws cloudfront create-invalidation \
  --distribution-id E1XXXX \
  --paths "/index.html" "/static/*"
```
In production, changing versioned filenames (app.abc123.js) to bypass the cache is recommended over invalidation. Keeping the old versioned files in place makes rollbacks and gradual deploys natural.
5. Edge compute
Lambda@Edge — Run Lambda functions near PoPs. Four triggers (Viewer Request · Origin Request · Origin Response · Viewer Response). Header transforms · auth · A/B · image processing. Has cold starts and memory limits.
CloudFront Functions — A much lighter JS runtime. Suited for very short header transforms or URL rewrites. Lower cost and latency than Lambda@Edge (but stricter memory and execution time, 2 MB · 1 ms).
```javascript
function handler(event) {
  const req = event.request;
  // Extensionless, non-directory paths (e.g. /about) map to /about.html at the origin.
  if (!req.uri.endsWith('/') && !req.uri.includes('.')) {
    req.uri += '.html';
  }
  return req;
}
```
6. Security integrations
Signed URL · Signed Cookie — Allow access only via URLs/cookies signed with a CloudFront key pair. Time and IP restrictions are possible. For private content (video streaming, downloads).
OAC (Origin Access Control) — Block direct access to S3 origins so that only CloudFront passes through. The successor to OAI (2022). The bucket policy permits only the CloudFront distribution ARN.
WAF · Shield — Attach AWS WAF in front of CloudFront (SQL injection · XSS · rate-based). Shield Standard is auto-applied DDoS protection free for everyone.
7. CDN comparison
| CDN | Started | Notes |
|---|---|---|
| Akamai | 1998 | The oldest commercial CDN. Enterprise-focused. |
| Cloudflare | 2010 | Strong free tier. WAF · DDoS · Workers. |
| Fastly | 2011 | Powerful caching control via VCL. Instant invalidation. |
| CloudFront | 2008 | AWS integration. Natural billing and IAM. |
| Bunny.net | 2017 | Simple, low pricing. Newer. |
Decision factors:
- AWS-centric infrastructure — CloudFront.
- Free tier · DDoS protection — Cloudflare.
- Instant cache invalidation — Fastly (in seconds).
- Simple pricing — Bunny.net.
8. S3 + CloudFront static site
User → CloudFront (HTTPS · cache) → S3 (private, OAC) → content
- ACM certificate for a custom domain.
- default_root_object = "index.html".
- For SPAs, rewrite 404 → /index.html with status 200 (CloudFront Functions or Custom Error Responses).
Cost structure:
- Data Transfer Out — Per-GB rate by region · user location.
- Request count — Separate rates for HTTP vs HTTPS.
- Lambda@Edge · Functions — Invocations · execution time.
Edge-to-user traffic dominates the bill.
9. Common pitfalls
Wrong cache key — Putting per-user tokens into the cache key drives hit rate near zero.
Origin missing Cache-Control — When the origin omits cache headers, an unintended TTL applies. Make the origin's response explicit.
Missing OAC — Combining a public S3 origin with CloudFront still allows bypass. Use OAC + Block Public Access.
Reliance on invalidation — Invalidating on every deploy gets expensive and slow. Replace with versioned filenames.
Lambda@Edge global propagation — Function updates take time to propagate to all PoPs.
Cookie effects on cache — Misconfigured cookie forwarding collapses the hit rate.
Closing thoughts
The core of a CDN is cache key design. Low hit rate puts the load back on the origin and erases the CDN's purpose. Small operations fit Cloudflare's free tier; AWS-centric infrastructure fits CloudFront; instant invalidation needs fit Fastly.
For reference: CloudFront developer guide · Lambda@Edge · CloudFront Functions · Cloudflare · Fastly · Bunny.net · RFC 9111 (HTTP Caching).