Your origin server (S3 bucket, ALB, API) lives in one region (e.g., us-east-1 in Virginia). A user in Tokyo makes a request — that request travels ~14,000 km across the Pacific Ocean, through multiple network hops. Round-trip time: 200-300 ms before any content is even being sent. Multiply that by every image, CSS file, and API call — your site feels slow.

A Content Delivery Network (CDN) solves this by placing copies of your content at edge locations around the world. When a user in Tokyo requests your image, instead of traveling to Virginia, the request hits an edge server in Tokyo — distance: 0 km, latency: 1-5 ms.

Amazon CloudFront is AWS's managed CDN service. It has 450+ Points of Presence (PoPs) in 90+ cities across 49 countries. But CloudFront is far more than just a cache — it's an edge compute + security + routing layer:

Property	Value	Why It Matters
Edge Locations	450+ in 90+ cities, 49 countries	Content is always near your users, regardless of where they are
Scope	Global service (not regional)	One distribution serves the entire world. No per-region config.
Protocols	HTTP/1.1, HTTP/2, HTTP/3 (QUIC), WebSocket	Modern protocols for fastest delivery + real-time apps
HTTPS	Free SSL/TLS with ACM certificates	No cost for HTTPS. Custom domain requires ACM cert in us-east-1.
DDoS Protection	AWS Shield Standard (included free)	Layer 3/4 DDoS mitigation at edge — never hits your origin.
Origins Supported	S3, ALB, EC2, API Gateway, any HTTP endpoint	Works with any web server — AWS or non-AWS (custom origin).
Pricing	Pay per GB transferred + per request	No upfront. Free tier: 1 TB/month transfer + 10M requests for 12 months.

User Location	Direct to Origin (Virginia)	With CloudFront	Improvement
Virginia (US-East)	~10 ms	~5 ms	2× faster
London (EU)	~80 ms	~5 ms	16× faster
Tokyo (APAC)	~200 ms	~5 ms	40× faster
Sydney (APAC)	~250 ms	~8 ms	31× faster
São Paulo (SA)	~150 ms	~10 ms	15× faster

Most people think "CloudFront = CDN = caching." But the real understanding:

Function	What It Does	Benefit
Edge Caching	Store copies of static content at edge	90%+ requests never hit origin
TLS Optimization	Terminate HTTPS at edge (closer TLS handshake)	Faster even for dynamic content (no cache)
DDoS Shield	Absorb L3/L4 attacks at edge network	Origin never sees attack traffic
Origin Shield	Extra caching layer between edge and origin	Reduces origin load further (collapse requests)
OAC	Block direct access to S3 — only via CloudFront	Content only served through CDN (secure + fast)
Lambda@Edge	Run code at edge before/after cache	URL rewrites, A/B testing, auth, personalization

A Distribution is the main CloudFront resource — it represents your entire CDN configuration. When you create a distribution, CloudFront gives you a domain name (e.g., d111abc.cloudfront.net) that routes requests through the edge network to your origins.

Think of a distribution as the blueprint for how CloudFront handles your traffic — it defines: where content comes from (origins), how requests are routed (behaviors), how long to cache (TTL), and who can access content (security).

Distribution Component	What It Is	Example
Domain Name	CloudFront-assigned URL	d111abc.cloudfront.net
Origin(s)	Where content lives (source of truth)	S3 bucket, ALB, API Gateway
Cache Behavior(s)	Rules for how to handle requests by path	/api/* → ALB, /* → S3
Price Class	Which edge locations to use	All edges, NA+EU only, NA only
Alternate Domain	Custom domain (CNAME)	www.example.com
SSL Certificate	HTTPS cert (ACM or custom)	ACM cert in us-east-1
WAF Web ACL	Firewall rules (optional)	Block by IP, rate limit, geo-restrict

CloudFront has a two-tier caching architecture. Understanding this is key for optimization:

A distribution can have multiple cache behaviors — each one matches a URL path pattern and defines how CloudFront handles those requests. This lets you send different paths to different origins with different caching rules.

