3.6 CloudFront, Route 53, and Global Accelerator
Key Takeaways
- CloudFront is a CDN with 400+ edge locations that caches content close to users for low latency. Origins include S3, ALB, EC2, API Gateway and any HTTP server; Lambda@Edge and CloudFront Functions run code at the edge rather than acting as origins.
- Route 53 provides DNS, domain registration, and health checking with multiple routing policies (simple, weighted, latency, failover, geolocation, geoproximity, multivalue).
- Global Accelerator routes traffic over the AWS global network to the nearest healthy endpoint, providing two static anycast IPs and fast failover that does not depend on client DNS caching; ideal for non-HTTP (TCP/UDP) use cases.
- CloudFront Origin Access Control (OAC) restricts S3 bucket access so that objects can only be fetched through a specific CloudFront distribution, not directly from S3 (keep S3 Block Public Access enabled so no other grant reopens the bucket).
- Use CloudFront for caching web content (HTTP/HTTPS); use Global Accelerator for non-cacheable TCP/UDP traffic requiring static IPs and deterministic routing.
CloudFront, Route 53, and Global Accelerator
Quick Answer: CloudFront = CDN for caching content at edge locations (HTTP/HTTPS). Route 53 = DNS with health checks and routing policies. Global Accelerator = AWS backbone network for non-cacheable traffic (TCP/UDP) with static IPs. Use CloudFront for websites/APIs; Global Accelerator for gaming, IoT, or when you need static IP addresses.
Amazon CloudFront
CloudFront is AWS's Content Delivery Network (CDN) with 400+ edge locations worldwide.
CloudFront Origins
| Origin | Use Case |
|---|---|
| S3 bucket | Static content (images, CSS, JS, video) |
| ALB | Dynamic web application |
| EC2 instance | Custom application server |
| API Gateway | REST APIs |
| Custom HTTP server | Any HTTP origin (on-premises, other cloud) |
| Lambda function URL | Serverless HTTP origin (Lambda@Edge and CloudFront Functions run at the edge and are not origins) |
| MediaStore | Video streaming |
Key CloudFront Features
| Feature | Description |
|---|---|
| Edge caching | Cache content at 400+ edge locations globally |
| HTTPS | Free TLS certificates via ACM (the certificate must be issued in us-east-1 for CloudFront); the viewer protocol policy can redirect HTTP to HTTPS or require HTTPS |
| Custom headers | Add a secret header to every origin request so the origin (for example an ALB listener rule) can reject traffic that did not come through CloudFront |
| Geo-restriction | Allow/block access from specific countries |
| Price classes | Reduce cost by limiting edge locations (All, 200, 100) |
| Lambda@Edge | Run Lambda functions at edge locations for request/response manipulation |
| CloudFront Functions | Lightweight JavaScript functions for simple request/response manipulation |
| Field-level encryption | Encrypt specific POST form fields at the edge with a public key so only the backend component holding the private key can read them |
| Real-time logs | Stream access logs to Kinesis Data Streams |
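The custom-header row above is the usual way to stop an attacker who discovers the origin hostname from bypassing CloudFront (and any WAF or geo-restriction attached to it). The following is an added example, not code from the original page: an origin-side check that accepts a request only when the shared-secret header that CloudFront was configured to add is present and matches, using a constant-time comparison. The header name `X-Origin-Verify`, the environment variable and the secret value are hypothetical choices made for the example.

```python
"""Origin-side verification of a CloudFront custom origin header.

Added example (not from the original page). Assumes the distribution's origin
settings add the header X-Origin-Verify with a long random secret; both the
header name and the secret below are hypothetical.
"""
import hmac
import os

HEADER_NAME = "X-Origin-Verify"
# In production load this from Secrets Manager or the environment and rotate it;
# the fallback value is a constructed placeholder for running the example offline.
ORIGIN_SECRET = os.environ.get("ORIGIN_VERIFY_SECRET", "c2f1d3e4a5b6c7d8e9f0a1b2c3d4e5f6")


def is_from_cloudfront(headers: dict, secret: str = ORIGIN_SECRET) -> bool:
    """Return True only if the shared-secret header is present and matches.

    Header names are case-insensitive, so match them case-insensitively, and
    compare the value with hmac.compare_digest to avoid timing leaks.
    """
    presented = None
    for name, value in headers.items():
        if name.lower() == HEADER_NAME.lower():
            presented = value
            break
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), secret.encode())


def handle(request_headers: dict) -> tuple[int, bytes]:
    """Minimal request handler: 403 for direct hits, 200 for CloudFront traffic."""
    if not is_from_cloudfront(request_headers):
        return 403, b"forbidden: origin must be reached through CloudFront"
    return 200, b"hello from origin"


if __name__ == "__main__":
    print(handle({"X-Origin-Verify": ORIGIN_SECRET}))  # direct call with the secret
    print(handle({}))                                   # direct hit without it
```

Pair the header check with a network control: restrict the ALB security group to the AWS-managed prefix list `com.amazonaws.global.cloudfront.origin-facing` so the origin is only reachable from CloudFront's origin-facing IP ranges, and rotate the secret if it is ever exposed in logs or error pages.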
CloudFront + S3: Origin Access Control (OAC)
OAC lets S3 objects be read ONLY through a specific CloudFront distribution:
- Create a CloudFront distribution with the S3 bucket (the REST endpoint, not the S3 static website endpoint, which is treated as a custom origin and cannot use OAC) as origin
- Create an OAC and attach it to the origin (replaces legacy OAI; OAC also supports SSE-KMS buckets, given a matching key-policy grant, and buckets in any Region)
- Update the S3 bucket policy to allow s3:GetObject to the service principal cloudfront.amazonaws.com, with a condition that AWS:SourceArn equals the distribution's ARN
- Keep S3 Block Public Access on and remove any remaining public or OAI grants; users then cannot bypass CloudFront to reach S3 directly
On the Exam: "Ensure S3 content can only be accessed via CloudFront" → Origin Access Control (OAC). Note: OAI (Origin Access Identity) is the legacy method.
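The procedure above is only as strong as the bucket policy, so a practitioner wants both the policy and a way to audit it. The following is an added example, not code from the original page: it builds the OAC bucket policy for a distribution and then scans a policy for statements that would let a caller bypass CloudFront (a public principal, a legacy OAI principal, or a cloudfront.amazonaws.com grant not pinned to this distribution by AWS:SourceArn). The bucket name, account ID and distribution ID are constructed values.

```python
"""Generate and audit an S3 bucket policy for CloudFront OAC.

Added example, not code from the original page. The bucket name, account ID
and distribution ID below are constructed placeholders.
"""
import json

CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"


def oac_bucket_policy(bucket: str, distribution_arn: str) -> dict:
    """Bucket policy allowing only the named distribution to read objects via OAC."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDFRONT_SERVICE},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def bypass_findings(policy: dict, distribution_arn: str) -> list[str]:
    """Return one finding per Allow statement that lets callers bypass CloudFront."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append(f"{sid}: grants to any principal (public bucket)")
        elif any("CloudFront Origin Access Identity" in p for p in aws_principals):
            findings.append(f"{sid}: uses legacy OAI principal; migrate to OAC")
        elif CLOUDFRONT_SERVICE in services:
            cond = st.get("Condition", {}).get("StringEquals", {})
            source = cond.get("AWS:SourceArn") or cond.get("aws:SourceArn")
            if source != distribution_arn:
                findings.append(
                    f"{sid}: {CLOUDFRONT_SERVICE} allowed without AWS:SourceArn pinned to "
                    "this distribution (any distribution in any account could read)")
    return findings


def demo() -> dict:
    """Audit four constructed policies; returns {name: findings}."""
    arn = "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"  # constructed
    bucket = "my-site-bucket"  # constructed
    good = oac_bucket_policy(bucket, arn)
    unpinned = json.loads(json.dumps(good))
    del unpinned["Statement"][0]["Condition"]
    oai = {"Statement": [{"Sid": "LegacyOAI", "Effect": "Allow",
                          "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1ABCDEFEXAMPLE"},
                          "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}
    public = {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                             "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}
    return {name: bypass_findings(p, arn)
            for name, p in [("oac", good), ("unpinned", unpinned), ("oai", oai), ("public", public)]}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

The audit deliberately treats a cloudfront.amazonaws.com grant without the AWS:SourceArn condition as a finding: the service principal is shared by every account, so the condition is what ties the bucket to your distribution. Run the real bucket policy (from `aws s3api get-bucket-policy`) through `bypass_findings` after any change.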
CloudFront Cache Behavior
| Setting | Description |
|---|---|
| TTL | How long objects stay in cache (min, default, max) |
| Cache key | What makes each cached object unique: the URL path plus any headers, query strings and cookies named in the cache policy. Anything the origin uses to vary a response must be part of the key, otherwise one user's response can be served to another |
| Cache policy | Define what is included in the cache key and the TTLs |
| Origin request policy | Define what is forwarded to the origin in addition to the cache key (headers, query strings, cookies) |
| Invalidation | Force removal of cached objects by path; the first 1,000 paths per month are free, then each path is charged |
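The cache-key row is the security-relevant one: a cache behavior that leaves out a request attribute the origin varies on turns the edge cache into a cross-user data leak. The following is an added example, not code from the original page: a toy model of one cache behavior in which only the attributes named in the cache policy form the key, run against a constructed origin that returns a per-user account page based on the Authorization header. With Authorization absent from the key, the second user receives the first user's cached page; with it included, each user gets their own. The users, tokens and paths are constructed.

```python
"""Toy model of a CloudFront cache behavior and its cache key.

Added example, not code from the original page. The origin, users and tokens
are constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


class EdgeCache:
    """One cache behavior: the cache policy names which headers and query
    strings join the URL path in the cache key; everything else is ignored
    when looking up a cached response."""

    def __init__(self, key_headers=(), key_query=()):
        self.key_headers = tuple(h.lower() for h in key_headers)
        self.key_query = tuple(key_query)
        self.store = {}
        self.origin_hits = 0

    def cache_key(self, req: Request) -> tuple:
        hdrs = {k.lower(): v for k, v in req.headers.items()}
        return (req.path,
                tuple(hdrs.get(h) for h in self.key_headers),
                tuple(req.query.get(q) for q in self.key_query))

    def fetch(self, req: Request, origin):
        """Return (body, 'Hit'|'Miss'); on a miss, fetch from origin and cache it."""
        key = self.cache_key(req)
        if key in self.store:
            return self.store[key], "Hit"
        self.origin_hits += 1
        body = origin(req)
        self.store[key] = body
        return body, "Miss"


def account_origin(req: Request) -> str:
    """Constructed origin: the response depends on who is in Authorization."""
    token = req.headers.get("Authorization", "")
    user = {"Bearer tok-alice": "alice", "Bearer tok-bob": "bob"}.get(token, "anonymous")
    return f"account page for {user}"


def demo(key_headers=()) -> dict:
    """Alice then Bob request /account through one cache behavior."""
    cache = EdgeCache(key_headers=key_headers)
    alice = Request("/account", {"Authorization": "Bearer tok-alice"})
    bob = Request("/account", {"Authorization": "Bearer tok-bob"})
    alice_body, _ = cache.fetch(alice, account_origin)
    bob_body, bob_status = cache.fetch(bob, account_origin)
    return {"alice": alice_body, "bob": bob_body,
            "bob_status": bob_status, "origin_hits": cache.origin_hits}


if __name__ == "__main__":
    print("Authorization not in key:", demo())
    print("Authorization in key:    ", demo(key_headers=("Authorization",)))
```

For the Authorization header specifically, CloudFront only forwards it to the origin when it is part of the cache key, which prevents this exact mistake; for custom headers, cookies and query strings that select a tenant or user, it is up to the cache policy author to include them in the key (or to disable caching for that behavior).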
Amazon Route 53
Route 53 is AWS's DNS service providing domain registration, DNS routing, and health checking.
Routing Policies
| Policy | Description | Use Case |
|---|---|---|
| Simple | One record, optionally with several values returned to the resolver in random order; no health checks | Basic DNS routing |
| Weighted | Split traffic in proportion to record weights (0 to 255); a weight of 0 sends nothing to that record | Blue/green deployments, canary releases |
| Latency-based | Route to lowest-latency Region | Multi-Region applications |
| Failover | Active-passive with health checks | Disaster recovery |
| Geolocation | Route based on user location | Content localization, compliance |
| Geoproximity | Route by distance with traffic biasing | Shift traffic between Regions |
| Multivalue answer | Returns up to 8 healthy records per query, each with its own optional health check | Small-scale load distribution with health-aware answers |
Route 53 Health Checks
| Type | Monitors |
|---|---|
| Endpoint | HTTP/HTTPS/TCP health of a specific resource; checks originate from Route 53's public health-checker IP ranges, so the endpoint must be internet-reachable and its security group or firewall must allow those ranges |
| Calculated | Aggregates results of multiple health checks (AND/OR logic) |
| CloudWatch alarm | Health derived from a CloudWatch alarm's state; the option for private resources inside a VPC that the public checkers cannot reach |
AWS Global Accelerator
Global Accelerator routes traffic through the AWS global network (instead of the public internet) for improved performance and availability.
Global Accelerator vs. CloudFront
| Feature | CloudFront | Global Accelerator |
|---|---|---|
| Type | CDN (content caching) | Network layer optimization |
| Caching | Yes (caches at edge) | No caching |
| IP addresses | Dynamic (DNS name) | 2 static anycast IPs |
| Protocols | HTTP/HTTPS | TCP, UDP |
| Best for | Cacheable web content | Non-cacheable traffic, gaming, IoT, VoIP |
| Failover | Origin groups fail over per request to a secondary origin; cross-Region failover via Route 53 is bounded by DNS TTLs | Health-check driven within the AWS network, independent of client DNS caching |
| Health checks | Origin health checks | Endpoint health checks with instant failover |
On the Exam: "Static IP addresses for a global application" → Global Accelerator. "Cache web content at edge locations" → CloudFront. "Gaming application with real-time UDP traffic" → Global Accelerator.
A company hosts a static website in S3 and wants to serve it globally with low latency while preventing direct access to the S3 bucket. What should they implement?
A real-time multiplayer gaming application uses UDP and needs static IP addresses for client connections. Which service should be used?
Which Route 53 routing policy routes traffic to the AWS Region with the lowest network latency for the requesting user?