How to improve the cache hit rate for a distribution?

0

Kindly help to understand how D is the correct answer to the question.

Q. A company is using an Amazon CloudFront distribution to distribute both static and dynamic content from a web application running behind an Application Load Balancer.

  • The web application requires user authorization and session tracking tor dynamic content The CloudFront distribution has a single cache behavior configured to forward the Authorization, Host, and Agent HTTP allow list headers and a session cookie to the origin.
  • All other cache behavior settings are set to their default value. A valid ACM certificate is applied to the CloudFront distribution with a matching CNAME in the distribution settings.
  • The ACM certificate is also applied to the HTTPS listener for the Application Load Balancer.
  • The CloudFront origin protocol policy is set to HTTPS only Analysis of the cache statistics report shows that the miss rate for this distribution is very high.

What can the solutions architect do to improve the cache hit rate for this distribution without causing the SSL/TLS handshake between CloudFront and the Application Load Balancer to fail?

Choices for Answers:

  • A. Create two cache behaviors for static and dynamic content Remove the user-Agent and Host HTTP headers from the allow list headers section on both of the cache behaviors. Remove the session cookie from the allow list cookies section and the Authorization HTTP header from the allow list headers section for cache behavior configured for static content
  • B. Remove the user-Agent and Authorization HTTP headers from the allow list headers section of the cache behaviour. Then update the cache behaviour to use resigned cookies for authorization.
  • C. Remove the Host HTTP header from the allow list headers section and remove the session cookie from the allow list cookies section for the default cache behaviour. Enable automatic object compression and use Lambda@Edge viewer request events for user authorization.
  • D. Create two cache behaviours for static and dynamic content Remove the User-Agent HTTP header from the allow list headers section on both of the cache behaviours Remove the session cookie from the allow list cookies section and the Authorization HTTP header from the allow list headers section for cache behaviour configured for static content

The correct answer is D

1 Answer
1
Accepted Answer

Since CloudFront responds from content stored in the cache when all URLs and specified parameters match, if all request parameters coming from users are included in the cache key, the cache hit rate will decrease.

I think the reason why the User-Agent HTTP header is removed is that if the user-agent header is forwarded, the cache will be managed for each user-agent string, which will make the cache inefficient.
CloudFront can use headers such as "CloudFront-Is-Android-Viewer" to identify devices.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-cloudfront-headers.html#cloudfront-headers-device-type

The reason we are removing session cookies for static content is that we are not changing what is displayed based on session cookies.
As described in the following document, configuring CloudFront to forward cookies to an origin that does not vary its response based on cookies may result in more requests being forwarded to that origin for the same content, leading to poor performance.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Cookies.html

Amazon S3 and some HTTP servers don’t process cookies. Don’t configure CloudFront to forward cookies to an origin that doesn’t process cookies or doesn’t vary its response based on cookies. That can cause CloudFront to forward more requests to the origin for the same object, which slows performance and increases the load on the origin. If, considering the previous example, your origin doesn’t process the country cookie or always returns the same version of locations.html to CloudFront regardless of the value of the country cookie, don’t configure CloudFront to forward that cookie.

The difference between this and Answer A is that if you remove the Host HTTP header, access from CloudFront to the origin will be on the origin domain.
Since the certificate issued by ACM is also used by the Application Load Balancer in this case, I expect that the lack of a host header would result in a certificate error.

From the above, I thought that answer "D" was the correct answer.

profile picture
EXPERT
answered 9 months ago
  • thanks for details. can you please explain more what you mean by - "if all request parameters coming from users are included in the cache key, the cache hit rate will decrease."?

  • CloudFront returns cache information when all request parameters match. For example, if the User-Agent information matches, cache is returned. However, since User-Agent information is most likely to vary from device to device, the cache hit rate is reduced because the origin content is accessed without returning a cache. Although we used User-Agent as an example, other request parameters must also match, so including all parameters in the cache key will cause the cache hit ratio to drop.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions