CloudFront Caching Optimization: How to Maximize Performance
Learn how to maximize web performance with Amazon CloudFront cache policies, TTL settings, and compression configuration for SAA-C03 exam.
Related Exam Domains
- Domain 3: Design High-Performing Architectures
Key Takeaway
The key to CloudFront performance optimization is increasing the cache hit ratio. Reduce origin load and improve user response time with proper TTL settings, minimized cache keys, compression enablement, and Origin Shield usage.
Exam Tip
Exam Essential: "Increase cache hit ratio = Minimize cache key + Proper TTL + Same URL for same content"
How Does CloudFront Work?
CloudFront caches content at 450+ edge locations worldwide, responding from the location closest to the user.
[User Request]
│
▼
┌────────────────┐
│ Edge Location │ ─── Cache HIT → Immediate response (fast)
│ (Seoul) │
└────────────────┘
│
│ Cache MISS
▼
┌────────────────┐
│ Origin Shield │ ─── Cache HIT → Protects origin
│ (Optional) │
└────────────────┘
│
│ Cache MISS
▼
┌────────────────┐
│ Origin │ ─── S3, ALB, EC2, etc.
│ (Origin Server)│
└────────────────┘
Why Cache Hit Ratio Matters
| Cache Hit Ratio | Effect |
|---|---|
| High (90%+) | Reduced origin load, cost savings, fast responses |
| Low (below 50%) | Origin overload, high costs, slow responses |
Exam Tip
CloudWatch Metric: Monitor cache hit ratio with the CacheHitRate metric.
Understanding Cache Policies
Cache policies define what values to include in the cache key and TTL settings.
What is a Cache Key?
The cache key is the identifier CloudFront uses to look up requests in the cache.
Default Cache Key: URL path + Query string
Example:
/images/logo.png → Cache Key A
/images/logo.png?v=1 → Cache Key B (treated as different object!)
Why Minimizing Cache Key Matters
The more values included in the cache key, the lower your cache hit ratio.
| Included in Cache Key | Result |
|---|---|
| All headers | ❌ Very low hit ratio |
| All cookies | ❌ Different cache per user |
| Unnecessary query strings | ❌ Same content cached differently |
| Minimal values | ✅ High hit ratio |
Managed Cache Policies
AWS provides managed cache policies for common use cases:
| Policy Name | Use Case | TTL |
|---|---|---|
| CachingOptimized | Static content (recommended) | Default 24 hours, max 1 year |
| CachingDisabled | Disable caching | 0 |
| Elemental-MediaPackage | Media streaming | - |
Exam Tip
Static Content: Use CachingOptimized policy Dynamic Content: Use CachingDisabled + Origin Request Policy
TTL (Time To Live) Optimization
TTL determines how long a cached object remains valid.
TTL Setting Priority
1. Origin's Cache-Control/Expires headers
2. CloudFront cache policy Min/Max/Default TTL
Recommended TTL by Content Type
| Content Type | Recommended TTL | Reason |
|---|---|---|
| Static assets (JS, CSS, images) | 1 year (31536000 sec) | When filename includes hash |
| HTML pages | 5 min to 1 hour | May change frequently |
| API responses | 0-60 sec | Real-time requirements |
| Video/Audio | 1 day to 1 week | Large size, high caching benefit |
Cache-Control Header Settings
You can control TTL directly from the origin:
# 1 year caching (static assets)
Cache-Control: max-age=31536000, public
# No caching (dynamic content)
Cache-Control: no-cache, no-store, must-revalidate
# 5 minute caching + revalidation
Cache-Control: max-age=300, must-revalidate
Cache Invalidation
A method to forcibly refresh the cache when content changes.
Invalidation Methods
# Invalidate via AWS CLI
aws cloudfront create-invalidation \
--distribution-id E1234567890ABC \
--paths "/images/*" "/css/*"
Invalidation Costs
| Item | Cost |
|---|---|
| First 1,000 paths/month | Free |
| Per additional path | $0.005 |
Invalidation vs Versioning
| Method | Pros | Cons |
|---|---|---|
| Invalidation | Immediate effect | Costs, propagation time |
| Versioning | Immediate effect, no cost | URL change required |
Versioning Example:
/css/style.css → /css/style.abc123.css (include hash)
Exam Tip
Best Practice: Include hash in filename for static assets and use long TTL. Use invalidation only for emergencies.
Enabling Compression
CloudFront supports Gzip and Brotli compression.
Compression Benefits
| File Type | Original Size | Gzip | Brotli |
|---|---|---|---|
| JavaScript | 100KB | 30KB | 25KB |
| CSS | 50KB | 12KB | 10KB |
| HTML | 80KB | 20KB | 16KB |
Compression Configuration
Enable compression in cache behavior:
- CloudFront Console → Distribution → Edit Behavior
- Enable Compress objects automatically
- Enable
EnableAcceptEncodingGzip,EnableAcceptEncodingBrotliin cache policy
Exam Tip
Compression is effective for text-based content (HTML, CSS, JS, JSON). Don't apply to already-compressed files (JPEG, PNG, ZIP).
Leveraging Origin Shield
Origin Shield is an additional caching layer that further reduces origin load.
Standard Configuration:
[User] → [Edge Location] → [Origin] (many requests)
Origin Shield Configuration:
[User] → [Edge Location] → [Origin Shield] → [Origin] (fewer requests)
Origin Shield Selection Criteria
| Scenario | Origin Shield Recommendation |
|---|---|
| Global users + single origin | ✅ Strongly recommended |
| High origin costs (EC2, Lambda) | ✅ Recommended |
| Already Multi-Region origins | ⚠️ Optional |
Origin Shield Region Selection
Choose the region closest to your origin:
- S3 bucket in ap-northeast-2 → Origin Shield in ap-northeast-2
- ALB in us-east-1 → Origin Shield in us-east-1
SAA-C03 Exam Focus Points
- ✅ Improve cache hit ratio: "Minimize cache key, exclude unnecessary headers/cookies"
- ✅ TTL strategy: "Long TTL for static assets + versioning"
- ✅ Origin Shield: "Reduce origin load, for global users"
- ✅ Compression: "Enable Gzip/Brotli for text-based content"
- ✅ Invalidation: "Use for urgent updates, has cost"
Exam Tip
Sample Exam Question: "A website targeting global users has high origin server load. How do you increase cache hit ratio and reduce origin load?" → Answer: Enable Origin Shield + Exclude unnecessary headers/cookies in cache policy
Frequently Asked Questions
Q: What's an appropriate cache hit ratio?
Target 90%+ for static content, 70-80% when mixed with dynamic content. Monitor with CloudWatch's CacheHitRate metric.
Q: Is invalidation applied immediately?
After submitting an invalidation request, it typically takes a few minutes to propagate to all edge locations worldwide. Use only for emergencies; versioning is recommended for regular updates.
Q: What happens when S3 and CloudFront cache settings conflict?
CloudFront respects the origin's (S3) Cache-Control headers. However, they only apply within the CloudFront cache policy's Min/Max TTL range.
Q: Does Origin Shield incur additional costs?
Yes. Additional fees apply for requests processed through Origin Shield. However, reduced origin requests may result in overall cost savings.
Q: What's the difference between Lambda@Edge and CloudFront Functions?
CloudFront Functions are suitable for lightweight operations (header manipulation) at viewer request/response. Lambda@Edge is suitable for complex logic at origin request/response.