Lab: Optimizing Global Performance with AWS Edge Services
Design a solution that incorporates edge network services to optimize user performance and traffic management for global architectures
This hands-on lab guides you through the implementation of AWS edge networking services—Amazon CloudFront and AWS Global Accelerator—to optimize performance and availability for global users. You will learn to distinguish between Layer 7 content delivery (CloudFront) and Layer 4 network path optimization (Global Accelerator).
Prerequisites
- AWS Account: An active AWS account with AdministratorAccess permissions.
- AWS CLI: Installed and configured on your local machine (aws configure).
- Resource Naming: Use the prefix brainybee-lab- for all resources created today.
- Basic Networking Knowledge: Understanding of VPCs, Subnets, and Application Load Balancers (ALB).
Learning Objectives
- Configure an Amazon CloudFront distribution to cache static content from an S3 origin.
- Provision an AWS Global Accelerator to provide a static entry point for a regional Application Load Balancer.
- Compare the latency improvements and traffic management capabilities of both edge services.
- Implement origin security using CloudFront Origin Access Control (OAC).
Architecture Overview
The following diagram illustrates the two traffic paths we will build: one for static content via CloudFront and one for dynamic traffic via Global Accelerator.
Step-by-Step Instructions
Step 1: Deploy the Static Content Origin (S3)
We will create a private S3 bucket to host an index.html file that will be served via CloudFront.
```bash
# Create a unique bucket name
BUCKET_NAME=brainybee-lab-static-$(date +%s)
# Create the bucket in us-east-1
aws s3 mb s3://$BUCKET_NAME --region us-east-1
# Create a dummy index.html
echo "<html><body><h1>Hello from CloudFront Edge!</h1></body></html>" > index.html
# Upload to S3
aws s3 cp index.html s3://$BUCKET_NAME/
```
Console alternative:
1. Navigate to the S3 console and choose Create bucket.
2. Enter a name like brainybee-lab-static-uniqueid.
3. Keep Block all public access enabled.
4. Click Create bucket and upload an index.html file.
Step 2: Create a CloudFront Distribution with OAC
CloudFront will cache the S3 content. We will use Origin Access Control (OAC) to ensure users cannot bypass CloudFront to access the bucket directly.
```bash
# 1. Create OAC (Origin Access Control)
aws cloudfront create-origin-access-control --origin-access-control-config '{"Name": "lab-oac", "SigningBehavior": "always", "SigningProtocol": "sigv4", "OriginAccessControlOriginType": "s3"}'
# 2. Create the distribution (Note: this requires a complex JSON config; the console is
#    recommended for the initial creation of the distribution and its bucket policy)
```
[!TIP] In a production ANS-C01 scenario, always prefer OAC over the legacy OAI (Origin Access Identity), as OAC supports AWS Signature Version 4 and SSE-KMS.
Console alternative:
1. Navigate to the CloudFront console and choose Create distribution.
2. Origin domain: Select your S3 bucket.
3. Origin access: Select Origin access control settings.
4. Click Create new OAC and accept defaults.
5. Viewer protocol policy: Redirect HTTP to HTTPS.
6. Click Create distribution.
7. Copy the generated S3 Bucket Policy from the yellow banner and apply it to your S3 bucket permissions.
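As an added example (not part of the original lab), the following script builds and applies a bucket policy equivalent to the one the console banner offers in step 7. The bucket name, account id and distribution id are placeholders; the AWS:SourceArn condition is what limits read access to this one distribution rather than to any CloudFront distribution in any account.

```bash
#!/usr/bin/env bash
# Added example (not from the original lab): generate and apply the S3 bucket
# policy that allows only one CloudFront distribution to read objects via OAC.
# Bucket name, account id and distribution id are supplied by the caller.
set -eu

# Print a bucket policy granting s3:GetObject to the CloudFront service
# principal, scoped by AWS:SourceArn to a single distribution ARN.
make_oac_bucket_policy() {
  local bucket="$1" account_id="$2" dist_id="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipalReadOnly",
      "Effect": "Allow",
      "Principal": { "Service": "cloudfront.amazonaws.com" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::${bucket}/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::${account_id}:distribution/${dist_id}"
        }
      }
    }
  ]
}
EOF
}

# Apply the generated policy with the AWS CLI (needs credentials and the
# real bucket/distribution; only runs when APPLY_POLICY=1 is set).
apply_oac_bucket_policy() {
  local bucket="$1" account_id="$2" dist_id="$3" tmp
  tmp=$(mktemp)
  make_oac_bucket_policy "$bucket" "$account_id" "$dist_id" > "$tmp"
  aws s3api put-bucket-policy --bucket "$bucket" --policy "file://$tmp"
  rm -f "$tmp"
}

# Usage: APPLY_POLICY=1 ./oac-policy.sh <bucket> <account-id> <distribution-id>
if [ "${APPLY_POLICY:-0}" = "1" ]; then
  apply_oac_bucket_policy "$1" "$2" "$3"
fi
```

Without APPLY_POLICY=1 the script only defines the functions, so you can review the JSON from make_oac_bucket_policy before it touches the bucket.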
Step 3: Deploy AWS Global Accelerator
Global Accelerator provides two static IP addresses that route traffic over the AWS internal network to your regional ALB.
```bash
# Create the Accelerator (the Global Accelerator API is served from us-west-2,
# so the region must be set explicitly regardless of where your ALB lives)
aws globalaccelerator create-accelerator --name "brainybee-accelerator" --ip-address-type IPV4 --region us-west-2
```
Console alternative:
1. Navigate to the Global Accelerator console and choose Create accelerator.
2. Name: brainybee-accelerator.
3. Add a listener: Port 80, Protocol TCP.
4. Add an endpoint group: Region us-east-1.
5. Add an endpoint: Choose your ALB (ensure you have one running or create a basic one first).
6. Click Create accelerator.
Checkpoints
| Checkpoint | Action | Expected Result |
|---|---|---|
| CloudFront Connectivity | Run curl -I https://<your-cf-id>.cloudfront.net/index.html | HTTP/2 200 and X-Cache: Miss from cloudfront (first hit) then Hit from cloudfront (second hit). |
| S3 Security | Run curl https://<bucket-name>.s3.amazonaws.com/index.html | 403 Forbidden (Confirming OAC is working). |
| Global Accelerator | Run dig <accelerator-dns-name> | Two static AWS Anycast IP addresses are returned. |
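The three checkpoints above, scripted as an added example (not part of the original lab). The header and DNS parsing is kept in small functions so it can be exercised on constructed sample output; run_checkpoints performs the live calls and takes your CloudFront domain, bucket name and accelerator DNS name as arguments.

```bash
#!/usr/bin/env bash
# Added example (not from the original lab): automate the lab checkpoints.
# Parsing helpers work on captured text; run_checkpoints does the network calls.
set -eu

# Return the HTTP status code from the first line of `curl -sI` output.
http_status() {
  printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p' | tr -d '\r'
}

# Return the X-Cache header value ("Miss from cloudfront" / "Hit from cloudfront").
cache_status() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Xx]-[Cc]ache: *//p' | head -n 1
}

# Count IPv4 A records in `dig +short` output; an accelerator should return two.
count_a_records() {
  printf '%s\n' "$1" | grep -cE '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' || true
}

# Live checks. Usage: run_checkpoints <cf-domain> <bucket-name> <accelerator-dns-name>
run_checkpoints() {
  local cf="$1" bucket="$2" ga="$3" first second direct
  first=$(curl -sI "https://${cf}/index.html")
  second=$(curl -sI "https://${cf}/index.html")
  echo "CloudFront: HTTP $(http_status "$first"); first=$(cache_status "$first"); second=$(cache_status "$second")"
  # Direct bucket access must be refused, otherwise OAC is not enforced.
  direct=$(curl -sI "https://${bucket}.s3.amazonaws.com/index.html")
  if [ "$(http_status "$direct")" = "403" ]; then
    echo "S3 direct access blocked (403): OK"
  else
    echo "WARNING: bucket answered $(http_status "$direct") directly; check the OAC bucket policy"
  fi
  echo "Global Accelerator A records: $(count_a_records "$(dig +short "$ga")") (expect 2)"
}
```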
Analysis: Performance Comparison
Consider the latency reduction achieved through these edge services. Below is a conceptual representation of the latency difference between standard Internet routing and AWS Edge routing.
```latex
\begin{tikzpicture}[scale=1]
  \draw[->, thick] (0,0) -- (8,0) node[right] {Time (ms)};
  \draw[->, thick] (0,0) -- (0,4) node[above] {User Distance};
  % Public Internet Line
  \draw[red, thick] (0,0.5) .. controls (3,2) and (5,3.5) .. (7.5,3.8) node[right] {Public Internet (High Jitter)};
  % AWS Backbone Line
  \draw[blue, thick] (0,0.5) -- (7.5,1.5) node[right] {AWS Backbone (Low Latency)};
  \node at (4, -0.8) {\textbf{Figure 1: Network Path Latency Optimization}};
\end{tikzpicture}
```
Troubleshooting
| Error | Cause | Fix |
|---|---|---|
| Access Denied on CloudFront | S3 Bucket policy is missing OAC permission. | Go to S3 > Permissions > Bucket Policy and ensure cloudfront.amazonaws.com has s3:GetObject permission. |
| Accelerator Pending | The DNS/Health checks are initializing. | Wait 3-5 minutes for the accelerator status to reach Deployed. |
| CF Changes Not Showing | Content is cached at the edge. | Create a CloudFront Invalidation for path /*. |
Clean-Up / Teardown
[!WARNING] Remember to run these commands to avoid ongoing charges. Global Accelerator has a fixed hourly charge regardless of traffic.
- Delete Global Accelerator: You must first disable it, then remove the listener and endpoint group before deleting the accelerator.
```bash
# CLI commands for deletion are multi-step; use the console for rapid teardown:
# 1. Disable Accelerator
# 2. Delete Endpoint Group, then Listener
# 3. Delete Accelerator
```
- Delete CloudFront: Disable the distribution first, wait for the status to be Disabled, then delete.
- Delete S3 Bucket:
```bash
aws s3 rb s3://$BUCKET_NAME --force
```
Stretch Challenge
Task: Implement a Geolocation-based routing policy using Route 53 that points to your CloudFront distribution for users in Europe and a different origin for users in North America.
Question to consider: Why would you use Route 53 Geolocation routing in front of CloudFront if CloudFront already uses Latency-based routing to find the nearest edge location?
Cost Estimate
| Service | Estimated Cost |
|---|---|
| Amazon CloudFront | First 1TB of data transfer out is Free. |
| AWS Global Accelerator | $0.025 per hour fixed fee + Data Transfer Premium. |
| Amazon S3 | $0.023 per GB (Standard storage). |
Concept Review
| Feature | Amazon CloudFront | AWS Global Accelerator |
|---|---|---|
| Layer | Layer 7 (HTTP/HTTPS) | Layer 4 (TCP/UDP) |
| Primary Use | Caching static/dynamic content | Improving packet path for apps (Gaming, VoIP, APIs) |
| IP Addresses | Dynamic (DNS-based) | Static Anycast IPs (2 per accelerator) |
| Termination | Terminates TLS at the Edge | Terminates TCP at the Edge (if using TCP) |
| Protocol Support | HTTP/S, WebSockets | TCP, UDP |
[!IMPORTANT] For the ANS-C01 exam, remember: CloudFront is for content (caching), while Global Accelerator is for network (routing over AWS backbone).