Ac PR9 21dit013
PRACTICAL: 9
AIM:
Implementing CloudFront for Caching and Application Security.
THEORY:
Amazon CloudFront is a content delivery network (CDN) service that accelerates the delivery
of web content to users globally by caching data at edge locations. It enhances both
performance and security for applications by reducing latency and offering integrated security
features like DDoS protection and secure data encryption.
Below are the key aspects of implementing CloudFront for caching and application security:
DEPSTAR-IT Page 1
21DIT013 IT442: AC
OUTPUT:
Fig 9.1 Verify that the AWS CloudFormation stack creation process for the lab has successfully
completed
Fig 9.4 Upgrade the version of Python and the AWS CLI
Fig 9.5 Verify the version of AWS and SDK for Python that is installed
Fig 9.8 Configure the Cache key and origin requests settings.
Fig 9.17 Add a rule to the web ACL configuration to allow requests from the office IP set.
Fig 9.18 Update the new web ACL rule to block any requests that don't match the rule.
Fig 9.19 Set the rule priority, configure metrics, and create the web ACL.
Fig 9.20 Confirm that the web ACL configuration has been applied to the CloudFront distribution.
Fig 9.21 Test the AWS WAF configuration that was applied to the CloudFront distribution.
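The allow-list logic configured in Fig 9.17 to Fig 9.19 (allow the office IP set, block everything else) can be modelled offline. The following is an added example, not part of the original lab: the web ACL name, the ARN placeholder and the addresses are constructed, and the evaluator is a simplified model of AWS WAF rule evaluation, not AWS code.

```python
import ipaddress

# Constructed placeholder ARN and documentation-range addresses (assumptions).
OFFICE_ARN = "arn:aws:wafv2:us-east-1:ACCOUNT_ID:global/ipset/office/PLACEHOLDER-ID"
IP_SETS = {OFFICE_ARN: ["203.0.113.0/24", "198.51.100.17/32"]}

# Field names follow the WAFv2 web ACL structure; the values are hypothetical.
WEB_ACL = {
    "Name": "lab-web-acl",
    "Scope": "CLOUDFRONT",  # a regional web ACL (e.g. for API Gateway) uses REGIONAL
    "DefaultAction": {"Block": {}},  # applies to requests that match no rule
    "Rules": [
        {
            "Name": "allow-office",
            "Priority": 0,
            "Statement": {"IPSetReferenceStatement": {"ARN": OFFICE_ARN}},
            "Action": {"Allow": {}},
        },
    ],
}


def evaluate(web_acl, ip_sets, client_ip):
    """Return (action, matched_by) for one request source address.

    Rules are checked in ascending Priority order; the first rule whose
    IP set contains the address ends evaluation with that rule's action.
    """
    addr = ipaddress.ip_address(client_ip)
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        ref = rule["Statement"].get("IPSetReferenceStatement")
        if ref is None:
            continue  # only IP set statements are modelled here
        networks = (ipaddress.ip_network(c) for c in ip_sets[ref["ARN"]])
        if any(addr in net for net in networks):
            return next(iter(rule["Action"])), rule["Name"]
    return next(iter(web_acl["DefaultAction"])), "DefaultAction"


def default_denies(web_acl):
    """An allow-only rule list restricts nothing unless DefaultAction is Block."""
    return "Block" in web_acl["DefaultAction"]


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.18", "2001:db8::1"):
        print(ip, evaluate(WEB_ACL, IP_SETS, ip))
```

If the default action is left at Allow, the office rule still matches but every other address is also let through, which is the misconfiguration `default_denies` flags.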
Fig 9.23 Create a regional web ACL, add a rule, update the new web ACL rule, set the rule priority,
configure metrics, and create the web ACL
Fig 9.30 Publish the CloudFront function, and associate it with the CloudFront distribution.
Fig 9.32 Confirm the cache settings that are in place on the café website.
Fig 9.34 Edit the Cache-Control header set on each object in the S3 bucket.
Fig 9.35 Test the effects of updating the caching settings on the CloudFront origin (the S3 bucket).
Fig 9.36 Wait 3 minutes, then test again and notice that x-cache now says RefreshHit from
cloudfront
LATEST APPLICATIONS:
• Live Streaming: Low-latency delivery of live and on-demand video content.
• Real-Time Apps: Accelerates gaming, video conferencing, and IoT services.
• Serverless: Integrates with Lambda@Edge for serverless computing at the edge.
• PWAs: Speeds up Progressive Web Applications with resource caching.
• API Acceleration: Improves API performance by caching frequently accessed data.
• Secure Delivery: Ensures secure content delivery with encryption, WAF, and DDoS
protection.
• AI/ML at the Edge: Enables real-time inference for AI/ML applications at edge
locations.
LEARNING OUTCOME:
I learned how to set up a CloudFront distribution to improve global content delivery and
securely manage S3 bucket access using Origin Access Identity (OAI) and updated bucket
policies. I also gained experience in configuring AWS WAF IP sets and ACLs to restrict access
during development, and successfully associated them with CloudFront and API Gateway.
Additionally, I learned how to create and integrate CloudFront functions to modify requests at
the edge and optimize caching by updating S3 cache-control headers, improving overall content
delivery performance.
REFERENCE:
1. https://awsacademy.instructure.com/courses/85538