Amazon CloudFront Infrastructure
The Amazon CloudFront Global Edge Network
To deliver content to end users with lower latency, Amazon CloudFront uses a global network of 220+ Points of Presence (210+ Edge Locations and 12 Regional Edge Caches) in 88 cities across 45 countries. Amazon CloudFront Edge locations are located in:
Edge locations: Ashburn, VA (6); Atlanta, GA (6); Boston, MA (3); Chicago, IL (6); Dallas/Fort Worth, TX (6); Denver, CO (2); Hayward, CA; Hillsboro, OR (3); Houston, TX (4); Jacksonville, FL; Los Angeles, CA (5); Miami, FL (4); Minneapolis, MN; Montreal, QC; New York, NY (2); Newark, NJ (7); Palo Alto, CA; Philadelphia, PA (2); Phoenix, AZ (2); Salt Lake City, Utah; San Jose, CA (2); Seattle, WA (3); Toronto, ON (2); Vancouver, BC ; Querétaro, MX (2)
Regional Edge caches: Virginia; Ohio; Oregon
Edge locations: Amsterdam, The Netherlands (2); Athens, Greece; Berlin, Germany (2); Brussels, Belgium; Bucharest, Romania; Budapest, Hungary; Copenhagen, Denmark; Dublin, Ireland; Dusseldorf, Germany; Frankfurt, Germany (10); Hamburg, Germany; Helsinki, Finland; Lisbon, Portugal; London, England (9); Madrid, Spain (3); Manchester, England (2); Marseille, France; Milan, Italy (3); Munich, Germany (2); Oslo, Norway; Palermo, Italy; Paris, France (5); Prague, Czech Republic; Rome, Italy; Sofia, Bulgaria; Stockholm, Sweden (3); Vienna, Austria; Warsaw, Poland; Zurich, Switzerland (2)
Regional Edge caches: Dublin, Ireland; Frankfurt, Germany; London, England
Edge locations: Bangalore, India (3); Bangkok, Thailand (2); Chennai, India (2); Hong Kong, China (3); Hyderabad, India (4); Kolkata, India; Kuala Lumpur, Malaysia (2); Mumbai, India (3); Manila, Philippines; New Delhi, India (4); Osaka, Japan; Seoul, South Korea (4); Singapore (4); Taipei, Taiwan(3); Tokyo, Japan (16)
Regional Edge caches: Mumbai, India; Singapore; Seoul, South Korea; Tokyo, Japan
Edge locations: Auckland, NZ (2); Melbourne, AU (2); Perth, AU; Sydney, AU (4);
Regional Edge caches: Sydney
Edge locations: Bogota, Colombia; Buenos Aires, Argentina; Rio de Janeiro, Brazil (2); Santiago, Chile; São Paulo, Brazil (2)
Regional Edge caches: São Paulo, Brazil
Edge location: Dubai, United Arab Emirates; Fujairah, United Arab Emirates; Manama, Bahrain; Tel Aviv, Israel
Edge locations: Cape Town, South Africa; Johannesburg, South Africa; Nairobi, Kenya
Edge locations: Beijing; Shenzhen; Shanghai; Zhongwei
Protection against Network and Application Layer Attacks
Amazon CloudFront, AWS Shield, AWS Web Application Firewall (WAF), and Amazon Route 53 work seamlessly together to create a flexible, layered security perimeter against multiple types of attacks including network and application layer DDoS attacks. All of these services are co-resident at the AWS edge and provide a scalable, reliable, and high-performance security perimeter for your applications and content. With CloudFront as the “front door” to your application and infrastructure, you are moving the primary attack surface away from your critical content, data, code and infrastructure. Learn more about AWS Best Practices for DDoS Resiliency.
SSL/TLS Encryptions and HTTPS
With Amazon CloudFront, you can deliver your content, APIs or applications via SSL/TLS, and advanced SSL features are enabled automatically. You can use AWS Certificate Manager (ACM) to easily create a custom SSL certificate and deploy to your CloudFront distribution for free. ACM automatically handles certificate renewal, eliminating the overhead and costs of a manual renewal process. Additionally, CloudFront provides a number of SSL optimizations and advanced capabilities such as full/half bridge HTTPS connections, OCSP stapling, Session Tickets, Perfect Forward Secrecy, TLS Protocol Enforcements and Field-Level Encryption.
With Amazon CloudFront, you can restrict access to your content through a number of capabilities. With Signed URLs and Signed Cookies, you can support Token Authentication to restrict access to only authenticated viewers. Through geo-restriction capability, you can prevent users in specific geographic locations from accessing content that you're distributing through CloudFront. With Origin Access Identity (OAI) feature, you can restrict access to an Amazon S3 bucket to only be accessible from CloudFront. Learn more.
