
What are the benefits of using Amazon CloudFront together with Amazon API Gateway?


I want to know the benefits of using an Amazon CloudFront distribution in front of an API Gateway endpoint. In terms of performance, I understand that with API Gateway edge-optimized API endpoints, you can terminate the API calls at the nearest CloudFront Point of Presence. Does API caching cache content at the Point of Presence or only at regional caches? Is caching a reason for using CloudFront together with API Gateway? Also, does using CloudFront in front of API Gateway provide benefits in terms of costs?

2 Answers
Accepted Answer

The main reason to deploy a CloudFront distribution in front of an API Gateway endpoint is to reduce latency. The latency is reduced because of the following reasons:

  1. The clients connect to a nearby Point of Presence. From the Point of Presence, the traffic traverses AWS' managed network, which might have better performance compared to the internet.
  2. The HTTPS handshake negotiation happens against the local Point of Presence. This reduces the round-trip time required for the handshake.

Another reason to deploy CloudFront along with API Gateway is increased security capabilities. Currently, AWS Shield Advanced doesn't support enabling protection on API Gateways, but supports CloudFront. Therefore, it's a best practice to place the CloudFront Distribution in front of the API Gateway and then enable protection on that distribution.

answered 2 years ago

Caching definitely could be a reason to use CloudFront with API Gateway. API Gateway's built-in caching mechanism is fast and easy and it works with API Gateway's authentication, but it has some serious limitations:

  • It's only available for older REST APIs.
  • It's priced by the hour.
  • Its error handling behaviour has an unexpected surprise - if API Gateway returns an error, either from your backing service or from API Gateway itself, it will cache the error. Amazon's recommended way to un-poison the cache is to get the client to make a follow-up request with a specific header - probably not something you'll want to do.

If your service is returning cacheable results, CloudFront can return a cache hit right from the nearest edge location (point of presence). The main downside of CloudFront is that it doesn't have built-in support for auth/auth. If you want to authenticate requests and be able to return cached results, you're going to be building, deploying and paying for Lambda@Edge functions.

answered 10 months ago
