Mastering AWS Edge Networking: CloudFront and Global Accelerator

This study guide focuses on optimizing application performance and availability by leveraging the AWS Global Infrastructure, specifically through Edge Locations and specialized networking services.

Learning Objectives

By the end of this guide, you should be able to:

• Distinguish between Amazon CloudFront and AWS Global Accelerator use cases.
• Explain how Edge Locations reduce latency for global users.
• Design architectures that integrate Route 53, WAF, and Shield with edge services.
• Determine the appropriate caching strategy for static and dynamic content.

Key Terms & Glossary

• Edge Location: A site that CloudFront uses to cache copies of your content for faster delivery to users at any location.
• Origin: The source of truth for your content (e.g., an S3 bucket, an EC2 instance, or an ELB).
• Distribution: A link between an origin and a domain name, created to tell CloudFront where you want content to be delivered from.
• Anycast IP: A networking technique where multiple nodes share the same IP address; traffic is routed to the "nearest" node geographically.
• Time To Live (TTL): The amount of time a resource is cached at an edge location before CloudFront checks the origin for updates.

The "Big Idea"

In traditional networking, every user request must travel across the public internet to reach your server's region, which introduces high latency and potential bottlenecks. The Big Idea of AWS Edge Networking is to "bring the AWS network to the user." By using CloudFront for content caching or Global Accelerator for optimized routing, you minimize the distance data travels over the unpredictable public internet, moving it onto the high-speed, private AWS global fiber network as quickly as possible.

Formula / Concept Box

Hierarchical Outline

1. The Global Infrastructure
   • Regions & Availability Zones: Core compute locations.
   • Edge Locations: Points of Presence (PoPs) used by edge services.
   • Regional Edge Caches: Larger caches located between original servers and edge locations.
2. Amazon CloudFront
   • Origins: S3, ELB, EC2, or Custom (on-premise).
   • Behaviors: Path-based routing (e.g., /images/* to S3, /api/* to ELB).
   • Security: Integration with AWS WAF and AWS Shield.
3. AWS Global Accelerator
   • Static IPs: Provides two global static Anycast IPs.
   • Performance: Uses the AWS internal network to bypass internet congestion.
   • Health Checks: Automatically reroutes traffic to healthy endpoints in different regions.

Visual Anchors

CloudFront Content Delivery Flow

Network Path Comparison

This diagram illustrates the difference between the standard internet path and the optimized AWS Global Accelerator path.

\begin{tikzpicture} % Standard Internet Path \draw[thick, gray, dashed] (0,3) -- (8,3) node[right] {\small Public Internet (Multiple Hops)}; \node[draw, circle, fill=blue!20] (U) at (0,3) {User}; \node[draw, rect, fill=red!20] (S) at (8,3) {Server};

\end{tikzpicture}

Definition-Example Pairs

• Static Content Caching: Storing files that don't change often at an edge location.
  • Example: A news website stores its logo (logo.png) on CloudFront so users in Sydney don't have to download it from a server in New York every time the page loads.
• Dynamic Acceleration: Optimizing the connection for data that cannot be cached.
  • Example: A real-time bidding platform uses CloudFront's optimized connection to the origin to reduce the TCP handshake time for personalized API responses.
• Anycast IP Routing: Using one IP address to reach the nearest entry point.
  • Example: A global gaming company gives players one IP address. A player in Tokyo hits the Tokyo edge, while a player in London hits the London edge, both using the same IP.

Worked Examples

Scenario 1: Low-Latency Static Website

Problem: You have an S3 bucket in us-east-1 hosting a static website. Users in Europe report slow load times. Solution:

1. Create a CloudFront Distribution.
2. Set the S3 Bucket as the Origin.
3. Configure Origin Access Control (OAC) to ensure users can only access the S3 content through CloudFront.
4. Update Route 53 to point your domain (e.g., www.example.com) to the CloudFront distribution domain name using an Alias record. Result: European users now fetch site assets from local European edge locations.

Scenario 2: High-Availability Multi-Region API

Problem: A banking application uses a VoIP service that requires consistent IP addresses for firewall allow-listing and must failover between us-west-2 and eu-central-1 instantly. Solution:

1. Deploy the application behind Application Load Balancers (ALB) in both regions.
2. Provision an AWS Global Accelerator.
3. Add both ALBs as endpoints to the Accelerator.
4. The Accelerator provides two static IPs to give to the VoIP service providers. Result: If us-west-2 goes down, Global Accelerator detects the health check failure and directs traffic to eu-central-1 within seconds using the same static IPs.

Checkpoint Questions

1. Which service should you use if your application uses a non-HTTP protocol like UDP?
   • Answer: AWS Global Accelerator (CloudFront is for HTTP/HTTPS).
2. How can you prevent users from bypassing CloudFront and accessing your S3 origin directly?
   • Answer: Use Origin Access Control (OAC) and update the S3 Bucket Policy to only allow the CloudFront service principal.
3. True or False: CloudFront can be used to cache dynamic content.
   • Answer: True. While it doesn't cache the unique response, it accelerates the path to the origin for dynamic requests.
4. What is the benefit of Global Accelerator's static IPs for corporate networks?
   • Answer: They allow for easy firewall allow-listing because the entry point IPs never change, even if the backend application scales or moves.