3.6 CloudFront, Route 53, and Global Accelerator
Key Takeaways
- CloudFront is a CDN with 400+ edge locations that caches HTTP/HTTPS content close to users and integrates with S3, ALB, EC2, API Gateway, and Lambda@Edge.
- Route 53 provides DNS, registration, and health checks with routing policies: simple, weighted, latency, failover, geolocation, geoproximity, and multivalue answer.
- Global Accelerator routes TCP/UDP traffic over the AWS backbone with two static anycast IPs and near-instant BGP failover - it does not cache content.
- CloudFront Origin Access Control (OAC) locks an S3 origin so it is reachable only through CloudFront, not directly.
- Decision rule: cacheable web/API content -> CloudFront; non-cacheable TCP/UDP or static-IP needs -> Global Accelerator; DNS routing and failover logic -> Route 53.
Quick Answer: CloudFront = CDN caching HTTP/HTTPS at 400+ edge locations. Route 53 = DNS with health checks and routing policies. Global Accelerator = AWS backbone routing for TCP/UDP with two static anycast IPs and instant failover. Use CloudFront for websites/APIs, Global Accelerator for gaming/VoIP/static-IP needs, and Route 53 to steer DNS.
Amazon CloudFront
CloudFront is AWS's content delivery network (CDN); it caches content at 400+ global edge locations to cut latency and offload origins. Supported origins include S3, ALB, EC2, API Gateway, MediaStore, and any custom HTTP server (on-prem or other cloud).
| Feature | Description |
|---|---|
| Edge caching | Serve cached objects from the nearest edge |
| Free HTTPS | TLS via ACM, HTTP-to-HTTPS redirect |
| Geo-restriction | Allow/block by country |
| Price classes | All, 200, or 100 to trade reach for cost |
| Lambda@Edge | Run Lambda at edge for request/response logic |
| CloudFront Functions | Lightweight JS for header/URL rewrites |
| Field-level encryption | Encrypt sensitive POST fields at the edge |
Origin Access Control (OAC)
OAC ensures an S3 origin is reachable only through CloudFront: create the distribution with OAC, then set the bucket policy to allow only that distribution. Users cannot bypass CloudFront to hit S3 directly. OAC replaces the legacy Origin Access Identity (OAI) and is the current best-practice answer.
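The OAC pattern is enforced by the bucket policy, so it is worth seeing what that policy looks like and how to spot a bucket that still allows a bypass. The block below is an added example, not code from AWS or this guide: it builds the documented OAC bucket policy (CloudFront service principal plus an `AWS:SourceArn` condition pinned to one distribution) and audits a policy for statements that let readers reach S3 directly (public read) or still use the legacy OAI principal. The bucket name, account id and distribution id are constructed placeholders.

```python
import json

# Constructed placeholder values; substitute your own bucket, account id and distribution id.
BUCKET = "example-static-site"
ACCOUNT_ID = "111122223333"
DISTRIBUTION_ID = "EDFDVBD6EXAMPLE"


def oac_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """Bucket policy that lets only one CloudFront distribution read objects (OAC pattern).

    The principal is the CloudFront service, and the AWS:SourceArn condition pins the
    grant to a single distribution, so a distribution in another account cannot be
    pointed at this bucket.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipalReadOnly",
                "Effect": "Allow",
                "Principal": {"Service": "cloudfront.amazonaws.com"},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringEquals": {
                        "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
                    }
                },
            }
        ],
    }


# Constructed "before" policies that the audit should flag.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}
LEGACY_OAI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OAIRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLE"},
                   "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy: dict) -> list[str]:
    """Return findings for Allow statements that grant object reads outside the OAC pattern."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not (actions & {"s3:getobject", "s3:*", "*"}):
            continue  # statement does not grant reads
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: public read grants direct S3 access, bypassing CloudFront")
            continue
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if any("cloudfront:user/CloudFront Origin Access Identity" in p for p in aws_principals):
            findings.append(f"{sid}: legacy OAI principal; migrate to OAC")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "cloudfront.amazonaws.com" in services:
            condition = stmt.get("Condition", {}).get("StringEquals", {})
            if "AWS:SourceArn" not in condition:
                findings.append(f"{sid}: CloudFront service principal without AWS:SourceArn; any distribution could read")
    return findings


if __name__ == "__main__":
    policy = oac_bucket_policy(BUCKET, ACCOUNT_ID, DISTRIBUTION_ID)
    print(json.dumps(policy, indent=2))
    for name, p in [("OAC", policy), ("public", PUBLIC_READ_POLICY), ("OAI", LEGACY_OAI_POLICY)]:
        print(name, audit_bucket_policy(p) or ["ok"])
```

The audit is deliberately narrow (it looks only at read grants and the principal/condition shape); it complements, not replaces, S3 Block Public Access, which should stay enabled on an OAC-fronted bucket.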
Cache Behavior
The cache key (URL plus selected headers, query strings, and cookies) determines uniqueness; tune it with cache policies and origin request policies. TTL controls freshness, and invalidations force-evict objects but cost per path - prefer versioned object names over frequent invalidations.
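To make the cache-key idea concrete, here is an added example (this guide's own illustration, not CloudFront code) that models a cache policy as an allow-list of query strings, headers and cookies, builds the resulting key, and shows two effects the paragraph describes: keying on every viewer header fragments the cache, and shipping a new release under a versioned object name avoids a billed invalidation. The policy dictionaries, the `EdgeCache` class and the sample requests are all constructed for the example; the distribution domain is a placeholder.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed policies. The keys mirror what a CloudFront cache policy controls
# (which query strings, headers and cookies join the cache key); None means "all".
TUNED_POLICY = {
    "query_strings": {"v", "lang"},
    "headers": {"cloudfront-viewer-country"},
    "cookies": set(),
}
ALL_HEADERS_POLICY = {"query_strings": None, "headers": None, "cookies": None}  # anti-pattern


def _select(items, allowed):
    # Keep only allow-listed names (or everything when allowed is None) and sort them,
    # so ?a=1&b=2 and ?b=2&a=1 produce the same key.
    return sorted((k, v) for k, v in items if allowed is None or k in allowed)


def cache_key(url, headers=None, cookies=None, policy=TUNED_POLICY):
    parts = urlsplit(url)
    qs = _select(parse_qsl(parts.query, keep_blank_values=True), policy["query_strings"])
    hdrs = _select(((k.lower(), v) for k, v in (headers or {}).items()), policy["headers"])
    cks = _select((cookies or {}).items(), policy["cookies"])
    return "|".join([parts.path, urlencode(qs), urlencode(hdrs), urlencode(cks)])


def distinct_keys(requests, policy):
    """How many separate cached copies a set of requests would create under a policy."""
    return len({cache_key(url, h, c, policy) for url, h, c in requests})


class EdgeCache:
    """Toy edge cache: TTL-based freshness plus per-path invalidation accounting."""

    def __init__(self, default_ttl):
        self.default_ttl = default_ttl
        self.store = {}             # key -> (body, expires_at)
        self.invalidated_paths = 0  # CloudFront bills invalidations per path

    def get(self, key, now):
        hit = self.store.get(key)
        return hit[0] if hit and now < hit[1] else None

    def put(self, key, body, now, ttl=None):
        self.store[key] = (body, now + (self.default_ttl if ttl is None else ttl))

    def invalidate(self, path):
        # Evicts every variant of the path (all query/header combinations) and counts one billed path
        for key in [k for k in self.store if k.split("|", 1)[0] == path]:
            del self.store[key]
        self.invalidated_paths += 1


# Constructed requests: three viewers fetching the same asset with different browser headers.
ORIGIN_URL = "https://d111111abcdef8.cloudfront.net/app.js?v=3"
REQUESTS = [
    (ORIGIN_URL, {"User-Agent": "Chrome", "Accept-Language": "en"}, {}),
    (ORIGIN_URL, {"User-Agent": "Safari", "Accept-Language": "en"}, {}),
    (ORIGIN_URL, {"User-Agent": "Firefox", "Accept-Language": "de"}, {}),
]


def release_new_version(cache, now, old_url="https://d111111abcdef8.cloudfront.net/app.js?v=3"):
    """Ship app.js v4 by changing the versioned name instead of invalidating the path.

    Returns (old key still cached?, new key cached?, billed invalidations).
    """
    old_key = cache_key(old_url)
    cache.put(old_key, b"v3 bundle", now)
    new_key = cache_key(old_url.replace("v=3", "v=4"))
    cache.put(new_key, b"v4 bundle", now)  # fresh key, cold miss fetched from origin once
    return cache.get(old_key, now) is not None, cache.get(new_key, now) is not None, cache.invalidated_paths


if __name__ == "__main__":
    print("tuned policy keys:", distinct_keys(REQUESTS, TUNED_POLICY))        # 1
    print("all-headers policy keys:", distinct_keys(REQUESTS, ALL_HEADERS_POLICY))  # 3
    print("versioned release:", release_new_version(EdgeCache(default_ttl=86400), now=0))
```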
Amazon Route 53
Route 53 is AWS's authoritative DNS with domain registration and health checking.
| Policy | Behavior | Typical use |
|---|---|---|
| Simple | One record, no health checks | Basic mapping |
| Weighted | Split traffic by percentage | Canary / blue-green |
| Latency-based | Lowest-latency Region for the user | Multi-Region apps |
| Failover | Active-passive with health checks | Disaster recovery |
| Geolocation | Route by user's country/continent | Localization, compliance |
| Geoproximity | Route by distance with bias shifting | Gradually shift Region traffic |
| Multivalue answer | Up to 8 healthy records | Simple client-side LB |
Health checks come in three kinds: endpoint (HTTP/HTTPS/TCP), calculated (AND/OR of other checks), and CloudWatch-alarm-based. Latency-based and geolocation routing are easy to confuse: latency-based picks the Region with the lowest measured latency for the user, while geolocation picks by where the user is located, which is not always the fastest Region.
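The routing policies in the table are easiest to tell apart by running them side by side over the same record set. The block below is an added example (a simulation written for this guide, not Route 53 code): each function implements one policy's selection rule, and the constructed scenario shows a viewer in New Zealand for whom latency-based routing returns Sydney while geolocation returns the default record, because no geolocation record matches "NZ". The `Record` and `Viewer` types, the endpoint names and the latency table are all constructed stand-ins for data Route 53 holds internally.

```python
import random
from dataclasses import dataclass


@dataclass
class Record:
    value: str                # answer handed back to the resolver (constructed name)
    region: str = ""          # used by latency-based routing
    healthy: bool = True      # current health-check state
    weight: int = 0           # used by weighted routing
    country: str = "*"        # geolocation match; "*" is the default record
    role: str = "primary"     # "primary" or "secondary" for failover


@dataclass
class Viewer:
    country: str
    latency_ms: dict          # constructed stand-in for Route 53's internal latency data


def simple(records):
    # One record set, no health checks: answers are returned as configured.
    return [r.value for r in records]


def weighted(records, rng):
    # Traffic split in proportion to weight among healthy records (weight 0 = never chosen).
    candidates = [r for r in records if r.healthy and r.weight > 0]
    return [rng.choices(candidates, weights=[r.weight for r in candidates])[0].value]


def latency_based(records, viewer):
    # Picks the healthy Region with the lowest measured latency for this viewer.
    healthy = [r for r in records if r.healthy]
    return [min(healthy, key=lambda r: viewer.latency_ms[r.region]).value]


def failover(records):
    # Active-passive: primary while healthy, otherwise the secondary.
    primary = [r for r in records if r.role == "primary" and r.healthy]
    secondary = [r for r in records if r.role == "secondary" and r.healthy]
    return [r.value for r in (primary or secondary)[:1]]


def geolocation(records, viewer):
    # Matches the viewer's country; falls back to the default ("*") record. Not latency-aware.
    healthy = [r for r in records if r.healthy]
    match = [r for r in healthy if r.country == viewer.country]
    default = [r for r in healthy if r.country == "*"]
    return [r.value for r in (match or default)[:1]]


def multivalue(records, rng):
    # Up to eight healthy records, chosen at random, for simple client-side load balancing.
    healthy = [r for r in records if r.healthy]
    return [r.value for r in rng.sample(healthy, min(8, len(healthy)))]


# Constructed two-Region API: us-east-1 is the default/primary, Sydney serves Australia.
API = [
    Record("api-use1.example.internal", region="us-east-1", weight=90, country="*", role="primary"),
    Record("api-apse2.example.internal", region="ap-southeast-2", weight=10, country="AU", role="secondary"),
]
# A viewer in New Zealand: Sydney is far faster, but no geolocation record matches "NZ".
NZ_VIEWER = Viewer(country="NZ", latency_ms={"us-east-1": 180, "ap-southeast-2": 40})


def primary_down(records):
    """Copy of the record set with the primary marked unhealthy (simulated failed health check)."""
    return [Record(**{**vars(r), "healthy": r.healthy and r.role != "primary"}) for r in records]


if __name__ == "__main__":
    rng = random.Random(1)
    print("simple:      ", simple(API))
    print("weighted:    ", weighted(API, rng))
    print("latency:     ", latency_based(API, NZ_VIEWER))    # Sydney
    print("geolocation: ", geolocation(API, NZ_VIEWER))      # default -> us-east-1
    print("failover:    ", failover(API), "->", failover(primary_down(API)))
    print("multivalue:  ", multivalue([Record(f"10.0.0.{i}", healthy=i % 5 != 0) for i in range(10)], rng))
```

The `geolocation` result is the point of the trap in the text: the viewer gets the default record even though Sydney is closer, because geolocation answers by location rules, not by measured speed.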
AWS Global Accelerator
Global Accelerator routes user traffic onto the AWS global backbone at the nearest edge, then forwards over AWS's private network to the optimal healthy endpoint.
| Feature | CloudFront | Global Accelerator |
|---|---|---|
| Layer | CDN (caches content) | Network (no caching) |
| Protocols | HTTP/HTTPS | TCP and UDP |
| IP addresses | Dynamic (DNS name) | Two static anycast IPs |
| Failover | DNS-based (TTL delay) | BGP-based, near-instant |
| Best for | Cacheable web content | Gaming, IoT, VoIP, static IP allow-listing |
Reach for Global Accelerator when an answer mentions non-cacheable real-time traffic, UDP, the need for static IPs (e.g. firewall allow-listing), or instant regional failover that DNS TTLs cannot provide.
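The "DNS TTL delay" row in the table is easy to state and easy to underestimate, so here is an added example (constructed for this guide, not AWS code) that simulates it. A client resolves a failover name once per second; the resolver caches the answer for the record's TTL; the authoritative answer only switches to the secondary once the health check has detected the failure. The function counts how many requests are still sent to the dead primary. The timings (failure at t=20, a 120-second window) are constructed; the detection delay is a parameter you set from your own health-check interval and failure threshold.

```python
def requests_to_dead_endpoint(ttl, detection_delay, fail_at=20, horizon=120):
    """Simulate one client resolving a failover record every second for `horizon` seconds.

    ttl              seconds a resolver may cache the DNS answer
    detection_delay  seconds between the primary dying and the health check marking it down
    fail_at          second at which the primary stops serving (constructed)
    Returns the number of requests that were still directed at the dead primary.
    """
    cached = None  # (answer, expires_at) held by the resolver
    dead = 0
    for t in range(horizon):
        if cached is None or t >= cached[1]:
            # Authoritative answer: primary until the health check notices the failure
            answer = "primary" if t < fail_at + detection_delay else "secondary"
            cached = (answer, t + ttl)
        if cached[0] == "primary" and t >= fail_at:
            dead += 1
    return dead


if __name__ == "__main__":
    # Long TTL plus a slow health check: the whole window after the failure is lost.
    print("TTL 60s, detection 90s:", requests_to_dead_endpoint(60, 90))   # 100
    # Instant detection still leaves the TTL window of stale resolver answers.
    print("TTL 60s, detection  0s:", requests_to_dead_endpoint(60, 0))    # 40
    # No DNS caching in the path (the anycast model): only the detection delay remains.
    print("TTL  0s, detection 10s:", requests_to_dead_endpoint(0, 10))    # 10
```

The last case is the shape Global Accelerator gives you: with two fixed anycast IPs there is no DNS answer to go stale, so the remaining window is the health-check detection time alone; with DNS failover the TTL window is added on top, which is why short TTLs on failover records matter.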
On the Exam: "Cache and serve a static S3 site globally while blocking direct bucket access" -> CloudFront + OAC. "Real-time UDP multiplayer game needing static IPs" -> Global Accelerator. "Send users to the lowest-latency Region" -> Route 53 latency-based routing.
Worked Scenario: Building a Global Front Door
Consider a global media site whose static assets live in S3 and whose dynamic API runs behind an ALB in two Regions. The right design layers all three services. Put CloudFront in front of the S3 assets to cache them at the edge, and lock the bucket with OAC so users cannot bypass the CDN. Use Route 53 latency-based routing to send each user to the nearest healthy Regional API endpoint, with a failover record pair so a Region outage automatically reroutes traffic.
If a separate, non-HTTP service - say a UDP telemetry ingest endpoint - needs static IPs and instant failover, front that one with Global Accelerator rather than CloudFront, because Global Accelerator carries TCP/UDP over the AWS backbone and provides two static anycast IPs.
Common Traps to Avoid
- CloudFront vs Global Accelerator. CloudFront caches HTTP/HTTPS content; Global Accelerator does not cache and handles arbitrary TCP/UDP with static IPs. "Cacheable web content" -> CloudFront; "non-cacheable, static IP, UDP" -> Global Accelerator.
- Latency vs geolocation routing. Latency-based routing picks the fastest Region; geolocation routes by the user's country/continent and may not be fastest. Choose by the literal requirement - speed vs location/compliance.
- OAI vs OAC. OAI is the legacy mechanism; current best practice for restricting an S3 origin to CloudFront is Origin Access Control (OAC).
- Expecting fast DNS failover. DNS-based failover is gated by record TTLs and resolver caching; when the requirement is near-instant failover, Global Accelerator's BGP-based path is the better answer.
- Frequent invalidations. Invalidating CloudFront objects costs per path; for cache-busting, prefer versioned object names over constant invalidations.
Practice Questions
A company serves a static website from an S3 bucket and wants global low-latency delivery while ensuring users can reach the content only through the CDN, never directly from S3. What should they implement?
A multiplayer game uses UDP, must give clients a fixed set of IP addresses to allow-list in corporate firewalls, and needs near-instant failover between Regions. Which service is the best fit?
An application is deployed in us-east-1 and ap-southeast-2, and the team wants each user automatically sent to whichever Region gives that user the lowest network latency. Which Route 53 routing policy should they use?