🌍 AWS CloudFront — Complete DevOps Interview Deep Dive

✅ Part 1 — What CloudFront Actually Is (Real View)

✅ Q1 — What is CloudFront in practical production terms?

CloudFront is a global edge delivery network that caches and serves content from edge locations close to users. It sits in front of origins like S3, ALB, API Gateway, or custom servers. It reduces latency, offloads origin load, and adds security controls. It’s not just for static files — it’s also an edge security and routing layer.

✅ Q2 — Real production use cases of CloudFront

Real-world uses:

• Static website delivery from S3
• Fronting ALB/EKS apps globally
• API acceleration
• File download distribution
• Video/media delivery
• WAF + DDoS protection layer
• Signed URL private content delivery
• Fintech frontend asset delivery
• Edge auth / geo restriction

In fintech — often used for frontend + document delivery + WAF shield.

✅ Part 2 — Origins & Architecture Patterns

✅ Q3 — What can be used as CloudFront origin?

Common origins:

• S3 bucket
• Application Load Balancer
• API Gateway
• EC2/custom HTTP server
• Media servers

CloudFront can have multiple origins and route by path pattern.

✅ Q4 — Multi-origin routing — why powerful?

You can route:

• /static/* → S3
• /api/* → ALB
• /media/* → media server

This allows one domain with split backend architecture. Reduces DNS complexity and centralizes edge control.

✅ Part 3 — Caching Behavior (Interview Critical)

✅ Q5 — How CloudFront caching actually works?

CloudFront caches responses at edge based on cache key — which can include path, headers, cookies, query strings. TTL controls how long content stays cached. If not in cache → forwarded to origin. Cache behavior rules define what is cached and how.

✅ Q6 — Cache key design — why important?

Bad cache key = bad caching. Including unnecessary headers or cookies explodes cache variants → low hit ratio. Good design keeps cache key minimal. High cache hit ratio = lower cost + better performance.

✅ Q7 — TTL strategy — how do you design it?

Static assets → long TTL + versioned filenames. APIs → low TTL or no cache. Semi-static → medium TTL. Invalidation should be rare — versioning preferred over invalidation.

✅ Part 4 — Performance Powers

✅ Q8 — How CloudFront improves performance besides caching?

• Edge TLS termination
• TCP optimization
• HTTP/2 & HTTP/3 support
• Persistent origin connections
• Compression
• Global edge network routing

Even non-cached dynamic content can be faster via edge routing.

✅ Q9 — CloudFront vs regional load balancer — difference?

ALB is regional. CloudFront is global edge network. CloudFront reduces user latency worldwide. ALB does not.

✅ Part 5 — Security Powers (Big Interview Topic)

✅ Q10 — Security features of CloudFront

• AWS WAF integration
• Shield DDoS protection
• Geo restriction
• Signed URLs & cookies
• Origin access control (S3 private)
• TLS enforcement
• Header filtering
• Bot control (via WAF)

It often becomes the edge security layer.

✅ Q11 — How do you make S3 private but serve via CloudFront?

Use Origin Access Control (or OAI legacy). S3 bucket blocks public access. Only CloudFront can read it. Users must go through CloudFront.

✅ Q12 — Signed URLs — when used?

Used for private content like:

• invoices
• reports
• paid downloads
• time-limited access

URL expires after time or IP rule.

✅ Part 6 — Edge Compute

✅ Q13 — Lambda@Edge — what is it?

Runs Lambda at CloudFront edge locations. Can modify request/response at edge. Used for auth, redirects, header rewrite, A/B routing. More powerful but slower and heavier than CloudFront Functions.

✅ Q14 — CloudFront Functions vs Lambda@Edge

Functions:

• lighter
• faster
• cheaper
• JS only
• simple logic

Lambda@Edge:

• full Lambda power
• more latency
• more cost
• heavier logic

✅ Part 7 — Limits & Constraints

✅ Q15 — Key CloudFront limits interviewers expect you to know

• distribution count limits
• cache behavior limits
• header size limits
• function size limits
• invalidation limits
• request body size limits

Also invalidations are rate-limited and cost money.

✅ Part 8 — Cost Tradeoffs

✅ Q16 — What drives CloudFront cost?

• data transfer out
• request count
• invalidations
• edge compute
• regional pricing differences

Cache hit ratio strongly affects cost.

✅ Q17 — When CloudFront saves money?

High cache hit → reduces origin traffic → reduces ALB/API costs. Especially static-heavy apps.

✅ Part 9 — Failure & Debugging Patterns

✅ Q18 — Origin works but CloudFront returns error — debug steps?

Check:

• origin health
• origin SSL config
• header forwarding
• cache behavior rules
• WAF blocking
• origin timeout
• path pattern mismatch

Many issues are behavior rule misroutes.

✅ Q19 — Stale content issue — how fix?

Use versioned filenames. Or invalidation. Prefer versioning — invalidation is slow + costs money.

✅ Part 10 — When NOT to Use CloudFront

✅ Q20 — When should you avoid CloudFront?

Avoid when:

• internal-only apps
• real-time low-latency internal APIs
• non-cacheable streaming control APIs
• small regional-only apps