CloudFront Notes


·       Amazon CloudFront is a web service that gives businesses and web application developers an easy and cost-effective way to distribute content with low latency and high data transfer speeds. Like other AWS services, Amazon CloudFront is a self-service, pay-per-use offering, requiring no long term commitments or minimum fees. With CloudFront, your files are delivered to end-users using a global network of edge locations.











Edge Locations






·        In the event that offensive or potentially harmful material needs to be removed before the specified expiration time, you can use the Invalidation API to remove the object from all Amazon CloudFront edge locations. You can see the charge for making invalidation requests here.




·       Amazon CloudFront currently supports GET, HEAD, POST, PUT, PATCH, DELETE and OPTIONS requests. Amazon CloudFront does not cache the responses to POST, PUT, DELETE, and PATCH requests – these requests are proxied back to the origin server. You may enable caching for the responses to OPTIONS requests.


·       HTTP/2 is automatically enabled for all new CloudFront distributions.


·       Cloudfront does not support HTTP/2 without TLS.


·       WebSocket is a real-time communication protocol that provides bidirectional communication between a client and a server over a long-held TCP connection. By using a persistent open connection, the client and the server can send real-time data to each other without the client having to frequently reinitiate connections checking for new data to exchange


·       WebSocket connections are often used in chat applications, collaboration platforms, multiplayer games, and financial trading platforms. 


·       You can use WebSockets globally, and no additional configuration is needed to enable the WebSocket protocol within your CloudFront resource as it is now supported by default.


·       Amazon CloudFront supports encrypted WebSocket connections (WSS) using the SSL/TLS protocol.


·       By default, you can deliver your content to viewers over HTTPS by using your CloudFront distribution domain name in your URLs, for example, If you want to deliver your content over HTTPS using your own domain name and your own SSL certificate, you can use one of our Custom SSL certificate support features.


·       Field-Level Encryption is a feature of CloudFront that allows you to securely upload user-submitted data such as credit card numbers to your origin servers. Using this functionality, you can further encrypt sensitive data in an HTTPS form using field-specific encryption keys (which you supply) before a PUT/ POST request is forwarded to your origin. This ensures that sensitive data can only be decrypted and viewed by certain components or services in your application stack. To learn more about field-level encryption, see Field-Level Encryption in our documentation.


·       Server Name Indication (SNI) is an extension of the Transport Layer Security (TLS) protocol. This mechanism identifies the domain (server name) of the associated SSL request so the proper certificate can be used in the SSL handshake. This allows a single IP address to be used across multiple servers. SNI requires browser support to add the server name, and while most modern browsers support it, there are a few legacy browsers that do not. For more details see the SNI section of the CloudFront Developer Guide or the SNI Wikipedia article.





·       You can use Amazon CloudFront live streaming with any live video origination service that outputs HTTP-based streams, such as AWS Elemental MediaPackage or AWS Elemental MediaStore. MediaPackage is a video origination and just-in-time packaging service that allows video distributors to securely and reliably deliver streaming content at scale using multiple delivery and content protection standards.

·       Visit the AWS Live Video Streaming page to learn more.


·       Origin Shield is a centralized caching layer that helps increase your cache hit ratio to reduce the load on your origin

·       Origin Shield also decreases your origin operating costs by collapsing requests across regions so as few as one request goes to your origin per object.


·       When enabled, CloudFront will route all origin fetches through Origin Shield, and only make a request to your origin if the content is not already stored in Origin Shield's cache.


·       When you create or modify a CloudFront distribution, you can enable access logging. CloudFront provides two ways to log the requests that are delivered from your distributions: Standard logs and Real-time logs.


·       CloudFront standard logs are delivered to the Amazon S3 bucket of your choice (log records are delivered within minutes of a viewer request). When enabled, CloudFront will automatically publish detailed log information in a W3C extended format into an Amazon S3 bucket that you specify. Access logs contain detailed information about each request for your content, including the object requested, the date and time of the request, the edge location serving the request, the client IP address, the referrer, the user agent, the cookie header, and the result type (for example, cache hit, or miss, or error). CloudFront doesn’t charge for standard logs, though you incur Amazon S3 charges for storing and accessing the log files.


·      CloudFront real-time logs are delivered to the data stream of your choice in Amazon Kinesis Data Streams (log records are delivered within seconds of a viewer request). You can choose the sampling rate for your real-time logs—that is, the percentage of requests for which you want to receive real-time log records. You can also choose the specific fields that you want to receive in the log records. CloudFront real-time logs contain all the same data points as the standard logs and also contain certain additional information about each request such as viewer request headers, and country code, in a W3C extended format. CloudFront charges for real-time logs, in addition to the charges you incur for using Kinesis Data Streams.


·      If you have time sensitive use cases and require access log data quickly within a few seconds, then choose the real-time logs. If you need your real-time log pipeline to be cheaper, you can choose to filter the log data by enabling logs only for specific cache behaviors, or choosing a lower sampling rate. The real-time log pipeline is built for quick data delivery. Therefore, log records may be dropped if there are data delays. On the other hand, if you need a low-cost log processing solution with no requirement for real-time data then the current standard log option is ideal for you.


·      CloudFront standard logs are delivered to your S3 bucket. The real-time logs are delivered to your Kinesis Data Stream. From Kinesis Data Streams, the logs can be published to Amazon Kinesis Data Firehose.


·      CloudFront Functions is a serverless edge compute feature allowing you to run JavaScript code at the 225+ CloudFront edge locations for lightweight HTTP(s) transformations and manipulations.


·      Lambda@Edge  is an extension of AWS Lambda allowing you to run code at global edge locations without provisioning or managing servers. Lambda@Edge offers powerful and flexible serverless computing for complex functions and full application logic closer to your viewers. Lambda@Edge functions run in a Node.js or Python environment.


All existing features of Amazon CloudFront will continue to work on IPv6, though there are two changes you may need for internal IPv6 address processing before you turn on IPv6 for your distributions.

·       If you have turned on the Amazon CloudFront Access Logs feature, you will start seeing your viewer’s IPv6 address in the “c-ip” field and may need to verify that your log processing systems continue to work for IPv6.

·       When you enable IPv6 for your Amazon CloudFront distribution, you will get IPv6 addresses in the ‘X-Forwarded-For’ header that is sent to your origins. If your origin systems are only able to process IPv4 addresses, you may need to verify that your origin systems continue to work for IPv6.

·      Amazon CloudFront charges are based on actual usage of the service in four areas:

·      Data Transfer Out,

·      HTTP/HTTPS Requests,

·      Invalidation Requests,

·       and Dedicated IP Custom SSL certificates associated with a CloudFront distribution.