In AWS, there is another kind of signed URL provided by a different service: CloudFront. The basic use-case is the same: to provide controlled access in a serverless-friendly way. But there are many technical differences between the two solutions.
CloudFront is AWS's CDN solution that provides routing, edge caching, TLS termination, and also custom domain support for webapps. In practice, a CloudFront distribution is the entry point where all client requests are sent, and it forwards them to the different backends, or "origins" as they are called here.
These origins can be a variety of things, such as S3 buckets, Lambda functions, API gateways, and even generic HTTP APIs, and they don't even need to be hosted in AWS. When a request reaches the distribution entry point, CloudFront decides where to route it based on the request path. For example, the /index.html and the /app.js might go to an S3 bucket that serves the static frontend app, while everything starting with /api/ can go to a Lambda function.
The above example is a fairly typical serverless setup: store the static HTML, CSS, JS, and other assets in a bucket, add an API, then put both behind CloudFront and configure its routing. This combines the best of these services: S3 provides a robust way to store and serve static files, CloudFront provides an optimized HTTP endpoint, and Lambda scales to meet the demand for all dynamic operations.
Using CloudFront here means clients connect to a single domain, so there is only one DNS resolution, one TLS handshake, and one single multiplexed connection to maintain. Moreover, since all the paths are relative to the domain, it even provides a simplified configuration: the API is always under /api/, making the client-side configuration easier.
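The path-based routing described above can be modeled in a few lines. This is an added example, not code from the original text or from AWS: it is a local simulation of how an ordered list of path patterns selects an origin, and it goes slightly beyond the text by including edge cases (a missing trailing slash, different letter case). The origin names `lambda-api` and `s3-frontend` are hypothetical labels.

```python
import re

# Constructed model of the setup in the text: one ordered behavior for the API,
# plus a default behavior that serves the static frontend from S3.
# Origin names are hypothetical labels, not AWS identifiers.
BEHAVIORS = [("/api/*", "lambda-api")]
DEFAULT_ORIGIN = "s3-frontend"


def pattern_to_regex(pattern):
    """Translate a path pattern: '*' is zero or more chars, '?' is exactly one."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # No IGNORECASE flag: path patterns are matched case-sensitively.
    return re.compile("".join(parts), re.DOTALL)


def route(path, behaviors=BEHAVIORS, default=DEFAULT_ORIGIN):
    """Return the origin for a request path; the first matching behavior wins."""
    for pattern, origin in behaviors:
        if pattern_to_regex(pattern).fullmatch(path):
            return origin
    # Nothing matched, so the request falls through to the default behavior.
    return default


def routing_table(paths):
    """Map each path to the origin that would receive it."""
    return {p: route(p) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths, including edge cases around the /api/ prefix.
    sample = ["/index.html", "/app.js", "/api/users", "/api/", "/api", "/API/users"]
    for path, origin in routing_table(sample).items():
        print(f"{path:14} -> {origin}")
```

Requests such as /api and /API/users do not match /api/* and therefore reach the default (S3) origin, which is worth keeping in mind when access controls differ between the two origins.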