Networking & Content Delivery
Amazon CloudFront: Delivering millisecond performance to global audiences
Users of today’s web applications expect instant responses, seamless interactions, and flawless experiences, no matter where they are located. Even the slightest delay can impact user engagement. Delivering content within milliseconds is a business imperative for modern web applications serving global audiences, whether it’s an e-commerce platform processing millions of transactions or a streaming service delivering live content.
Amazon CloudFront has long been recognized for its ability to accelerate website performance through its globally distributed network of edge locations, intelligent caching strategies, and enhanced content delivery protocols. CloudFront serves content from locations closest to end users and reduces the load on application servers, thereby delivering faster page loads, improving user experiences, and reducing infrastructure costs for businesses. In this post, we discuss recent improvements we have made in CloudFront to accelerate dynamic web applications.
The evolution of performance: What’s new in CloudFront
CloudFront enhances TLS connection times for your applications. There are two parts to this. First, CloudFront terminates TLS connections at CloudFront edge locations, close to end users, rather than at distant origin servers that run your applications in AWS Regions or on-premises. Because of this, CloudFront dramatically reduces the latency associated with the TLS handshake process. This edge termination means users experience faster initial connections because the cryptographic negotiation happens over a much shorter network path. Second, CloudFront maintains secure persistent connections to your origins, eliminating the time needed to establish new connections for every request. We constantly optimize these connections to deliver better performance.
TLS 1.3 to origins: Faster, more secure connections
CloudFront now supports TLS 1.3 when connecting to your origins, providing enhanced security and improved performance for origin communications. This upgrade offers stronger encryption algorithms, reduced handshake latency, and a better overall security posture for data transmission between CloudFront edge locations and your origin servers.
TLS 1.3 establishes connections faster because its handshake needs fewer round trips. For origins that support TLS 1.3, this cuts the average TLS handshake time between CloudFront edge Points of Presence (PoPs) and customer applications running in AWS Regions (the origins) by 36%, as shown in the following figure. CloudFront stays backward compatible with lower TLS versions for origins that haven’t yet upgraded. This enhancement particularly benefits applications that handle sensitive data, such as financial services, healthcare, and e-commerce platforms.

Intelligent connection pooling
CloudFront’s multi-tiered caching architecture uses a hierarchy of cache layers to improve performance and reduce the load on origin servers. CloudFront now has 750+ global PoPs and 1140+ embedded PoPs inside the ASNs of Internet Service Providers (ISPs), so content is delivered from the location closest to your users. This edge fleet is backed by 15 Regional Edge Caches, which Origin Shield can supplement to provide a wider mid-tier cache and consolidated origin connections.
When a user requests content, CloudFront first checks the closest edge cache. If the content isn’t there, then the request moves up the tiers until it reaches an origin-facing cache such as Origin Shield or a Regional Edge Cache. If the content is not cached, CloudFront fetches the content from the origin and caches it for future requests.
CloudFront uses advanced connection pooling between these caching layers to boost application performance.
- TCP Connection Pools: Persistent connections between layers reduce the overhead of establishing new connections.
- HTTP Keepalive: Maintains open connections for multiple requests, removing repeated handshake delays.
- TLS Connection Pooling: Reuses secure connections to minimize encryption overhead.
TCP Fast Open: Removing round-trip delays
TCP connections often need to be re-established several times during a playback session or browsing experience, and traditional TCP session establishment adds two round-trip times (RTTs) of delay. CloudFront now supports TCP Fast Open between CloudFront edge PoPs and Origin Shield, so subsequent connections between these layers are established in only 1 RTT, cutting the connection time by up to 25%, as shown in the following figure. The gain is most visible in tail latency: it reduces first byte latency above the 99th percentile.

HTTPS DNS records: Accelerating the first connection
CloudFront now supports Amazon Route 53 HTTPS DNS records across its global network, so clients can discover the optimal HTTP protocol during the initial DNS resolution phase rather than in a subsequent connection step. Browsers and applications can use this innovation to learn about HTTP/3 support immediately during DNS lookups, thereby reducing protocol negotiation delays after TLS connections are established. Applications automatically upgrade to the fastest available protocol, thus reducing first byte latency especially in mobile networks with higher latencies or lossy networks.
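To make the discovery step concrete, the following is an added example (not code from AWS or CloudFront) that parses the wire-format RDATA of an HTTPS DNS record as defined in RFC 9460 and shows how a client would pick HTTP/3 from the advertised ALPN list before opening any connection. The record bytes are constructed for illustration and use the documentation address 192.0.2.10; the parser handles only the alpn, no-default-alpn, port and ipv4hint SvcParamKeys.

```python
import struct

# SvcParamKey values from RFC 9460 that this parser understands
ALPN, NO_DEFAULT_ALPN, PORT, IPV4HINT = 1, 2, 3, 4

# Constructed sample RDATA (not a real CloudFront response):
#   SvcPriority 1 (ServiceMode), TargetName "." (the owner name itself),
#   alpn="h3,h2", ipv4hint=192.0.2.10
SAMPLE_RDATA = (
    b"\x00\x01"            # SvcPriority = 1
    b"\x00"                # TargetName = "." (root label only)
    b"\x00\x01\x00\x06"    # key 1 (alpn), value length 6
    b"\x02h3\x02h2"        # length-prefixed alpn-ids: "h3", "h2"
    b"\x00\x04\x00\x04"    # key 4 (ipv4hint), value length 4
    b"\xc0\x00\x02\x0a"    # 192.0.2.10
)

def _read_name(data, pos):
    """Decode an uncompressed DNS wire-format name starting at pos."""
    labels = []
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            break
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels) + ".", pos  # a lone root label yields "."

def parse_https_rdata(rdata):
    """Parse HTTPS RR RDATA: SvcPriority, TargetName, then SvcParams."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, pos = _read_name(rdata, 2)
    params = {}
    while pos < len(rdata):
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        value = rdata[pos + 4:pos + 4 + length]
        pos += 4 + length
        if key == ALPN:  # sequence of 1-byte-length-prefixed ALPN ids
            alpns, i = [], 0
            while i < len(value):
                n = value[i]
                alpns.append(value[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
            params["alpn"] = alpns
        elif key == NO_DEFAULT_ALPN:
            params["no-default-alpn"] = True
        elif key == PORT:
            params["port"] = struct.unpack("!H", value)[0]
        elif key == IPV4HINT:
            params["ipv4hint"] = [".".join(map(str, value[i:i + 4]))
                                  for i in range(0, len(value), 4)]
    return {"priority": priority, "target": target, **params}

def choose_protocol(record):
    """Client-side pick: h3 if advertised, else h2, else http/1.1.
    RFC 9460 treats http/1.1 as implied unless no-default-alpn is set."""
    alpns = set(record.get("alpn", []))
    if not record.get("no-default-alpn"):
        alpns.add("http/1.1")
    return next((p for p in ("h3", "h2", "http/1.1") if p in alpns), None)
```

Running `choose_protocol(parse_https_rdata(SAMPLE_RDATA))` returns "h3", which is the decision a browser can make from the DNS answer alone, before the TLS handshake.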
Intelligent network routing: Always finding the fastest path
Network layer performance is fundamental to delivering high-performance web applications. CloudFront continuously runs experiments to measure performance for peering connections from thousands of internet service providers across the globe. This real-time experimentation and adjustment mean that your content always takes the fastest possible path to reach your users, adapting to changing network conditions and routing around congestion or outages automatically.
Conclusion
Customers regularly see an improvement of over 30% in first byte latency when they use CloudFront to deliver their applications. You can accelerate and protect your applications in a few minutes by using a unified interface to set up CloudFront, DNS with Amazon Route 53, TLS certificates with AWS Certificate Manager, and security with AWS WAF. This CloudFront post contains a detailed walkthrough.
Whether you’re building a new application or enhancing an existing one, the CloudFront combination of global reach, intelligent caching, advanced protocol support, and automatic optimization delivers the best performance for your users.