Best Practices for Content Delivery using Amazon CloudFront
Nihar Bihani, Principal Product Manager, Amazon Web Services
March 17, 2015
Our growing global footprint…
53 POPs (edge locations) in 37 cities, 19 countries and 5 continents, across North America, South America, EMEA and APAC
(Map: AWS Regions and CloudFront Edge Locations)
@cloudfront
We have been busy building features… (timeline, Dec 2013 to Mar 2015)
• Second Edge Location in Seoul, Korea
• Smooth Streaming Support
• SSL SNI Support
• HTTP to HTTPS Redirect
• CloudFront Usage Charts
• EDNS-Client-Subnet Support
• Free Tier
• AWS CloudTrail Support
• Device Detection, Geo Targeting, Host Header Forwarding, and CORS Support
• Edge Location in Melbourne
• Advanced SSL features: Session Tickets, OCSP Stapling and Perfect Forward Secrecy
• Support for Wildcard cookies
• OPTIONS caching
• 5 Cache Stat Reports
• Popular Objects Report
• More Timely CloudFront Access Logs
• Price Drop
• Directory path as Origin Name
• Locations, Browsers, OS and Top Referrers reports
• Signed Cookies
• Smart TV Detection
Amazon CloudFront: What’s New?
http://aws.amazon.com/cloudfront/whats-new/
What are Static Assets?
Content is static: Images, JS, CSS, Fonts, Software
It can be distributed to more than one user
The object does not change for some period: seconds, minutes, hours, …
Caching is a way to serve static content to more than one user
#1. Use Amazon S3 for Static Assets
Free data transfer from Amazon S3 to CloudFront
Decrease load on web server
Highly available & scalable
#2. Control Access to Content on Amazon S3
Origin Access Identity (OAI): a special CloudFront user; the bucket policy grants read access to that identity only
Content can be accessed ONLY via CloudFront
Why use OAI?
• Ensures content is not leaking
• Direct S3 URLs cannot be used anywhere, so signed URLs or signed cookies on the distribution cannot be bypassed
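The bucket policy that makes "ONLY via CloudFront" true, as an added example (not code from the deck): it grants s3:GetObject to the OAI principal alone, and a small checker flags any Allow statement that would hand object reads to everyone. The bucket name and OAI id are constructed placeholders.

```python
"""S3 bucket policy that restricts reads to one CloudFront Origin Access
Identity, plus a check for statements that would let the S3 URL bypass
CloudFront.  Added example, not code from the deck; the bucket name and OAI id
are constructed placeholders."""
import json
from typing import List


def oai_principal(oai_id: str) -> str:
    # documented ARN form for an OAI principal in a bucket policy
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Grant s3:GetObject on the bucket's objects to the OAI and to nobody else.
    No s3:ListBucket: CloudFront only fetches objects it is asked for."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": oai_principal(oai_id)},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_read_statements(policy: dict) -> List[str]:
    """Sids of Allow statements that grant object reads to everyone.  Any such
    statement lets a direct S3 URL bypass CloudFront, and with it signed URLs,
    signed cookies and the access logs; that is the leak OAI exists to close."""
    leaks = []
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        reads = any(a in ("*", "s3:*", "s3:Get*", "s3:GetObject") for a in actions)
        if st.get("Effect") == "Allow" and reads and _is_anonymous(st.get("Principal")):
            leaks.append(st.get("Sid", f"statement[{i}]"))
    return leaks


if __name__ == "__main__":
    print(json.dumps(oai_bucket_policy("example-static-assets", "E2QWRUHAPOMQZL"), indent=2))
```

The checker only reads the bucket policy; a public-read object ACL is a separate path to the same leak, so audit ACLs as well when you roll out an OAI.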
#3. Control Access to Content on CloudFront
Amazon CloudFront Private Content (paid subscribers, premium customers etc.)
Signed URLs or Signed Cookies
When to use?
• Signed URLs: individual files, e.g. a download link in a marketing email
• Signed Cookies: many files under one policy, e.g. streaming, whole site authentication
Requests without a valid signature, or after the policy's expiry time, receive Access Denied (HTTP 403)
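How a signed URL and a set of signed cookies are built, as an added example (not code from the deck): the custom policy JSON, CloudFront's base64 variant, the three query parameters and the three cookie names. The signer is injected; in production it must produce an RSA-SHA1 (PKCS#1 v1.5) signature with the private key of your CloudFront key pair, and the demo_sign stand-in below produces no valid signature. The domain, key-pair id and expiry times are constructed. The wildcard resource form shown for cookies is the one the streaming advice later in the deck relies on.

```python
"""CloudFront signed URLs and signed cookies with a custom policy.
Added example, not code from the deck.  The signer is injected: in production
it must compute an RSA-SHA1 (PKCS#1 v1.5) signature with the private key of a
CloudFront key pair; demo_sign below is a stand-in so the block runs offline
and produces NO valid signature.  Domain, key-pair id and times are constructed."""
import base64
import hashlib
import json
from typing import Callable, Dict, Optional

Signer = Callable[[bytes], bytes]
_TO_CF = str.maketrans("+=/", "-_~")
_FROM_CF = str.maketrans("-_~", "+=/")


def cf_b64(data: bytes) -> str:
    """CloudFront's base64 variant: '+' -> '-', '=' -> '_', '/' -> '~' (URL and cookie safe)."""
    return base64.b64encode(data).decode().translate(_TO_CF)


def cf_b64_decode(text: str) -> bytes:
    return base64.b64decode(text.translate(_FROM_CF))


def custom_policy(resource: str, expires: int, source_ip: Optional[str] = None,
                  not_before: Optional[int] = None) -> bytes:
    """Policy document.  Resource may end in '*' (e.g. https://host/movies/*) so one
    policy covers a whole directory: that is why cookies suit streaming and
    whole-site authentication, where a URL per file is impractical."""
    cond: Dict[str, dict] = {"DateLessThan": {"AWS:EpochTime": expires}}
    if not_before is not None:
        cond["DateGreaterThan"] = {"AWS:EpochTime": not_before}
    if source_ip:
        cond["IpAddress"] = {"AWS:SourceIp": source_ip}
    policy = {"Statement": [{"Resource": resource, "Condition": cond}]}
    return json.dumps(policy, separators=(",", ":")).encode()   # no whitespace allowed


def signed_url(url: str, expires: int, key_pair_id: str, sign: Signer,
               source_ip: Optional[str] = None) -> str:
    """Append Policy, Signature and Key-Pair-Id to a single object URL."""
    policy = custom_policy(url, expires, source_ip)
    params = [("Policy", cf_b64(policy)),
              ("Signature", cf_b64(sign(policy))),
              ("Key-Pair-Id", key_pair_id)]
    return url + ("&" if "?" in url else "?") + "&".join(f"{k}={v}" for k, v in params)


def signed_cookies(resource: str, expires: int, key_pair_id: str, sign: Signer,
                   source_ip: Optional[str] = None) -> Dict[str, str]:
    """Cookie values to set (with Secure and HttpOnly, scoped to the distribution's domain)."""
    policy = custom_policy(resource, expires, source_ip)
    return {"CloudFront-Policy": cf_b64(policy),
            "CloudFront-Signature": cf_b64(sign(policy)),
            "CloudFront-Key-Pair-Id": key_pair_id}


def demo_sign(data: bytes) -> bytes:
    """STAND-IN ONLY: a hash is not a signature.  Replace with RSA-SHA1 over `data`."""
    return hashlib.sha1(data).digest()


if __name__ == "__main__":
    print(signed_url("https://d111111abcdef8.cloudfront.net/report.pdf", 1700000000, "APKAEXAMPLE", demo_sign))
    print(signed_cookies("https://d111111abcdef8.cloudfront.net/movies/*", 1700000000, "APKAEXAMPLE", demo_sign))
```

Keep expiry short (minutes for a download link, the length of a session for cookies) and add the IpAddress condition where the viewer's address is stable; a leaked signed URL is valid for everyone until it expires.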
#4. Cache at Every Layer: Browser Caching
Set max-age or an expiry date in your headers (e.g. Cache-Control: max-age=3600)
HTML5 application cache
Helps eliminate network latency
But… browser cache size is limited (e.g. IE is 8-50 MB, Chrome is < 80 MB, Firefox is 50 MB, etc.)
#5. Cache at Every Layer: Edge Caching
Set high TTLs for intermediary caches (e.g. Cache-Control: max-age=3600, s-maxage=86400; CloudFront honours s-maxage over max-age, browsers ignore s-maxage)
Don't forward headers, query strings or cookies unless the origin varies its response on them: each forwarded value becomes part of the cache key and fragments the cache
Note: you do need to forward the relevant headers if you're doing CORS (at minimum Origin, plus Access-Control-Request-Method and Access-Control-Request-Headers for preflight requests)
In other words, use CloudFront defaults
#6. Version Your Objects
Versioning allows for easy updates and roll backs
Use file name or query string to version; no additional API calls are needed
Set High TTLs on objects that change infrequently
Each version is treated as a unique object in the browser cache
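The header and naming rules from #4 to #6 in one place, as an added example (not code from the deck): content-hash versioned file names, the split max-age / s-maxage header for unversioned entry points, a long TTL for versioned objects, and a small Cache-Control evaluator showing how many seconds a browser versus a shared cache would actually keep each response. File paths and contents are constructed.

```python
"""Cache-Control for browser vs. edge caches, and content-hash versioned file
names for static assets.  Added example, not code from the deck; paths and
file contents are constructed."""
import hashlib
import posixpath

BROWSER_TTL = 3600      # max-age: used by the browser (and by the edge when no s-maxage)
EDGE_TTL = 86400        # s-maxage: used by CloudFront / shared caches only
ONE_YEAR = 31536000


def content_tag(content: bytes) -> str:
    """Short content hash: any change to the bytes changes the tag, hence the URL."""
    return hashlib.sha256(content).hexdigest()[:8]


def versioned_name(path: str, content: bytes) -> str:
    """static/js/app.js -> static/js/app.<tag>.js.  A new version is a new URL, so
    browsers and edges see a new object and no invalidation is needed."""
    head, tail = posixpath.split(path)
    stem, ext = posixpath.splitext(tail)
    return posixpath.join(head, f"{stem}.{content_tag(content)}{ext}")


def cache_control(path: str, is_versioned: bool) -> str:
    """Versioned URLs never change content, so every cache may keep them for a
    year.  Unversioned entry points (index.html) get the deck's split TTLs: a
    deploy reaches browsers within an hour and the edge within a day."""
    if is_versioned:
        return f"public, max-age={ONE_YEAR}"
    return f"public, max-age={BROWSER_TTL}, s-maxage={EDGE_TTL}"


def ttl_for_cache(header: str, shared: bool) -> int:
    """Seconds a cache may reuse the response without revalidating.
    Shared caches prefer s-maxage over max-age and must not store 'private';
    browsers ignore s-maxage entirely."""
    directives = {}
    for d in header.split(","):
        k, _, v = d.strip().partition("=")
        directives[k.lower()] = v
    if "no-store" in directives or "no-cache" in directives:
        return 0
    if shared and "private" in directives:
        return 0
    if shared and directives.get("s-maxage", "").isdigit():
        return int(directives["s-maxage"])
    if directives.get("max-age", "").isdigit():
        return int(directives["max-age"])
    return 0


if __name__ == "__main__":
    js = b"console.log('hello');"
    name = versioned_name("static/js/app.js", js)
    print(name, cache_control(name, True))
    print("index.html", cache_control("index.html", False))
```

Only the entry point that references the versioned names needs a short browser TTL; everything it points at can be cached for as long as the caches will hold it.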
What is Dynamic Content?
Content unique to every request (Example: /index.php)
Content changes frequently (seconds, minutes), but is NOT unique for every request (Example: weather updates, API, etc.)
Content changes based on the end user's request (query string, cookies, headers) (Example: mobile vs. desktop users, search keywords in query string, etc.)
#7. Cache Everything Possible
CloudFront supports TTLs as low as 0 seconds, no-cache, no-store, etc.
Most content can be cached, even if it is for a few seconds
Benefits of setting a low TTL
• When a cached object has expired, CloudFront revalidates it with a conditional request (If-Modified-Since / If-None-Match); an origin that answers 304 Not Modified saves the body transfer and refreshes the TTL
• CloudFront will serve the stale object if the origin is unavailable and the object is still in the cache
• Helps you offload your origin
Cache Everything Possible.. Cont'd
Top 50 objects: CloudFront Popular Objects Report
Find content that can be cached for any period of time: hours, minutes or seconds
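The origin-side half of the conditional-request story in #7, as an added example (not code from the deck): the origin answers If-None-Match / If-Modified-Since with 304, and a toy edge cache shows the Miss, Hit, RefreshHit sequence on expiry and stale-on-error behaviour when the origin returns 5xx. The object table, clock and header values are constructed; the result-type names follow CloudFront's log vocabulary except "Stale", which is this model's own label.

```python
"""Conditional requests at the origin (If-None-Match / If-Modified-Since) and a
minimal model of an edge cache that revalidates expired objects and serves
stale content when the origin fails.  Added example, not code from the deck;
the origin objects, clock and request headers are constructed."""
from email.utils import formatdate, parsedate_to_datetime
import hashlib
import re
import time
from typing import Callable, Dict, Tuple

ORIGIN_OBJECTS = {"/api/weather": (b'{"temp":21}', 1700000000)}  # path -> (body, mtime)
ORIGIN_UP = {"up": True}   # flip to False to simulate an outage


def etag_for(body: bytes) -> str:
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


def origin(path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Returns (status, headers, body).  A 304 still carries Cache-Control so the
    edge can extend the object's TTL without downloading the body again."""
    if not ORIGIN_UP["up"]:
        return 503, {}, b""
    if path not in ORIGIN_OBJECTS:
        return 404, {"Cache-Control": "max-age=5"}, b"not found"
    body, mtime = ORIGIN_OBJECTS[path]
    etag = etag_for(body)
    hdrs = {"ETag": etag, "Last-Modified": formatdate(mtime, usegmt=True),
            "Cache-Control": "max-age=10"}        # low TTL, but still worth caching
    inm = headers.get("If-None-Match")
    if inm is not None:
        tags = [t.strip() for t in inm.split(",")]
        if "*" in tags or etag in tags or "W/" + etag in tags:   # weak comparison
            return 304, hdrs, b""
    elif "If-Modified-Since" in headers:
        try:
            since = parsedate_to_datetime(headers["If-Modified-Since"]).timestamp()
        except (TypeError, ValueError):
            since = None                      # unparsable date: ignore the precondition
        if since is not None and mtime <= since:
            return 304, hdrs, b""
    return 200, hdrs, body


class Edge:
    """Toy edge cache: Hit while fresh, conditional refetch when expired, stale on 5xx."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.cache: Dict[str, dict] = {}
        self.clock = clock

    @staticmethod
    def _ttl(hdrs: Dict[str, str]) -> int:
        m = re.search(r"max-age=(\d+)", hdrs.get("Cache-Control", ""))
        return int(m.group(1)) if m else 0

    def get(self, path: str) -> Tuple[int, bytes, str]:
        now = self.clock()
        entry = self.cache.get(path)
        if entry and now < entry["expires"]:
            return 200, entry["body"], "Hit"
        cond = {}
        if entry:   # expired: ask the origin whether the object changed
            cond = {"If-None-Match": entry["headers"]["ETag"],
                    "If-Modified-Since": entry["headers"]["Last-Modified"]}
        status, hdrs, body = origin(path, cond)
        if status == 304 and entry:
            entry["expires"] = now + self._ttl(hdrs)
            return 200, entry["body"], "RefreshHit"
        if status == 200:
            self.cache[path] = {"body": body, "headers": hdrs, "expires": now + self._ttl(hdrs)}
            return 200, body, "Miss"
        if status >= 500 and entry:
            return 200, entry["body"], "Stale"   # origin down: serve what we have (model's own label)
        return status, body, "Error"
```

If the origin's framework strips ETag or Last-Modified (common behind compression or templating layers), every expiry becomes a full fetch; check a raw response from the origin before trusting the low-TTL strategy.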
#8. Use Multiple Cache Behaviors
ONLY forward required headers
• Example: don't forward cookies for /images
Avoid forwarding the User-Agent header (it has thousands of distinct values, so it fragments the cache)
• Instead forward the CloudFront-Is-Mobile-Viewer, CloudFront-Is-Tablet-Viewer, CloudFront-Is-Desktop-Viewer or CloudFront-Is-SmartTV-Viewer headers, which CloudFront sets to true/false at the edge
Avoid forwarding ALL cookies
• Instead, forward only the select cookies that you use to vary your content
What is Streaming Media?
Live Streaming (e.g. a concert)
On Demand Streaming (e.g. a recent movie)
Audio Streaming (e.g. podcasts or music)
Typically involves delivering the manifest file, media files, and player
#9. Set The Right TTLs
Manifest File
• Set Low TTL (e.g. 2 seconds)
Media Files (segments)
• High TTLs (e.g. 60 seconds)
Media Player
• Static: Store in Amazon S3 and distribute via CloudFront
• Set High TTL (e.g. 24 hours)
#10. Use HTTP Based Streaming Protocols
Use CloudFront Web distributions to deliver multi-bitrate streaming
Use CloudFront with media servers running on Amazon EC2 for live streaming (for high-availability and flexibility)
Use Fragmented streaming formats such as Smooth Streaming (native support in CloudFront), HLS, etc.
Don’t forward any headers, cookies, query strings
Use Signed Cookies instead of Signed URLs
#11. Use Monitoring, Alarming & Notifications
Near Real-Time Monitoring & Alarming via CloudWatch
Six Metrics Available
• Requests, Bytes Downloaded, Bytes Uploaded, 4xx Error Rate, 5xx Error Rate, Total Error Rate
• No additional cost for Monitoring
• Set Alarms and Notifications
#12. Always Configure Custom Error Pages
Custom error pages help improve customer experience
Deliver error pages from Amazon S3
Set low error caching minimum TTL (e.g. 15 seconds)
#13. Design for Failure
What happens if the origin fails to respond to CloudFront?
(Figure: CloudFront edge in front of the origin instances)
Design for Failure …Cont’d
Failures can be detected by Route 53 health checks
Design for Failure …Cont’d
The traffic shifts to the healthy instances or load balancers instead
#14. More Caching = Higher Availability
Cache everything possible!
If your origin server is unavailable and you don’t have a backup origin server, or you don’t configure custom error pages…
CloudFront will automatically serve the stale object (if object is in cache), for the duration of error caching minimum TTL
#15. Use End-to-End HTTPS
CloudFront supports HTTPS between browser and edge, as well as between edge and origin
Set match-viewer (or https-only) for your Origin protocol policy, so the edge-to-origin hop uses HTTPS whenever the viewer did
Configure HTTP to HTTPS redirect (viewer protocol policy: Redirect HTTP to HTTPS) for each cache behavior
(Figure: Browser to Edge to Origin, "Full-Bridge" HTTPS on both hops)
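A configuration audit that ties #2, #5, #8 and #15 together, as an added example (not code from the deck): it walks a CloudFront DistributionConfig (the structure the GetDistributionConfig API returns) and reports origins without an OAI, http-only origin policies, allow-all viewer policies, cookies forwarded wholesale, User-Agent or all-headers forwarding, and logging turned off. The two configurations at the bottom, one weak and one hardened, are constructed; the origin domains, OAI id and log bucket are placeholders.

```python
"""Audit a CloudFront DistributionConfig against the deck's forwarding and
HTTPS advice.  Added example, not code from the deck; the two configurations
at the bottom are constructed and their names are placeholders."""
from typing import List, Tuple

Finding = Tuple[str, str, str]          # (where, rule, advice)
VIEWER_HEADERS = ("CloudFront-Is-Mobile-Viewer", "CloudFront-Is-Tablet-Viewer",
                  "CloudFront-Is-Desktop-Viewer", "CloudFront-Is-SmartTV-Viewer")


def audit_behavior(label: str, b: dict) -> List[Finding]:
    findings = []
    if b.get("ViewerProtocolPolicy", "allow-all") == "allow-all":
        findings.append((label, "viewer-https", "set ViewerProtocolPolicy to redirect-to-https or https-only"))
    fv = b.get("ForwardedValues", {})
    if fv.get("Cookies", {}).get("Forward", "none") == "all":
        findings.append((label, "cookies-all", "whitelist only the cookies the origin varies on"))
    headers = {h.lower() for h in fv.get("Headers", {}).get("Items", [])}
    if "*" in headers:
        findings.append((label, "headers-all", "forwarding every header disables caching"))
    if "user-agent" in headers:
        findings.append((label, "user-agent", "forward " + ", ".join(VIEWER_HEADERS) + " instead"))
    return findings


def audit_distribution(cfg: dict) -> List[Finding]:
    findings: List[Finding] = []
    for o in cfg.get("Origins", {}).get("Items", []):
        oid = o.get("Id", "?")
        if "S3OriginConfig" in o and not o["S3OriginConfig"].get("OriginAccessIdentity"):
            findings.append((oid, "no-oai", "S3 origin is readable without CloudFront; attach an OAI"))
        if o.get("CustomOriginConfig", {}).get("OriginProtocolPolicy") == "http-only":
            findings.append((oid, "origin-https", "set OriginProtocolPolicy to match-viewer or https-only"))
    findings += audit_behavior("default", cfg.get("DefaultCacheBehavior", {}))
    for b in cfg.get("CacheBehaviors", {}).get("Items", []):
        findings += audit_behavior(b.get("PathPattern", "?"), b)
    if not cfg.get("Logging", {}).get("Enabled"):
        findings.append(("distribution", "logging-off", "enable access logging"))
    return findings


def forwarded_values(cookies="none", names=(), headers=()) -> dict:
    fv = {"QueryString": False, "Cookies": {"Forward": cookies},
          "Headers": {"Quantity": len(headers), "Items": list(headers)}}
    if cookies == "whitelist":
        fv["Cookies"]["WhitelistedNames"] = {"Quantity": len(names), "Items": list(names)}
    return fv


WEAK = {   # constructed: every rule above fires
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "assets", "DomainName": "example-static-assets.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
        {"Id": "web", "DomainName": "origin.example.com",
         "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "http-only"}}]},
    "DefaultCacheBehavior": {"TargetOriginId": "web", "ViewerProtocolPolicy": "allow-all",
                             "ForwardedValues": forwarded_values("all", headers=["User-Agent"]), "MinTTL": 0},
    "CacheBehaviors": {"Quantity": 0, "Items": []},
    "Logging": {"Enabled": False, "Bucket": "", "Prefix": ""},
}

HARDENED = {   # constructed: the deck's recommendations applied
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "assets", "DomainName": "example-static-assets.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/E2QWRUHAPOMQZL"}},
        {"Id": "web", "DomainName": "origin.example.com",
         "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "match-viewer"}}]},
    "DefaultCacheBehavior": {"TargetOriginId": "web", "ViewerProtocolPolicy": "redirect-to-https",
                             "ForwardedValues": forwarded_values("whitelist", ["session"],
                                                                 ["CloudFront-Is-Mobile-Viewer"]), "MinTTL": 0},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/images/*", "TargetOriginId": "assets", "ViewerProtocolPolicy": "redirect-to-https",
         "ForwardedValues": forwarded_values(), "MinTTL": 0}]},
    "Logging": {"Enabled": True, "Bucket": "example-cf-logs.s3.amazonaws.com", "Prefix": "cdn/"},
}

if __name__ == "__main__":
    for f in audit_distribution(WEAK):
        print("%-8s %-13s %s" % f)
```

Run it over the JSON that `aws cloudfront get-distribution-config` returns and treat a non-empty result as a failing check in the deployment pipeline, so a behavior added for one path cannot quietly reopen HTTP or forward every cookie.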
#16. Use AWS IAM and AWS CloudTrail
Create IAM users to regulate access to the Amazon CloudFront APIs (or console)
Use AWS CloudTrail to record CloudFront API calls history for security analysis, resource change tracking, and compliance auditing
No additional CloudFront cost for using these services
#17. Multiple Options to Optimize SSL Costs
Use the *.cloudfront.net SSL certificate
Two options for Custom SSL: SNI vs. Dedicated IP
Use CloudFront Reports to identify Browser/OS Version
Seamlessly switch between SSL Options
Optimizing SSL Costs …Cont’d
Dedicated-IP custom SSL pricing is per certificate (IAM certificate ID), not per distribution
You may associate a single SSL certificate with multiple distributions under the same AWS account
If you have multiple second-level domains that you serve over SSL, use a single UCC (multi-domain, SAN) certificate with all domains listed
For multiple third-level domains served over SSL, use a wildcard certificate (e.g. *.example.com)
#18. Use Price Classes to Optimize Delivery Costs
Price Class
• Price Class All – Use All Edge Locations
• Price Class 200 – Use Edge Locations in US, EU, Asia & Japan
• Price Class 100 – Use Edge Locations in US and EU ONLY
Use the more appropriate Price Class where applicable
• If your end users are primarily in the US & EU
• Use the viewer location report to determine viewer geo distribution
• Switching between Price Classes is seamless
#19. Domain Sharding
Most browsers open a limited number of parallel connections to the same domain
Shard assets over multiple domains; however it’s a balancing act
Use multiple CNAME aliases to serve content from a CloudFront distribution
Use CloudFront Wildcard CNAMEs & Use Wildcard SSL Certificate
#20. Use Route 53 ALIAS Records
Use Amazon Route 53 to route queries to your CloudFront distribution
Why use Route 53 ALIAS records?
• DNS queries to ALIAS records are free of charge
• Unlike CNAMEs, you can create an ALIAS record for your zone apex
• Using an ALIAS record results in fewer DNS lookups when resolving your domain name to your CloudFront distribution
#21. Use Reports to Personalize Your Content
Geo-targeting to personalize content for your end users
How can you do that?
• Viewer reports show top countries
• Forward the CloudFront-Viewer-Country header, which CloudFront sets to the end user's two-letter country code; the origin varies on it and CloudFront caches one copy per country
#22. Turn-On Amazon CloudFront Access Logs
No additional cost for Amazon CloudFront’s logging functionality
Run additional analytics for deep dive into your usage
Request IDs included in the logs can help when working with AWS to debug an issue
Cookies & query strings may be logged even if you choose not to forward these to the origin
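A parser for the access logs this slide turns on, as an added example (not code from the deck): field order is taken from the `#Fields:` header line, URL-encoded columns are decoded, and a summary gives the hit ratio, result-type breakdown, error request IDs for AWS support, the top objects by bytes, and how many rows carry cookies or query strings (the privacy point in the last bullet). The log lines are constructed in the 19-column format CloudFront web distributions wrote in 2015.

```python
"""Parse CloudFront (web distribution) access logs and summarise cache behaviour.
Added example, not code from the deck; the log lines below are constructed in
the 2015 19-field W3C format that CloudFront writes."""
from collections import Counter, defaultdict
from typing import Dict, List
from urllib.parse import unquote

_FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
           "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) "
           "x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken")


def _line(stem, status, sc_bytes, result, req_id, query="-", cookie="-") -> str:
    # constructed row; real logs are tab separated with '-' for empty fields
    return "\t".join(["2015-03-17", "10:00:01", "IAD53", str(sc_bytes), "203.0.113.10",
                      "GET", "d111111abcdef8.cloudfront.net", stem, str(status),
                      "https://www.example.com/", "Mozilla/5.0%20(X11)", query, cookie,
                      result, req_id, "www.example.com", "https", "300", "0.002"])


SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: " + _FIELDS,
    _line("/images/logo.png", 200, 2048, "Hit", "req-1"),
    _line("/index.php", 200, 5120, "Miss", "req-2", cookie="session=abc123"),
    _line("/api/weather", 200, 512, "RefreshHit", "req-3", query="city=SEA"),
    _line("/missing.png", 404, 300, "Error", "req-4"),
    _line("/images/logo.png", 200, 2048, "Hit", "req-5"),
])


def parse_log(text: str) -> List[Dict[str, str]]:
    """Field order comes from the #Fields header, so the parser keeps working
    when AWS appends columns.  URL-encoded columns are decoded."""
    fields, rows = None, []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split(":", 1)[1].split()
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        values = raw.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        row = dict(zip(fields, values))
        for k in ("cs(User-Agent)", "cs-uri-query", "cs(Cookie)", "cs(Referer)"):
            row[k] = unquote(row[k])
        rows.append(row)
    return rows


def summarise(rows: List[Dict[str, str]]) -> dict:
    result_types = Counter(r["x-edge-result-type"] for r in rows)
    served_from_cache = result_types["Hit"] + result_types["RefreshHit"]
    bytes_by_object: Dict[str, int] = defaultdict(int)
    for r in rows:
        bytes_by_object[r["cs-uri-stem"]] += int(r["sc-bytes"])
    return {
        "requests": len(rows),
        "hit_ratio": served_from_cache / len(rows) if rows else 0.0,
        "result_types": dict(result_types),
        "status_4xx": sum(r["sc-status"].startswith("4") for r in rows),
        "status_5xx": sum(r["sc-status"].startswith("5") for r in rows),
        # cookies and query strings land in the log even when they are not
        # forwarded to the origin: treat the log bucket as sensitive data
        "rows_with_cookie": sum(r["cs(Cookie)"] != "-" for r in rows),
        "rows_with_query": sum(r["cs-uri-query"] != "-" for r in rows),
        "top_objects_by_bytes": sorted(bytes_by_object.items(), key=lambda kv: -kv[1])[:3],
        "error_request_ids": [r["x-edge-request-id"] for r in rows if r["x-edge-result-type"] == "Error"],
    }


if __name__ == "__main__":
    for k, v in summarise(parse_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

Because session cookies and query parameters end up in these files, lock the log bucket down as tightly as the content bucket and keep a retention policy on it.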
Join our Monthly Office Hour series
Register Here: http://aws.amazon.com/cloudfront/webinars/
Topic | Date & Time
March CloudFront Office Hours (Streaming) | 3/26/2015 10AM PT
April CloudFront Office Hours (Topic TBD) | 4/15/2015 10AM PT
May CloudFront Office Hours (Topic TBD) | 5/20/2015 10AM PT
June CloudFront Office Hours (Topic TBD) | 6/17/2015 10AM PT
Q & A