CloudFront Design Considerations – Network Design – ANS-C01 Study Guide

CloudFront Design Considerations

Design requirements for connecting to AWS CloudFront locations should take geographic, technical, and political constraints into consideration. Global Internet connectivity is controlled by the BGP routing protocol, which is widely distributed and divided into autonomous systems controlled by different entities. This leaves us with little influence over how traffic is routed with BGP across the Internet and ultimately to our content stored in AWS. What BGP does offer is resiliency, with the ability to route around failed nodes or suboptimal paths, but no direct end-user control to steer the data over a path we may prefer.

At the political level, many regulations control where user data can be stored. These are often referred to as data sovereignty laws, and with more than 100 countries having laws that protect users' data, we must take into consideration where the data is stored and accessed when evaluating CloudFront designs.

What we can do is leverage the extensive AWS CloudFront edge footprint of more than 400 locations throughout the world. This gives us the capability to connect to a preferred edge node based on our requirements and to get off the public Internet as early as possible. Once on the AWS network, we gain a higher level of control over how and where our data is accessed.

In Chapter 2, “Domain Name Services,” and Chapter 3, “Hybrid and Multi-Account DNS,” we will go into detail about the AWS DNS service called Route 53 and how to leverage its extended capabilities to connect to your CloudFront locations using routing policies. CloudFront supports geo-restrictions and geolocation, which can be used to allow or block connections based on the viewer's location and are useful when meeting data sovereignty requirements.
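The following is an added example, not code from the study guide or from AWS, showing what a CloudFront geo-restriction looks like in configuration and how to audit it against a data sovereignty policy. The dictionaries mirror the shape of the DistributionConfig that the CloudFront GetDistributionConfig API returns (Restrictions, GeoRestriction, RestrictionType, Quantity, Items); the permitted-country set and the sample distributions are constructed for the example, and the function names are the author's own.

```python
"""Audit CloudFront geo restrictions against a data-sovereignty allow list.

The dicts below mirror the DistributionConfig shape returned by the CloudFront
GetDistributionConfig API. The country list and the sample distributions are
constructed for this example and describe no real deployment.
"""
from typing import List, Set

# Constructed sample policy: countries from which the regulation allows this
# content to be served.
PERMITTED_COUNTRIES: Set[str] = {"DE", "FR", "NL"}


def geo_restriction_findings(distribution_config: dict, permitted: Set[str]) -> List[str]:
    """Return policy findings for one distribution; an empty list means compliant.

    Policy: the distribution must use an allow list (RestrictionType "whitelist")
    whose members all fall inside the permitted set. A block list ("blacklist")
    or no restriction at all serves content to any country that is not named,
    so both are reported as failing open.
    """
    geo = distribution_config.get("Restrictions", {}).get("GeoRestriction", {})
    rtype = geo.get("RestrictionType", "none")
    items = set(geo.get("Items", []))
    findings: List[str] = []

    if rtype == "none":
        findings.append("no geo restriction: content is served to every country")
    elif rtype == "blacklist":
        findings.append("blacklist fails open for countries not listed; use whitelist")
    elif rtype == "whitelist":
        extra = sorted(items - permitted)
        if extra:
            findings.append(f"whitelist includes countries outside policy: {extra}")
        if geo.get("Quantity") != len(items):
            findings.append("Quantity does not match the number of Items")
    else:
        findings.append(f"unknown RestrictionType {rtype!r}")
    return findings


def whitelist_restriction(countries) -> dict:
    """Build the Restrictions block to submit with UpdateDistribution."""
    items = sorted(set(countries))  # ISO 3166-1 alpha-2 codes, de-duplicated
    return {"GeoRestriction": {"RestrictionType": "whitelist",
                               "Quantity": len(items), "Items": items}}


# Constructed sample distributions (only the Restrictions block matters here).
SAMPLE_DISTRIBUTIONS = {
    "EU-only site": {"Restrictions": whitelist_restriction(["DE", "FR"])},
    "unrestricted": {"Restrictions": {"GeoRestriction": {"RestrictionType": "none",
                                                         "Quantity": 0}}},
    "block-list site": {"Restrictions": {"GeoRestriction": {"RestrictionType": "blacklist",
                                                            "Quantity": 1, "Items": ["XX"]}}},
    "drifted allow list": {"Restrictions": whitelist_restriction(["DE", "US"])},
}


def audit(distributions: dict, permitted: Set[str]) -> dict:
    """Map each distribution name to its findings list."""
    return {name: geo_restriction_findings(cfg, permitted)
            for name, cfg in distributions.items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DISTRIBUTIONS, PERMITTED_COUNTRIES).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Against a real account you would feed `audit()` the `DistributionConfig` of each distribution returned by the CloudFront API; the check is deliberately strict about block lists because a new country appearing on the Internet is served by default under a blacklist, which is the wrong default for a sovereignty requirement.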

As we discussed earlier in this chapter, Global Accelerator is used to route traffic from the Internet onto the AWS network as early as possible for traffic engineering. For private networks, the AWS Cloud WAN service allows you to do traffic engineering using software-defined networking. Cloud WAN is a managed wide-area networking service that allows you to build and manage networks that connect your private network with the AWS global cloud network. Multiregional VPC connections and the ability to replace parts of your internal network with the AWS backbone are advantages of using this service. Cloud WAN has a single point of control and dynamic routing, with a single dashboard for monitoring and event displays. Cloud WAN offers dynamic routing that is not part of the Transit Gateway and can be integrated with SD-WAN vendors such as Cisco, DXC, VMware, Fortinet, and others.

Summary

In this first chapter, we introduced you to the Domain 1, Network Design, objectives for the Advanced Networking specialty certification. We started with a deep dive into the AWS CloudFront global content distribution network.

The CloudFront architecture was explained in detail including the edge locations, regional edge caches, and content sources.

You learned about content caching at the edge locations, protocols supported, and encryption using SSL/TLS, as well as security and how to invalidate data stored in cache.

From there, this chapter covered global traffic management with the Global Accelerator network service, including what it is, how it operates along with the variants of the service, and the custom routing accelerator.

Next, we went into detail on the family of ELB services offered by AWS. We detailed the application, network, and gateway load balancers. You learned which load balancer is the best to use based on your requirements.

Finally, you learned about how applications communicate using standard APIs. We covered the details of the AWS Managed API service called API Gateway.