
Amazon CloudFront: Content Delivery

Learn how Amazon CloudFront caches content at edge locations worldwide to deliver low-latency experiences for users everywhere.

12 min
Introductory

Learning outcomes

By the end of this lesson, you will be able to:

  1. Explain what a Content Delivery Network (CDN) does.
  2. Describe how CloudFront distributions and edge locations work together.
  3. List common CloudFront origins (S3, ALB, custom).
  4. Explain the S3 + CloudFront pattern for static website hosting.
  5. Describe how CloudFront contributes to DDoS protection.

What is a CDN?

A Content Delivery Network (CDN) is a globally distributed network of servers that caches copies of your content closer to your users. Instead of every request traveling to your origin server (which might be in a single Region), users download content from the nearest edge location — dramatically reducing latency.

Think of it like a chain of local libraries. Instead of everyone driving to one central warehouse for a book, each neighborhood has a library with copies of the most popular titles.


Amazon CloudFront

Amazon CloudFront is AWS's CDN service. It has 400+ edge locations in cities around the world.

When a user requests content:

  1. The request goes to the nearest edge location.
  2. If the content is cached there (a "cache hit"), it's returned immediately.
  3. If it's not cached (a "cache miss"), CloudFront fetches it from the origin, caches it at the edge, and returns it to the user.
  4. Subsequent requests from nearby users are served from the cache.

Tip

Edge locations are not the same as AWS Regions or Availability Zones. There are far more edge locations than Regions — they exist specifically for low-latency content delivery.


Distributions and origins

A CloudFront distribution is the configuration that tells CloudFront what content to serve and where to get it from.

Common origins

Origin                             Use case
Amazon S3 bucket                   Static websites, images, CSS, JavaScript
Application Load Balancer (ALB)    Dynamic web applications
Custom origin (any HTTP server)    On-premises servers or non-AWS hosting

You can have multiple origins in a single distribution and use behaviors to route different URL paths to different origins (e.g., /api/* → ALB, /* → S3).


The S3 + CloudFront pattern

This is the most common static hosting pattern on AWS — and a frequent exam topic:

User → CloudFront Edge Location → S3 Bucket (origin)

How it works:

  1. Store your static website files (HTML, CSS, JS, images) in an S3 bucket.
  2. Create a CloudFront distribution with that S3 bucket as the origin.
  3. Users access your site through the CloudFront URL (or your custom domain via Route 53).
  4. CloudFront caches the files at edge locations worldwide.

Benefits:

  • Low latency — users download from the nearest edge location.
  • Reduced S3 costs — fewer direct requests to S3 because most are served from cache.
  • HTTPS support — CloudFront provides free SSL/TLS certificates.
  • Global reach — 400+ edge locations without deploying to multiple Regions.

Note

You can restrict the S3 bucket so it's only accessible through CloudFront (using an Origin Access Control). This prevents users from bypassing CloudFront and hitting S3 directly.
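The Origin Access Control pattern from the Note, as an added example that is not part of this lesson or of AWS's own tooling: a constructed public-read bucket policy next to the OAC-scoped one, with a small check that flags the former. The bucket name, account ID and distribution ID are placeholders.

```python
import json

# Constructed "before" policy: a public-read grant lets users bypass CloudFront
# and fetch objects from S3 directly.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-site-bucket/*",
    }],
})

# Constructed "after" policy (OAC pattern): only the CloudFront service
# principal may read, and only on behalf of one named distribution.
# Account ID and distribution ID are placeholders.
OAC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-site-bucket/*",
        "Condition": {"StringEquals": {
            "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDIST",
        }},
    }],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_oac_only(policy_json):
    """Return findings for Allow statements that break the 'only via CloudFront'
    pattern. An empty list means the policy passes the check."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("public principal allows direct S3 access")
        elif isinstance(principal, dict) and principal.get("Service") == "cloudfront.amazonaws.com":
            arn = stmt.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceArn", "")
            if not arn.startswith("arn:aws:cloudfront::"):
                findings.append("CloudFront grant is not scoped to a distribution ARN")
    return findings
```

Bucket Block Public Access settings should stay enabled alongside the policy; the check above only inspects the policy document itself.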


CloudFront and DDoS protection

CloudFront provides a layer of DDoS (Distributed Denial of Service) protection by default:

  • Traffic is absorbed across hundreds of edge locations instead of hitting a single origin.
  • AWS Shield Standard is automatically enabled for all CloudFront distributions at no extra cost — protecting against common Layer 3/4 attacks.
  • For advanced protection, AWS Shield Advanced adds Layer 7 protection and 24/7 access to the AWS DDoS Response Team.

CloudFront + Shield + WAF is AWS's recommended stack for protecting web applications from attacks.


Amazon API Gateway

What it is: Managed service for creating, publishing, and maintaining REST, HTTP, and WebSocket APIs.

Key pattern: API Gateway + Lambda = serverless API backend. API Gateway handles routing, throttling, caching, and authentication; Lambda executes business logic.

When to use: Building APIs without managing servers, integrating with Cognito for auth, or throttling requests to protect backends.


AWS Global Accelerator

AWS Global Accelerator and Amazon CloudFront both use the AWS global network and edge locations, but they serve different purposes.

Global Accelerator vs CloudFront

Feature               CloudFront                          Global Accelerator
Primary use           Content delivery (caching)          Application acceleration (no caching)
Protocols             HTTP/HTTPS only                     Any TCP or UDP protocol
Best for              Web content, videos, APIs           Gaming, VoIP, IoT MQTT
Static IP addresses   No (uses dynamic edge locations)    Yes (provides 2 static anycast IPs)
Failover speed        DNS propagation time                Immediate (no DNS changes)
DDoS protection       AWS Shield Standard (free)          AWS Shield Standard (free)

When to choose Global Accelerator:

  • Your application uses non-HTTP protocols (gaming UDP, IoT MQTT, VoIP)
  • You need static IP addresses for firewall whitelisting
  • You require immediate failover without waiting for DNS propagation
  • Your application needs deterministic routing to specific endpoints

Global Accelerator vs CloudFront

Use CloudFront when...

  • HTTP/HTTPS content delivery
  • Caching at edge locations
  • Static/dynamic web content

Use Global Accelerator when...

  • TCP/UDP traffic (not just HTTP)
  • Gaming, VoIP, IoT protocols
  • AWS backbone routing without caching
  • Static IP addresses needed

Edge locations vs Regions — a quick refresher

Concept             What it is                                                                   Count
Region              A cluster of data centers (AZs) where you deploy resources                   ~30+ worldwide
Availability Zone   One or more discrete data centers within a Region                            2–6 per Region
Edge Location       A site used by CloudFront (and Route 53) for low-latency content delivery    400+ worldwide

Edge locations are much more numerous than Regions because they only need to cache and serve content — not run full compute and storage services.



Summary

  • A CDN caches content at locations close to users for low-latency delivery.
  • CloudFront is AWS's CDN with 400+ edge locations.
  • Common origins: S3, ALB, and custom HTTP servers.
  • S3 + CloudFront is the standard pattern for global static website hosting.
  • CloudFront includes AWS Shield Standard for baseline DDoS protection.

Knowledge Check


What happens when a user requests content that is already cached at a CloudFront edge location?
