What is AWS CloudFront?


What is Amazon CloudFront?

A Content Delivery Network (CDN) service that delivers content securely to viewers around the world with low latency and high transfer speeds.

Because it is a managed service, AWS operates the underlying infrastructure and keeps it running for you.

Content such as images on the origin server (the server from which the content is originally served) is copied to more than 100 edge locations around the world and delivered from there.

CloudFront is used for requirements such as efficient and high-speed delivery of video content globally.



Origin server

The server from which content is delivered, for example EC2 or S3.


Edge location

An AWS data center that is distinct from a Region or an Availability Zone (AZ). Services such as Route 53, CloudFront and AWS WAF run there.

There are more than 50 such locations worldwide, used for efficient DNS resolution and content delivery.



Viewer

A web browser (or other client) that accesses the content.


Explanation of the official AWS website





CloudFront Features

CloudFront keeps caches in edge locations close to the user, which allows fast content delivery.

Typically, a request is handled by the CloudFront edge server that can deliver to the viewer the fastest.

From the user's perspective, this reduces the waiting time to obtain data.

Delivering from a CloudFront edge server is faster than delivering from the origin server.


High speed

Images and other data are delivered from the edge server closest to the user.




Caching at edge servers

Content is cached at the edge servers.

Because each request reads the cached file on the edge server rather than fetching the file from the origin server every time, delivery does not overload the origin server.


If the data is not on the edge server

If the data does not exist at the edge location, it is first retrieved from the origin server and delivered; subsequent requests are served from the cache at that edge.


CloudFront provides fast content delivery by keeping the cache in edge locations that are closer to the user.


Typically, the request is processed by the CloudFront edge server that can deliver most quickly to the viewer.


Behavior when a user accesses content for the first time

For an image that a user accesses for the first time, CloudFront retrieves the data from the origin server and keeps a cache on the CloudFront server at the edge location.

If a user accesses that image again, the content is delivered from the edge server closer to the user, using the cached data on that cache server.




With S3, a file is placed in a bucket in a specific region.

When that file is accessed from the other side of the world, network latency alone can be several hundred milliseconds.



Use cases




What is an object URL?

To provide access to private media files only to paying members without changing the current object URLs, CloudFront's signed cookies feature allows you to manage user permissions to access private files.


What is a signed URL?

CloudFront's signed URLs and signed cookies provide the same basic functionality: they let you control who can access the content delivered by CloudFront.


Use a signed URL if

  • You want to use an RTMP distribution. Signed cookies are not supported for RTMP distributions.
  • You want to restrict access to individual files, such as an application installer download.
  • Users have a client that does not support cookies.


Use a signed cookie if

  • You want to provide access to multiple restricted files, such as all the files of a video in HLS format, or all the files in the subscriber area of a website.
  • You do not want to change your current object URLs.


When the number of image requests is increasing, it is preferable to deliver the images through CloudFront rather than to scale the origin with Auto Scaling, because that improves responsiveness for users.


For distribution to specific users

Create a CloudFront signed URL or signed cookie to restrict access to the files in the Amazon S3 bucket, and create a special CloudFront user called an Origin Access Identity (OAI) that is associated with the distribution.


Next, configure permissions so that CloudFront can use the OAI to read the files and serve them to users. With signed URLs and cookies you can, for example, set the date and time after which users can no longer access the content, and enforce which credentials can be used to access it.
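As an added example (not code from this page), here is how a CloudFront canned-policy signed URL and the equivalent signed cookies are assembled in Python, together with the expiry check that decides whether a URL is still valid. The key pair ID and domain are constructed placeholders, and `fake_sign` is an offline stand-in only: a real distribution requires an RSA-SHA1 signature made with the private key registered in the key group.

```python
import base64
import hashlib
import json
import time
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

# Constructed placeholder; a real value is the public key ID registered in the key group.
KEY_PAIR_ID = "KEXAMPLEKEYPAIRID"


def cf_b64(data: bytes) -> str:
    # CloudFront's base64 variant: '+', '=' and '/' are swapped for URL-safe characters.
    return base64.b64encode(data).decode().replace("+", "-").replace("=", "_").replace("/", "~")


def cf_b64_decode(text: str) -> bytes:
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))


def canned_policy(url: str, expires: int) -> str:
    # Canned policy: one resource and one expiry, serialized without whitespace,
    # because these exact bytes are what gets signed.
    statement = {"Resource": url, "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}
    return json.dumps({"Statement": [statement]}, separators=(",", ":"))


def signed_url(url: str, expires: int, sign: Callable[[bytes], bytes]) -> str:
    # In production, sign() is RSA-SHA1 with the private key matching KEY_PAIR_ID.
    sig = cf_b64(sign(canned_policy(url, expires).encode()))
    return f"{url}?Expires={expires}&Signature={sig}&Key-Pair-Id={KEY_PAIR_ID}"


def signed_cookies(url: str, expires: int, sign: Callable[[bytes], bytes]) -> Dict[str, str]:
    # Same policy and signature, carried in cookies so the object URL stays unchanged.
    sig = cf_b64(sign(canned_policy(url, expires).encode()))
    return {"CloudFront-Expires": str(expires), "CloudFront-Signature": sig,
            "CloudFront-Key-Pair-Id": KEY_PAIR_ID}


def is_expired(url: str, now: Optional[int] = None) -> bool:
    # DateLessThan semantics: the request time must be before Expires, otherwise it is rejected.
    expires = int(parse_qs(urlparse(url).query)["Expires"][0])
    return expires <= (now if now is not None else int(time.time()))


def fake_sign(data: bytes) -> bytes:
    # Offline stand-in so the block runs without a key pair; NOT a valid CloudFront signature.
    return hashlib.sha1(data).digest()
```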


Referer restrictions on CloudFront cannot be enforced without configuring AWS WAF; this control, applied through a WAF web ACL, is what is called a Referer restriction.


If you create a pre-signed URL in S3, you can share a specific object for as long as that URL is valid. This is used for restricted sharing of objects.


Auditing applications that use web delivery for PCI compliance


If you are running PCI or HIPAA compliant workloads under the AWS shared responsibility model, it is important to record CloudFront usage data for the past 365 days for audit purposes.


CloudFront access logs should be enabled to record usage data, so that requests sent to the CloudFront API can be captured.
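As an added example (not from this page), a small parser for CloudFront standard access logs that reads the field names from the #Fields header, then reports the edge cache hit ratio and the denied requests an audit would review. The log lines are constructed samples.

```python
from collections import Counter
from typing import Dict, List

# Constructed sample in the layout of a CloudFront standard access log (tab-separated,
# with the first 15 of the standard fields). The #Fields header drives the parser, so
# real logs with more columns parse the same way.
SAMPLE_LOG = """#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id
2024-01-01\t10:00:00\tNRT57-C1\t1024\t198.51.100.10\tGET\td111111abcdef8.cloudfront.net\t/video.mp4\t200\t-\tMozilla/5.0\tExpires=1700000000\t-\tMiss\treq-1
2024-01-01\t10:00:05\tNRT57-C1\t1024\t198.51.100.11\tGET\td111111abcdef8.cloudfront.net\t/video.mp4\t200\t-\tMozilla/5.0\tExpires=1700000000\t-\tHit\treq-2
2024-01-01\t10:00:09\tNRT57-C1\t512\t198.51.100.12\tGET\td111111abcdef8.cloudfront.net\t/video.mp4\t403\t-\tcurl/8.0\t-\t-\tError\treq-3
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per request, keyed by the names in the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif not line or line.startswith("#"):
            continue  # version header or blank line
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def cache_hit_ratio(rows: List[Dict[str, str]]) -> float:
    # Hit vs Miss in x-edge-result-type shows how much load the edge kept off the origin.
    kinds = Counter(r["x-edge-result-type"] for r in rows)
    served = kinds["Hit"] + kinds["Miss"]
    return kinds["Hit"] / served if served else 0.0


def denied_requests(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    # 403 responses: with signed URLs these are requests that carried no valid signature,
    # which an access audit wants to see alongside the successful requests.
    return [r for r in rows if r["sc-status"] == "403"]
```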


Integration with S3


CloudFront Related Services