1
00:00:00,360 --> 00:00:02,310
‫So let's go and practice using CloudFront,

2
00:00:02,310 --> 00:00:04,890
‫but first we have to create an S3 bucket

3
00:00:04,890 --> 00:00:07,590
‫to hold our files for our distribution.

4
00:00:07,590 --> 00:00:08,610
‫So let's create a bucket,

5
00:00:08,610 --> 00:00:12,943
‫and I'll call this one demo-cloudfront-stephane-v4.

6
00:00:14,059 --> 00:00:15,510
‫And then we'll scroll down,

7
00:00:15,510 --> 00:00:17,400
‫leave everything as the default,

8
00:00:17,400 --> 00:00:19,173
‫and click on Create bucket.

9
00:00:20,490 --> 00:00:22,260
‫Okay, so my bucket is now created,

10
00:00:22,260 --> 00:00:24,453
‫and I'm going to upload some files in it.

11
00:00:25,290 --> 00:00:28,140
‫So let me add files, and I will choose my three files,

12
00:00:28,140 --> 00:00:31,830
‫beach, coffee, and index.html.

13
00:00:31,830 --> 00:00:33,003
‫So let's upload them.

14
00:00:34,260 --> 00:00:35,460
‫And now they've been uploaded,

15
00:00:35,460 --> 00:00:37,890
‫so if I go in my bucket, we can see all of them.

16
00:00:37,890 --> 00:00:39,960
‫And as a reminder, if I go on index.html,

17
00:00:39,960 --> 00:00:41,700
‫I have two ways of open it.

18
00:00:41,700 --> 00:00:44,130
‫The first one is to use the object URL,

19
00:00:44,130 --> 00:00:46,560
‫but if I try it, I get an access denied

20
00:00:46,560 --> 00:00:48,750
‫because my object is not public.

21
00:00:48,750 --> 00:00:51,210
‫And if I go and click on Open here,

22
00:00:51,210 --> 00:00:53,280
‫this generates a pre-signed...

23
00:00:53,280 --> 00:00:54,600
‫So let's allow popups.

24
00:00:54,600 --> 00:00:58,530
‫This generates a pre-signed URL from my S3 object,

25
00:00:58,530 --> 00:01:00,060
‫which allows me to access the object.

26
00:01:00,060 --> 00:01:01,470
‫So I see I love coffee and Hello world!

27
00:01:01,470 --> 00:01:03,030
‫But I still don't see the image,

28
00:01:03,030 --> 00:01:05,490
‫because the image itself is not public.

29
00:01:05,490 --> 00:01:08,400
‫So let's see how we can instead use CloudFront

30
00:01:08,400 --> 00:01:10,320
‫to make these files accessible

31
00:01:10,320 --> 00:01:12,003
‫without making them public.

32
00:01:12,900 --> 00:01:15,783
‫So let's open up the CloudFront console.

33
00:01:17,730 --> 00:01:19,650
‫And as you can see, on the top right corner,

34
00:01:19,650 --> 00:01:21,270
‫it is a global service,

35
00:01:21,270 --> 00:01:24,360
‫because, well, CloudFront is a global distribution,

36
00:01:24,360 --> 00:01:26,040
‫so there's no region selection.

37
00:01:26,040 --> 00:01:28,020
‫We next have to choose an origin domain.

38
00:01:28,020 --> 00:01:30,540
‫So as you can see, I get my Amazon S3 buckets,

39
00:01:30,540 --> 00:01:32,370
‫or my Elastic Load Balancer, or whatever.

40
00:01:32,370 --> 00:01:34,050
‫So if I choose my bucket,

41
00:01:34,050 --> 00:01:37,620
‫I could choose my demo CloudFront bucket, clicking on here.

42
00:01:37,620 --> 00:01:40,560
‫But here you can enter really any domain name you want,

43
00:01:40,560 --> 00:01:42,510
‫including custom HTTP origins,

44
00:01:42,510 --> 00:01:43,800
‫this is fine.

45
00:01:43,800 --> 00:01:45,120
‫So then the origin access,

46
00:01:45,120 --> 00:01:46,710
‫how do you access the identity?

