The main reason to deploy a CloudFront distribution in front of an API Gateway endpoint is to reduce latency. The latency is reduced because of the following reasons:
- The clients connect to a nearby Point of Presence. From the Point of Presence, the traffic traverses AWS' managed network, which might have better performance compared to the internet.
- The HTTPS handshake negotiation happens against the local Point of Presence. This reduces the round-trip time required for the handshake.
Another reason to deploy CloudFront along with API Gateway is increased security capabilities. Currently, AWS Shield Advanced doesn't support enabling protection on API Gateways, but supports CloudFront. Therefore, it's a best practice to place the CloudFront Distribution in front of the API Gateway and then enable protection on that distribution.
Caching definitely could be a reason to use CloudFront with API Gateway. API Gateway's built-in caching mechanism is fast and easy and it works with API Gateway's authentication, but it has some serious limitations:
- It's only available for older REST APIs.
- It's priced by the hour.
- Its error handling behaviour has an unexpected surprise - if API Gateway returns an error, either from your backing service or from API Gateway itself, it will cache the error. Amazon's recommended way to un-poison the cache is to get the client to make a follow-up request with a specific header - probably not something you'll want to do.
If your service is returning cacheable results, CloudFront can return a cache hit right from the nearest edge location (point of presence). The main downside of CloudFront is that it doesn't have built-in support for auth/auth. If you want to authenticate requests and be able to return cached results, you're going to be building, deploying and paying for Lambda@Edge functions.
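
A sketch of the Lambda@Edge approach mentioned in the answer above, added here as an example and not part of the original answers or any AWS sample: a viewer-request function that checks a bearer token before CloudFront consults its cache. It assumes HS256-signed JWTs with a shared secret; `SECRET`, `verify_token` and `make_token` are hypothetical names, and the secret value is a constructed placeholder.

```python
import base64, hashlib, hmac, json, time

# Assumption: HS256 tokens with a shared secret (constructed placeholder value).
# Lambda@Edge has no environment variables, so the key ships with the function.
SECRET = b"constructed-demo-secret"

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def verify_token(token, now=None):
    """Return the claims of a valid, unexpired HS256 JWT, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; rejects "none"
            return None
        signed = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(SECRET, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if claims["exp"] <= (time.time() if now is None else now):
            return None
        return claims
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed token: treat as unauthenticated

DENY = {"status": "401", "statusDescription": "Unauthorized",
        "headers": {"www-authenticate": [{"key": "WWW-Authenticate", "value": "Bearer"}]}}

def handler(event, context):
    """Viewer-request trigger: runs before the CloudFront cache lookup."""
    request = event["Records"][0]["cf"]["request"]
    values = request["headers"].get("authorization", [])
    token = values[0]["value"] if values else ""
    if not token.startswith("Bearer ") or verify_token(token[7:]) is None:
        return DENY      # generated response; cache and origin are not consulted
    return request       # continue to the cache lookup, then the origin on a miss

def make_token(claims, secret=SECRET):
    """Mint a token for testing the handler with constructed sample input."""
    def enc(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    head = enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = enc(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{enc(sig)}"
```

Because the check runs on viewer request, every request is authenticated even when the response is then served from cache. Responses that differ per user should stay out of the shared cache, or the identifying value should be part of the cache key.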