CloudFront infrastructure and processes are all compliant with PCI-DSS Level 1, HIPAA, and ISO 9001, ISO 27001, SOC (1, 2 and 3) to ensure secure delivery of your most sensitive data.
Increase application availability
Web applications often need to contend with spikes in traffic during peak periods of activity. By using Amazon CloudFront, you can cache your content in CloudFront’s edge locations worldwide and reduce the workload on your origin by only fetching content from your origin when needed. This reduced workload on your origin helps you increase the availability of your application.
Enabling redundancy for origins
CloudFront also allows you to set up multiple origins to enable redundancy in your backend architecture. You can use CloudFront’s native origin failover capability to automatically serve your content from a backup origin when your primary origin is unavailable. The origins you set up with origin failover can be any combination of AWS origins like EC2 instances, Amazon S3 buckets, or Media Services, or non-AWS origins like an on-premises HTTP server.
Network optimizations for optimal performance
Amazon CloudFront is continuously measuring internet connectivity, performance and computing to find the best way to route requests to our network; taking into account performance, load, operational status, and other factors to deliver the best experience in real-time. Amazon CloudFront is also running on the AWS global network backbone, that allows for efficient transmission of requests between the CloudFront Edge locations and otherAWS services, across regions and applications. Network-layer optimizations such as TCP fast open, request collapsing, keep-alive connections and much more, enable the Amazon CDN to accelerate both static and dynamic content for improved user performance.
Dynamic or static content
Modern websites and applications are a rich mixture of dynamic, personalized and static content. Microservices also expose increasing numbers of APIs and requests between components. Amazon CloudFront is optimized for both, providing extensive flexibility for optimizing cache behavior, coupled with network-layer optimizations for latency and throughput. CloudFront supports the WebSocket protocol as well as the HTTP protocol with the following HTTP methods: GET, HEAD, POST, PUT, DELETE, OPTIONS, and PATCH. This means you can improve the performance of dynamic websites that have web forms, comment and login boxes, “add to cart” buttons, WebSocket-based applications, or other features that upload data from end users. It also means you can now use a single domain name to deliver your whole website through CloudFront thereby accelerating both the download and upload parts of your website.
Large libraries and media assets
As the global network infrastructure has grown and improved, cache retention has emerged as a key contributor to performance. The content delivery network (CDN) is architected to keep objects longer in cache and to reduce cache churn. Techniques like tiered caching and de-duplication optimization of objects in cache help maximize cache retention.
Programmable and DevOps Friendly
Full-featured APIs and DevOps Tools
Amazon CloudFront provides developers with a full-featured API to create, configure and maintain your CloudFront distributions. In addition, developers have access to a number of tools such as AWS CloudFormation, CodeDeploy, CodeCommit and AWS SDKs to configure and deploy their workloads with Amazon CloudFront.
Your CloudFront Distribution can be configured with multiple behaviors which govern how CloudFront will process your request and what features will be applied. Take control of how CloudFront caches, how CloudFront communicates with your origin, customize what headers and metadata are forwarded to your origin, create content variants with flexible cache-key manipulation, support for various compression modes, and other customizations. With built-in device detection, CloudFront can detect the device type (Desktop, Tablet, Smart TV, or Mobile device) and pass that information in the form of new HTTP Headers to your application to easily adapt content variants or other responses. Amazon CloudFront can also detect the country-level location of the requesting user for further customization of the response.
Lambda@Edge helps web developers, mobile developers and Amazon CloudFront customers run their code closer to their users. Using Lambda@Edge allows you to respond to requests at the lowest latency across AWS locations globally. For web or mobile requests, the compute request from your users can be delivered closer to them, improving their overall experience. You pay only for the compute time you use. There is no charge when your code is not running. Learn more. >>
Pay-as-you-go publicly available pricing and committed-traffic private pricing
With Amazon CloudFront pay-as-you-go pricing, you pay only for what you use. There is no minimum fee. For customers who are willing to make certain minimum traffic commitments, we also offer private committed pricing.
Learn more about Amazon CloudFront pricing.
Free data Transfer between AWS cloud services and Amazon CloudFront for origin fetches
If you use AWS origins such as Amazon S3, Amazon EC2 or Elastic Load Balancing, you don’t pay for any data transferred from your origin to CloudFront Edge locations (this type of data transfer is known as origin fetch).
To learn more about all Amazon CloudFront features and how to configure them, please refer to the Amazon CloudFront Developer Guide.
As part of the AWS Free Usage Tier, you can get started with Amazon CloudFront for free. Upon sign-up, new AWS customers receive 50 GB Data Transfer Out and 2,000,000 HTTP and HTTPS Requests each month for one year.
Instantly get access to the AWS Free Tier.
Follow our Getting Started Guide to start your first Amazon CloudFront distribution in a few clicks.