"Amazon CloudFront, the AWS Content Delivery Network (CDN), can be used to deliver your entire website, including dynamic, static, streaming, and interactive content using a global network of edge locations.   In this technical session, learn directly from CloudFront engineers on how you can improve the performance, availability, and cacheability of your website or application. Several topics will be explored in a series of flash talks including: Best Practices for Setting up Your Origin, How to Gain Visibility into Your Distribution Using Real-Time Metrics & Analytics, How to Improve Cacheability,  and How to Test Your Configuration. This session assumes a working knowledge of CDN."

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Alex Dunlap
GM, Amazon CloudFront
Jarrod Guthrie
Sr. Product Manager, Amazon CloudFront
Calin Nemes
Sr. Support Engineer, Amazon CloudFront
Matthew Baldwin
Sr. Software Development Engineer, Amazon CloudFront
October 2015
Using Amazon CloudFront to Improve
Performance, Availability and Cacheability
STG206

2. What to expect from the session
• Best practices for setting up your origin
• Gaining visibility into your distribution
• How to improve cacheability
• How to test your configuration

3. Best practices for setting up
your origin

4. Following origin best practices can give you…
Easier debugging
Better performance
Higher availability

5. Five best practices
1. Use Amazon Route 53 health checks and DNS failover
2. Configure multiple origins
3. Secure your origin
4. Log request IDs
5. Set origin response headers

6. Failover
Only return answers for resources
that are healthy and reachable
from the outside world, so that
your end users are routed away
from a failed or unhealthy part of
your application
Health Checks
Automated requests sent over
the Internet to your application
to verify that your application is
reachable, available, and
functional
+
Amazon Route 53 health checks and
DNS failover

7. Use Route 53 to improve availability & performance

8. Use Route 53 to improve availability & performance

9. Use Route 53 to improve availability & performance

10. Use Route 53 to improve availability & performance

11. Use Route 53 to improve availability & performance
eu-west-1

12. Configure multiple origins
Elastic Load
Balancing
Dynamic content
Amazon EC2
Static content
Amazon S3
*
(default)
/error/*
/assets/*
Amazon CloudFront
example.com

13. Access control: Restricting origin access
Amazon S3
Origin Access Identify (OAI)
• Prevents direct access to your Amazon
S3 bucket
• Ensure performance benefits to all
customers
Custom origin
Block by IP address
• Whitelist only the Amazon CloudFront
IP Range
• Protects origin from overload
• Ensure performance benefits to all
customers

14. Object Access Identity (OAI)
• Ensure only Amazon CloudFront
can access Amazon S3 bucket
• We make it simple for you
Amazon CloudFront
Region
Amazon S3
bucket
Custom origin

15. Object Access Identity (OAI)
• Ensure only Amazon CloudFront
can access Amazon S3 bucket
• We make it simple for you
Amazon CloudFront
Region
Amazon S3
bucket
Custom origin

16. Shield custom origin
• Shield your custom origin
• Whitelist Amazon CloudFront IP range
Amazon CloudFront
Region
Amazon S3
bucket
Custom Origin

17. Shield custom origin
• Shield your custom origin
• Whitelist Amazon CloudFront IP range
Amazon CloudFront
Region
Amazon S3
bucket
Custom origin

18. Shield custom origin
• Subscribe to Amazon SNS notifications on changes to
IP ranges
• Automatically update security groups
AWS Lambda
Amazon CloudFront
Amazon SNS
Security group
Web app
server
Web app
server
AWS IP ranges
Update IP range
SNS message

19. Log Amazon CloudFront request IDs at origin
Nginx:
log_format main '$remote_addr - $remote_user
[$time_local] "$request" ‘ '$status $body_bytes_sent
"$http_referer" ‘ '"$http_user_agent"
http_x_forwarded_for" "$http_x_amz_cf_id"';
Apache:
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i"
"%{User-Agent}i" "%{X-Amz-Cf-Id}i"" combined

20. Set origin response headers
*Strict-Transport-Security: max-age=15552000;
*X-Frame-Options: SAMEORIGIN
*X-XSS-Protection: 1; mode=block Options
*Cache-Control: max-age=300; public

21. Demo

22. Key takeaways
• Use Amazon Route53’s health checks and DNS failover
• Improve security by setting headers at your origin
• Enable logging
• Serve your static assets on Amazon S3
• Serve error pages from Amazon S3

