CloudFront is a content delivery network (CDN). A CDN is a global cache that stores copies of your data on edge caches, which are positioned as close to your customers as possible. It has three main benefits: lower latency, higher transfer speeds, and reduced load on the content server.

AWS Global Content Delivery Network (CDN):

  • Low latency
  • High transfer speeds from the origin



  • Origin:
    • The server or service that hosts your content (original version of your content)
    • Can be an S3 bucket, web server, or Amazon MediaStore.
  • Distribution:
    • Points edge locations and regional caches back to the origin
    • Configuration of logging, availability, and limitations
    • The “configuration” entity within CloudFront. It’s where you configure all aspects of a specific “implementation” of CloudFront from.
  • Edge Locations:
    • The location of your cached objects, located all over the globe
    • Current total is 169 in 30 countries
    • The local infrastructure that hosts caches of your data. Positioned in over 150 locations globally in over 30 countries.
  • Regional Edge Caches:
    • Location of cached objects that are not as frequently accessed
    • Current total is 11 in 30 countries
    • Larger versions of edge locations. Less of them but have more capacity and can serve larger areas

Caching Process

  • Create a distribution and point at one or more origins. A distribution has a DNS address that is used to access it.
  • The DNS address directs clients at the closest available edge location.
  • If the edge location has a cached copy of your data, it’s delivered locally from that edge location.
  • If it’s not cached, the edge location attempts to download it from either a regional cache or from the origin (known as an origin fetch).
  • As the edge location receives the data, it immediately begins forwarding it and caches it for the next visitor.

Process (alternative description)

  • When an edge location receives a request, it checks to see if it is cached locally
  • If so, the content is delivered
  • If not, the edge location can query the regional edge cache or the origin
  • When receiving these requested objects, the edge location immediately starts to forward to the end user

Content can expire, be discarded, and be recached. Or you can explicitly invalidate content to remove it from caches.

Making Changes to Content

  • You can simply delete from the origin and wait for content at the edge locations to reach the expiration period.
  • You can invalidate content to have it removed before the expiration, but it does cost more.

By default, CloudFront is fully publicly accessible – anyone with the DNS endpoint address can access content cached by the distribution.

A distribution can be configured to be private where each access requires a signed URL or cookie. This is done by setting the trusted signers on the distribution.

Private distributions can be bypassed by going straight to the origin (e.g., an S3 bucket).

An origin access identity (0A1) is a virtual identity that can be associated with a distribution. An S3 bucket can then be restricted to only allow this OAI to access it — all other identities can be denied.