What is CloudFront?
Imagine you run a website with visitors all over the world. If your site’s files are stored in one place, say a server in the US, visitors in Asia or Europe will experience delays because data has to travel long distances. CloudFront solves this by creating a network of servers, called edge locations, around the world. It stores (or “caches”) copies of your site’s files close to where users are. When someone visits your site, CloudFront delivers content from the nearest edge location, making everything load much faster.
CloudFront supports many types of content, including:
- Static files like images, videos, HTML, CSS, and JavaScript
- Dynamic content such as API responses
- Streaming video
This all happens behind the scenes, so users get a fast, smooth experience without you having to manage multiple servers worldwide.
How CloudFront Works with Origins
An origin is where your original files live. CloudFront fetches content from your origin, caches it at edge locations, and serves it to users. AWS supports several common origin types:
- S3 buckets: Great for static content like images or website files.
- Application Load Balancer (ALB): Used when your backend runs on EC2 instances behind a load balancer.
- EC2 instances: If you don’t use a load balancer, CloudFront can fetch directly from EC2.
When a user requests a file, CloudFront checks if it’s already cached at the nearest edge location:
- If yes, it delivers the cached copy immediately.
- If no, it pulls the file from your origin, caches it at the edge, and then delivers it.
CloudFront and S3: The Classic Setup
Pairing CloudFront with an S3 bucket is one of the most popular setups, especially for static websites or media hosting. Here’s why:
- Performance: S3 stores your original content, and CloudFront caches it globally for faster access.
- Security: You can block all public access on the bucket and allow only your CloudFront distribution to read from it using Origin Access Control (OAC). OAC supersedes the older Origin Access Identity (OAI); with OAC the bucket policy grants `s3:GetObject` to the `cloudfront.amazonaws.com` service principal only when the request is made on behalf of your distribution's ARN, so users cannot bypass CloudFront and hit the bucket directly.
- Cost Savings: Serving data from CloudFront’s edge locations costs less than direct S3 internet transfers.
In practice, you configure your S3 bucket as the origin in your CloudFront distribution. Users then access your website or files through CloudFront’s domain, not directly via S3 URLs.
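The bucket policy that makes the OAC lock-down work, as an added example that is not part of the original page or of any AWS sample. It generates the policy for a constructed bucket, account and distribution ID (all placeholders), and includes a small audit that flags the two ways such a policy is commonly weakened: an anonymous `Principal: "*"` read statement left over from a public-bucket phase, or a CloudFront service-principal statement without the `AWS:SourceArn` condition, which would let any CloudFront distribution in any account read the bucket.

```python
"""Generate and audit an S3 bucket policy that lets only one CloudFront
distribution (via Origin Access Control) read objects. Example code, not AWS's."""
import json

# Constructed placeholder values; substitute your own bucket, account and distribution.
BUCKET = "example-static-site"
ACCOUNT_ID = "123456789012"
DISTRIBUTION_ID = "E2EXAMPLE12345"


def oac_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """Bucket policy for OAC: the CloudFront service principal may GetObject only
    when the request is signed on behalf of this one distribution."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipalReadOnly",
                "Effect": "Allow",
                "Principal": {"Service": "cloudfront.amazonaws.com"},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringEquals": {
                        "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
                    }
                },
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_bypass_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that let someone read objects without
    going through the intended distribution: anonymous principals, or the
    CloudFront service principal with no AWS:SourceArn condition."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("s3:GetObject", "s3:Get*", "s3:*", "*") for a in actions):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(sid)  # public read: CloudFront is bypassable
            continue
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "cloudfront.amazonaws.com" in services:
            cond = stmt.get("Condition", {})
            source_arns = []
            for operator in ("StringEquals", "StringLike", "ArnEquals", "ArnLike"):
                source_arns += _as_list(cond.get(operator, {}).get("AWS:SourceArn", []))
            if not source_arns:
                findings.append(sid)  # any distribution in any account could read the bucket
    return findings


if __name__ == "__main__":
    policy = oac_bucket_policy(BUCKET, ACCOUNT_ID, DISTRIBUTION_ID)
    print(json.dumps(policy, indent=2))
    print("bypass findings:", find_bypass_statements(policy))
```

Run the audit against `aws s3api get-bucket-policy --bucket <name> --query Policy --output text` as part of a deployment check; the generated policy is what OAC needs and nothing more, and "Block all public access" should remain on at the bucket level as a second layer.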
Using ALB and EC2 as Origins for Dynamic Content
Static content is great, but many applications have dynamic elements that change based on user input or time, like personalized dashboards or APIs.
CloudFront can work with:
- Application Load Balancers (ALB): These distribute incoming requests across multiple EC2 instances to handle traffic efficiently.
- EC2 Instances: Your app servers that process requests and generate responses.
- Origins inside a VPC: With CloudFront VPC origins, CloudFront can connect to an ALB, NLB, or EC2 instance that sits in a private subnet with no public IP address, so the origin is reachable only through CloudFront.
This means you can keep your backend servers private and not expose them directly to the internet, while still using CloudFront to deliver dynamic content efficiently and securely. CloudFront can cache some of the responses, like repeated API results or static assets, to reduce load on your backend and improve response times.
Key things to note:
- CloudFront forwards user requests to ALB/EC2 or other origins if the content isn’t cached or is dynamic.
- You can configure cache behaviors to control which requests get cached and which go straight to your backend.
- When using VPC origins, the origin has no public endpoint, so requests can only arrive through CloudFront. For an origin that stays internet-facing (a public ALB), restrict its security group to the CloudFront managed prefix list and have CloudFront add a secret custom origin header that the ALB listener rule requires; otherwise anyone who discovers the ALB hostname can bypass CloudFront and whatever WAF rules or geo restrictions you set there.
- CloudFront improves availability by serving users from the nearest edge location. For origin-level failover, configure an origin group with a primary and a secondary origin; Route 53 health checks can add DNS-level failover in front of that.
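Cache behaviors decide which requests are cached and which go straight to the backend, and the rules CloudFront applies to pick a behavior are easy to get subtly wrong. The following resolver is an added example (not CloudFront's code and not from the original page) that reproduces the matching rules: behaviors are tried in listed order, path patterns use `*` and `?` wildcards, the leading slash is optional, the query string is ignored, and matching is case-sensitive. The behaviors, origin names and the "personalized page served from the ALB" scenario are constructed; the two managed cache policy IDs are the real AWS `CachingDisabled` and `CachingOptimized` IDs (confirm with `aws cloudfront list-cache-policies`). The case-sensitivity check shows why a cached default behavior is dangerous when only `/api/*` is excluded: a request for `/API/me` misses the pattern and gets cached.

```python
"""Resolve which cache behavior a CloudFront distribution applies to a request,
the way CloudFront does: behaviors are tried in the order they are listed,
the first matching path pattern wins, and the default behavior catches the rest.
Example code, not part of CloudFront or of the original article."""
import fnmatch

# AWS managed cache policy IDs (verify with `aws cloudfront list-cache-policies`).
CACHING_DISABLED = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"
CACHING_OPTIMIZED = "658327ea-f89d-4fab-a63d-7e88639e58f6"

# Constructed example: static assets from an S3 origin, everything else from an ALB.
BEHAVIORS = [
    {"path_pattern": "/static/*", "origin": "s3-assets", "cache_policy": CACHING_OPTIMIZED},
    {"path_pattern": "/api/*", "origin": "alb-app", "cache_policy": CACHING_DISABLED},
]
# A cached default is tempting for a mostly static site, but any path that misses
# the /api/* pattern is then cached, personalized responses included.
CACHED_DEFAULT = {"path_pattern": "*", "origin": "alb-app", "cache_policy": CACHING_OPTIMIZED}
# Fail-closed alternative: cache only the prefixes that are explicitly listed.
SAFE_DEFAULT = {"path_pattern": "*", "origin": "alb-app", "cache_policy": CACHING_DISABLED}


def _normalize(path: str) -> str:
    # CloudFront treats "/images/*" and "images/*" alike and never matches on the query string.
    return path.split("?", 1)[0].lstrip("/")


def resolve_behavior(path: str, behaviors=BEHAVIORS, default=CACHED_DEFAULT) -> dict:
    """Return the behavior CloudFront would apply to `path`.

    Path patterns support * and ? and are matched case-sensitively, which
    fnmatchcase reproduces (it also accepts [..] classes, which CloudFront
    does not, so keep real patterns to * and ?)."""
    request = _normalize(path)
    for behavior in behaviors:
        if fnmatch.fnmatchcase(request, _normalize(behavior["path_pattern"])):
            return behavior
    return default


def is_cached(path: str, behaviors=BEHAVIORS, default=CACHED_DEFAULT) -> bool:
    """True if the matched behavior caches responses (anything but CachingDisabled)."""
    return resolve_behavior(path, behaviors, default)["cache_policy"] != CACHING_DISABLED


def find_case_leaks(behaviors=BEHAVIORS, default=CACHED_DEFAULT) -> list:
    """For each uncached behavior, probe the upper-cased form of its pattern and
    report it if a request in that casing would land on a cached behavior."""
    leaks = []
    for behavior in behaviors:
        if behavior["cache_policy"] != CACHING_DISABLED:
            continue
        probe = _normalize(behavior["path_pattern"]).upper().replace("*", "x")
        if is_cached(probe, behaviors, default):
            leaks.append("/" + probe)
    return leaks


if __name__ == "__main__":
    for p in ("/static/app.js", "/api/me?user=1", "/API/me"):
        print(p, "->", resolve_behavior(p)["origin"], "cached" if is_cached(p) else "uncached")
    print("case leaks with cached default:", find_case_leaks())
    print("case leaks with fail-closed default:", find_case_leaks(default=SAFE_DEFAULT))
```

The practical rule this encodes: cache by allow-list (explicit prefixes) and leave the default behavior uncached, or normalize the request path to lower case in a CloudFront Function before behaviors are evaluated. Relying on a single `/api/*` exclusion means one odd-cased URL can put a user's private response into a shared cache.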
Georestriction: Control Access by Location
Sometimes you need to restrict access to content based on the user’s country — this could be for legal reasons, licensing agreements, or regional compliance.
CloudFront’s georestriction feature lets you:
- Whitelist (Allowlist): Only allow users from specified countries to access your content.
- Blacklist (Blocklist): Block users from specified countries.
CloudFront does this by mapping the viewer's IP address to a country with a GeoIP database and returning an HTTP 403 to viewers from countries that are not permitted. This is useful for content owners who must comply with regional rules or want to limit usage to specific markets.
Keep in mind, georestriction is not foolproof: IP geolocation databases contain errors, and users behind VPNs or proxies can appear to be in a permitted country. Treat it as a coarse control, not as an access-control boundary for sensitive data.
Price Classes: Manage Your Costs
CloudFront has over 400 edge locations worldwide, but delivering content from every one can add up in cost.
AWS offers Price Classes so you can limit the edge locations CloudFront uses, balancing cost and performance:
- Price Class 100: Only edge locations in the US, Canada, and Europe. Cheapest option but limited global reach.
- Price Class 200: Includes Price Class 100 plus locations in South America, Asia, and the Middle East.
- Price Class All: All edge locations worldwide. Best performance, highest cost.
Choosing the right price class depends on your user base. For example, if your customers are mainly in the US and Europe, Price Class 100 might be enough.
Cache Invalidation: Refreshing Content When Needed
CloudFront caches files for a period defined by Time-to-Live (TTL) settings. If you update content (like fixing a bug or changing an image), cached copies at the edge won’t update until TTL expires, which could mean users see outdated content.
Cache invalidation allows you to:
- Explicitly remove files from the cache at all edge locations.
- Force CloudFront to fetch fresh content from the origin on the next request.
Invalidation can be requested via AWS Console, CLI, or API, but beware:
- The first 1,000 invalidation paths per month are free; beyond that, AWS charges per path. A wildcard path such as /images/* counts as a single path no matter how many objects it invalidates.
- Invalidations take some time to propagate — it’s not instant.
To avoid frequent invalidations, many developers use versioned file names (like app_v2.js) so CloudFront treats updated files as new content.
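The two techniques above (content-hashed file names so deployments need no invalidations, and wildcard paths so the invalidations you still need stay within the free quota) as one added example, not from the original page or from any AWS tooling. File contents and paths are constructed; the `collapse_threshold` heuristic is an assumption of this example, not a CloudFront setting.

```python
"""Content-hashed asset names, and an invalidation planner for the files that
cannot be versioned (HTML entry points, a rollback). Example code."""
import hashlib
import posixpath
from collections import defaultdict


def versioned_name(path: str, content: bytes) -> str:
    """js/app.js + bytes -> js/app.<8 hex of sha256>.js

    The name changes whenever the bytes change, so an updated file is a brand-new
    cache key at every edge and the old one simply stops being referenced."""
    digest = hashlib.sha256(content).hexdigest()[:8]
    root, ext = posixpath.splitext(path)
    return f"{root}.{digest}{ext}"


def build_manifest(files: dict) -> dict:
    """Map logical names to hashed names so templates can reference the hashed
    copy (files: {logical_path: content_bytes}, constructed input)."""
    return {path: versioned_name(path, content) for path, content in files.items()}


def plan_invalidation(changed_keys, collapse_threshold: int = 3) -> list:
    """Turn changed object keys into CloudFront invalidation paths.

    Every path must start with "/". A wildcard such as /images/* counts as ONE
    path toward the 1,000 free paths per month, so a directory with many changed
    objects is collapsed to a single wildcard (threshold is this example's choice).
    Keys with special characters must be URL-encoded before submission."""
    by_dir = defaultdict(set)
    for key in changed_keys:
        key = "/" + key.lstrip("/")
        by_dir[posixpath.dirname(key)].add(key)
    paths = []
    for directory, keys in sorted(by_dir.items()):
        if len(keys) >= collapse_threshold:
            paths.append(posixpath.join(directory, "*"))
        else:
            paths.extend(sorted(keys))
    return paths


if __name__ == "__main__":
    # Constructed deployment: hashed assets need no invalidation, only the HTML
    # that references them (and a directory of regenerated images) does.
    assets = {"js/app.js": b"console.log('v2')", "css/site.css": b"body{margin:0}"}
    print(build_manifest(assets))
    print(plan_invalidation(["index.html", "about.html", "images/a.png", "images/b.png", "images/c.png"]))
```

Submitting the plan is `aws cloudfront create-invalidation --distribution-id <id> --paths <paths...>`; keep `/*` for genuine emergencies such as a rollback, since it evicts everything and the next wave of requests all go to the origin.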
AWS Global Accelerator: Speeding Up Your Applications with Global Networking
What is AWS Global Accelerator?
AWS Global Accelerator is a networking service designed to improve the availability and performance of your applications by routing user traffic through the AWS global network infrastructure. Think of it as a smart traffic controller that directs your users’ requests over the fastest, most reliable paths to your application endpoints — no matter where they are in the world.
The Problem Global Accelerator Solves
When users access your application (hosted on EC2, ALB, or even Elastic IPs), their traffic travels over the public internet. This path can be unpredictable—subject to congestion, packet loss, and variable latency—which can slow down your app and hurt user experience. Global Accelerator solves this by:
- Providing fixed static IP addresses that act as the front door for your application.
- Routing incoming user traffic onto the AWS private global network, which is faster, more reliable, and less congested than the public internet.
- Automatically redirecting traffic to healthy endpoints in multiple regions, improving availability and failover.
Understanding how IP addresses work here is key.
- Unicast IP: This is a “one-to-one” IP address that routes traffic to a single, specific endpoint. Traditional setups use unicast IPs — but this means users might connect to a far or congested path.
- Anycast IP: This is a “one-to-nearest” IP address. The same IP is advertised from multiple locations globally, and user requests automatically route to the closest (lowest latency) AWS edge location.
How Global Accelerator Uses Anycast
Global Accelerator assigns you two static Anycast IP addresses. These IPs are advertised from multiple AWS edge locations worldwide. When users send traffic to these IPs, the internet automatically routes the request to the nearest AWS edge location, which then forwards it via the AWS private network to your application endpoints.
This reduces latency and improves performance by shortening the network path.
What Does Global Accelerator Work With?
Global Accelerator can direct traffic to various AWS resources, including:
- Application Load Balancers (ALB)
- Network Load Balancers (NLB)
- EC2 instances
- Elastic IP addresses (EIPs)
This flexibility lets you accelerate a wide range of applications and workloads.
Key Features of AWS Global Accelerator
- Smart Routing: Uses health checks and routing algorithms to send user traffic to the best available endpoint (based on performance and health).
- Health Checks: Continuously monitors endpoint health and automatically reroutes traffic away from unhealthy endpoints to keep your app available.
- Static Anycast IP Addresses: Your users get a fixed set of IPs to connect to, simplifying DNS and firewall rules.
- DDoS Protection: Integrated with AWS Shield Standard, Global Accelerator protects against distributed denial-of-service attacks by leveraging AWS’s global edge network.
- Security: Global Accelerator works at the transport layer and does not terminate TLS; the TLS session runs end to end between the client and your endpoint (for example, an ALB with an ACM certificate). For application-layer protection, attach AWS WAF to the ALB behind the accelerator; it cannot be attached to the accelerator itself.
- Failover & High Availability: Automatically reroutes traffic across regions or endpoints for resilience during outages.
- No Caching: Unlike CloudFront, Global Accelerator does not cache content — it focuses on fast and reliable routing of live traffic.
Why Use Global Accelerator Over CloudFront?
While CloudFront is a CDN that caches and delivers content closer to users, Global Accelerator optimizes network paths for applications where caching isn’t possible or desirable (like APIs, gaming, or real-time apps). It improves global availability and latency by leveraging the AWS global network for traffic routing.
Comparison: AWS Global Accelerator vs CloudFront
Feature / Aspect | AWS Global Accelerator | AWS CloudFront |
---|---|---|
Primary Purpose | Improve network routing, availability, and latency for live traffic | Content Delivery Network (CDN) that caches content close to users |
Caching | No caching | Caches static and cacheable dynamic responses at edge locations |
IP Addresses | Provides two static anycast IP addresses | Viewers use the distribution domain name (or your CNAME to it); no static IPs by default |
Protocols Supported | TCP and UDP (layer 4; TLS passes through untouched) | HTTP and HTTPS (HTTP/1.1, HTTP/2, HTTP/3), WebSocket |
Use Cases | APIs, gaming, VoIP, IoT and other real-time or non-HTTP traffic | Static websites, media streaming, software downloads, APIs with caching |
Routing | Routes over the AWS global network to the best endpoint based on health, geography and configured weights | Routes to the nearest edge location and serves from cache or fetches from the origin |
Health Checks | Yes, continuously monitors endpoints and shifts traffic away from unhealthy ones | No active checks; an origin group fails over to the secondary origin when the primary returns configured error codes or times out |
DDoS Protection | AWS Shield Standard | AWS Shield Standard |
Security Features | No TLS termination (TLS ends at your endpoint); AWS WAF attaches to an ALB endpoint behind it, not to the accelerator | TLS termination with ACM certificates, AWS WAF, signed URLs and cookies, OAC for S3 origins, geo restriction |
Failover | Automatic rerouting to healthy endpoints across regions | Origin groups (primary and secondary origin) per cache behavior |
Pricing Model | Fixed hourly fee per accelerator plus a data transfer premium | Data transfer out, requests, and invalidation paths beyond the monthly free quota |
Comparing CloudFront and Cross-Region Replication: What’s the Difference?
Both CloudFront and Cross-Region Replication (CRR) in S3 are AWS features that help improve access to your content, but they solve different problems and work in different ways.
Aspect | CloudFront | Cross-Region Replication (CRR) |
---|---|---|
Purpose | Content Delivery Network (CDN) to cache and deliver content fast globally | Automatically replicate S3 objects to another AWS region for redundancy and disaster recovery |
How it works | Copies content to edge locations worldwide, serving users from the nearest cache | Copies S3 objects asynchronously from a source bucket in one region to a destination bucket in another region |
Content delivery speed | Improves speed by caching content near users (edge locations) | No caching; content is accessed from whichever region the request is directed to |
Use case | Improve performance and reduce latency for global end users accessing websites, APIs, or streaming content | Increase data durability and availability; enable compliance and disaster recovery by having copies of data in multiple regions |
Data freshness | Cached content can be stale until invalidated or TTL expires | Replication is near real-time but not instant; replication delays can occur |
Cost | Costs involve data transfer out, requests, and cache invalidations | Charges for storage in both regions and replication data transfer |
Access method | Users access content via CloudFront domain; cache is transparent to users | Users access S3 buckets directly or via custom endpoints in each region |
Security | Restricts direct origin access (OAC for S3), delivers over HTTPS, and supports signed URLs and cookies for private content | Replication traffic is encrypted in transit; objects encrypted with SSE-S3 or SSE-KMS can be replicated (SSE-KMS needs a key in the destination region and must be enabled explicitly), and owner override can hand object ownership to the destination account |
Ideal for | Speeding up content delivery to a distributed audience worldwide | Backup, compliance, and availability across geographic regions; disaster recovery |
Best Practices
- Always use Origin Access Control (OAC) with S3 to restrict direct access; migrate any remaining Origin Access Identity (OAI) setups, which AWS has superseded.
- Set cache TTLs thoughtfully — balance between performance and freshness.
- Use versioning on static assets to minimize the need for invalidations.
- Leverage Lambda@Edge to customize content delivery (e.g., redirect based on headers).
- Monitor CloudFront metrics and logs to optimize cache hit ratios.
- Use georestriction carefully to avoid blocking legitimate traffic unintentionally.
- Choose your price class based on user location to control costs.
- Cache invalidation is not free after the first 1,000 paths per month — don’t overuse it.
- Georestriction relies on IP geolocation, which isn’t 100% reliable.
- Dynamic content is typically not cached unless explicitly configured.
- AWS Global Accelerator does not replace CloudFront; it complements it but does not cache content.
- Using price classes limits edge locations and may impact latency for users outside those regions.