Amazon CloudFront, the AWS Content Delivery Network (CDN), can be used to deliver your entire website, including dynamic, static, streaming, and interactive content, using a global network of edge locations.
In this technical session, learn directly from CloudFront engineers how you can improve the performance, availability, and cacheability of your website or application. Several topics are explored in a series of flash talks: Best Practices for Setting up Your Origin, How to Gain Visibility into Your Distribution Using Real-Time Metrics & Analytics, How to Improve Cacheability, and How to Test Your Configuration. This session assumes a working knowledge of CDNs.
2. What to expect from the session
• Best practices for setting up your origin
• Gaining visibility into your distribution
• How to improve cacheability
• How to test your configuration
4. Following origin best practices can give you…
• Easier debugging
• Better performance
• Higher availability
5. Five best practices
1. Use Amazon Route 53 health checks and DNS failover
2. Configure multiple origins
3. Secure your origin
4. Log request IDs
5. Set origin response headers
6. Amazon Route 53 health checks and DNS failover
Health checks: automated requests sent over the Internet to your application to verify that your application is reachable, available, and functional.
Failover: only return answers for resources that are healthy and reachable from the outside world, so that your end users are routed away from a failed or unhealthy part of your application.
7. Use Route 53 to improve availability & performance
(Diagram built up over slides 7 to 11: Route 53 health checks and DNS failover across regions; only the label eu-west-1 survives extraction.)
13. Access control: Restricting origin access
Amazon S3: Origin Access Identity (OAI)
• Prevents direct access to your Amazon S3 bucket
• Ensures performance benefits to all customers
Custom origin: Block by IP address
• Whitelist only the Amazon CloudFront IP range
• Protects origin from overload
• Ensures performance benefits to all customers
14. Origin Access Identity (OAI)
• Ensure only Amazon CloudFront can access your Amazon S3 bucket
• We make it simple for you
(Diagram, slides 14 and 15: Amazon CloudFront in front of an Amazon S3 bucket and a custom origin in a Region.)
16. Shield custom origin
• Shield your custom origin
• Whitelist the Amazon CloudFront IP range
(Diagram, slides 16 and 17: Amazon CloudFront in front of an Amazon S3 bucket and a custom origin in a Region.)
18. Shield custom origin
• Subscribe to Amazon SNS notifications on changes to IP ranges
• Automatically update security groups
(Diagram: an Amazon SNS message announcing a change to the AWS IP ranges triggers AWS Lambda, which updates the security group protecting the web app servers behind Amazon CloudFront.)
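As an added example (not code from the session or from AWS), the core of a Lambda handler for the pattern on slide 18: it checks the downloaded ip-ranges.json against the digest carried in the SNS notification, extracts the CLOUDFRONT prefixes, and diffs them against the security group's current rules before calling the EC2 API. The ip-ranges document, the SNS body and the current rule set are constructed for the illustration; the EC2 client is passed in by the caller.

```python
import hashlib
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json (the real document lives at
# https://ip-ranges.amazonaws.com/ip-ranges.json); prefixes are RFC 5737 ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1700000000",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
    ],
}).encode()

# Constructed SNS body with the fields the AmazonIpSpaceChanged notification carries.
SAMPLE_SNS_MESSAGE = json.dumps({
    "create-time": "2023-11-14T10:00:00+00:00", "synctoken": "1700000000",
    "md5": hashlib.md5(SAMPLE_IP_RANGES).hexdigest(),
    "url": "https://ip-ranges.amazonaws.com/ip-ranges.json"})


def cloudfront_prefixes(ip_ranges_body: bytes) -> set:
    """Normalised IPv4 CIDRs whose service is CLOUDFRONT; everything else is ignored."""
    doc = json.loads(ip_ranges_body)
    return {str(ipaddress.ip_network(p["ip_prefix"]))
            for p in doc["prefixes"] if p["service"] == "CLOUDFRONT"}


def plan_update(current_cidrs: set, desired_cidrs: set) -> dict:
    """Diff the group's current rules against the published list: add new, drop stale."""
    return {"authorize": sorted(desired_cidrs - current_cidrs),
            "revoke": sorted(current_cidrs - desired_cidrs)}


def handle_notification(sns_message: str, fetched_body: bytes, current_cidrs: set) -> dict:
    """Refuse to touch the group unless the download matches the digest AWS announced."""
    if hashlib.md5(fetched_body).hexdigest() != json.loads(sns_message)["md5"]:
        raise ValueError("ip-ranges.json digest does not match the SNS notification")
    return plan_update(current_cidrs, cloudfront_prefixes(fetched_body))


def apply_plan(ec2, group_id: str, plan: dict, port: int = 443) -> int:
    """Apply the plan through an EC2 client (e.g. boto3.client("ec2")); returns rules changed."""
    methods = {"authorize": ec2.authorize_security_group_ingress,
               "revoke": ec2.revoke_security_group_ingress}
    changed = 0
    for action, method in methods.items():
        if plan[action]:
            method(GroupId=group_id, IpPermissions=[{
                "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                "IpRanges": [{"CidrIp": c} for c in plan[action]]}])
            changed += len(plan[action])
    return changed
```

The full CloudFront list holds far more prefixes than one security group's rule quota allows, so AWS's reference implementation of this pattern spreads the ranges over several groups. Today the managed prefix list com.amazonaws.global.cloudfront.origin-facing gives the same whitelist without any Lambda.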
22. Key takeaways
• Use Amazon Route 53's health checks and DNS failover
• Improve security by setting headers at your origin
• Enable logging
• Serve your static assets from Amazon S3
• Serve error pages from Amazon S3
24. Visibility into your distribution
Four different ways to get visibility:
• AWS CloudTrail – for monitoring distribution config changes
• Near real-time metrics – Provided by Amazon CloudFront
• Amazon CloudFront reports – for analytics
• Amazon CloudWatch Logs – for custom monitoring
25. Monitor distribution config changes
• Monitor changes to distribution configuration using AWS CloudTrail
• Get alarms when:
  • Distribution is disabled
  • Trusted signers are disabled
  • Custom TLS certificate changes
26. Amazon CloudFront near real-time metrics
• Provided in near real-time
• Via Amazon CloudWatch
• Alarm on 6 metrics:
  • Requests
  • Bytes downloaded
  • Bytes uploaded
  • 4XX error rate
  • 5XX error rate
  • Total error rate
27. Amazon CloudFront reports to identify trends
• Cache hit/miss
• Incomplete downloads
• Top countries
• Mobile users
• Popular objects
28. Generate custom metrics
• Amazon CloudFront access logs
• Delivered via Amazon Kinesis to Amazon S3 buckets
• Typically within an hour of an event happening
(Diagram: logs from multiple edge locations delivered to Amazon S3.)
29. Generate custom metrics
• Upload logs to Amazon CloudWatch using AWS Lambda
(Diagram: Amazon CloudFront access logs land in Amazon S3, AWS Lambda processes them into Amazon CloudWatch metrics, and a CloudWatch alarm fires on them.)
Example custom metrics: keywords (e.g. bots), granular response codes (e.g. 4XX), requests to certain URLs, TLS versions.
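An added example (not code from the session) of the Lambda-side logic slide 29 describes: parse CloudFront standard access log lines by their #Fields header and aggregate the custom counters named on the slide into CloudWatch MetricData. The log lines, distribution id, bot keywords and watched URL prefix are constructed for the illustration; publishing the list with put_metric_data is left to the caller.

```python
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the CloudFront standard access log layout: tab-separated records
# behind a #Version/#Fields header. A subset of the real fields is used; parsing follows
# the #Fields line, so the full layout works the same way.
SAMPLE_LOG = """#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(User-Agent) x-edge-result-type cs-protocol ssl-protocol
2023-11-14\t10:00:01\tDUB2-C1\t1024\t198.51.100.7\tGET\td111111abcdef8.cloudfront.net\t/index.html\t200\tMozilla/5.0%20(X11;%20Linux)\tHit\thttps\tTLSv1.2
2023-11-14\t10:00:02\tDUB2-C1\t512\t198.51.100.8\tGET\td111111abcdef8.cloudfront.net\t/api/items\t200\tMozilla/5.0%20(compatible;%20Googlebot/2.1)\tMiss\thttps\tTLSv1.3
2023-11-14\t10:00:03\tFRA50-C1\t256\t203.0.113.9\tGET\td111111abcdef8.cloudfront.net\t/api/items/42\t404\tcurl/8.4.0\tError\thttps\tTLSv1.2
2023-11-14\t10:00:04\tFRA50-C1\t256\t203.0.113.10\tGET\td111111abcdef8.cloudfront.net\t/old.html\t502\tpython-requests/2.31\tError\thttp\t-
"""
BOT_KEYWORDS = ("bot", "crawler", "spider")  # hypothetical keyword list matched in cs(User-Agent)
WATCHED_PREFIX = "/api/"                      # hypothetical "certain URLs" to count


def parse_cloudfront_log(text: str) -> list:
    """Return one dict per request, keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split("\t")))
            row["cs(User-Agent)"] = unquote(row.get("cs(User-Agent)", "-"))  # logs URL-encode it
            rows.append(row)
    return rows


def custom_metrics(rows: list, distribution_id: str) -> list:
    """Aggregate the slide's custom counters into CloudWatch MetricData dicts."""
    c = Counter()
    for r in rows:
        c["Requests"] += 1
        c["Status" + r["sc-status"]] += 1            # granular response code, e.g. Status404
        c["Status" + r["sc-status"][0] + "XX"] += 1  # class, e.g. Status4XX
        if r["x-edge-result-type"] in ("Hit", "RefreshHit"):
            c["CacheHits"] += 1
        if any(k in r["cs(User-Agent)"].lower() for k in BOT_KEYWORDS):
            c["BotRequests"] += 1
        if r["cs-uri-stem"].startswith(WATCHED_PREFIX):
            c["WatchedUrlRequests"] += 1
        if r["cs-protocol"] == "https":              # ssl-protocol is "-" for plain HTTP
            c["TLS_" + r["ssl-protocol"].replace(".", "_")] += 1
    dims = [{"Name": "DistributionId", "Value": distribution_id}]
    return [{"MetricName": n, "Dimensions": dims, "Value": float(v), "Unit": "Count"}
            for n, v in sorted(c.items())]
```

The returned list is in the shape cloudwatch.put_metric_data(Namespace=..., MetricData=...) expects; batch it to stay within the API's per-request limit.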
43. Test your configuration
• Test in development mode
• Ensure content is cached correctly
• Performance testing
• Load testing
• Test SSL configuration
44. Turn on development mode
• Set maximum TTL to 0
• Without the need to constantly invalidate
• Forwarding all headers changes behavior
• Whitelist your IP using AWS WAF so the distribution is only accessible from your corporate network
• Signed cookies
45. Ensure content is cached correctly
Check the cache hit/miss ratio of the distribution in the reports
Inspect response headers in the Chrome or Firefox developer console:
• Age header
• X-Cache
• Cache-Control headers
• HSTS headers
47. Load testing
Traditional load testing
• Use one client
• From a single region
• Hits a single IP
Ideal load testing
• Clients from multiple locations
• Independent DNS requests
• Distribute across IPs
DNS load balancing: simulate the real user environment