amazon-web-services - What are the benefits of adding AWS CloudFront on top of an AWS Application LB?

Reposted. Author: 行者123. Updated: 2023-12-02 19:28:07

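I attended an AWS training, and they explained to us that a good practice is to cache all dynamic content via CloudFront, setting the TTL to 0, even if you have an LB in front of the load balancer. So it could look like this: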

Route 53 -> CloudFront -> Application LB

I can't see any advantage of this architecture over going directly (only for dynamic content):

Route 53 -> Application LB

I don't see the point, because CloudFront will always send all the traffic to the LB, so you will have:

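  • Two HTTPS negotiations (client <-> CloudFront and CloudFront <-> LB)
  • No caching at all (it is dynamic content and shouldn't be cached, because that is what "dynamic" means)
  • You won't have the client IP, because your load balancer will only see the CloudFront IP (I know this can be fixed so that you have the client IP, but then you run into the problem in the next bullet).
  • As extra work, you need to be able to update the LB security group frequently to match the CloudFront IPs (for that region), since I guess you only want to receive traffic from CloudFront, and not directly from the LB public endpoint.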

So I am probably missing something important about this Route 53 -> CloudFront -> Application LB architecture.

Any ideas?

Thanks!

Best answer

Here are some benefits of deploying CloudFront on top of an ALB:

  • For a web application or other content that's served by an ALB in Elastic Load Balancing, CloudFront can cache objects and serve them directly to users (viewers), reducing the load on your ALB.

  • CloudFront can also help to reduce latency and even absorb some distributed denial of service (DDoS) attacks. However, if users can bypass CloudFront and access your ALB directly, you don't get these benefits. But you can configure Amazon CloudFront and your Application Load Balancer to prevent users from directly accessing the Application Load Balancer (Doc).

  • Outbound data transfer charges from AWS services to CloudFront is $0/GB. The cost coming out of CloudFront is typically half a cent less per GB than data transfer for the same tier and Region. What this means is that you can take advantage of the additional performance and security of CloudFront by putting it in front of your ALB, AWS Elastic Beanstalk, S3, and other AWS resources delivering HTTP(S) objects for next to no additional cost (Doc).

  • The CloudFront global network, which consists of over 100 points of presence (POP), reduces the time to establish viewer-facing connections because the physical distance to the viewer is shortened. This reduces overall latency for serving both static and dynamic content (Doc).

  • CloudFront maintains a pool of persistent connections to the origin, thus reducing the overhead of repeatedly establishing new connections to the origin. Over these connections, traffic between CloudFront and AWS origins are routed over a private backbone network for reliability and performance. This reduces overall latency for serving both static and dynamic content (Doc).

  • You can use geo restriction, also known as geo blocking, to prevent users in specific geographic locations from accessing content that you're distributing through a CloudFront distribution (Doc).

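In other words, you can take advantage of CloudFront to add new features to your origin (ALB, Elastic Beanstalk, S3, EC2), but if you don't need these features, it is better not to include this configuration in your architecture.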
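
The question's concern about keeping the LB security group in step with CloudFront's addresses, and the answer's point about users bypassing CloudFront, can be checked together. The following is an added example, not part of the original question or answer: it audits a security group's IPv4 ingress CIDRs against the `CLOUDFRONT_ORIGIN_FACING` entries of an `ip-ranges.json` document. The sample document, the security group contents and the function names are constructed for illustration, and IPv6 prefixes are not handled.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS's published ip-ranges.json.
# The CIDRs are documentation ranges, not real CloudFront addresses.
SAMPLE_IP_RANGES = json.loads("""
{"prefixes": [
  {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING"},
  {"ip_prefix": "198.51.100.128/25", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING"},
  {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
  {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"}
]}
""")

# Constructed ingress CIDRs of a hypothetical ALB security group (port 443).
SAMPLE_SG_CIDRS = ["198.51.100.0/25", "0.0.0.0/0", "203.0.113.0/24"]


def origin_facing_networks(ip_ranges):
    """IPv4 prefixes CloudFront uses when connecting to origins."""
    return sorted(
        ipaddress.ip_network(p["ip_prefix"])
        for p in ip_ranges["prefixes"]
        if p["service"] == "CLOUDFRONT_ORIGIN_FACING"
    )


def audit_alb_ingress(current_cidrs, ip_ranges):
    """Compare security group CIDRs with the origin-facing ranges."""
    wanted = origin_facing_networks(ip_ranges)
    allowed = list(ipaddress.collapse_addresses(wanted))
    current = [ipaddress.ip_network(c) for c in current_cidrs]
    # A rule reaching outside the origin-facing ranges lets clients skip CloudFront.
    bypass = [r for r in current if not any(r.subnet_of(a) for a in allowed)]
    safe = [r for r in current if r not in bypass]
    # A published prefix that no safe rule covers would be blocked at the ALB.
    missing = [w for w in wanted if not any(w.subnet_of(r) for r in safe)]
    return {
        "revoke": sorted(map(str, bypass)),
        "authorize": sorted(map(str, missing)),
    }


if __name__ == "__main__":
    print(audit_alb_ingress(SAMPLE_SG_CIDRS, SAMPLE_IP_RANGES))
```

The origin-facing ranges are shared by every CloudFront distribution, so a source-IP rule alone does not tie the ALB to one particular distribution.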

Regarding amazon-web-services - What are the benefits of adding AWS CloudFront on top of an AWS Application LB?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/53655625/
