
Best Practices for Content Delivery using Amazon CloudFront

Nihar Bihani, Principal Product Manager, Amazon Web Services

March 17, 2015

Agenda

Amazon CloudFront: Quick Overview

Best Practices for Whole Website Delivery

Q&A

@cloudfront

Our growing global footprint…

Regions shown on the map: North America, South America, EMEA, APAC

53 POPs in 37 cities, 19 countries and 5 continents

(Map legend: AWS Region; CloudFront Edge Location)

We have been busy building features…

Feature launches (the slide lays these out on a timeline; its month labels are Dec13, Feb14, Mar14, Apr14, May14, Jun14, Jul14, Aug14, Sep14, Oct14, Nov14, Dec14, Jan15, Feb15 and Mar15):

• Second Edge Location in Seoul, Korea

• Smooth Streaming Support

• SSL SNI Support

• HTTP to HTTPS Redirect

• CloudFront Usage Charts

• EDNS-Client-Subnet Support

• Free Tier

• AWS CloudTrail Support

• Device Detection, Geo Targeting, Host Header Forwarding, and CORS Support

• Edge Location in Melbourne

• Advanced SSL features: Session Tickets, OCSP Stapling and Perfect Forward Secrecy

• Support for Wildcard cookies

• OPTIONS caching

• 5 Cache Stat Reports

• Popular Objects Report

• More Timely CloudFront Access Logs

• Price Drop

• Directory path as Origin Name

• Locations, Browsers, OS and Top Referrers

• Signed Cookies

• Smart TV Detection

Amazon CloudFront: What’s New?

http://aws.amazon.com/cloudfront/whats-new/

Amazon CloudFront: Whole Site Delivery

(Diagram labels: Dynamic, Static, Video, User Input, SSL)

A typical web application has…

Static Assets

Dynamic Content

Streaming Media


Static Assets


What are Static Assets?

Content is static: Images, JS, CSS, Fonts, Software

It can be distributed to more than one user

The state of the object doesn't change for seconds, minutes or hours

Caching is a way to serve static content to more than one user

#1. Use Amazon S3 for Static Assets

Free data transfer from Amazon S3 to CloudFront

Decrease load on web server

Highly available & scalable


#2. Control Access to Content on Amazon S3

Origin Access Identity (OAI)

Content can be accessed ONLY via CloudFront

Why use OAI?

• Ensures content is not leaking

• S3 URLs are not being used anywhere

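A check a practitioner would run against this slide's advice, added here rather than taken from the talk: audit an S3 bucket policy and flag any object-read grant whose principal is not a CloudFront Origin Access Identity. The bucket name, the OAI ID and both policies are constructed samples.

```python
import json

# Constructed sample policies (not from the talk). The principal ARN form is the one
# CloudFront uses for an OAI; "EXAMPLEOAIID" and the bucket name are placeholders.
OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
OAI_STATEMENT = {
    "Sid": "AllowOAIRead", "Effect": "Allow",
    "Principal": {"AWS": OAI_PREFIX + "EXAMPLEOAIID"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets-bucket/*",
}
OAI_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [OAI_STATEMENT]})
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    OAI_STATEMENT,
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",  # anyone can bypass CloudFront
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-assets-bucket/*"},
]})


def _principals(principal):
    """Flatten the Principal element: '*', a string, a list, or a {'AWS': ...} map."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, list):
        return principal
    flat = []
    for value in principal.values():
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def audit_bucket_policy(policy_json):
    """Return (Sid, principal) for every Allow statement that grants object reads to a
    principal other than a CloudFront OAI. Any such grant means objects can be fetched
    from S3 directly, bypassing CloudFront's caching and its signed URLs/cookies."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("s3:GetObject", "s3:*", "*") for a in actions):
            continue
        for principal in _principals(stmt.get("Principal", {})):
            if not principal.startswith(OAI_PREFIX):
                findings.append((stmt.get("Sid", "<no Sid>"), principal))
    return findings
```

Object ACLs and policies that name the OAI by its CanonicalUser ID are separate cases this check does not cover; the latter show up as findings and need to be allow-listed.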

#3. Control Access to Content on CloudFront

Amazon CloudFront Private Content (Paid subscribers, premium customers etc.)

Signed URLs or Signed Cookies

When to use?

• Signed URLs: Marketing email

• Signed Cookies: Streaming, whole site authentication

(Diagram: requests without a valid signed URL or signed cookie are shown receiving Access Denied)
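An added illustration, not code from the talk, of what a signed URL and a set of signed cookies carry: the policy JSON, CloudFront's URL-safe base64 variant, and the Expires/Signature/Key-Pair-Id parameters versus the three CloudFront-* cookies. The distribution domain, key pair ID and expiry are constructed, and the RSA signer is replaced by a labelled stand-in so the block runs offline.

```python
import base64
import hashlib
import json

def cloudfront_b64(data):
    """CloudFront's URL-safe base64 alphabet: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return (base64.b64encode(data).decode("ascii")
            .replace("+", "-").replace("=", "_").replace("/", "~"))

def build_policy(resource, expires_at):
    """Policy statement for one resource (a URL, or a wildcard such as
    https://d111111abcdef8.cloudfront.net/videos/*) valid until an epoch time."""
    policy = {"Statement": [{"Resource": resource,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires_at}}}]}
    return json.dumps(policy, separators=(",", ":")).encode("utf-8")  # no whitespace

def decode_policy(encoded):
    """Reverse cloudfront_b64 and parse the policy (handy when inspecting a cookie)."""
    raw = encoded.replace("-", "+").replace("_", "=").replace("~", "/")
    return json.loads(base64.b64decode(raw))

def signed_url(url, expires_at, key_pair_id, signer):
    """Canned-policy signed URL: Expires, Signature and Key-Pair-Id query parameters."""
    signature = cloudfront_b64(signer(build_policy(url, expires_at)))
    joiner = "&" if "?" in url else "?"
    return f"{url}{joiner}Expires={expires_at}&Signature={signature}&Key-Pair-Id={key_pair_id}"

def signed_cookies(resource, expires_at, key_pair_id, signer):
    """Custom-policy signed cookies: the policy itself travels in a cookie, so one set
    of cookies can cover a wildcard resource (a whole site or all streaming segments)."""
    policy = build_policy(resource, expires_at)
    return {"CloudFront-Policy": cloudfront_b64(policy),
            "CloudFront-Signature": cloudfront_b64(signer(policy)),
            "CloudFront-Key-Pair-Id": key_pair_id}

def placeholder_signer(policy_bytes):
    """Stand-in so the example runs offline. CloudFront expects an RSA-SHA1 signature by
    the CloudFront key pair's private key (with the cryptography package:
    key.sign(policy_bytes, padding.PKCS1v15(), hashes.SHA1())). A bare digest is not one."""
    return hashlib.sha1(policy_bytes).digest()

# Constructed values: hypothetical distribution, key pair ID and expiry time.
EXPIRES = 1426723200
URL = signed_url("https://d111111abcdef8.cloudfront.net/promo.mp4", EXPIRES,
                 "APKAEXAMPLE", placeholder_signer)
COOKIES = signed_cookies("https://d111111abcdef8.cloudfront.net/videos/*", EXPIRES,
                         "APKAEXAMPLE", placeholder_signer)
```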

#4. Cache at Every Layer: Browser Caching

Set max-age or expiry date in your headers (e.g. Cache-Control: max-age=3600)

HTML5 application cache

Helps eliminate network latency

But… browser cache size is limited (e.g. IE is 8-50M, Chrome is < 80M, Firefox is 50MB, etc.)

#5. Cache at Every Layer: Edge Caching

Set High TTLs for intermediary caches (e.g. Cache-Control: max-age=3600, s-maxage=86400)

Don’t forward Headers, Query Strings or Cookies

Note: You do need to forward the relevant headers if you’re doing CORS

In other words, use CloudFront defaults

#6. Version Your Objects

Versioning allows for easy updates and rollbacks

Use file name or query string to version; no additional API calls are needed

Set High TTLs on objects that change infrequently

Each version is treated as a unique object in the browser cache

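Content-hash versioning as described on this slide, as an added example (not the talk's own code): the hashed file name changes exactly when the bytes change, so the HTML page can keep a short TTL while the assets it references carry a long one. Paths and asset bytes are constructed.

```python
import hashlib
from pathlib import PurePosixPath

def versioned_name(path, content, digest_len=8):
    """/static/app.css + its bytes -> /static/app.<8 hex>.css. The name changes only
    when the bytes change, so a long TTL on the hashed name is safe: a deploy that
    changes the file also changes the URL, and browsers and edges fetch the new one.
    A rollback republishes the previous bytes, which restores the previous name."""
    p = PurePosixPath(path)
    digest = hashlib.sha256(content).hexdigest()[:digest_len]
    return str(p.with_name(f"{p.stem}.{digest}{p.suffix}"))

def build_manifest(assets):
    """Map each original path to its content-hashed name."""
    return {path: versioned_name(path, data) for path, data in assets.items()}

def rewrite_references(html, manifest):
    """Point src/href attributes at the hashed names. The HTML itself stays at its
    unversioned URL with a short TTL; the hashed assets get a long TTL."""
    for original, hashed in manifest.items():
        html = html.replace(f'"{original}"', f'"{hashed}"')
    return html

# Constructed sample assets and page (not from the talk).
ASSETS = {"/static/app.css": b"body{color:#333}", "/static/app.js": b"console.log(1)"}
PAGE = '<link href="/static/app.css"><script src="/static/app.js"></script>'
```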

Dynamic Content


What is Dynamic Content?

Content unique to every request (Example: /index.php)

Content changes frequently (seconds, minutes), but is NOT unique for every request (Example: weather updates, API, etc.)

Content changes based on the end user request (query string, cookies, headers) (Example: mobile vs. desktop users, search keywords in query string, etc.)

#7. Cache Everything Possible

CloudFront supports TTLs as low as 0 seconds, no-cache, no-store, etc.

Most content can be cached, even if it is for a few seconds

Benefits of setting a low TTL

• CloudFront supports “If-Modified-Since” and “If-None-Match” when the object in the cache has expired

• CloudFront will serve stale content if the origin is unavailable and the object is in cache

• Helps offload your origin

Cache Everything Possible …Cont’d

Top 50 objects: CloudFront Popular Objects Report

Find content that can be cached for any period of time: hours, minutes or seconds

#8. Use Multiple Cache Behaviors

ONLY forward required headers

• Example: don’t forward cookies for /images

Avoid forwarding the User-Agent header

• Instead use the Is-Mobile-Viewer, Is-Tablet-Viewer, Is-Desktop-Viewer, or Is-SmartTV-Viewer header values

Avoid forwarding ALL cookies

• Instead, forward only the select cookies that you use to vary your content

Streaming Media


What is Streaming Media?

Live Streaming (e.g. a concert)

On Demand Streaming (e.g. a recent movie)

Audio Streaming (e.g. podcasts or music)

Typically involves delivering the manifest file, media files, and player


#9. Set The Right TTLs

Manifest File

• Set Low TTL (e.g. 2 seconds)

Media Files

• High TTLs (e.g. 60 seconds)

Media Player

• Static: Store in Amazon S3 and distribute via CloudFront

• Set High TTL (e.g. 24 hours)
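An added example (not from the talk) covering the header advice in #4, #5 and #9: a small Cache-Control resolver that works out how long a browser and a CloudFront edge will each reuse an object, applied to the TTLs recommended above. The minimum-TTL and default-TTL handling follows the CloudFront documentation as I understand it; Expires, the maximum TTL and ETag revalidation are deliberately left out.

```python
def parse_cache_control(value):
    """Split 'max-age=3600, s-maxage=86400' into {'max-age': '3600', 's-maxage': '86400'};
    valueless directives such as no-store map to True."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or True
    return directives

def effective_ttls(headers, min_ttl=0, default_ttl=86400):
    """How long a browser (private cache) and a CloudFront edge (shared cache) reuse
    the object without contacting the origin. browser=None means the response carried
    no explicit freshness lifetime for the browser."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    browser = int(cc["max-age"]) if "max-age" in cc else None
    edge = int(cc["s-maxage"]) if "s-maxage" in cc else browser  # s-maxage wins at the edge
    if any(d in cc for d in ("no-store", "no-cache", "private")):
        browser, edge = 0, 0
    if edge is None:
        edge = default_ttl   # no freshness info: CloudFront applies the behavior's default TTL
    edge = max(edge, min_ttl)  # a minimum TTL > 0 overrides shorter (or zero) lifetimes
    return {"browser": browser, "edge": edge}

# Constructed headers matching the TTLs recommended on the slides.
RECOMMENDED = {
    "manifest": {"Cache-Control": "max-age=2"},
    "segment": {"Cache-Control": "max-age=60"},
    "player": {"Cache-Control": "max-age=86400"},
    "page": {"Cache-Control": "max-age=3600, s-maxage=86400"},  # #5: browser 1h, edge 24h
}

def recommended_ttls():
    """Resolve every recommended header into its browser and edge lifetimes."""
    return {name: effective_ttls(h) for name, h in RECOMMENDED.items()}
```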

#10. Use HTTP Based Streaming Protocols

Use CloudFront Web distributions to deliver multi-bitrate streaming

Use CloudFront with media servers running on Amazon EC2 for live streaming (for high-availability and flexibility)

Use fragmented streaming formats such as Smooth Streaming (native support in CloudFront), HLS, etc.

Don’t forward any headers, cookies, query strings

Use Signed Cookies instead of Signed URLs

Availability Best Practices


#11. Use Monitoring, Alarming & Notifications

Near Real-Time Monitoring & Alarming via CloudWatch

Six Metrics Available

• Requests, Bytes Downloaded, Bytes Uploaded, 4xx Error Rate, 5xx Error Rate, Total Error Rate

• No additional cost for Monitoring

• Set Alarms and Notifications

#12. Always Configure Custom Error Pages

Custom error pages help improve customer experience

Deliver error pages from Amazon S3

Set low error caching minimum TTL (e.g. 15 seconds)


#13. Design for Failure

What happens if the origin fails to respond to CloudFront?

(Diagram: CloudFront in front of the origin)

Design for Failure …Cont’d

With Amazon Route 53 you can health check your origin

Design for Failure …Cont’d

Failures can be detected by Route 53 health checks

(Diagram: CloudFront in front of the origin, with the failed origin detected)

Design for Failure …Cont’d

The traffic shifts to the healthy instances or load balancers instead

(Diagram: CloudFront in front of the healthy origin)

#14. More Caching = Higher Availability

Cache everything possible!

If your origin server is unavailable and you don’t have a backup origin server, or you don’t configure custom error pages…

CloudFront will automatically serve the stale object (if object is in cache), for the duration of error caching minimum TTL


Security Best Practices


#15. Use End-to-End HTTPS

CloudFront supports HTTPS between browser and edge, as well as between edge and origin

Set match-viewer for your Origin protocol policy

Configure HTTP to HTTPS redirect for each cache behavior

(Diagram: full-bridge HTTPS from Browser to Edge to Origin)
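A configuration check covering both #8 (what each cache behavior forwards) and #15 (HTTPS on both legs), added here and not part of the talk: it lints a DistributionConfig document in the shape the CloudFront API uses. The config below is a constructed, deliberately weak sample with placeholder origin and domain names.

```python
# Constructed DistributionConfig excerpt in the shape the CloudFront API uses
# (DefaultCacheBehavior, CacheBehaviors, Origins); IDs and domains are placeholders.
WEAK_CONFIG = {
    "DefaultCacheBehavior": {
        "TargetOriginId": "web-origin",
        "ViewerProtocolPolicy": "allow-all",
        "ForwardedValues": {"QueryString": True,
                            "Cookies": {"Forward": "all"},
                            "Headers": {"Quantity": 1, "Items": ["User-Agent"]}},
    },
    "CacheBehaviors": {"Quantity": 1, "Items": [{
        "PathPattern": "/images/*",
        "TargetOriginId": "web-origin",
        "ViewerProtocolPolicy": "redirect-to-https",
        "ForwardedValues": {"QueryString": False,
                            "Cookies": {"Forward": "none"},
                            "Headers": {"Quantity": 0, "Items": []}},
    }]},
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "web-origin", "DomainName": "origin.example.com",
        "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                               "OriginProtocolPolicy": "http-only"},
    }]},
}

def lint_distribution(config):
    """Flag the settings the slides warn about: forwarding all cookies or User-Agent
    (fragments the cache), plain-HTTP viewers, and HTTP-only edge-to-origin traffic."""
    findings = []
    behaviors = [("default", config["DefaultCacheBehavior"])]
    behaviors += [(b["PathPattern"], b)
                  for b in config.get("CacheBehaviors", {}).get("Items", [])]
    for name, b in behaviors:
        fv = b.get("ForwardedValues", {})
        if fv.get("Cookies", {}).get("Forward") == "all":
            findings.append(f"{name}: forwards all cookies; whitelist only those that vary content")
        if "user-agent" in [h.lower() for h in fv.get("Headers", {}).get("Items", [])]:
            findings.append(f"{name}: forwards User-Agent; use the CloudFront-Is-*-Viewer headers")
        if b.get("ViewerProtocolPolicy") == "allow-all":
            findings.append(f"{name}: allows plain HTTP; use redirect-to-https or https-only")
    for origin in config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")  # S3 origins carry no protocol policy
        if custom and custom.get("OriginProtocolPolicy") == "http-only":
            findings.append(f"origin {origin['Id']}: edge-to-origin is HTTP only; set match-viewer")
    return findings
```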

#16. Use AWS IAM and AWS CloudTrail

Create IAM users to regulate access to the Amazon CloudFront APIs (or console)

Use AWS CloudTrail to record CloudFront API calls history for security analysis, resource change tracking, and compliance auditing

No additional CloudFront cost for using these services


Performance & Cost Best Practices


#17. Multiple Options to Optimize SSL Costs

Use the *.cloudfront.net SSL certificate

Two options for Custom SSL: SNI vs. Dedicated IP

Use CloudFront Reports to identify Browser/OS Version

Seamlessly switch between SSL Options


Optimizing SSL Costs …Cont’d

SSL certificate pricing is per IAM certificate ID

You may associate a single SSL certificate with multiple distributions under the same AWS account

If you have multiple second level domains that you serve over SSL, use a single UCC certificate with all domains listed

For multiple third level domains served over SSL, use a wildcard certificate


#18. Use Price Classes to Optimize Delivery Costs

Price Class

• Price Class All – Use All Edge Locations

• Price Class 200 – Use Edge Locations in US, EU, Asia & Japan

• Price Class 100 – Use Edge Locations in US and EU ONLY

Use the most appropriate Price Class where applicable

• If your end users are primarily in the US & EU

• Use the viewer location report to determine viewer geo distribution

• Switching between Price Classes is seamless

#19. Domain Sharding

Most browsers open a limited number of parallel connections to the same domain

Shard assets over multiple domains; however it’s a balancing act

Use multiple CNAME aliases to serve content from a CloudFront distribution

Use CloudFront Wildcard CNAMEs & Use Wildcard SSL Certificate


#20. Use Route 53 ALIAS Records

Use Amazon Route 53 to route queries to your CloudFront distribution

Why use Route 53 ALIAS records?

• DNS queries to ALIAS records are free of charge

• Unlike CNAMEs, you can create an ALIAS record for your zone apex

• Using an ALIAS record results in fewer DNS lookups when resolving your CNAME to your CloudFront distribution

Analytics Best Practices


#21. Use Reports to Personalize Your Content

Geo-targeting to personalize content for your end users

How can you do that?

• Viewer reports show top countries

• Use CloudFront to detect & forward end users’ country code

#22. Turn On Amazon CloudFront Access Logs

No additional cost for Amazon CloudFront’s logging functionality

Run additional analytics for deep dive into your usage

Request IDs included in the logs can help when working with AWS to debug an issue

Cookies & query strings may be logged even if you choose not to forward these to the origin

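An added example, not from the talk, tying #11 and #22 together: parse a standard CloudFront access log by its #Fields header, compute the same error rates CloudWatch reports plus the cache hit ratio, and list the request IDs whose rows carry a logged cookie value (the data-exposure point in the last bullet). The log excerpt is constructed.

```python
# Constructed CloudFront access-log excerpt (not real traffic). Real logs are
# tab-separated; the rows below are written with spaces and converted to tabs.
_FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
           "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) "
           "x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken")
_ROWS = [
    "2015-03-17 10:00:01 IAD2 1024 203.0.113.5 GET d111111abcdef8.cloudfront.net /images/logo.png 200 - Mozilla/5.0 - - Hit REQID000001 www.example.com https 300 0.002",
    "2015-03-17 10:00:02 IAD2 2048 203.0.113.6 GET d111111abcdef8.cloudfront.net /index.php 200 - Mozilla/5.0 q=weather session=abc123 Miss REQID000002 www.example.com https 400 0.120",
    "2015-03-17 10:00:03 SFO5 512 198.51.100.7 GET d111111abcdef8.cloudfront.net /api/v1/status 503 - curl/7.40 - - Error REQID000003 www.example.com http 200 0.500",
    "2015-03-17 10:00:04 SFO5 300 198.51.100.8 GET d111111abcdef8.cloudfront.net /missing.html 404 - Mozilla/5.0 - - Error REQID000004 www.example.com https 200 0.010",
]
SAMPLE_LOG = ("#Version: 1.0\n#Fields: " + _FIELDS + "\n"
              + "\n".join(r.replace(" ", "\t") for r in _ROWS) + "\n")

def parse_cloudfront_log(text):
    """Name the columns from the #Fields header, so the parser keeps working when
    CloudFront appends new fields. '-' marks an empty field."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def summarize(records):
    """The rates CloudWatch exposes (4xx, 5xx, total error) plus the cache hit ratio,
    and the request IDs whose rows carry a logged cookie value: those log files hold
    session material and need the same access control as the origin."""
    n = len(records)
    s4 = sum(r["sc-status"].startswith("4") for r in records)
    s5 = sum(r["sc-status"].startswith("5") for r in records)
    hits = sum(r["x-edge-result-type"] in ("Hit", "RefreshHit") for r in records)
    return {"requests": n, "4xx_rate": s4 / n, "5xx_rate": s5 / n,
            "error_rate": (s4 + s5) / n, "hit_ratio": hits / n,
            "rows_with_cookies": [r["x-edge-request-id"] for r in records
                                  if r["cs(Cookie)"] != "-"]}

def find_request(records, request_id):
    """Look up one row by x-edge-request-id, the value to quote when asking AWS to trace a request."""
    return next((r for r in records if r["x-edge-request-id"] == request_id), None)
```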

Join our Monthly Office Hour series

Register Here: http://aws.amazon.com/cloudfront/webinars/

Topic                                       Date & Time

March CloudFront Office Hours (Streaming)   3/26/2015 10AM PT

April CloudFront Office Hours (Topic TBD)   4/15/2015 10AM PT

May CloudFront Office Hours (Topic TBD)     5/20/2015 10AM PT

June CloudFront Office Hours (Topic TBD)    6/17/2015 10AM PT

Q & A