Wakeup Flower

3 features of CloudFront

1 — Routing to Multiple Origins Based on Content Type

Amazon CloudFront allows you to serve different kinds of content from different origins within the same distribution.

  • Why: This helps optimize performance and cost.
  • How: You create multiple origins in your CloudFront distribution and configure cache behaviors to decide which origin serves which request.

Example:

  • Static content (/images/*, /css/*, /js/*) → served from Amazon S3.
  • Dynamic content (/api/*) → served from an Application Load Balancer (ALB) or EC2 instances.

Cache behavior rules decide which origin handles which request based on path patterns.

Diagram:

Client Request → CloudFront → Path matches → Origin
/images/*         → S3 Bucket
/api/*            → ALB

2 — Origin Failover (High Availability)

CloudFront origin failover lets you make your distribution highly available by automatically switching to a backup origin when the primary origin fails.

  • Why: To ensure your application stays available even if one origin fails.
  • How:
  1. Create at least two origins.
  2. Create an origin group with a primary and a secondary origin.
  3. Configure cache behavior to use this origin group.

Failure triggers can be:

  • Connection errors
  • Specific HTTP status codes (e.g., 500, 502, 503, 504)

Example:

Origin Group:
Primary → ALB in us-east-1
Secondary → ALB in us-west-2

If primary ALB fails → CloudFront automatically routes to secondary ALB
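As an added illustration (not code from this post or from AWS), the Python below models how the first two features combine: cache behaviours are tested in order against the request path, and an origin group retries on the secondary origin when the primary cannot be reached or answers with one of the configured status codes. The origin ids, the fetch callback and the sample statuses are constructed; CloudFront attempts failover only for GET, HEAD and OPTIONS requests, which the model reflects.

```python
from fnmatch import fnmatchcase

# Constructed distribution mirroring the post: three origins, one origin group.
ORIGINS = {"s3-static": "S3 bucket",
           "alb-east": "ALB in us-east-1",
           "alb-west": "ALB in us-west-2"}
ORIGIN_GROUPS = {
    "api-group": {"members": ["alb-east", "alb-west"],      # primary, secondary
                  "failover_codes": {500, 502, 503, 504}},
}
# Cache behaviours are evaluated in order; the first matching path pattern
# wins, and "*" is the default behaviour that catches everything else.
CACHE_BEHAVIORS = [
    ("/images/*", "s3-static"),
    ("/css/*", "s3-static"),
    ("/js/*", "s3-static"),
    ("/api/*", "api-group"),
    ("*", "api-group"),
]
FAILOVER_METHODS = {"GET", "HEAD", "OPTIONS"}   # no failover for other methods


def select_target(path):
    """Return (path_pattern, target_id) of the first matching cache behaviour."""
    for pattern, target in CACHE_BEHAVIORS:
        if fnmatchcase(path, pattern):
            return pattern, target
    raise LookupError("no default cache behaviour configured")


def route(path, fetch, method="GET"):
    """Return (origin_id, status) after applying origin-group failover.

    fetch(origin_id, path) stands in for the origin request: it returns an
    HTTP status code or raises ConnectionError (connect failure / timeout).
    """
    _, target = select_target(path)
    group = ORIGIN_GROUPS.get(target)
    if group and method in FAILOVER_METHODS:
        members, codes = group["members"], group["failover_codes"]
    else:   # plain origin, or a method that never fails over: primary only
        members, codes = [group["members"][0] if group else target], set()
    for origin in members:
        try:
            status = fetch(origin, path)
        except ConnectionError:
            status = None                     # treated like a failover code
        failed = status is None or status in codes
        if not failed or origin == members[-1]:
            return origin, status             # healthy answer, or last member's answer
```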

3 — Field-Level Encryption

CloudFront field-level encryption lets you encrypt specific sensitive fields in incoming POST requests right at the edge (the CloudFront location closest to the user).

  • Why: To protect sensitive data early before it travels through your backend systems.
  • How:
  1. Choose which fields to encrypt (up to 10).
  2. Configure CloudFront with a public encryption key.
  3. CloudFront encrypts those fields before sending the request to your origin.
  4. Only services with the matching private key can decrypt those fields.

Example:
If your form collects:

  • "name"
  • "email"
  • "creditCardNumber"

You may choose to encrypt "creditCardNumber" only.
CloudFront encrypts this at the edge before sending it to your backend.

Flow:

User → CloudFront (encrypts sensitive fields) → Backend

Key point:
Field-level encryption protects specific fields — not the entire request.

Summary Table

| Feature | Purpose | Example Use Case |
|---|---|---|
| Multiple origins based on content | Serve different content types from different sources | Static files from S3, APIs from ALB |
| Origin failover | High availability and redundancy | Primary origin fails → switch to backup |
| Field-level encryption | Encrypt sensitive fields close to the user | Encrypt credit card numbers in a form |