Path Pattern	Origin	Cache Policy	Use Case
/api/*	ALB (dynamic)	No cache (TTL=0)	API calls — always fresh from backend
/static/*	S3 bucket	Cache 1 year (immutable assets)	CSS, JS, images with hash filenames
/images/*	S3 bucket	Cache 24 hours	User-uploaded images — change occasionally
Default (*)	ALB (app server)	Cache 5 minutes	HTML pages — semi-dynamic

You can limit which edge locations CloudFront uses to reduce cost (fewer edges = cheaper but higher latency for excluded regions):

Price Class	Edge Locations Included	Cost	Use When
All Edge Locations	All 450+ worldwide	Highest	Global audience, lowest latency everywhere
200	NA, EU, Asia, Middle East, Africa	Medium	Most apps — excludes only South America + Australia
100	NA + EU only	Lowest	US/EU-focused apps, budget optimization

Price Class	Approx. Cost (per GB, US)	Savings vs All	Trade-off
All (450+ edges)	~$0.085/GB	Baseline	Lowest latency everywhere
200 (most edges)	~$0.080/GB	~6%	Excludes South America + Australia
100 (NA+EU only)	~$0.075/GB	~12%	Higher latency for APAC/SA users

Recommendation: Start with Price Class 200 (covers 95% of users cheaply). Use All only if you have significant traffic from South America or Australia. Price Class 100 is fine for internal tools or US/EU-only apps.

By default, CloudFront gives you d111abc.cloudfront.net. To use your own domain (www.example.com):

Caching is CloudFront's core function. Understanding the cache flow is critical for both the exam and production optimization:

The cache key is how CloudFront identifies a unique cached object. By default, the cache key is just the URL path + query string. But you can customize it to include headers, cookies, or query parameters.

Cache Key Component	Default	Customizable?	Impact
URL Path	Always included	No	/images/logo.png and /images/hero.png are different cache entries
Query Strings	None (ignored)	Yes — include all, none, or specific	?v=1 and ?v=2 can be same or different cache entries
Headers	None	Yes — include specific headers	Accept-Language in key → cache per language
Cookies	None	Yes — include all, none, or specific	Session cookie in key → cache per user (bad!)

TTL (Time To Live) controls how long CloudFront caches an object before checking with the origin for a fresh copy. There are three TTL settings that interact:

TTL Setting	Default	Purpose	How It Works
Minimum TTL	0 seconds	Floor — CloudFront caches at least this long	Even if origin says Cache-Control: max-age=0, CloudFront keeps for Minimum TTL
Default TTL	86400 (24 hours)	Used when origin sends no cache headers	If origin omits Cache-Control/Expires, use this value
Maximum TTL	31536000 (1 year)	Ceiling — CloudFront never caches longer than this	Even if origin says max-age=9999999, capped at Maximum TTL

When you update content at origin, the cached version at edge is stale until TTL expires. To force immediate removal, use invalidation:

Method	How It Works	Cost	Best For
Create Invalidation	Tell CloudFront to remove specific paths from all edges	First 1000/month free, then $0.005 per path	Emergency content update, bug fix deployment
Versioned File Names	Use style.abc123.css — new deploy = new file name = new cache entry	Free (no invalidation needed)	Production best practice for static assets
Wait for TTL	Do nothing — old content expires naturally	Free	Non-urgent changes, short TTL content

Cache Hit Ratio = percentage of requests served from cache (without origin contact). Higher = faster + cheaper. Target: 90%+ for static content.

Factor	Improves Hit Ratio	Worsens Hit Ratio
TTL	Longer TTL (content stays cached)	Short TTL (frequent re-fetches)
Cache Key	Minimal key (URL only)	Including cookies/all headers (cache per user)
Query Strings	Ignore or whitelist specific ones	Include all (random params = cache miss)
Origin Shield	Enabled (collapses duplicate misses)	Disabled (each edge fetches independently)
Content Type	Static assets (highly cacheable)	Personalized/dynamic (per-user responses)

CloudFront separates what affects caching from what's forwarded to origin:

Scenario	Solution	Why
"Content updated but users see old version"	Create invalidation OR use versioned filenames	Edge cache serves stale content until TTL expires
"Low cache hit ratio despite long TTL"	Remove unnecessary items from cache key (cookies, headers)	Too many key components = each request is "unique"
"API responses must always be fresh"	Set TTL = 0 OR Cache-Control: no-store	Disables caching — every request goes to origin
"Different content per language"	Include Accept-Language header in cache key	Separate cache entries per language
"Origin overloaded during traffic spike"	Enable Origin Shield + increase TTL	Collapses duplicate requests + content stays cached longer

An origin is where CloudFront fetches content when there's a cache miss. It's the source of truth — the actual server or bucket that holds your original content. A distribution can have multiple origins, each handling different path patterns.

