What can the Solutions Architect do to improve the cache hit rate for this distribution without causing the SSL/TLS handshake between CloudFront and the Application Load Balancer to fail?
Create two cache behaviors for static and dynamic content. Remove the User-Agent and Host HTTP headers from the whitelist headers section on both of the cache behaviors. Remove the session cookie from the whitelist cookies section and the Authorization HTTP header from the whitelist headers section for the cache behavior configured for static content.
Remove the User-Agent and Authorization HTTP headers from the whitelist headers section of the cache behavior. Then update the cache behavior to use presigned cookies for authorization.
Remove the Host HTTP header from the whitelist headers section and remove the session cookie from the whitelist cookies section for the default cache behavior. Enable automatic object compression and use Lambda@Edge viewer request events for user authorization.
Create two cache behaviors for static and dynamic content. Remove the User-Agent HTTP header from the whitelist headers section on both of the cache behaviors. Remove the session cookie from the whitelist cookies section and the Authorization HTTP header from the whitelist headers section for the cache behavior configured for static content.
Explanations:
While creating two cache behaviors for static and dynamic content can help, removing the User-Agent and Host headers, as well as the session cookie and Authorization header for static content, may not be suitable as it could lead to improper handling of requests that require user-specific data. Removing essential headers may result in incorrect content being served.
Removing the User-Agent and Authorization headers from the whitelist may lead to issues with user authorization for dynamic content. While presigned cookies can enhance cache hit rates, they do not address the need for specific headers in a dynamic context where user sessions are essential.
Although removing the Host header and session cookie may help improve the cache hit rate, enabling automatic object compression and using Lambda@Edge for user authorization does not directly address the core issue of the high cache miss rate related to the configuration of HTTP headers and cookies being forwarded.
Creating two separate cache behaviors allows for different handling of static and dynamic content. By removing the User-Agent header and ensuring that static content does not include the session cookie and Authorization header, this approach optimizes caching for static assets while preserving necessary headers for dynamic requests. This separation helps to improve the cache hit rate significantly without impacting the SSL/TLS handshake.