47
00:01:46,710 --> 00:01:49,530
‫Well, because this is Amazon S3, we have multiple ways.

48
00:01:49,530 --> 00:01:50,460
‫We have public,

49
00:01:50,460 --> 00:01:52,860
‫which is that the bucket itself must be public,

50
00:01:52,860 --> 00:01:54,570
‫but this is not the case for us.

51
00:01:54,570 --> 00:01:57,480
‫Then we have Origin Access Control, which is OAC,

52
00:01:57,480 --> 00:01:59,640
‫that's the recommended way we'll be using it.

53
00:01:59,640 --> 00:02:01,050
‫And here this was OAI,

54
00:02:01,050 --> 00:02:02,670
‫it was the previous way of doing it.

55
00:02:02,670 --> 00:02:03,870
‫But now we're going to use the new way

56
00:02:03,870 --> 00:02:06,240
‫called OAC, Origin Access Control.

57
00:02:06,240 --> 00:02:08,730
‫So we need to create an Origin Access Control,

58
00:02:08,730 --> 00:02:12,360
‫so to do so, let's click on Create control setting,

59
00:02:12,360 --> 00:02:13,710
‫and it just gives us a name for it.

60
00:02:13,710 --> 00:02:14,910
‫So this is good.

61
00:02:14,910 --> 00:02:16,770
‫And let's click on Create.

62
00:02:16,770 --> 00:02:19,170
‫So now this has been created

63
00:02:19,170 --> 00:02:22,530
‫and we will have to update the S3 bucket policy,

64
00:02:22,530 --> 00:02:26,460
‫so that CloudFront can access our S3 bucket.

65
00:02:26,460 --> 00:02:28,230
‫Because if you go right now in here

66
00:02:28,230 --> 00:02:31,980
‫and look at our bucket itself under Permissions

67
00:02:31,980 --> 00:02:32,970
‫and scroll down,

68
00:02:32,970 --> 00:02:34,650
‫the bucket policy is currently empty

69
00:02:34,650 --> 00:02:37,170
‫and so CloudFront will not be able to access it.

70
00:02:37,170 --> 00:02:38,790
‫So right now, we'll leave it as is.

71
00:02:38,790 --> 00:02:42,240
‫I'm going to scroll down and skip many different settings.

72
00:02:42,240 --> 00:02:45,870
‫But one you have to set is the default root object,

73
00:02:45,870 --> 00:02:47,730
‫which is that the default object

74
00:02:47,730 --> 00:02:49,980
‫is going to be for me index.hmtl.

75
00:02:51,400 --> 00:02:52,410
‫Okay, so everything looks good,

76
00:02:52,410 --> 00:02:54,033
‫let's create our distribution.

77
00:02:54,990 --> 00:02:58,230
‫And our distribution can take some time to be created.

78
00:02:58,230 --> 00:02:59,250
‫As you can see here,

79
00:02:59,250 --> 00:03:01,110
‫the S3 bucket policy needs to be updated.

80
00:03:01,110 --> 00:03:04,170
‫So I can click on Copy policy here,

81
00:03:04,170 --> 00:03:06,240
‫and there is a shortcut from here

82
00:03:06,240 --> 00:03:10,110
‫to go straight to your bucket policy settings page.

83
00:03:10,110 --> 00:03:11,730
‫So here we go, we have it.

84
00:03:11,730 --> 00:03:13,560
‫Now let's click on Edit,

85
00:03:13,560 --> 00:03:16,950
‫and we're going to paste the policy we just printed.

86
00:03:16,950 --> 00:03:20,790
‫And by the way, if you somehow lose access to this policy,

87
00:03:20,790 --> 00:03:22,440
‫you can go under Origins.

88
00:03:22,440 --> 00:03:23,640
‫Then in here in Origins,

89
00:03:23,640 --> 00:03:25,890
‫you click on Edit, you scroll down,

90
00:03:25,890 --> 00:03:28,140
‫and here you will find the policy statement

91
00:03:28,140 --> 00:03:31,140
‫to copy and paste here.

