Security
- HTTPS is the default. You can attach your own certificate or an ACM certificate; because the distribution is global, the ACM certificate must be requested in us-east-1 (N. Virginia).
- You can attach an AWS WAF web ACL (a web ACL with CloudFront/global scope).
- Price class: you cannot choose individual edge locations, only groups of regions (roughly continents).
- Geographic restrictions allow or block whole countries for the whole distribution. If you need finer control (per path, or combined with other rules) use WAF geo-match rules instead.
Endpoints
- Supports both AWS and non-AWS origins: S3 bucket, S3 static website endpoint, EC2, ELB, any HTTP server, ...
Expiring content
- To change the cache duration for all files that match a path pattern, change Minimum TTL, Maximum TTL and Default TTL of the cache behavior.
- To change it for an individual file, have the origin return Cache-Control (max-age, s-maxage) and/or Expires headers. Cache-Control takes precedence over Expires, s-maxage takes precedence over max-age at the edge, and the result is clamped to [Minimum TTL, Maximum TTL].
- Default TTL is 24 hours. Origin headers are free; forcing content out of the cache before it expires (invalidation) is charged above the monthly free quota of invalidation paths.
- Cache-Control: max-age=3600 tells CloudFront to keep the object in the cache for 3600 seconds (one hour).
- max-age and s-maxage together let objects stay in CloudFront edge caches (s-maxage) for a different duration than in browser caches (max-age).
Private content
- Restrict viewer access to private content with signed URLs or signed cookies (use case: documents, business data, media streams, content for selected users, e.g. users who paid a fee).
- Force users through the CloudFront distribution and prevent direct access through S3 URLs.
- Two ways to send authenticated requests to an S3 origin: origin access control (OAC, recommended) and origin access identity (OAI, legacy).
Standard logging
- Delivers logs of viewer requests to an S3 bucket (optionally including cookies). The log bucket must have ACLs enabled.
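The TTL precedence above is easy to get wrong in practice (s-maxage vs max-age, and the clamp to the behavior's Minimum/Maximum TTL). The following is an added example, not code from the original notes or from AWS: a small simulator of how long an object stays at the edge versus in the browser for a given origin response. The header values and TTL settings it uses are constructed for the example; the precedence is a simplified version of the documented CloudFront caching rules.

```python
import email.utils
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class BehaviorTTL:
    """TTL settings of a CloudFront cache behavior (defaults are CloudFront's defaults)."""
    min_ttl: int = 0
    default_ttl: int = 86400      # 24 hours
    max_ttl: int = 31536000       # 1 year


def parse_cache_control(value: str) -> dict:
    """Split 'max-age=3600, s-maxage=86400, private' into {'max-age': '3600', ...}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def http_date(ts: float) -> str:
    """RFC 7231 date as used in an Expires header, e.g. 'Tue, 14 Nov 2023 22:13:20 GMT'."""
    return email.utils.formatdate(ts, usegmt=True)


def edge_ttl(headers: dict, ttl: BehaviorTTL, now: Optional[float] = None) -> int:
    """Seconds CloudFront keeps the object in its edge cache.

    Simplified precedence: no-cache/no-store/private -> Minimum TTL (0 means "not cached");
    then s-maxage; then max-age; then Expires; otherwise Default TTL. Any value taken from
    the origin is clamped to [Minimum TTL, Maximum TTL].
    """
    now = time.time() if now is None else now
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if any(d in cc for d in ("no-cache", "no-store", "private")):
        return ttl.min_ttl
    if "s-maxage" in cc:
        origin_ttl = int(cc["s-maxage"])
    elif "max-age" in cc:
        origin_ttl = int(cc["max-age"])
    elif "expires" in h:
        expires = email.utils.parsedate_to_datetime(h["expires"]).timestamp()
        origin_ttl = max(0, int(expires - now))
    else:
        return ttl.default_ttl
    return max(ttl.min_ttl, min(origin_ttl, ttl.max_ttl))


def browser_ttl(headers: dict, now: Optional[float] = None) -> Optional[int]:
    """Seconds a browser may reuse the object: it honours max-age (or Expires) and ignores
    both s-maxage and the distribution's TTL settings. None means no explicit freshness."""
    now = time.time() if now is None else now
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return 0
    if "max-age" in cc:
        return int(cc["max-age"])
    if "expires" in h:
        expires = email.utils.parsedate_to_datetime(h["expires"]).timestamp()
        return max(0, int(expires - now))
    return None


if __name__ == "__main__":
    behavior = BehaviorTTL()
    # Constructed origin response: one hour in browsers, one day at the edge.
    resp = {"Cache-Control": "max-age=3600, s-maxage=86400"}
    print("edge:", edge_ttl(resp, behavior), "browser:", browser_ttl(resp))
    print("no headers -> Default TTL:", edge_ttl({}, behavior))
    print("max-age=10 with Minimum TTL 60 ->", edge_ttl({"Cache-Control": "max-age=10"}, BehaviorTTL(min_ttl=60)))
```

Note the asymmetry: a Minimum TTL above 0 makes CloudFront cache even responses marked private or no-store, which is a common way to accidentally share per-user content between viewers.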
Exam tips
- Almost every external-customer performance issue can be solved by putting CloudFront in front of the application. Slow connections across the globe? Images or videos loading slowly? Cache it. Speed is the main purpose.
- Works with AWS and non-AWS endpoints.
- Geographic restrictions can block or allow individual countries, but WAF is the better tool when more fine-grained control is needed.
- You cannot select a specific edge location, only an area/continent (price class).
- It is the only option to add HTTPS to a static website hosted in an S3 bucket (S3 website endpoints are HTTP only).
- Improves performance for both cacheable content (images, videos) and dynamic content (uploads, API acceleration, dynamic site delivery).
Edge function trigger points (Lambda@Edge)
- Viewer request: after CloudFront receives a request from a viewer
- Origin request: before CloudFront forwards the request to the origin
- Origin response: after CloudFront receives the response from the origin
- Viewer response: before CloudFront forwards the response to the viewer
Signed URL / signed cookie policy can specify
- An expiration date and time for the URL (required)
- (Optional) The date and time the URL becomes valid
- (Optional) The IP address or range of the computers allowed to access the content
- Trusted signers: which key groups or AWS accounts are allowed to create signed URLs
Trusted key group (recommended)
- Can use APIs to create and rotate keys (and IAM to control who may call those APIs); no root user needed
- Configured in CloudFront: create a public/private key pair, upload the public key to CloudFront and add it to one or more trusted key groups on the distribution
- The private key is used by your applications (e.g. on EC2) to sign URLs; the public key is used by CloudFront to verify the signature
AWS account that contains a CloudFront key pair (not recommended)
- Keys must be managed by the root user, and only through the AWS console (no API)
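What a signed URL with a custom policy actually carries is worth seeing once: the policy JSON, CloudFront's own URL-safe base64 alphabet, and the three query parameters. The block below is an added example, not code from the original notes or from AWS. It builds the policy and the URL, and evaluates the policy's conditions the way the edge would (signature check aside). The signing function is injected: `demo_signer` is a stand-in so the example runs offline; a real application signs the policy bytes with the private key of the trusted key group (RSA-SHA1, PKCS#1 v1.5). The distribution domain and key pair id are placeholders.

```python
import base64
import hashlib
import ipaddress
import json
import time
from typing import Callable, Optional


def cloudfront_base64(data: bytes) -> str:
    """CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    encoded = base64.b64encode(data).decode("ascii")
    return encoded.replace("+", "-").replace("=", "_").replace("/", "~")


def custom_policy(resource: str, expires_at: int, starts_at: Optional[int] = None,
                  source_ip: Optional[str] = None) -> str:
    """Custom policy JSON: expiration is required, start time and IP range are optional."""
    condition = {"DateLessThan": {"AWS:EpochTime": int(expires_at)}}
    if starts_at is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": int(starts_at)}
    if source_ip is not None:
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    statement = {"Resource": resource, "Condition": condition}
    # No whitespace: the exact bytes are signed, so the encoding must be reproducible.
    return json.dumps({"Statement": [statement]}, separators=(",", ":"))


def signed_url(url: str, key_pair_id: str, sign: Callable[[bytes], bytes], expires_at: int,
               starts_at: Optional[int] = None, source_ip: Optional[str] = None) -> str:
    """Append the Policy, Signature and Key-Pair-Id query parameters to url."""
    policy = custom_policy(url, expires_at, starts_at, source_ip).encode("utf-8")
    params = {
        "Policy": cloudfront_base64(policy),
        "Signature": cloudfront_base64(sign(policy)),
        "Key-Pair-Id": key_pair_id,
    }
    separator = "&" if "?" in url else "?"
    return url + separator + "&".join(f"{k}={v}" for k, v in params.items())


def policy_allows(policy_json: str, now: int, client_ip: str) -> bool:
    """Evaluate the policy conditions as the edge would after verifying the signature."""
    cond = json.loads(policy_json)["Statement"][0]["Condition"]
    if now >= cond["DateLessThan"]["AWS:EpochTime"]:
        return False                                   # expired
    if "DateGreaterThan" in cond and now <= cond["DateGreaterThan"]["AWS:EpochTime"]:
        return False                                   # not valid yet
    if "IpAddress" in cond:
        allowed = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"], strict=False)
        if ipaddress.ip_address(client_ip) not in allowed:
            return False                               # wrong client network
    return True


def demo_signer(data: bytes) -> bytes:
    """Stand-in signer so the example runs offline (NOT a real signature). In production,
    sign `data` with the trusted key group's private key using RSA-SHA1 / PKCS#1 v1.5."""
    return hashlib.sha1(data).digest()


if __name__ == "__main__":
    now = int(time.time())
    url = signed_url("https://d111111abcdef8.cloudfront.net/private/report.pdf",   # placeholder domain
                     "K36X4DEXAMPLE", demo_signer, expires_at=now + 3600,        # placeholder key id
                     starts_at=now, source_ip="203.0.113.0/24")
    print(url)
```

Keep the expiry short and the IP condition as narrow as the client population allows; once issued, a signed URL cannot be revoked other than by removing the public key from the key group, which invalidates every URL signed with it.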
S3 origin access
- Public: the bucket must allow public access (not recommended)
- Origin access control (OAC, recommended): the bucket can restrict access to CloudFront only; the bucket policy must allow s3:GetObject to the CloudFront service principal (cloudfront.amazonaws.com), conditioned on the ARN of your distribution
- Origin access identity (OAI, legacy): the bucket policy must allow read access to the OAI
Cache behavior settings
- Path pattern: which requests this behavior applies to, based on the request URI path. The default behavior is /*; you can add more specific behaviors, e.g. /images/* or /api/*
- Compress objects automatically: compress certain files received from the origin before delivering them, only if the viewer supports it (Accept-Encoding header)
- Viewer protocol policy: HTTP and HTTPS / Redirect HTTP to HTTPS / HTTPS only
- Allowed HTTP methods: can include PUT, POST, PATCH and DELETE. CloudFront does not cache these; it forwards them to the origin (uploads enter at the edge location and travel the AWS network to the origin)
- Restrict viewer access: viewers must use CloudFront signed URLs or signed cookies to access the content
- Cache key and origin requests
  - Cache policy and origin request policy (recommended)
    - Cache policy: TTL settings (default, min, max); cache key settings (which parts of the viewer request are included in the cache key: HTTP headers, URL query strings, cookies); compression support (request and cache Gzip or Brotli objects when the viewer supports them)
    - Origin request policy: on a cache miss, controls which headers, query strings and cookies are included in the origin request in addition to those in the cache policy, without affecting the cache hit ratio
  - Legacy cache settings: headers, query strings, cookies
Settings
- Alternate domain name (CNAME): optionally add the custom domain names you use in URLs for the files served by this distribution
- Custom SSL certificate: CloudFront has its own certificate (*.cloudfront.net) but you can associate a certificate from AWS Certificate Manager; required to serve alternate domain names over HTTPS
Geographic restrictions
- No restrictions / Allow list / Block list (country level, whole distribution)
- The CloudFront-Viewer-Country header carries the country; it is available to Lambda@Edge and to the origin when you forward it
- The country is determined from the viewer IP address using a third-party GeoIP database
OAC S3 bucket configuration
- Block all public access: enabled
- Bucket policy:
  Principal: Service: cloudfront.amazonaws.com
  Action: s3:GetObject
  Resource: arn:aws:s3:::<bucket>/* (the objects, not the bucket ARN, because s3:GetObject is an object-level action)
  Condition: StringEquals: AWS:SourceArn: <ARN of your distribution> (without this condition any CloudFront distribution in any AWS account could read the bucket)
Procedure
- Create the origin access control (Security > Origin access)
- Attach it to the origin (Your distribution > Origins > select the origin > Origin access: Origin access control settings > choose the control setting, or Create control setting)
- Copy the policy statement the console generates into the bucket policy
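The bucket policy above is short, but two mistakes are common: granting on the bucket ARN instead of `bucket/*`, and leaving out the `AWS:SourceArn` condition, which turns the grant into "any CloudFront distribution anywhere". The following is an added example, not code from the original notes or from AWS: it builds the policy and runs a small checker over it that flags those mistakes. Bucket name, account id and distribution id are placeholders.

```python
import json
from typing import List


def oac_bucket_policy(bucket_name: str, distribution_arn: str) -> dict:
    """Bucket policy that lets only the named CloudFront distribution read objects via OAC."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            # s3:GetObject is object-level: the resource is bucket/*, not the bucket ARN.
            "Resource": f"arn:aws:s3:::{bucket_name}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def check_oac_policy(policy: dict) -> List[str]:
    """Findings for Allow statements that expose the bucket more widely than OAC intends."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "?")
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: public principal, OAC is pointless")
        if isinstance(principal, dict) and principal.get("Service") == "cloudfront.amazonaws.com":
            cond = st.get("Condition", {})
            source = (cond.get("StringEquals", {}).get("AWS:SourceArn")
                      or cond.get("ArnLike", {}).get("AWS:SourceArn"))
            if not source:
                findings.append(f"{sid}: cloudfront.amazonaws.com without AWS:SourceArn, "
                                "any distribution in any AWS account could read the bucket")
            elif "*" in source:
                findings.append(f"{sid}: wildcard AWS:SourceArn {source}")
            actions = st.get("Action")
            actions = [actions] if isinstance(actions, str) else list(actions)
            extra = [a for a in actions if a != "s3:GetObject"]
            if extra:
                findings.append(f"{sid}: grants {extra} beyond s3:GetObject "
                                "(only needed if viewers upload through CloudFront)")
            resources = st.get("Resource")
            resources = [resources] if isinstance(resources, str) else list(resources)
            if any(not r.endswith("/*") for r in resources):
                findings.append(f"{sid}: s3:GetObject needs an object resource (bucket/*)")
    return findings


if __name__ == "__main__":
    # Placeholders: example bucket, example account id and the distribution id from the AWS docs.
    policy = oac_bucket_policy("example-bucket",
                               "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE")
    print(json.dumps(policy, indent=2))
    print("findings:", check_oac_policy(policy))
```

Run the checker against the policy you actually deploy (e.g. the output of `aws s3api get-bucket-policy`), not only against the generated one; drift usually happens when someone later widens the statement by hand.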
Client errors
- 400 Bad Request: problem with the request (e.g. malformed)
- 403 Forbidden / Access Denied: the object is not accessible to CloudFront or to the viewer (missing or wrong bucket policy, OAC/OAI not granted, missing or expired signed URL/cookie, WAF or geo block)
- 404 Not Found: the object does not exist
- Checklist: does the requested object exist? do the users have access to it? is the request correctly formed?
Origin errors
- 502 Bad Gateway: CloudFront cannot connect to the origin (including TLS handshake or certificate problems with the origin)
- 503 Service Unavailable: performance/capacity issues on the origin server
- 504 Gateway Timeout: the request expired before a response was received from the origin; also a performance/capacity issue (high traffic)
TTL
- By default the TTL is 24 hours; you can configure a longer period, up to 1 year
- Balance the TTL between cache hit ratio (performance) and the ability to update content
- High TTL with frequent content updates: users get outdated content
- Low TTL with infrequent content updates: decreased performance for no reason
Cache hit ratio
- If CloudFront varies responses on (all) request headers or cookies, most requests go to the origin (cache miss) instead of being served from the cache: low cache hit ratio
- For every header/cookie you forward, CloudFront caches a separate copy for each combination of name and value it receives, even when the origin responses are identical
- To increase the cache hit ratio, restrict what you forward to the origin: forward only the specific cookies/headers that identify a version of the object. This avoids filling the cache with identical copies
- Example: forward only the Accept-Language header to serve the PDF written in the language the client understands
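To make the effect of the cache key concrete, here is an added example (not code from the original notes or from AWS) that replays a constructed set of requests for one PDF against an empty edge cache and reports the hit ratio and the number of copies cached, for three cache keys: everything forwarded, only Accept-Language, and nothing. The requests, languages, browser versions and session cookies are all constructed for the example.

```python
import random
from typing import Dict, List, Sequence, Tuple

OBJECT = "/docs/guide.pdf"


def make_requests(n: int = 2000, seed: int = 1) -> List[Dict[str, str]]:
    """Constructed sample: n viewers fetch the same PDF, each with its own session cookie and
    a browser version; only Accept-Language changes the response the origin produces."""
    rng = random.Random(seed)
    langs = ["en-US", "fr-FR", "de-DE"]
    return [{
        "path": OBJECT,
        "Accept-Language": rng.choice(langs),
        "User-Agent": f"Browser/{rng.randint(100, 130)}",
        "Cookie": f"session=s{i}",          # unique per viewer, like a real session cookie
    } for i in range(n)]


def simulate(requests: Sequence[Dict[str, str]], key_headers: Sequence[str]) -> Tuple[float, int]:
    """Replay requests against an empty edge cache whose key is the path plus the listed
    headers. Returns (cache hit ratio, number of distinct cached copies of the object)."""
    cache = set()
    hits = 0
    for r in requests:
        key = (r["path"],) + tuple(r.get(h, "") for h in key_headers)
        if key in cache:
            hits += 1
        else:
            cache.add(key)          # miss: origin fetched, one more copy stored
    return hits / len(requests), len(cache)


if __name__ == "__main__":
    reqs = make_requests()
    for headers in (["Accept-Language", "User-Agent", "Cookie"], ["Accept-Language"], []):
        ratio, copies = simulate(reqs, headers)
        print(f"key = path + {headers or 'nothing'}: hit ratio {ratio:.3f}, {copies} cached copies")
```

Forwarding the cookie is the worst case: every viewer gets a private copy and the hit ratio is zero. Keying on nothing gives the best ratio but serves the first language fetched to everyone, so the right key is the smallest set of fields the origin really varies on.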
Headers CloudFront can add for the origin
- Device detection: configure CloudFront to forward CloudFront-Is-Desktop-Viewer, CloudFront-Is-Mobile-Viewer, CloudFront-Is-SmartTV-Viewer and CloudFront-Is-Tablet-Viewer to your custom origin. Based on the User-Agent header, CloudFront sets each of them to true or false before forwarding the request
- Language: to cache different versions of your objects based on the language requested, forward the Accept-Language header to the origin
- Country: to cache different versions based on the country the request came from, forward the CloudFront-Viewer-Country header; CloudFront converts the request IP address into a two-letter country code
- Protocol: to cache different versions based on the protocol of the request (HTTP or HTTPS), forward the CloudFront-Forwarded-Proto header
Other uses of request headers
- Identifying requests that come from CloudFront (rather than directly at the origin)
- Determining which distribution a request came from
- Enabling cross-origin resource sharing (CORS)
- Controlling access to content
CORS
- Enable CORS on the S3 bucket (or other origin)
- Configure CloudFront to forward the Origin header to the origin (cache policy / origin request policy)
- Configure the origin to return the Access-Control-Allow-Origin header for every request
- CloudFront then respects the origin's CORS settings
Reports
- Cache statistics: total requests (all HTTP status codes and methods); percentage of viewer requests by result type (hit, miss, error); bytes transferred to viewers; viewer requests by HTTP status code; percentage of GET requests that did not finish downloading
- Popular objects: the 50 most popular objects and statistics about them
- Top referrers: the top 25 referrers and statistics
- Usage: number of requests; data transferred by protocol; data transferred by destination
- Viewers: devices, browsers, operating systems, locations
Updating content
- Remove files from the origin: CloudFront keeps serving the cached copy until it expires
- Invalidate the file: takes effect quickly but incurs a cost above the free monthly quota
- Use file versioning: serve the new version under a different name (e.g. image_v2.png). Overwriting the existing file name also works, but the new content is served only after the old version expires and a user requests the file again (and browsers may still hold their own cached copy)
Origin Shield
- An additional caching layer that reduces load on the origin and helps protect its availability
- Better cache hit ratio: a centralized caching layer in front of the origin that collapses simultaneous requests for the same object coming from multiple regional edge caches
- Reduced origin load: fewer simultaneous requests reach the origin for the same object
- Better network performance: enable Origin Shield in the AWS Region with the lowest latency to the origin
Use cases
- Viewers spread across different geographical regions
- Origins that do just-in-time packaging for live streaming or on-the-fly image processing
- On-premises origins with capacity or bandwidth constraints
- Workloads that use multiple CDNs
Custom SSL
- SNI Custom SSL: use your own SSL certificates with CloudFront at no additional charge. Content is delivered from every edge location with the same security as Dedicated IP Custom SSL; only very old clients without SNI support cannot connect
- Dedicated IP Custom SSL: the distribution serves HTTPS for your alternate domain names from a dedicated IP address in each edge location, so that clients without SNI support can connect; incurs an additional monthly charge per distribution
Memcached
- Simple database caching solution, not a database itself
- Multithreading
- No snapshots, no replication, no failover / Multi-AZ, no backups
- Data partitioning (sharding)
- Sub-millisecond latency
Redis
- Supported as a caching solution and can function as a standalone in-memory NoSQL database
- Snapshots, replication, advanced data structures, data partitioning
- Sub-millisecond latency
- Failover and Multi-AZ support
- Supports backups
DAX vs ElastiCache
- DAX: specific to DynamoDB
- ElastiCache: more flexible, can be placed in front of any database, but typically used with RDS
Exam tips
- Favor answers that include database caching
- DAX is a cache only, and only for DynamoDB; ElastiCache Memcached is just a cache; ElastiCache Redis is also an in-memory database
- No need to go into details for the exam; Redis also appears as a standalone database in exam questions
- Use cases: read-heavy applications (social network, gaming, media sharing, Q&A portal); compute-intensive applications (recommendation engine)
Caching strategies
- Lazy loading / cache-aside is easy to implement and works as a foundation in many situations, especially on the read side
- Write-through is usually combined with lazy loading, targeted at the queries or workloads that benefit from it
- Setting a TTL is usually a good idea, except for keys maintained with write-through, which the writes themselves keep in sync
ElastiCache cluster creation (Redis)
- Cluster creation method: Easy create, Configure and create, Restore from backups
- Easy create presets: Production (cache.r6g.xlarge, 26.32 GiB memory, up to 10 Gigabit network); Dev/Test (cache.r6g.large, 13.07 GiB memory, up to 10 Gigabit network); Demo (cache.t4g.micro, 0.5 GiB memory, up to 5 Gigabit network)
- Configure and create
  - Cluster mode (scale the cluster dynamically with no downtime)
    - Enabled: data is partitioned across multiple shards (up to 500, within the cluster limit of 500 nodes) with up to 6 nodes per shard (1 primary + up to 5 replicas) for scalability and availability
    - Disabled: a single shard (node group) with one primary node and up to 5 read replicas, or a single node if replication is disabled
  - Location: AWS Cloud, or On premises on an Outpost (AWS Outposts)
  - Multi-AZ: automatic failover to a read replica in another AZ when the primary node fails
  - Cluster settings: engine version, port, parameter group, node type, number of replicas
  - Encryption at rest, encryption in transit
  - Automatic backups, maintenance window, logs (slow logs and engine logs)
- Restore from backups
ElastiCache cluster creation (Memcached)
- Location: AWS Cloud, or On premises on an Outpost (AWS Outposts)
- Cluster settings: engine version, port, parameter group, node type, number of nodes 1-40 (each node is a partition of your data)
- Encryption in transit
- Maintenance window
Monitoring
- CPUUtilization threshold violation: scale out by adding nodes
- SwapUsage > 50 MB: allocate more memory (larger node type)
- FreeableMemory < 100 MB, or SwapUsage > FreeableMemory: node memory is under pressure, add memory
- Evictions: if non-expired items are being removed from the cache, add nodes or increase the node size
- CurrConnections: too many connections usually points at the application (connection handling / pooling)
Vertical scaling (Redis)
- Online: the cluster keeps serving requests while scaling
- Scale up: increase read and write capacity by changing the node type to a larger one
- Scale down: reduce read and write capacity by changing the node type to a smaller one
Authentication
- IAM authentication: tokens are valid for at most 15 minutes; MULTI/EXEC commands are not supported
- Redis AUTH: require an AUTH token/password before clients can run commands. Enabled at creation with --auth-token and --transit-encryption-enabled (and related parameters); it can also be enabled after the cluster is created, and requires in-transit encryption (TLS)
- Two strategies for modifying the AUTH token (--auth-token-update-strategy):
  - ROTATE: adds an additional AUTH token to the server while retaining the previous one (both valid, so clients can be updated gradually)
  - SET: updates the server to support just a single AUTH token (run after all clients use the new one)
Memcached scaling
- Horizontal: increase/decrease the number of partitions (nodes) in the cluster; requires key space remapping, which temporarily increases cache misses
- Vertical: create a new cluster with the new node type, update the endpoints in your application to the new cluster's endpoints, delete the old cluster. Memcached clusters always start empty unless the application populates them
Redis online resharding
- The cluster keeps serving requests during the scaling process
- Change the number of node groups (shards) in the replication group by adding or removing shards
- Online resharding causes some performance degradation; offline resharding takes the cluster offline for a significant portion of the process
Ways an item leaves the cache
- You delete the item explicitly
- The item is evicted because memory is full and it was not recently used (LRU)
- The item's time-to-live (TTL) expires
Global Accelerator
- Masks a complex architecture behind the same static IPs; the application architecture can change with no user impact
- Speeds up connections: traffic enters the AWS global network at the nearest edge and stays on it
- Routes users to the most appropriate endpoint based on their physical location and endpoint health
- Supports TCP and UDP
- Endpoint group: associated with one AWS Region and contains one or more endpoints in that Region
- Weighted pools: weights behind the static IPs to test new features or handle failures
- Endpoints: NLB, ALB, EC2 and Elastic IP
Exam tips
- Solves the IP caching issue (clients/DNS holding on to old IPs); this appears in questions
- Speeds things up
- Weighting lets you move traffic according to your requirements
- Two static anycast IPs that never change, served from independent network zones; bringing your own IPs is also possible
Standard accelerator
- Improves availability and performance of applications running on ALB, NLB, EC2
- Routes traffic across regional endpoints based on geo-proximity and endpoint health
- Blue/green deployment, A/B testing, multi-Region deployment
Custom routing accelerator
- For scenarios that need custom application logic to direct one or more users to a specific destination and port among many
- VoIP, real-time gaming with specific routing needs
Endpoint types: NLB, ALB, EC2, Elastic IP
DAX
- In-memory cache for DynamoDB: reduces response times from milliseconds to microseconds
- Highly available, lives inside the VPC you specify
- You control node size, node count, TTL of the data, and maintenance windows for changes and updates
- Up to 11 nodes per cluster (the primary plus up to 10 read replicas); all nodes must be the same size
- Deploy across AZs; at least 3 nodes are required for the cluster to be fault-tolerant
- Same Region as the DynamoDB table
- You need a primary node and can add replica nodes
Scaling
- Add more nodes (read replicas): increases the overall read throughput of the cluster
- Use a larger node type: more capacity, can increase throughput; requires creating a new cluster with the new node type
Encryption
- Server-side encryption at rest: the data DAX persists on disk is encrypted (DAX writes data to disk while propagating changes from the primary node to the read replicas)
- Encryption in transit is supported
Client
- The application connects to the DAX cluster endpoint; the DAX client performs load balancing and routing across the nodes
- The client sends the application's DynamoDB API requests to DAX; DAX answers what it can from the cache and passes the rest through to DynamoDB
Reads
- DAX can answer GetItem, BatchGetItem, Query and Scan
- Eventually consistent reads: on a cache miss DAX reads from DynamoDB, returns the result to the application and writes it into the primary node's cache
- Strongly consistent reads: always passed through to DynamoDB; the results are not cached
Writes
- Write-through operations: BatchWriteItem, UpdateItem, DeleteItem and PutItem
- Data is written to the DynamoDB table first, then to the DAX cluster; the operation succeeds only if both writes succeed
Write-through vs write-around
- Write-through: good to keep the cache in sync, but only if no other application writes directly to the table
- Write-around: good when you need to write large quantities of data; reduces write latency, but the cache is not in sync (stale until the TTL expires or the item is evicted)
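The caching-strategy notes above (lazy loading, write-through and TTL under ElastiCache, and write-through vs write-around here for DAX) describe the same trade-off: who keeps the cache in sync and for how long a stale entry survives. The block below is an added example, not code from the original notes, from ElastiCache or from DAX: a toy table and cache (both constructed stand-ins) with the three access patterns, showing a write-around by "another application" leaving a stale entry that only the TTL eventually clears.

```python
from typing import Dict, Optional, Tuple


class Table:
    """Constructed stand-in for the DynamoDB table (or RDS database) behind the cache."""
    def __init__(self) -> None:
        self.rows: Dict[str, str] = {}
        self.reads = 0

    def get(self, key: str) -> Optional[str]:
        self.reads += 1
        return self.rows.get(key)

    def put(self, key: str, value: str) -> None:
        self.rows[key] = value


class Cache:
    """Minimal in-memory cache with an optional per-item TTL in seconds (None = never expires)."""
    def __init__(self, ttl: Optional[int] = None) -> None:
        self.ttl = ttl
        self.items: Dict[str, Tuple[str, Optional[float]]] = {}

    def get(self, key: str, now: float) -> Optional[str]:
        entry = self.items.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if expires_at is not None and now >= expires_at:
            del self.items[key]          # TTL expired: treat as a miss
            return None
        return value

    def put(self, key: str, value: str, now: float) -> None:
        self.items[key] = (value, None if self.ttl is None else now + self.ttl)


def read_lazy(cache: Cache, table: Table, key: str, now: float) -> Optional[str]:
    """Lazy loading / cache-aside: on a miss, read the table and populate the cache."""
    value = cache.get(key, now)
    if value is None:
        value = table.get(key)
        if value is not None:
            cache.put(key, value, now)
    return value


def write_through(cache: Cache, table: Table, key: str, value: str, now: float) -> None:
    """Write-through: the table is written first, then the cache, so both stay in sync."""
    table.put(key, value)
    cache.put(key, value, now)


def write_around(cache: Cache, table: Table, key: str, value: str) -> None:
    """Write-around: only the table is written; a cached copy stays stale until TTL or eviction."""
    table.put(key, value)


if __name__ == "__main__":
    table, cache = Table(), Cache(ttl=60)
    write_through(cache, table, "user:1", "v1", now=0)
    print(read_lazy(cache, table, "user:1", now=1), table.reads)   # v1 from cache, 0 table reads
    write_around(cache, table, "user:1", "v2")                     # e.g. another app writing directly
    print(read_lazy(cache, table, "user:1", now=3))                # stale v1
    print(read_lazy(cache, table, "user:1", now=61))               # TTL expired: fresh v2
```

With `Cache(ttl=None)` the stale value would be served forever, which is the failure mode behind "keep the cache in sync only if no other application writes directly to the table".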
Summary
- CloudFront: external caching
- ElastiCache: internal caching for databases
- DAX (DynamoDB Accelerator): internal caching dedicated to DynamoDB
- Global Accelerator: speeds up external connections
Exam tips
- AWS loves caches: whenever possible pick a solution that includes caching; put caches everywhere
- Caches help with speed but also with failures (the cache can keep serving while the origin or database is unavailable)
- Internal vs external: one or the other, do not confuse them
- Questions to ask: 1. Can it be cached? 2. If yes, what kind of caching should be used? 3. How does the content in the cache get updated? (usually TTL, sometimes a purge/invalidation) 4. Does it add anything besides speed?
- CloudFront is the only option to add HTTPS to a static website hosted in an S3 bucket
- Always favor answers that include caching; it is usually presented only positively (no cost consideration)
- Global Accelerator is the solution whenever the scenario talks about IP caching; that is its primary use in the exam
- If you see "in-memory database" the usual options are Redis and DynamoDB (with DAX); if the scenario offers DynamoDB pick that option
- Redis has more features than Memcached
- Backups are supported only on Redis, not on Memcached or DAX