Using CloudFront
Amazon CloudFront is a web service for content delivery. It integrates with other Amazon Web Services to give developers and businesses an easy way to distribute content to end users with low latency, high data transfer speeds, and no commitments.
Setup
For background information, please refer to the AWS CloudFront developer guide. You can use your own origin: an EC2 instance or S3 bucket is not needed for HTTP ABR streaming (but can also be used).
The tutorial for 'creating a download distribution' is straightforward and can be done from the AWS console, as described here.
Basically there are three steps:
Create a (download) distribution
Enter the origin name
Set cache behaviour
When this has been done, an entry similar to the following will appear in your CloudFront Management Console:
To use the distribution, replace the URLs that reference the origin with URLs that reference CloudFront.
Example
The following URL references the stream on the origin:
https://demo.unified-streaming.com/k8s/features/stable/video/tears-of-steel/tears-of-steel.ism/.mpd
With CloudFront as (CDN) cache in front:
https://DOMAINNAME.cloudfront.net/k8s/features/stable/video/tears-of-steel/tears-of-steel.ism/.mpd
Please note that 'DOMAINNAME' in the above example is defined by AWS CloudFront when creating a distribution.
Advanced
For advanced topics not listed here, please refer to the AWS CloudFront documentation.
For instance, it is possible to do the following:
Pass query parameters to the origin
Allow for cookies
Also, please check the pricing plans carefully so there are no surprises afterwards.
Using CloudFront with content in S3
When the (VOD) content is stored in S3 and authentication is required on S3 requests, care must be taken when CloudFront is used as CDN.
Schematically the setup looks like the following:
viewers --> cloudfront --> ec2 --> s3
Typically, this is the setup described in Cloud Storage Proxy using subrequests and signing requests as described in Using S3 with Authentication.
CloudFront adds query parameters and/or headers to requests, and some of these do not play nicely with S3 because they break S3 authenticated access:
Signature= is reserved by S3 itself for v2 signatures
X-Amz-Cf-Id interacts with the S3 v4 (header) signatures
The following sections outline how to address these limitations in a CF/S3 setup.
Signature
The following Apache snippet uses a rewrite rule to drop the Signature= parameter from any upstream propagation:
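RewriteEngine on
# Matches only when Signature= is the first query parameter (directly after '?')
RewriteCond %{THE_REQUEST} \?Signature=(.*)\sHTTP [NC]
# [P] proxies the request; [QSD] discards the entire query string
RewriteRule ^ %{REQUEST_URI} [P,QSD]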
Header
The following config shows how to 'unset' the header so it is no longer propagated upstream:
<Proxy "http://your-bucket.s3-eu-central-1.amazonaws.com/">
ProxySet connectiontimeout=5 enablereuse=on keepalive=on retry=0 timeout=30 ttl=300
RequestHeader unset X-Amz-Cf-Id
</Proxy>
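As an added example (not part of the original documentation), the following Python model of the two fixes above can be used to check what would reach S3. `page_rule_uri` mirrors the rewrite rule as written; `sanitize_for_s3` and `leaks` are hypothetical helpers that go beyond it by removing only Signature= in any position. The sample requests and header values are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Same pattern as the RewriteCond above; it is matched against the request line.
PAGE_COND = re.compile(r"\?Signature=(.*)\sHTTP", re.IGNORECASE)

def page_rule_uri(request_line):
    """URI the rewrite rule above proxies upstream: the whole query string is
    discarded (QSD), but only when Signature= directly follows the '?'."""
    uri = request_line.split(" ")[1]
    if PAGE_COND.search(request_line):
        return urlsplit(uri).path
    return uri

def sanitize_for_s3(uri, headers):
    """Hypothetical stricter variant: drop only the Signature parameter (any
    position, any case) and the X-Amz-Cf-Id header, keep everything else."""
    parts = urlsplit(uri)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() != "signature"]
    clean_uri = urlunsplit(parts._replace(query=urlencode(kept)))
    clean_headers = {k: v for k, v in headers.items()
                     if k.lower() != "x-amz-cf-id"}
    return clean_uri, clean_headers

def leaks(uri, headers):
    """Names of the two S3-breaking elements still present in a request."""
    found = []
    params = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    if any(k.lower() == "signature" for k, _ in params):
        found.append("Signature")
    if any(k.lower() == "x-amz-cf-id" for k in headers):
        found.append("X-Amz-Cf-Id")
    return found

# Constructed sample requests and headers (all values are made up).
SAMPLES = [
    "GET /video/tears-of-steel.ism/.mpd?Signature=abc123 HTTP/1.1",
    "GET /video/tears-of-steel.ism/.mpd?filter=x&Signature=abc123 HTTP/1.1",
]
HEADERS = {"Host": "origin.example", "X-Amz-Cf-Id": "constructed-id"}

if __name__ == "__main__":
    for line in SAMPLES:
        after_rule = page_rule_uri(line)
        print("rewrite rule :", after_rule, leaks(after_rule, {}))
        print("strict strip :", *sanitize_for_s3(line.split(" ")[1], HEADERS))
```

The second sample shows the case worth testing against a real configuration: when Signature= is not the first parameter, the rewrite condition does not match and the parameter is still sent upstream.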
Note
This applies to any setup involving CF and S3, not just one with EC2 in the middle, but also setups with ECS, EC2 autoscaling, an added load balancer, etc.