92
00:03:31,140 --> 00:03:33,600
‫So if we look at this bucket policy now,

93
00:03:33,600 --> 00:03:37,650
‫we allow the CloudFront service to do GetObject

94
00:03:37,650 --> 00:03:39,840
‫on any file in our bucket,

95
00:03:39,840 --> 00:03:42,120
‫as long as the CloudFront distribution,

96
00:03:42,120 --> 00:03:43,440
‫so this is the condition,

97
00:03:43,440 --> 00:03:44,460
‫is the one we created.

98
00:03:44,460 --> 00:03:46,320
‫So this basically allows our distribution

99
00:03:46,320 --> 00:03:48,150
‫to access our S3 bucket.

100
00:03:48,150 --> 00:03:48,983
‫This is good.

101
00:03:48,983 --> 00:03:50,190
‫This was generated by AWS,

102
00:03:50,190 --> 00:03:52,350
‫we don't do anything besides this.

103
00:03:52,350 --> 00:03:54,480
‫So the permissions are now correct.

104
00:03:54,480 --> 00:03:58,170
‫So back in CloudFront, let's cancel this

105
00:03:58,170 --> 00:03:59,820
‫and we go to our distribution,

106
00:03:59,820 --> 00:04:02,730
‫and we have to wait until it becomes deployed.

107
00:04:02,730 --> 00:04:04,350
‫My CloudFront distribution is now ready,

108
00:04:04,350 --> 00:04:06,630
‫so I'm going to copy the domain name, open a new tab,

109
00:04:06,630 --> 00:04:07,500
‫and as you can see now,

110
00:04:07,500 --> 00:04:09,750
‫I get I love coffee, Hello world!

111
00:04:09,750 --> 00:04:11,130
‫And my image.

112
00:04:11,130 --> 00:04:14,010
‫So you can go to /coffee.jpg,

113
00:04:14,010 --> 00:04:15,450
‫and of course, this will work.

114
00:04:15,450 --> 00:04:16,950
‫And you can go to /beach.jpg,

115
00:04:16,950 --> 00:04:18,780
‫and this will work as well.

116
00:04:18,780 --> 00:04:19,650
‫But the cool thing about it

117
00:04:19,650 --> 00:04:21,690
‫is that now if I refresh this page,

118
00:04:21,690 --> 00:04:24,120
‫this is served actually from the CloudFront cache,

119
00:04:24,120 --> 00:04:27,090
‫and not from the S3 bucket itself.

120
00:04:27,090 --> 00:04:29,310
‫Because well, I requested the file once,

121
00:04:29,310 --> 00:04:31,950
‫so now they are automatically sent by CloudFront.

122
00:04:31,950 --> 00:04:34,320
‫As you can see, the loading is much quicker.

123
00:04:34,320 --> 00:04:36,300
‫And again, if I go to index.html,

124
00:04:36,300 --> 00:04:38,100
‫this is served from the cache.

125
00:04:38,100 --> 00:04:39,630
‫So this is the beauty of CloudFront.

126
00:04:39,630 --> 00:04:40,800
‫Now we've done one request

127
00:04:40,800 --> 00:04:42,300
‫against Amazon S3 through CloudFront,

128
00:04:42,300 --> 00:04:45,390
‫and then the rest is cached on the distribution itself.

129
00:04:45,390 --> 00:04:47,580
‫So if I go back now to CloudFront,

130
00:04:47,580 --> 00:04:49,560
‫on the left-hand side, just to show you,

131
00:04:49,560 --> 00:04:51,540
‫you have the Origin access,

132
00:04:51,540 --> 00:04:54,420
‫and this is where you will find your Origin access controls

133
00:04:54,420 --> 00:04:56,970
‫and we can see that this one was created

134
00:04:56,970 --> 00:04:58,350
‫and is active right now,

135
00:04:58,350 --> 00:05:01,207
‫and is assigned to this distribution.

136
00:05:01,207 --> 00:05:02,610
‫So, okay, that's it,

137
00:05:02,610 --> 00:05:03,870
‫we've seen how CloudFront works.

138
00:05:03,870 --> 00:05:05,010
‫I hope you liked it,

139
00:05:05,010 --> 00:05:06,960
‫and I will see you in the next lecture.