Sunday, June 29, 2025

CloudFront vs. Global Accelerator.

Here is twtech's comparison of Amazon CloudFront and AWS Global Accelerator, covering what each does, how they differ, and when to use each:

 The concept: Amazon CloudFront

A Content Delivery Network (CDN) that caches and distributes static and dynamic web content (like HTML, CSS, JS, images, video) to users around the globe.

✅ Key Features:

  • Caching at edge locations to reduce latency.
  • Supports HTTPS, custom domains, and origin failover.
  • Works closely with S3, EC2, Elastic Load Balancers, and Lambda@Edge.
  • Can serve dynamic content, not just static.

✅ Use Cases:

  • Accelerating websites and APIs.
  • Serving static content from S3.
  • Streaming video.
  • Securing content delivery with signed URLs or headers.

 The concept: AWS Global Accelerator

A network layer accelerator that uses AWS’s global network to improve the availability and performance of twtech global applications (does not cache content).

✅ Key Features:

  • Assigns static anycast IP addresses to your app.
  • Automatically routes traffic through the optimal AWS edge location to the nearest healthy regional endpoint.
  • Improves performance (especially for TCP/UDP apps) and resiliency.

✅ Use Cases:

  • Improving latency and availability of non-HTTP applications (e.g., gaming, VoIP, financial apps).
  • Routing traffic to nearest application endpoint in multi-region deployments.
  • Replacing Route 53 + Load Balancer setups for global apps.

 CloudFront vs. Global Accelerator

| Feature | CloudFront | Global Accelerator |
| --- | --- | --- |
| Type | CDN | Network traffic accelerator |
| Content caching | ✅ Yes | ❌ No |
| Optimized for | HTTP/HTTPS traffic | TCP/UDP traffic |
| Latency improvement | ✅ Yes (via caching) | ✅ Yes (via network optimization) |
| Static IP addresses | ❌ No | ✅ Yes (anycast IPs) |
| Ideal for | Websites, APIs, video, static content | Multiplayer games, VoIP, real-time apps |

 When to Use Each:

  • ✅ Use CloudFront if you are serving web content, APIs, or static files and want to reduce latency with caching.
  • ✅ Use Global Accelerator if you are running a global application that requires low-latency access to regional endpoints (especially for non-HTTP traffic or when static IPs are needed).

Does twtech need both?

Yes:

In some advanced architectures, twtech may use Global Accelerator to route users to the nearest CloudFront distribution or Application Load Balancer for maximum performance and availability.


Project: Hands-on

How twtech creates an S3 bucket to hold files for distribution via a CloudFront distribution.

Create a bucket: twtech-cloudfront-s3

Select and upload some objects (files) into the bucket: twtech-cloudfront-s3

Opening an object URL directly fails because the objects are not publicly readable: Access Denied

How twtech uses CloudFront to make objects in the private bucket accessible without making the bucket itself public.

Search AWS services: CloudFront

NB:

CloudFront is a global service.

Create a CloudFront distribution: twtech-cloudfront-distribution

Assign a name: twtech-cloudfront-distribution

Select Custom domain (optional), or enter a custom domain and check the domain.

Domain: twtechapp.com

Use a twtech custom domain with free HTTPS to provide a secure, friendly URL for the app.

twtech can add a custom domain later if it does not have a Route 53 hosted zone in this account.

Specify origin

Origin: S3 origin

Choose an AWS origin, or enter your origin's domain name.

From:

To: select the bucket location

S3 origin as shown by CloudFront: twtech-cloudfront-s3.s3.us-east-2.amazonaws.com

Proceed with configuration of the CloudFront distribution: twtech-cloudfront-distribution

CloudFront can automatically create a certificate for the following domains: enabled

  *.twtech.click

Create a wildcard certificate. This certificate will be valid for *.twtech.click

Create a wildcard certificate for domain: twtech.click

If custom domain names have been registered, select one: twtech.click

View the certificate created for domain: twtechapp.com

The TLS certificate is issued in the us-east-1 region (N. Virginia), which is the region where CloudFront requires its ACM certificates to live.

Review and create the CloudFront distribution: twtech-cloudfront-distribution

It takes a couple of minutes to be fully deployed:


How twtech updates the S3 bucket policy (twtech-cloudfront-s3) so that the CloudFront distribution can access the bucket.

Select the bucket and click open: twtech-cloudfront-s3

In the bucket (twtech-cloudfront-s3), navigate to the Permissions tab.

Scroll down to Bucket policy and edit it if a policy was not auto-generated.

From:

To:

Delete the entire existing policy and use the policy generated by AWS CloudFront under the origin settings.

Edit: origin

Copy the policy generated by AWS and then cancel the page:

twtech-cloudfront-s3-policy

```json
{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::twtech-cloudfront-s3/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::98xxxx:distribution/E3H6YAxxxxx"
                }
            }
        }
    ]
}
```

How twtech accesses the bucket policy generated by AWS CloudFront under: origin

Navigate to the bucket Permissions tab to edit the bucket policy so that CloudFront can access its objects.

Scroll down and edit Bucket policy:

From:

To: copy and paste the policy generated by AWS under: CloudFront origin

Paste the policy and save changes:




How twtech accesses objects globally in the bucket through the CloudFront distribution: twtech-cloudfront-distribution

Distribution domain name: https://dnhouzyyxxxx1.cloudfront.net

AccessDenied: the distribution root has no object to serve (no default root object is set), so the path of the object must be appended to access it.

twtech accesses an object by appending the object's path to the distribution domain name:

https://dnhouzyyfhnz1.cloudfront.net/pat-atem.jpg

https://dnhouzyyfhnz1.cloudfront.net/Patpaddy3.jpg

NB:

twtech objects are served over TLS with a certificate issued by AWS Certificate Manager (ACM), which supports security governance and compliance requirements.

The connection is secured with a TLS certificate attached to the domain name; it is issued by AWS to encrypt traffic.



NB:

twtech may choose to create a distribution in the test environment without a custom TLS certificate.

However, AWS still redirects HTTP traffic to HTTPS (a secured connection) under the default *.cloudfront.net certificate.

From:

To:

How to use the distribution domain name with the object path to access objects in the bucket.

NB: AWS redirects traffic to HTTPS (secured connection).

https://d1c1iqjz6s0tbi.cloudfront.net/twtech-object-name

https://d1c1iqjz6s0tbi.cloudfront.net/papa.jpg

https://d1c1iqjz6s0tbi.cloudfront.net/pat-atem.jpg

https://d1c1iqjz6s0tbi.cloudfront.net/Patpaddy3.jpg

 


