6.3.3. CloudFront Caching and Troubleshooting
š” First Principle: A CloudFront cache miss is equivalent to routing the request all the way to the origin ā which defeats the purpose of having a CDN. Troubleshooting CloudFront is fundamentally about two questions: why is the cache hit rate lower than expected, and why are users seeing incorrect or stale content?
Cache Hit Ratio Optimization:
Low cache hit ratios (CloudFront CacheHitRate metric below ~85% for static content) indicate something is making cache keys unnecessarily unique:
| Cause | Fix |
|---|---|
| Query strings vary per request (session IDs in URL) | Configure cache policy to ignore or remove dynamic query strings |
| Cookies forwarded to origin | Configure cache policy to forward only necessary cookies |
| Too many Vary header values | Control which headers vary the cache key |
| TTL too low | Increase default TTL in cache policy |
| Content changes frequently | Use versioned file names instead of invalidations |
CloudFront X-Cache Header:
Responses from CloudFront include the X-Cache header:
Hit from cloudfrontā served from edge cacheMiss from cloudfrontā cache miss, fetched from originRefreshHit from cloudfrontā expired cache entry refreshedError from cloudfrontā origin returned an error
Common CloudFront Error Scenarios:
| Error | Cause | Fix |
|---|---|---|
| 502 | CloudFront couldn't connect to origin | Check origin health, security groups, ALB listener |
| 503 | Origin returned 503 | Check origin capacity |
| 504 | Origin didn't respond within timeout | Increase CloudFront origin timeout; optimize origin response time |
| Stale content | TTL not expired | Create invalidation; use versioned file names going forward |
| Viewer gets wrong content | Cache key collision | Ensure cache key includes all varying dimensions (headers, cookies, query strings) |
ā ļø Exam Trap: CloudFront invalidations are not instant ā they propagate to all edge locations and typically complete in a few minutes, but not immediately. During the propagation window, some edge locations may still serve stale content. For time-critical updates, the better practice is versioned file names ā app-v2.js instead of overwriting app.js. Viewers always get the latest version because the file name changes, and old versions expire from cache naturally.
Reflection Question: An e-commerce site deployed a CloudFront distribution for their product catalog (images and JSON). The cache hit rate is 12% ā much lower than expected. Investigation shows that each request URL includes a unique session ID as a query string (?session=abc123). What configuration change fixes the low cache hit rate?
