Amazon CloudFront Deployment Guide (1) - Quickly Build CDN Content Distribution


Introduction

This guide is intended for technical partners who are new to Amazon Cloud Technology's CloudFront service and want to start building content distribution acceleration.

This article walks you through five steps on how to create a minimal architecture example for content acceleration with CloudFront.

Step 1: Create an S3 bucket to store content

Step 2: Create CloudFront basic configuration

Step 3: Test and use Route53 to accelerate domain name access

Step 4: View CloudFront Metrics and set alarms

Step 5: Enable CloudFront logs and store them in an S3 bucket for backup

Through this guide, you will learn how to use CloudFront to quickly build a content distribution network and demonstrate the distribution effect.

Let's start building a CloudFront-accelerated static website in five steps. The minimum architecture diagram of the content acceleration completed in this article is as follows:


What is Amazon Cloud Technology CloudFront?

CloudFront is a content delivery network (CDN) service provided by Amazon Cloud Technology. It is a network system that distributes data and content around the world to provide a faster and more reliable user access experience.

The goal of CloudFront is to bring content close to end users, thereby reducing latency and network congestion and delivering content quickly. It achieves faster response times by deploying server nodes at edge locations around the world, caching data closer to users, and serving each request from the edge location nearest to the user.

CloudFront supports various types of content, including static and dynamic web content, video and audio streaming, application acceleration and security features, and more. It also provides features such as content compression, SSL/TLS encryption, access control, logging and reporting, and more.

Using CloudFront can help websites and applications provide high-speed, highly available, and secure content delivery services while reducing the load on origin servers. It also provides seamless integration with other Amazon services such as S3 buckets, EC2 instances, and Lambda functions, among others.


Step one:

Build an S3 bucket to store content

Amazon S3 (Amazon Simple Storage Service) is a scalable object storage service provided by Amazon Cloud Technology. It allows developers to store and retrieve large amounts of data in a safe and reliable manner.

CloudFront can also distribute content from other cloud vendors' object storage or from third-party origin sites. It is worth mentioning that within Amazon Cloud Technology's network, CloudFront and S3 exchange data over the backbone network, so using CloudFront and S3 together gives you a content delivery experience with lower cost and better availability and performance.

In this guide, in order to quickly build and demonstrate the effect of content distribution, we will use S3 object storage as the content provider.

First, go to the home page of the S3 console and click Create Bucket:

Initially configure your bucket:

*To improve the security of the content, it is recommended to set the bucket's public access setting to Block all public access. In the following steps, the bucket's content will be accessed through CloudFront instead of directly.

S3 has many powerful customization features that are not covered here; leave the other settings at their defaults and click Create Bucket at the bottom of the page.

After creating the S3 bucket, on the S3 home page, search for the bucket by the name you gave it and click it to enter:

Click Upload to add the content to be distributed:

After the upload is complete, you can enter the bucket to view the content uploaded in the above step:

Open this resource in the S3 bucket to check that it is accessible (as shown in the figure below). Congratulations! At this point you have quickly completed the construction of a minimal static origin site!

Step two:

Build CloudFront basic configuration

Next, we will quickly build a CloudFront distribution (Distribution) configuration, enter the CloudFront home page and create a configuration:


On the CloudFront configuration initialization page you will see all the basic configuration elements that a CloudFront distribution needs, namely:

Origin –

The origin server. CloudFront supports a range of Amazon Cloud Technology services as origins, including but not limited to S3 / EC2 / ELB / API Gateway, as well as third-party origin sites.

Default cache behavior –

In this setting you can quickly and flexibly define the cache behavior, enable transfer compression, choose the allowed request methods, configure access control, and more.

Function associations –

Edge computing functions. CloudFront supports a "code as logic" approach to help you implement the customized requirements of your actual business, such as edge authentication, redirection, and device detection.

Web Application Firewall (WAF) –

Here you can quickly and easily enable Amazon Cloud Technology WAF from the initialization page. Amazon Cloud Technology WAF helps you defend against malicious traffic from the Internet and integrates seamlessly with CloudFront without complex architectural changes. For Amazon WAF settings we provide a separate series of small guides on WAF deployment; for details, please refer to:

Amazon Cloud Technology WAF Deployment Guide (1) WAF Principle, Default Deployment and Log Storage

https://aws.amazon.com/cn/blogs/china/aws-waf-deployment-guide-1-waf-principle-default-deployment-and-log-storage/

Settings –

Other configuration, such as selecting the CloudFront edge regions to use, enabling HTTP/3, enabling IPv6, and so on as required.

For the above settings, we will expand and discuss in-depth in this small guide series targeting different needs and scenarios, so stay tuned!

You can refer to the following configuration for initial configuration:

Origin 

In the origin settings we use the S3 bucket created in Step 1 to serve the content. For security reasons, public access was blocked when the S3 bucket was created, so we configure CloudFront OAC (Origin Access Control) to let CloudFront read the contents of S3:

Click Create Access Control Settings


After CloudFront is created and initialized later, we will get the Policy Statement, and we will update the Policy Statement to the S3 settings in the next steps.


For other configurations, we refer to the following screenshots and keep the default settings:


After the creation is complete, you will return to the settings page of this Distribution, and then we will perform two key operations:

 ▪ Update the Policy Statement of S3 so that CloudFront can successfully access the S3 bucket and obtain static content

 ▪ Apply for an HTTPS certificate to encrypt your Internet traffic

Update the Policy Statement of S3

At this time, the Policy Statement used for S3 access control has also been generated synchronously, click Copy Policy above:


The Policy can also be found in the corresponding Origin configuration of CloudFront:


In the Permissions tab of S3, we find the Bucket Policy and paste the Policy copied in the above steps and save it:


After saving successfully, CloudFront can now access the content in the storage bucket through OAC, and at the same time ensure that our storage bucket is not directly open to the outside world except for CloudFront access.
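As an added illustration (not the guide's own policy text, which you copy from the console), the following Python builds a bucket policy with the same shape CloudFront generates for an OAC origin and then checks an arbitrary bucket policy for the weaknesses that matter here: a wildcard principal (the bucket is public), a principal other than the CloudFront service principal, an action beyond object read, or a missing AWS:SourceArn condition that would let any distribution in any account read the bucket. The bucket name, account ID and distribution ID are placeholders, and the public-read policy is a constructed example of the weak setting.

```python
import json

# Placeholders (assumptions, not values from the guide): replace with your own.
BUCKET_NAME = "example-cf-demo-bucket"
ACCOUNT_ID = "111122223333"
DISTRIBUTION_ID = "EXAMPLEDISTID"


def oac_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """Build the bucket policy shape CloudFront generates for an OAC origin:
    only the CloudFront service principal may GetObject, and only when the
    request comes from this one distribution (pinned via AWS:SourceArn)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
            }},
        }],
    }


def policy_findings(policy: dict) -> list:
    """Return a list of problems found in the Allow statements of a bucket
    policy. An empty list means every Allow is limited to the CloudFront
    service principal, limited to s3:GetObject, and pinned to a distribution."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: grants access to any principal (bucket is public)")
            continue
        if not (isinstance(principal, dict)
                and principal.get("Service") == "cloudfront.amazonaws.com"):
            findings.append(f"{sid}: principal is not the CloudFront service principal")
        source_arn = st.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceArn", "")
        if not source_arn.startswith("arn:aws:cloudfront::"):
            findings.append(f"{sid}: no AWS:SourceArn condition; any distribution could read this bucket")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        extra = [a for a in actions if a != "s3:GetObject"]
        if extra:
            findings.append(f"{sid}: grants more than object read access: {extra}")
    return findings


# Constructed example of the weak setting: a classic public-read bucket policy.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET_NAME}/*"}],
}

if __name__ == "__main__":
    good = oac_bucket_policy(BUCKET_NAME, ACCOUNT_ID, DISTRIBUTION_ID)
    print(json.dumps(good, indent=2))
    print("OAC policy findings:", policy_findings(good))
    print("Public policy findings:", policy_findings(PUBLIC_READ_POLICY))
```

Running the checker against the policy you pasted into the Permissions tab is a quick way to confirm that the bucket is reachable only through your distribution and was not left with an older public-read statement alongside the OAC one.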

Apply for an HTTPS certificate to encrypt Internet traffic for your accelerated domain name

The Distribution Domain Name (xxxx.CloudFront.net) provided by CloudFront can be used directly and natively supports HTTPS, but if you want to accelerate your own domain name you need to add it as an Alternate Domain Name in the settings so that CloudFront can serve it. The specific steps are as follows:

On the Distribution configuration home page, find the Settings section and click Edit.


Fill in the domain name you need to accelerate in the Alternate domain name column, and click the request certificate below:

*Besides generating a free certificate on Amazon, if you already have a certificate you can also import it into ACM (Amazon Certificate Manager). Please note that a certificate to be used with CloudFront must be uploaded in us-east-1; this is very important, because a certificate uploaded to another region cannot be associated with CloudFront.


Fill in your domain name, select the DNS validation method, and continue; DNS validation is relatively more convenient and faster. In addition to RSA certificates, if you have confirmed that your clients are compatible with ECDSA certificates, you can also choose the ECDSA algorithm here. Compared with RSA, ECDSA offers faster encryption and signing and a smaller certificate size at the same security level.


After clicking Apply, the page will automatically return to the ACM homepage, click View, and add the corresponding CNAME record and value to the corresponding DNS verification record on your authoritative DNS hosting provider. Here is an example of Route53:


Route53 for record creation:


After the record is created, we return to the corresponding certificate page of ACM, wait for a short period of time, and refresh the page to see that the certificate is successfully issued:


At this point, we go back to the CloudFront Setting page, click the refresh button next to the application certificate, select the certificate successfully applied in the above steps, and save the configuration:


Please note that after you create or change the CloudFront Distribution configuration, CloudFront needs a little time to deploy your configuration to its global PoPs. When the Last Modified field on the Distribution page changes from Deploying to a fixed time, the configuration change has been successfully deployed:


Congratulations! After completing these steps, you have a CloudFront Distribution with a basic configuration!

Step three:

Test and use Route53 to accelerate domain name access

Next, we will test the CloudFront configuration created in the above steps. Once the test passes, we can point our business domain name at CloudFront at the DNS level so that end users can access it conveniently and quickly.

On the CloudFront Distribution interface you built, you can find the content of the Distribution domain name:


To make it easier for users to build applications, CloudFront's Distribution domain name can be accessed and used directly. Enter the Distribution domain name followed by the resource path in the S3 bucket in the browser to see the result:


If you have your own domain name, such as the domain name we applied for the certificate in Step 2 above, you can perform a test of binding CloudFront. Here is a test example:

% curl -I https://cf-demo.xxxx.xxxx/infra.png --resolve cf-demo.xxxx.xxxx:443:`dig +short "your Distribution domain name"|tail -1`
HTTP/2 200 
content-type: image/png
content-length: 672609
date: Fri, 02 Jun 2023 05:47:38 GMT
last-modified: Fri, 02 Jun 2023 05:28:19 GMT
etag: "e42046c9775f2b946c4be11e8ad60f84"
x-amz-server-side-encryption: AES256
accept-ranges: bytes
server: AmazonS3
x-cache: Miss from cloudfront
via: 1.1 c7d8533dd1f090a380bfdd0ea4d626c6.cloudfront.net (CloudFront)
x-amz-cf-pop: HKG62-C2
x-amz-cf-id: x8OmTQJWIrtw8Q4CnkVu6eGbfy_jI70KO3XE3OxVfQgYUqT47MGHHQ==


In the above curl test case, we can see that we use our own domain name and successfully get the resources in the S3 bucket through CloudFront. Here we use the HEAD method for concise output.

*Please note that the test cases here only show the connectivity check results. If your business environment has other complex business logic, please conduct a complete regression test.

After the test is correct, we can access the business domain name on the authoritative DNS we use. We need to modify the CNAME record of our own domain name to point to the Distribution domain name of CloudFront. Route53 is used as an example here.


After successfully adding the CNAME record, check the DNS record to confirm that it resolves correctly:

jsnwong@b0be837ca33a ~ % dig cf-demo.xxxxx.xxxxxx

; <<>> DiG 9.10.6 <<>> cf-demo.xxxxx.xxxxx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2665
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cf-demo.jsnwong.vic1992.com. IN A

;; ANSWER SECTION:
cf-demo.xxxxx.xxxxx. 300 IN CNAME dvcxxxxxxtxx.CloudFront.net.
dvc5ax351ytxx.CloudFront.net. 60 IN A 18.65.202.76
dvc5ax351ytxx.CloudFront.net. 60 IN A 18.65.202.100
dvc5ax351ytxx.CloudFront.net. 60 IN A 18.65.202.102
dvc5ax351ytxx.CloudFront.net. 60 IN A 18.65.202.4

;; Query time: 98 msec
;; SERVER: 172.17.192.154#53(172.17.192.154)
;; WHEN: Thu May 18 14:02:11 CST 2023
;; MSG SIZE rcvd: 162


Congratulations! At this point you can access your domain name directly and fully enjoy the high-performance, high-availability CDN acceleration that CloudFront provides for it!

Step four:

CloudFront Metrics view and alarm settings

Native CloudFront provides a variety of metrics for customers to use, as shown in the following table:

Standard Metrics | Remark             | Additional Metrics (enabled on demand) | Remark
Requests         | Request statistics | 4xx error rate                         | 4xx detailed statistics, such as 401/403, etc.
Data transfer    | DTO statistics     | 5xx error rate                         | 5xx detailed statistics, such as 502/503, etc.
Error rate       | 4xx/5xx statistics | Origin latency                         | Back-to-origin delay
-                | -                  | Cache hit rate                         | Cache hit rate

For Additional Metrics, if necessary, in the CloudFront Console, Telemetry – Monitoring, find the Distribution that needs to enable Additional Metrics and enable it.


On the CloudFront page, you can quickly and easily view the metrics of the Distribution you created. You can also view the metrics in CloudWatch and set alarms there.

Please note that CloudFront metrics data is stored in the us-east-1 region. If you use CloudWatch as the entry point, switch to us-east-1 to view the CloudFront metrics.


Next, we will configure alarm settings for the CloudFront Distribution built in the above steps, here we take 4xx alarms as an example.

On the CloudWatch page, in Metrics – All metrics, find the CloudFront indicator entry, or use your Distribution ID to search, find the 4xx indicator corresponding to the Distribution and check it:


After checking, we come to the Graphed metrics tab and click the bell icon in Actions:


When building the alarm, you can choose its sensitivity according to your business needs. For the principles of CloudWatch alarms, please refer to: Using Amazon CloudWatch alarms

https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html

Take the following figure as an example: the period is 1 minute, the threshold is 90, and datapoints to alarm is 1 out of 1, which means that as soon as the 4xx metric exceeds the threshold of 90 in any one minute, an alarm is triggered. This is a relatively high-sensitivity alarm.

If your business is not highly sensitive and can tolerate a certain error rate, you can consider adjusting the corresponding parameters to make the alarm reasonable, such as:

The period is 1 minute, the threshold is 90, and datapoints to alarm is 7 out of 10, which means: within a 10-minute window, if the 4xx metric exceeds the threshold of 90 in 7 of those minutes (consecutive or not), an alarm is triggered.
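To make the "M out of N datapoints" rule concrete, here is an added Python example (not from the guide) that replays a constructed series of per-minute 4xx values against the two settings above: 1 out of 1 fires on the isolated spike at index 3, while 7 out of 10 ignores that spike and only fires once a sustained run of breaching minutes has accumulated. The series is constructed for illustration, and the evaluation is simplified in one respect that is labelled in the code: a window with fewer than N datapoints is treated as not alarming rather than as INSUFFICIENT_DATA.

```python
# Constructed per-minute values of the 4xx metric over a 20-minute window.
# Index 3 is an isolated spike; indices 9-16 are a sustained incident with one
# sub-threshold minute (index 11, value 88) in the middle.
COUNTS_4XX = [12, 8, 15, 150, 9, 11, 7, 10, 13, 95,
              120, 88, 101, 130, 99, 140, 92, 10, 8, 11]
THRESHOLD = 90


def alarm_state(series, threshold, datapoints_to_alarm, evaluation_periods):
    """CloudWatch-style 'M out of N' evaluation of the most recent window:
    ALARM when at least M of the last N datapoints are strictly above the
    threshold (GreaterThanThreshold, as in the guide's example).
    Simplification: a window shorter than N datapoints is treated as not
    alarming instead of INSUFFICIENT_DATA."""
    if len(series) < evaluation_periods:
        return False
    window = series[-evaluation_periods:]
    breaching = sum(1 for v in window if v > threshold)
    return breaching >= datapoints_to_alarm


def first_alarm_index(series, threshold, datapoints_to_alarm, evaluation_periods):
    """Replay the series minute by minute and return the index at which the
    alarm would first enter ALARM, or None if it never does."""
    for i in range(len(series)):
        if alarm_state(series[: i + 1], threshold, datapoints_to_alarm, evaluation_periods):
            return i
    return None


if __name__ == "__main__":
    for m, n in ((1, 1), (7, 10)):
        idx = first_alarm_index(COUNTS_4XX, THRESHOLD, m, n)
        print(f"{m} out of {n}: first ALARM at minute index {idx}")
```

The sensitive setting pages someone for a single bad minute; the 7-out-of-10 setting trades a few minutes of detection delay for immunity to one-off spikes such as a crawler briefly probing non-existent paths.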


In the next step, we choose to create a new topic, name this topic, and confirm the recipients who need to receive alerts:


Click Next after creating:


Give your alert a name and fill in the necessary alert content:


The last step is to review the Alert configuration and create an Alert:


Please note that after creating an alarm, if you set the receiver as an email address, you will receive a subscription confirmation email at this time, and you need to click confirm subscription to receive the alarm:


Alarm test: continuously request an object that does not exist to trigger a 4xx alarm. Example of an alarm:


Congratulations! You have now created an alarm for your Distribution, so that you are notified as soon as an exception occurs and can maintain high availability of the business.

Step five:

Enable CloudFront standard logs and store them in an S3 bucket for backup

In addition to monitoring the CloudFront service with CloudWatch Metrics, for special scenarios where you need other Amazon Cloud Technology services for customized data queries, you can save CloudFront logs to S3 for further processing.

Here you can create an S3 storage bucket dedicated to logs according to the guidance of step 1. Please note that it is not recommended that you mix the S3 bucket that provides website content with logs to avoid the risk of log leakage due to operation errors.

After creating the S3 bucket for storing logs, we next enter the Distribution interface where the standard log service needs to be enabled, and click Edit in Setting.


Find Standard logging, click to enable it, and select the S3 bucket dedicated to CloudFront logs. Because ACLs were not enabled when the S3 bucket was created in Step 1, you can click Enable ACLs in the error message to enable the bucket's ACL automatically.


Enabled successfully! Then click Save Configuration at the bottom.
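Once standard logs start landing in the bucket, the practical next step is to parse them. The following added Python example (not part of the guide) reads the CloudFront standard log format, which is tab-separated with a "#Version:" line and a "#Fields:" header naming the columns, and summarizes the request count, 4xx/5xx counts, the cache hit ratio and the client addresses producing the most 4xx responses, which is the same signal the Step 4 alarm is built on. The sample log lines are constructed, use only a subset of the real field list, and contain documentation-range IP addresses and a placeholder distribution host name; because the parser reads the column names from the "#Fields:" line, it works unchanged on full log files.

```python
from collections import Counter
from urllib.parse import unquote

# Constructed sample in CloudFront standard-log layout: '#Version:' line,
# '#Fields:' header, then tab-separated records. Only a subset of the real
# field list is used; the host name and IP addresses are placeholders.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) "
    "cs-uri-stem sc-status cs(Referer) cs(User-Agent) x-edge-result-type",
    "\t".join(["2023-06-02", "05:47:38", "HKG62-C2", "672609", "203.0.113.10", "GET",
               "dexample.cloudfront.net", "/infra.png", "200", "-", "curl/8.1.2", "Miss"]),
    "\t".join(["2023-06-02", "05:47:40", "HKG62-C2", "672609", "203.0.113.11", "GET",
               "dexample.cloudfront.net", "/infra.png", "200", "-", "curl/8.1.2", "Hit"]),
    "\t".join(["2023-06-02", "05:48:01", "HKG62-C2", "381", "198.51.100.7", "GET",
               "dexample.cloudfront.net", "/does-not-exist.png", "404", "-", "curl/8.1.2", "Error"]),
    "\t".join(["2023-06-02", "05:48:02", "HKG62-C2", "381", "198.51.100.7", "GET",
               "dexample.cloudfront.net", "/does-not-exist.png", "404", "-", "curl/8.1.2", "Error"]),
    "\t".join(["2023-06-02", "05:48:03", "HKG62-C2", "243", "198.51.100.7", "GET",
               "dexample.cloudfront.net", "/private.txt", "403", "-", "curl/8.1.2", "Error"]),
    "\t".join(["2023-06-02", "05:49:10", "HKG62-C2", "1024", "203.0.113.12", "GET",
               "dexample.cloudfront.net", "/index.html", "200", "-", "Mozilla/5.0%20(X11)", "Hit"]),
])


def parse_cloudfront_log(text: str) -> list:
    """Parse CloudFront standard log text into dicts keyed by field name.
    The column list is taken from the '#Fields:' line rather than hard-coded,
    because it differs between log versions. Malformed lines (wrong column
    count) are skipped so one bad line cannot shift every later field."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue
        rec = dict(zip(fields, values))
        # URL-encoded text fields are decoded for readability and matching.
        for key in ("cs-uri-stem", "cs-uri-query", "cs(Referer)", "cs(User-Agent)"):
            if key in rec:
                rec[key] = unquote(rec[key])
        records.append(rec)
    return records


def summarize(records: list) -> dict:
    """Roll up the signals an operator looks at first: request count, 4xx and
    5xx counts, cache hit ratio (Hit over Hit+Miss) and the clients with the
    most 4xx responses."""
    by_status = Counter(r["sc-status"] for r in records)
    results = Counter(r["x-edge-result-type"] for r in records)
    served = results["Hit"] + results["Miss"]
    clients_4xx = Counter(r["c-ip"] for r in records if r["sc-status"].startswith("4"))
    return {
        "requests": len(records),
        "status_4xx": sum(n for s, n in by_status.items() if s.startswith("4")),
        "status_5xx": sum(n for s, n in by_status.items() if s.startswith("5")),
        "cache_hit_ratio": results["Hit"] / served if served else 0.0,
        "top_4xx_clients": clients_4xx.most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_cloudfront_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Pointing this at the objects CloudFront delivers to the log bucket (they are gzip-compressed, so decompress before passing the text in) gives you, per client address, the same 4xx picture that the CloudWatch alarm only reports in aggregate.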


So far, you have completed all the basic configuration operations of CloudFront!

Summary

Through the above five steps we have enabled and configured Amazon Cloud Technology CloudFront and learned how to access it, monitor it, set alarms, and archive basic logs. Users with advanced requirements for CloudFront can refer to the follow-up articles in the CloudFront Deployment Guide to choose the solution that suits them best.

Amazon Cloud Technology CloudFront deployment mini-guide series articles

Amazon CloudFront Deployment Guide (2) - Advanced Deployment:

https://aws.amazon.com/cn/blogs/china/amazon-cloudfront-deployment-handbook-part-two/

Amazon CloudFront Deployment Guide (3) - Continuous Deployment:

https://aws.amazon.com/cn/blogs/china/amazon-cloudfront-deployment-handbook-part-three/

Amazon CloudFront Deployment Handbook (4) - CloudFront Function Basics and Diagnosis: https://aws.amazon.com/cn/blogs/china/amazon-cloudfront-deployment-handbook-part-four/

Amazon CloudFront Deployment Handbook (Part 5) - Using Amazon Edge Technology to Optimize In-Game Resource Update Release: https://aws.amazon.com/cn/blogs/china/amazon-cloudfront-deployment-handbook-part-five/

Amazon CloudFront Deployment Handbook (6) - Lambda@Edge Basics and Diagnosis: https://aws.amazon.com/cn/blogs/china/amazon-cloudfront-deployment-handbook-part-six/

Authors of this article


Wang Junxing

Amazon Cloud Technology Edge Product Architect, responsible for the technical promotion of Amazon Cloud Technology Edge services in China. He has many years of practical experience in the field of CDN content distribution and WAF, focusing on edge service design and experience optimization.


Cui Junjie

Senior Product Solution Architect at Amazon Cloud Technology, responsible for Amazon Cloud Technology's cloud edge security related service products. He provides Amazon cloud users with product consulting on DDoS defense, website front-end security defense and domain name security, has an in-depth understanding of CloudFront, Shield, WAF, Route53, Global Accelerator and other cloud edge security products, and has years of working experience in computer security, data centers and networking.


Origin blog.csdn.net/u012365585/article/details/131606996