Module 3

CDN & DNS

Accelerate delivery with CloudFront, manage DNS with Route 53, and secure traffic with ACM certificates.

CloudFront, Route 53, ACM, SSL/TLS

What You'll Learn

Make your app production-ready by adding a CDN for global delivery, DNS for a custom domain, and SSL certificates for HTTPS, all free or near-free on AWS.

Azure              | AWS        | Notes
Azure Front Door   | CloudFront | Both are global CDNs; Front Door has more routing features
Azure CDN          | CloudFront | CloudFront is more full-featured than Azure CDN
Azure DNS          | Route 53   | Route 53 also does domain registration
App Service Certs  | ACM        | ACM is free and auto-renewing!

Step 1: ACM - Free SSL Certificates

AWS Certificate Manager (ACM) provides free, auto-renewing SSL/TLS certificates. No renewal headaches, no cost.

💡 Tip

Critical rule: ACM certificates for CloudFront must be created in us-east-1, regardless of where your other resources are.

DNS Validation

When you request a cert, ACM gives you a CNAME record. Add it to your DNS (Route 53) and ACM auto-validates. No email verification needed.

bash
# Request a certificate (must be in us-east-1 for CloudFront)
aws acm request-certificate \
  --domain-name example.com \
  --subject-alternative-names "*.example.com" \
  --validation-method DNS \
  --region us-east-1

Step 2: CloudFront - Global CDN

CloudFront caches your content at 400+ edge locations worldwide. Users access the nearest edge instead of hitting your ALB directly.

How It Works

  1. User visits https://yourdomain.com
  2. Route 53 resolves to CloudFront's edge
  3. CloudFront checks its cache for the response
  4. Cache miss → CloudFront fetches from your ALB (origin)
  5. Response is cached and returned to the user

Cache Behavior for APIs

Since our app is a dynamic API, we use the CachingDisabled cache policy: every request goes to the origin. CloudFront still adds HTTPS and edge optimizations.

โ˜๏ธ Azure Parallel

Azure Front Door works similarly but includes built-in WAF and more advanced routing rules. CloudFront requires a separate AWS WAF service.
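
The two rules above (the certificate must live in us-east-1, and the dynamic API uses the CachingDisabled policy) and the HTTPS settings around them fail silently when misconfigured. The following audit is an added example, not part of the course stack: it checks a CloudFront DistributionConfig dict for those rules plus viewer and origin TLS settings; the sample configs are constructed.

```python
import re

# AWS's fixed ID for the managed "CachingDisabled" cache policy this module uses for the API.
CACHING_DISABLED_POLICY_ID = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"
ACCEPTABLE_MIN_TLS = {"TLSv1.2_2019", "TLSv1.2_2021"}
ACM_ARN = re.compile(r"^arn:aws:acm:([a-z0-9-]+):\d{12}:certificate/")

def audit_distribution(cfg):
    """Return findings for a DistributionConfig dict (shape of `aws cloudfront get-distribution-config`)."""
    findings = []
    vc = cfg.get("ViewerCertificate", {})
    aliases = cfg.get("Aliases", {}).get("Items", [])
    # Module rule: the ACM certificate attached to CloudFront must be in us-east-1.
    arn = vc.get("ACMCertificateArn")
    if arn:
        m = ACM_ARN.match(arn)
        if not m or m.group(1) != "us-east-1":
            findings.append("ACM certificate is not in us-east-1: " + arn)
    elif aliases and vc.get("CloudFrontDefaultCertificate"):
        findings.append("custom domain set but only the default *.cloudfront.net cert is attached")
    if vc.get("MinimumProtocolVersion") not in ACCEPTABLE_MIN_TLS:
        findings.append("weak MinimumProtocolVersion: %s" % vc.get("MinimumProtocolVersion"))
    dcb = cfg.get("DefaultCacheBehavior", {})
    if dcb.get("ViewerProtocolPolicy") not in ("redirect-to-https", "https-only"):
        findings.append("viewers may use plain HTTP: %s" % dcb.get("ViewerProtocolPolicy"))
    if dcb.get("CachePolicyId") != CACHING_DISABLED_POLICY_ID:
        findings.append("dynamic API responses may be cached at the edge (policy %s)" % dcb.get("CachePolicyId"))
    # The CloudFront -> ALB leg should be TLS too, not plain HTTP.
    for origin in cfg.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig", {})
        if custom and custom.get("OriginProtocolPolicy") != "https-only":
            findings.append("origin %s uses %s, not https-only" % (origin["Id"], custom.get("OriginProtocolPolicy")))
    return findings

# Constructed sample configs (not the course stack): one weak, one matching this module's guidance.
WEAK_CONFIG = {
    "Aliases": {"Items": ["api.example.com"]},
    "ViewerCertificate": {"ACMCertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/abcd1234",
                          "MinimumProtocolVersion": "TLSv1_2016"},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all", "CachePolicyId": "constructed-other-policy-id"},
    "Origins": {"Items": [{"Id": "alb", "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}}]},
}
HARDENED_CONFIG = {
    "Aliases": {"Items": ["api.example.com"]},
    "ViewerCertificate": {"ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234",
                          "MinimumProtocolVersion": "TLSv1.2_2021"},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https", "CachePolicyId": CACHING_DISABLED_POLICY_ID},
    "Origins": {"Items": [{"Id": "alb", "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}}]},
}
```

Feed it the `DistributionConfig` object from `aws cloudfront get-distribution-config --id <distribution-id>` to check a deployed distribution.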


Step 3: Route 53 - DNS Management

Route 53 is AWS's DNS service. It translates domain names to AWS resources using Alias records, a special AWS record type that's free and auto-updates.

Alias vs CNAME

🔗 CNAME

Standard DNS. Costs per query. Can't be used at zone apex (e.g., example.com).

⚡ Alias

AWS-specific. Free. Works at zone apex. Auto-resolves to the correct IP.

yaml (06-acm-cloudfront-route53.yaml)
DNSRecord:
  Type: AWS::Route53::RecordSet
  Properties:
    HostedZoneId: !Ref HostedZoneId
    Name: !Ref DomainName
    Type: A
    AliasTarget:
      DNSName: !GetAtt CloudFrontDistribution.DomainName
      HostedZoneId: Z2FDTNDATAQYW2  # CloudFront's fixed zone ID

🧪 Hands-On: Test the Full HTTPS Flow

After deploying Stack 6 (requires a registered domain):

bash
# Verify SSL certificate (send SNI: CloudFront selects the certificate by the requested hostname)
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | \
  openssl x509 -noout -subject -dates

# Test HTTPS endpoints
curl https://yourdomain.com/health
curl https://yourdomain.com/api/tasks

# Check CloudFront headers
curl -I https://yourdomain.com/health
# Look for the X-Cache header: with the CachingDisabled policy it reads "Miss from cloudfront";
# "Hit from cloudfront" only appears on a second request for a cacheable response

Key Takeaways

  • ACM certificates are free and auto-renew; always use them
  • CloudFront adds HTTPS, caching, and DDoS protection in one service
  • Use Alias records in Route 53 (free, works at zone apex)
  • This stack is optional for learning; you can skip it if you don't have a domain