First CloudFront CDN.
Initial setup
AWS Console or CLI: aws cloudfront create-distribution with --origin-domain-name pointing at your S3 bucket, ALB, or other origin. The default configuration sets sane initial parameters.
Distribution takes 5-15 minutes to deploy globally. PoP propagation is gradual; status moves from In Progress to Deployed.
Get the assigned domain (d123abc.cloudfront.net). Test access via curl; verify content serves through CloudFront.
Origin configuration
S3 origin: enable an Origin Access Identity (OAI) so CloudFront is the only path to the objects. Restrict the bucket policy to the OAI principal.
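A check for the bucket-policy step, added here as an example (not code from the page or from AWS): it builds the minimal OAI-only policy and lints an arbitrary policy for Allow statements that reach beyond the OAI principal. The bucket name and OAI id are constructed placeholders.

```python
"""Lint an S3 bucket policy for a CloudFront OAI origin.

Added example, not code from the page or from AWS: every Allow statement
must grant only to the Origin Access Identity principal, and nothing may
grant to "*". Bucket name and OAI id are constructed placeholders.
"""
import json
from typing import Dict, List, Set

# Constructed placeholders, not real resources.
BUCKET = "example-static-site"
OAI_ID = "E1EXAMPLEOAI"
# An OAI appears in a policy either as this IAM-style ARN or as its canonical user id.
OAI_ARN = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {OAI_ID}"


def oai_only_policy(bucket: str, oai_arn: str) -> Dict:
    """Bucket policy granting read access to the OAI and to nobody else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIRead",
                "Effect": "Allow",
                "Principal": {"AWS": oai_arn},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def _as_list(value) -> List:
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(statement: Dict) -> List[str]:
    """Flatten the Principal element ("*" or {"AWS": ..., "CanonicalUser": ...})."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    out: List[str] = []
    for value in principal.values():
        out.extend(_as_list(value))
    return out


def policy_findings(policy: Dict, allowed: Set[str]) -> List[str]:
    """Return findings; an empty list means only `allowed` principals can read."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only tighten access
        sid = stmt.get("Sid", "<no Sid>")
        for p in _principals(stmt):
            if p == "*":
                findings.append(f"{sid}: grants to every principal (public bucket)")
            elif p not in allowed:
                findings.append(f"{sid}: grants to non-OAI principal {p}")
        for action in _as_list(stmt.get("Action", [])):
            if action != "s3:GetObject":
                findings.append(f"{sid}: grants {action} beyond s3:GetObject; confirm it is needed")
    return findings


if __name__ == "__main__":
    policy = oai_only_policy(BUCKET, OAI_ARN)
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy, {OAI_ARN}) or "none")
```

Feed it the output of aws s3api get-bucket-policy (the Policy field, JSON-decoded) after attaching the OAI; any finding means a path to the objects exists that does not go through CloudFront.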
ALB origin: configure the ALB security group to accept traffic only from the CloudFront IP ranges. AWS publishes the IP list; alternatively, use the AWS-managed prefix list pl-3b927c52.
Custom origin: enforce the HTTPS-only origin protocol policy for production. HTTP-only origins are debugging aids only.
Cache behaviours
Default cache behaviour applies to all paths. Override per path pattern: /api/* might bypass cache; /static/* might cache aggressively.
TTL settings: minimum, default, maximum. Origins set Cache-Control headers; the behaviour's TTL parameters bound them.
Cache key: query strings, cookies, headers. Default ignores query strings; many apps need them included. Be explicit; the default is usually wrong.
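A small model of the two preceding points, added here as an example (not code from the page or from AWS): behaviours are matched in order by path pattern, and the TTL CloudFront uses is the origin's max-age clamped into the behaviour's [minimum, maximum], the default TTL when the origin sends no Cache-Control, and, for no-cache/no-store/private, the minimum TTL (so 0 means not cached). The path patterns, TTL values and Cache-Control headers are constructed.

```python
"""Model of how CloudFront picks a cache behaviour and a TTL.

Added example, not code from the page or from AWS. Path patterns, TTLs and
Cache-Control headers below are constructed. The TTL rule follows the
documented CloudFront behaviour: origin max-age is clamped to
[min_ttl, max_ttl]; no Cache-Control means default_ttl; no-cache, no-store
or private yields min_ttl (0 when the minimum is 0, i.e. not cached).
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class Behaviour:
    path_pattern: str   # CloudFront style: '*' any run of characters, '?' one character
    min_ttl: int
    default_ttl: int
    max_ttl: int


# Constructed behaviours in precedence order; the last one ('*') is the default.
BEHAVIOURS: List[Behaviour] = [
    Behaviour("/api/*", min_ttl=0, default_ttl=0, max_ttl=0),  # all zero: never cached
    Behaviour("/static/*", min_ttl=86400, default_ttl=604800, max_ttl=31536000),
    Behaviour("*", min_ttl=0, default_ttl=86400, max_ttl=31536000),
]

# Any of these directives from the origin means "do not cache" (subject to min_ttl).
NO_CACHE_DIRECTIVES = ("no-cache", "no-store", "private")


def select_behaviour(path: str, behaviours: List[Behaviour] = BEHAVIOURS) -> Behaviour:
    """First matching pattern wins, as in the console ordering. fnmatch also treats
    '[' specially, which CloudFront does not; fine for the patterns used here."""
    for b in behaviours:
        if fnmatchcase(path, b.path_pattern):
            return b
    raise ValueError("no default ('*') behaviour configured")


def resolve_ttl(path: str, cache_control: Optional[str],
                behaviours: List[Behaviour] = BEHAVIOURS) -> int:
    """Seconds CloudFront keeps the object for this request; 0 means not cached."""
    b = select_behaviour(path, behaviours)
    if not cache_control:
        return b.default_ttl
    cc = cache_control.lower()
    if any(d in cc for d in NO_CACHE_DIRECTIVES):
        return b.min_ttl  # honoured only when min_ttl is 0; otherwise min_ttl applies
    # s-maxage is the CDN-specific directive and takes precedence over max-age.
    m = re.search(r"s-maxage=(\d+)", cc) or re.search(r"max-age=(\d+)", cc)
    if m is None:
        return b.default_ttl  # e.g. "public" alone carries no lifetime
    return max(b.min_ttl, min(int(m.group(1)), b.max_ttl))


if __name__ == "__main__":
    for path, cc in [("/api/users", "max-age=3600"), ("/static/app.js", None),
                     ("/static/app.js", "public, max-age=60"), ("/index.html", "no-cache")]:
        print(f"{path:18} {str(cc):22} -> {resolve_ttl(path, cc)}s")
```

The /static/* case with max-age=60 shows why the minimum TTL matters: the origin asked for a minute and got a day, so an origin that later needs to shorten a lifetime cannot do it from its headers alone.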
Custom domain and TLS
Add a custom domain: this requires an ACM certificate in us-east-1 (CloudFront only accepts certificates from that region). Validate via DNS.
Update Route 53 with an ALIAS record pointing the custom domain at the CloudFront distribution.
Test the certificate chain with openssl s_client -connect yoursite.com:443 -servername yoursite.com -showcerts. Verify the chain is complete.
Operating the distribution
Monitor the cache hit rate. Below 70% suggests too many attributes in the cache key or short TTLs.
Set up CloudFront access logs to S3 for analytics and debugging. Athena queries reveal traffic patterns.
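For the two points above, an offline reading of the access logs, added here as an example (not code from the page or from AWS): it parses the standard tab-separated log using its #Fields header, computes the cache hit rate from x-edge-result-type, and shows per path whether misses come from distinct query strings, which is the cache key problem rather than a TTL problem. The log lines are constructed and trimmed to the first 14 columns of the real format; the parser handles full-width production logs the same way.

```python
"""Cache hit rate and miss hot-spots from CloudFront standard access logs.

Added example, not code from the page or from AWS. SAMPLE_LOG is constructed
and trimmed to the first 14 columns of the real tab-separated format; the
parser maps columns from the #Fields header, so full logs work unchanged.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type
2024-01-15\t10:00:01\tIAD89-C1\t1024\t198.51.100.7\tGET\td123abc.cloudfront.net\t/static/app.js\t200\t-\tMozilla/5.0\t-\t-\tHit
2024-01-15\t10:00:02\tIAD89-C1\t2048\t198.51.100.8\tGET\td123abc.cloudfront.net\t/index.html\t200\t-\tMozilla/5.0\t-\t-\tMiss
2024-01-15\t10:00:03\tIAD89-C1\t2048\t198.51.100.9\tGET\td123abc.cloudfront.net\t/index.html\t200\t-\tMozilla/5.0\tv=1\t-\tMiss
2024-01-15\t10:00:04\tIAD89-C1\t2048\t198.51.100.9\tGET\td123abc.cloudfront.net\t/index.html\t200\t-\tMozilla/5.0\tv=2\t-\tMiss
2024-01-15\t10:00:05\tIAD89-C1\t512\t198.51.100.7\tGET\td123abc.cloudfront.net\t/static/app.js\t200\t-\tMozilla/5.0\t-\t-\tRefreshHit
2024-01-15\t10:00:06\tIAD89-C1\t0\t198.51.100.7\tGET\td123abc.cloudfront.net\t/api/health\t502\t-\tcurl/8.0\t-\t-\tError
"""

# Result types that count as served-from-cache and as fetched-from-origin.
CACHE_HITS = {"Hit", "RefreshHit"}
CACHE_MISSES = {"Miss"}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the column names in the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            continue  # truncated or corrupt line: skip it rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def hit_rate(records: List[Dict[str, str]]) -> float:
    """Hits / (hits + misses). Error, Redirect and similar types are not cacheable
    responses and are left out of the ratio."""
    hits = sum(1 for r in records if r["x-edge-result-type"] in CACHE_HITS)
    misses = sum(1 for r in records if r["x-edge-result-type"] in CACHE_MISSES)
    total = hits + misses
    return hits / total if total else 0.0


def miss_variants(records: List[Dict[str, str]]) -> Dict[str, Tuple[int, int]]:
    """Per path: (misses, distinct query strings among those misses).
    When the variant count tracks the miss count, the path is being fragmented
    by query strings in the cache key, not expiring because of short TTLs."""
    misses: Counter = Counter()
    variants: Dict[str, set] = defaultdict(set)
    for r in records:
        if r["x-edge-result-type"] in CACHE_MISSES:
            stem = r["cs-uri-stem"]
            misses[stem] += 1
            variants[stem].add(r["cs-uri-query"])
    return {stem: (misses[stem], len(variants[stem])) for stem in misses}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"records: {len(recs)}  hit rate: {hit_rate(recs):.0%}")
    for stem, (n_miss, n_var) in miss_variants(recs).items():
        print(f"{stem}: {n_miss} misses across {n_var} query variants")
```

On the sample the hit rate is 40%, well under the 70% line, and /index.html misses once per query value, which is the signature to look for before reaching for longer TTLs.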
Invalidations cost money: $0.005 per path beyond the first 1000 monthly. Use versioned filenames where possible to avoid invalidations.