CloudFront can front an API Gateway endpoint for additional caching, edge security (WAF), and custom domain support:

API Gateway Type	CloudFront Integration	Notes
Edge-Optimized API	Already has built-in CloudFront (AWS-managed)	Adding your own CF = double CDN. Usually not needed.
Regional API	Add CloudFront distribution in front	Best approach — full control over caching, WAF, custom domain.
HTTP API	Add CloudFront distribution in front	Cheapest API GW option + CloudFront for edge features.

Origin Groups enable automatic failover between a primary and secondary origin. If the primary returns specific error codes (5xx, 4xx), CloudFront retries the request against the secondary.

Origin Type	Best For	OAC Support	Protocol	Notes
S3 (REST)	Static files	✅ Yes	HTTPS	Private bucket. Most secure.
S3 (Website)	Static site with redirects	❌ No	HTTP only	Public bucket. Custom origin.
ALB	Dynamic apps, APIs	❌ (use custom header)	HTTP/HTTPS	Must be public-facing ALB.
EC2	Legacy single-instance	❌	HTTP/HTTPS	Needs public IP. No HA.
API Gateway	Serverless APIs	❌	HTTPS	Use Regional type.
Custom Origin	Any HTTP server (on-prem, other cloud)	❌	HTTP/HTTPS	Any public HTTP endpoint.

OAC (Origin Access Control) is the modern way to restrict S3 bucket access so that only CloudFront can read your objects. Users cannot bypass CloudFront and access S3 directly.

For private content that only authorized users should access (paid content, premium downloads), use signed URLs or cookies:

Feature	Signed URL	Signed Cookie
Scope	One specific file/URL	Multiple files (entire path pattern)
Use When	Individual file download (video, PDF)	Entire premium section (/premium/*)
How	App generates URL with signature + expiry	App sets cookies; CloudFront validates
Expiry	Set per URL (minutes to days)	Set in cookie (same flexibility)
Client Change	URL changes (link is unique per user/time)	URL stays same; auth is in cookie
Exam Tip	"Restrict single file" → Signed URL	"Restrict multiple files" → Signed Cookie

Setting	Options	Recommended	Notes
Viewer Protocol Policy	HTTP+HTTPS, Redirect HTTP→HTTPS, HTTPS Only	Redirect HTTP→HTTPS	User-facing. Always force HTTPS.
Origin Protocol Policy	HTTP Only, HTTPS Only, Match Viewer	Depends on origin	S3 REST = HTTPS. ALB = HTTPS. S3 website = HTTP only.

Attach AWS WAF (Web Application Firewall) to CloudFront for Layer 7 protection at the edge — before traffic reaches your origin:

Layer	Protection	Cost	What It Does
AWS Shield Standard	L3/L4 DDoS	Free (automatic)	Absorbs volumetric attacks (SYN floods, UDP reflection) at edge
AWS Shield Advanced	L3/L4/L7 DDoS	$3,000/month	Enhanced detection, DRT team support, cost protection credits
AWS WAF	L7 (application)	Per-rule pricing	Rate limiting, bot mitigation, IP blocking at edge

Response Headers Policies let you add, modify, or remove HTTP headers in CloudFront responses — without changing your origin. Essential for security headers:

Field-Level Encryption (FLE) encrypts specific form field data at the edge before forwarding to your origin — even your own servers never see plaintext sensitive data:

WAF rate-based rules are a common exam pattern — they throttle excessive requests at the edge:

Config	Example	Notes
Threshold	100 requests per 5 minutes per IP	Aggregated at edge across all CloudFront locations
Action	Block request for 10 minutes	Returns 403 Forbidden to client
Scope	Specific URI path (e.g., /login, /api/*)	Don't rate-limit static assets
Protection	Login brute-force, API abuse, scraping	Origin never sees throttled requests

CloudFront can automatically compress responses before sending them to viewers, reducing transfer size by 60-80% for text-based content:

Setting	Detail	Impact
Gzip	Standard compression. Enable in cache behavior.	60-70% smaller for HTML, CSS, JS, JSON
Brotli	Modern, better compression. CloudFront auto-selects based on Accept-Encoding.	15-20% smaller than Gzip
File Types	Text-based: HTML, CSS, JS, JSON, XML, SVG, fonts	Do NOT compress images/video (already compressed)
Min Size	Objects must be > 1000 bytes	Small files don't benefit from compression overhead

Origin Shield adds a centralized caching layer between Regional Edge Caches and your origin. It collapses duplicate origin fetches from multiple edges into a single request:

