Networking & Content Delivery
Category: Best Practices
Manage caches with precision using Amazon CloudFront Invalidation by Cache Tag
Today, Amazon CloudFront is launching Invalidation by Cache Tag, a new capability that transforms how developers manage cached content. With this feature, you can invalidate groups of related cached objects using a single invalidation request, regardless of URL structure—making cache management more precise, efficient, and developer-friendly. In this post, we discuss the benefits of this […]
Selecting the Right AWS VPN Solution: A Decision Framework
Introduction This post is intended for networking engineers and architects evaluating AWS VPN options (200-level content). It assumes familiarity with basic AWS networking concepts such as virtual private clouds (VPCs), virtual private gateways (VGWs), and transit gateways (TGWs). If you are new to AWS VPN, the AWS VPN User Guide provides foundational context. Organizations implementing […]
Optimizing data transfer costs when using AWS Network Load Balancer
Following our previous post, Exploring Data Transfer Costs for AWS Network Load Balancers, this post explores architectural patterns to help optimize these expenses. Understanding inter-zone data transfer costs When network traffic flows across Amazon Web Services (AWS) Availability Zones (AZs), whether from clients to Network Load Balancers (NLBs) or from NLBs to targets, AWS applies […]
Navigating the NGINX Ingress retirement: A practical guide to migration on AWS
The Kubernetes SIG Network and Security Response Committee has announced that Ingress NGINX will be retired in March 2026. If your organization runs workloads on Kubernetes — whether on Amazon Elastic Kubernetes Service (Amazon EKS), self-managed clusters on EC2, or hybrid environments — this upcoming change requires immediate planning and attention. This change impacts approximately […]
Migrate Amazon CloudFront public origins to private VPC origins
Introduction This post demonstrates how to migrate your Amazon CloudFront public origins to Amazon Virtual Private Cloud (Amazon VPC) origins using different strategies. You can also use VPC origins across accounts to support security-first architectures. When designing network architecture for CloudFront workloads, organizations must choose between centralized or distributed models. In a centralized architecture, a […]
Implementing secure file uploads to Amazon S3 at the edge: Choosing the right pattern
Uploading files to Amazon Simple Storage Service (Amazon S3) is a common requirement for modern applications. Although the concept is clear, there are several ways to implement S3 uploads, each with distinct trade-offs in security, user experience, and scalability. Understanding these patterns and their best-fit scenarios is essential for making informed architectural decisions that align […]
Optimizing application performance: The strategic benefits of combining Amazon CloudFront with Application Load Balancers
As organizations scale globally, balancing user experience with operational costs becomes increasingly complex. Integrating Amazon CloudFront with Application Load Balancer (ALB) addresses this challenge: it reduces latency by serving content from over 750 edge locations worldwide, maintains persistent TCP connections between CloudFront and ALB origins, and reduces Data Transfer Out (DTO) expenses through the […]
Implementing ingress geo-restriction with AWS to reduce attack surface
Geo-restriction is a critical security control for blocking traffic from high-risk regions. Learn how to implement geographic filtering using Amazon CloudFront, Route 53, AWS WAF, and AWS Network Firewall—and discover when to use each service for your specific architecture needs.
Scaling AWS VPN maintenance with tunnel endpoint lifecycle automation
Amazon Web Services (AWS) Site-to-Site VPN is a fully managed service that can create a secure connection between your data center or branch office and your AWS resources using IP Security (IPSec) tunnels. A Site-to-Site VPN connection consists of two VPN tunnels for redundancy. As a managed service, Site-to-Site VPN periodically applies updates to your […]
Secure customer resource access in multi-tenant SaaS with Amazon VPC Lattice
In this post, we provide prescriptive guidance for building resilient and scalable multi-tenant Software-as-a-Service (SaaS) network architectures to address common challenges such as managing overlapping IP addresses, complex CIDR planning, and scaling connectivity to thousands of customers. We explore multiple architectural approaches using Amazon VPC Lattice with TCP resources, and conclude with detailed implementation guidance […]