23. Gaining visibility into your distribution

24. Visibility into your distribution
Four different ways to get visibility:
• AWS CloudTrail – for monitoring distribution config changes
• Near real-time metrics – Provided by Amazon CloudFront
• Amazon CloudFront reports – for analytics
• Amazon CloudWatch Logs – for custom monitoring

25. Monitor distribution config changes
• Monitor changes to distribution configuration using
AWS CloudTrail
• Get alarms when:
• Distribution is disabled
• Trusted signers are disabled
• Custom TLS certificate changes

26. Amazon CloudFront near real-time metrics
• Provided in near real-time
• Via Amazon CloudWatch
• Alarm on 6 metrics:
• Requests
• Bytes downloaded
• Bytes uploaded
• 4XX error rate
• 5XX error rate
• Total error rate

27. Amazon CloudFront reports to identify trends
• Cache hit/miss
• Incomplete downloads
• Top countries
• Mobile users
• Popular objects

28. Generate custom metrics
• Amazon CloudFront access logs
• Delivered via Amazon Kinesis to Amazon S3 buckets
• Typically within an hour of an event happening
Edge location
Amazon
S3
Edge location
Edge location

29. Generate custom metrics
• Upload logs to Amazon CloudWatch using AWS Lambda
Amazon
CloudFront
Amazon
S3
AWS
Lambda
Amazon
CloudWatch
Alarm
Keywords e.g. Bots Granular Response Code e.g. 4XX Request to certain URLs TLS versions

30. Demo

31. Key takeaways
• Enable AWS CloudTrail
• Monitor your Amazon CloudFront reports
• Create alarms
• Subscribe to Amazon CloudFront access logs
• Push logs to Amazon CloudWatch

32. How to improve cacheability

33. Improving cacheability of your objects
• Versioning website assets
• Cache headers
• Shared distribution
• Forwarded values
• Path prefix invalidations

34. Versioning website assets
<link
href="//assets.example.com/assets/v1/css/jumbotron-narrow.css“
rel="stylesheet">
<link
href="//assets.example.com/assets/v2/css/jumbotron-narrow.css“
rel="stylesheet">
<link
href="//assets.example.com/assets/css/jumbotron-narrow.css?<md5sum>“
rel="stylesheet">

35. Cache-Control & expires
< Cache-Control: max-age=300
< Cache-Control: max-age=30, s-maxage=3000
< Expires: Thu, 18 Sep 2025 21:34:50 GMT
Min TTL Default TTL Max TTL
Set min, max and default TTL on Amazon CloudFront

36. Cache-Control & expires
*.css, *.js or Images
Cache-Control:
public; max-
age=31536000
index.html
Cache-Control:
no-cache=Set-
Cookie; max-
age=30
Live streaming
/*.m3u8 => Cache-
Control: public;
max-age=2

37. Shared distributions
• Shared assets across multiple properties
Static content
Amazon S3
Amazon CloudFront
assets.example.com
www.example.com
www.example.org

38. Forwarded values
• Check forwarded headers
• Query string forwarding
• Cookie forwarding
• Trusted Advisor checks

39. Invalidations
• Last resort
• Only applies to Amazon CloudFront cache, not browsers or
intermediary caches

40. Demo

41. Key takeaways
• Use versioning
• Use multiple cache behaviors
• Forward only required headers
• Use invalidations as last resort

42. How to test your configuration

43. Test your configuration
• Test in development mode
• Ensure content is cached correctly
• Performance testing
• Load testing
• Test SSL configuration

44. Turn on development mode
• Set maximum TTL to 0
• Without need to constantly invalidate!
• Forwarding all headers changes behavior
• Whitelist your IP using AWS WAF so only
accessible from corporate network
• Signed cookies

45. Ensure content is cached correctly
Check cache/hit miss ratio of distribution on reports
Developer console on Chrome or Firefox
• Age header
• X-Cache
• Cache-Control headers
• HSTS headers

46. Performance testing
Backbone testing Last mile testing Real user testing

47. Load testing
Traditional load testing
• Use one client
• From a single region
• Hits single IP
DNS load balancing 
Simulate real user environment 
Ideal load testing
• Clients from multiple locations
• Independent DNS requests
• Distribute across IPs
DNS load balancing 
Simulate real user environment 

48. SSL labs
• Verify your SSL config

49. Demo

50. Key takeaways
• Switch off caching during development mode
• Use RUM for performance testing
• If you load test - test from multiple locations

51. Thank you!

52. Remember to complete
your evaluations!

53. Related Sessions
SEC323: Securing Web Applications with AWS WAF
Friday, Oct 9 at 9:00 AM – 10:00 AM
Lando 4301B