Run code at the edge without touching your origin — for URL manipulation, auth, personalization, A/B testing:

Feature	CloudFront Functions	Lambda@Edge
Runtime	JavaScript only	Node.js, Python
Execution Time	<1 ms (ultralight)	Up to 5-30 seconds
Triggers	Viewer Request / Viewer Response only	All 4 events (Viewer + Origin Request/Response)
Network Access	❌ No	✅ Yes (call APIs, DBs)
Scale	Millions of RPS (massive)	Thousands of RPS
Cost	~$0.10 per million invocations	~$0.60 per million + duration
Use Cases	URL rewrite, header manipulation, simple redirects, cache key normalization	Auth with external IdP, A/B testing, image transformation, SSR

Lambda@Edge is powerful but has significant limitations compared to standard Lambda functions:

Restriction	Detail	Workaround
No environment variables	Cannot use env vars like standard Lambda	Hardcode values, or fetch from SSM Parameter Store at cold start
Body size limit	Request/response body limited to 1 MB (1,048,576 bytes)	For larger payloads, modify at origin instead
No VPC access	Cannot access VPC resources (RDS, ElastiCache, etc.)	Call external APIs or use DynamoDB (public endpoint)
Limited runtimes	Node.js 18/20 and Python 3.9/3.11/3.12 only	No Go, Java, Ruby, .NET at edge
Execution time	Viewer events: max 5s. Origin events: max 30s.	Keep logic lightweight; offload heavy work to origin
No /tmp (viewer)	Viewer events have no /tmp; origin events have 512 MB /tmp	Use in-memory processing for viewer events
Region	Must be deployed in us-east-1 (replicated globally)	Always create Lambda@Edge functions in N. Virginia

CloudFront supports HTTP/3 (QUIC) — a UDP-based protocol that reduces connection setup time and handles packet loss better than TCP. Benefits:

• 0-RTT connection: repeat visitors connect instantly (no TCP+TLS handshake)
• Better on mobile: handles network switches (WiFi→cellular) without reconnecting
• Faster on lossy networks: single lost packet doesn't block entire stream (unlike HTTP/2)
• Enable per-distribution. Falls back to HTTP/2 if client doesn't support QUIC.

CloudFront offers two logging options with different latency and delivery targets:

Feature	Standard Logs	Real-Time Logs
Latency	Minutes to hours	5-10 seconds
Delivery	S3 bucket (free storage cost)	Kinesis Data Streams (extra cost)
Use Case	Analytics, auditing, historical archives	Real-time monitoring, security alerting, live dashboards
Fields	20+ fields per log line	Configurable (choose specific fields)
Sampling	All requests (no sampling)	Configurable sampling rate (1-100%)
Cost	Free (you pay for S3 storage)	Kinesis pricing + per log line

Setup: S3 bucket (private, Block Public Access ON) + CloudFront distribution with OAC + ACM cert in us-east-1 + Route 53 Alias record. Result: global HTTPS static site for pennies/month.

Key insight: even for dynamic content, CloudFront helps via TLS optimization (terminate HTTPS at edge = fewer round-trips), connection reuse to origin, and Shield/WAF protection.

Front a Regional API Gateway with CloudFront for WAF protection, edge caching of GET responses, and custom domain management:

Combine multiple origins with origin groups for high availability:

Behavior	Primary Origin	Secondary Origin (Failover)	Result
/static/*	S3 us-east-1	S3 eu-west-1 (CRR replica)	Static files survive region failure
/api/*	ALB us-east-1	ALB eu-west-1	API fails over to DR region
Default	ALB us-east-1	S3 "maintenance" page	App down → users see maintenance page

Scenario	Architecture	Key Config
"Static site with custom domain + HTTPS"	Route 53 → CloudFront → S3 (OAC)	ACM cert in us-east-1. S3 private.
"Reduce latency for global API"	Route 53 → CloudFront → API GW (Regional)	Cache GET responses. WAF for protection.
"Serve dynamic app faster globally"	Route 53 → CloudFront → ALB	TTL=0 for dynamic. Still benefits from TLS+Shield.
"Premium content for paying users only"	CloudFront + Signed URLs	App generates signed URL. CF validates signature.
"High availability for static content"	CloudFront + Origin Group (S3 + S3 replica)	CRR between buckets. Origin Group failover.
"Block specific countries"	CloudFront Geo-Restriction	Deny list by country code. Or WAF for complex rules.