6.2.3. CloudFront, Lambda@Edge, and Global Accelerator
First Principle: CloudFront and Global Accelerator both move traffic processing closer to users, but they do it in fundamentally different ways for different traffic types. CloudFront caches HTTP/HTTPS content at edge locations. Global Accelerator routes any TCP/UDP traffic through the AWS network from the nearest edge, without caching. Choosing the wrong service for a workload either doesn't improve performance or adds unnecessary complexity.
CloudFront Core Architecture:
CloudFront Key Configurations:
| Setting | Purpose |
|---|---|
| Cache Policy | Controls what's cached and for how long (TTL, headers, query strings, cookies) |
| Origin Request Policy | Controls what CloudFront forwards to the origin (headers, cookies, query strings) |
| Cache Behavior | Per-path routing rules, e.g., /api/* to ALB, /static/* to S3 |
| OAC (Origin Access Control) | Restricts S3 bucket access to CloudFront only (replaces legacy OAI) |
| Signed URLs/Signed Cookies | Time-limited, user-specific access to protected content |
| Price Class | Which edge locations to use (all, Americas+Europe, Americas+Europe+Asia) |
Cache Invalidation: When you update content at the origin, CloudFront serves the cached (old) version until the TTL expires. Force immediate cache clearing by creating an invalidation (/* for all objects, or specific paths). Invalidations have a cost ($0.005 per 1,000 paths); minimize them by using versioned file names (e.g., app.v3.js) instead of overwriting files.
Lambda@Edge: Runs Lambda functions at CloudFront edge locations; code executes for every request/response without going back to the origin. Four hook points:
| Hook | When It Runs | Use Cases |
|---|---|---|
| Viewer Request | After CloudFront receives request, before cache check | Auth, URL rewriting, A/B testing |
| Origin Request | Before CloudFront forwards to origin (cache miss only) | Add headers, modify request |
| Origin Response | After origin responds, before CloudFront caches | Modify response headers, error handling |
| Viewer Response | Before CloudFront returns to user | Add security headers, modify cookies |
CloudFront Functions (lighter alternative to Lambda@Edge): Run at all 400+ CloudFront edge locations (Lambda@Edge runs at only ~13 regional edge caches), execute in sub-millisecond, cost less, but support only JavaScript and have limited access (no network calls, no file I/O). Use for simple URL rewrites, header manipulation, and JWT validation at the edge.
| Feature | Lambda@Edge | CloudFront Functions |
|---|---|---|
| Languages | Node.js, Python | JavaScript only |
| Execution locations | Regional edge caches (~13) | All edge locations (400+) |
| Max execution time | 5 sec (viewer), 30 sec (origin) | 1 ms |
| Network access | Yes | No |
| Cost | Higher | Lower |
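The "add security headers" use case from the Viewer Response row, as an added example that is not part of the original page: a CloudFront Functions viewer-response handler that attaches baseline security headers without overriding any header the origin already set, plus a small audit helper that reports which baseline headers a response still lacks. The event shape (`event.response.headers` keyed by lowercase header name, each value `{ value: '...' }`) is the CloudFront Functions format; the sample event is constructed for local testing.

```javascript
// Added example, not from the page: CloudFront Functions viewer-response handler.
// Runtime 1.0 is ES5.1-style, so this uses var/function rather than let/const.
var SECURITY_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'content-security-policy': "default-src 'self'; object-src 'none'; frame-ancestors 'none'"
};

function handler(event) {
  var response = event.response;
  var headers = response.headers;
  Object.keys(SECURITY_HEADERS).forEach(function (name) {
    // Leave any value the origin (or an Origin Response hook) already chose.
    if (!headers[name]) {
      headers[name] = { value: SECURITY_HEADERS[name] };
    }
  });
  return response;
}

// Audit helper: which baseline headers does a response still lack?
function missingSecurityHeaders(response) {
  return Object.keys(SECURITY_HEADERS).filter(function (name) {
    return !response.headers[name];
  });
}

// Constructed sample event for local testing; in production CloudFront builds it.
var sampleEvent = {
  version: '1.0',
  context: { eventType: 'viewer-response' },
  request: { method: 'GET', uri: '/static/app.v3.js', headers: {} },
  response: {
    statusCode: 200,
    statusDescription: 'OK',
    headers: {
      'content-type': { value: 'application/javascript' },
      'x-frame-options': { value: 'SAMEORIGIN' } // origin set this; it must survive
    }
  }
};

function runSample() {
  // Deep-copy so repeated calls always start from the same response.
  return handler(JSON.parse(JSON.stringify(sampleEvent)));
}
```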
AWS Global Accelerator:
Global Accelerator provides two static Anycast IP addresses that route traffic to the nearest AWS edge location, then forward it over the AWS private network to your endpoint (ALB, NLB, EC2, or Elastic IP) in the target region.
| Feature | CloudFront | Global Accelerator |
|---|---|---|
| Content caching | Yes | No |
| Protocol support | HTTP/HTTPS | TCP, UDP (any protocol) |
| Static IP | No (uses DNS) | Yes, two static Anycast IPs |
| Health check + failover | Via origin health checks | Yes, built-in, 30-second detection |
| Gaming / IoT / VoIP | Not ideal | Ideal |
Use CloudFront for cacheable web content. Use Global Accelerator for non-HTTP traffic, applications needing static IPs for whitelisting, or when you need sub-second failover between regions.
Exam Trap: Global Accelerator does not cache content; it only improves routing by using the AWS backbone instead of the public internet. If a question describes slow image loading for global users, the answer is CloudFront (caches images at the edge). If a question describes a gaming application needing low-latency UDP connections from global players to a server in us-east-1, the answer is Global Accelerator (routes UDP traffic, no caching involved).
Reflection Question: A video streaming company serves HLS video segments (.ts files) from S3 to global viewers. Peak traffic causes high egress costs and buffering for users in Asia. What service reduces both cost and latency, what configuration restricts S3 access to only that service, and how do you force cache refresh when a video segment is re-encoded?