🃏 DNS & Content Delivery Flashcards

Q: When should you use geoproximity vs geolocation routing?

A: Geolocation: route by user country/continent (exact mapping). Geoproximity: route by distance with adjustable bias to expand/shrink routing regions.

Q: What is Route 53 traffic flow?

A: Visual editor for complex routing policies. Creates reusable traffic policies that can combine multiple routing types (weighted + failover + latency).

Q: How does CloudFront Origin Shield work?

A: Additional caching layer between edge locations and origin. Reduces origin load by consolidating requests from multiple edge POPs through one shield region.

Q: What is the difference between CloudFront Functions and Lambda@Edge?

A: CF Functions: lightweight (viewer events only, <1ms, 10KB), JavaScript. Lambda@Edge: full Lambda (all 4 events, up to 30s, 50MB), Node.js/Python.

Q: What is Route 53 DNSSEC?

A: Signs DNS responses to prove authenticity. KSK in KMS signs ZSK. DS record in parent zone creates chain of trust. Prevents DNS spoofing.

Q: What is Global Accelerator vs CloudFront?

A: Global Accelerator: L4 TCP/UDP, static IPs, non-HTTP workloads, instant failover. CloudFront: L7 HTTP/HTTPS, caching, content delivery, Lambda@Edge.

Q: What is a Route 53 alias record?

A: AWS-specific record type that maps to AWS resources (ELB, CloudFront, S3, etc.). Free queries, supports zone apex. Cannot set TTL (inherits from target).

Q: How does CloudFront cache invalidation work?

A: Removes objects from edge caches before TTL expires. First 1,000 paths/month free. Use versioned URLs (file-v2.js) instead for cost efficiency.

Q: What is a calculated health check?

A: Monitors other health checks and reports healthy/unhealthy based on a threshold (e.g., healthy if 2/3 children are healthy).

Q: What is CloudFront Origin Access Control (OAC)?

A: Replaces OAI. Restricts S3 access to CloudFront only using IAM-based signing (SigV4). Supports SSE-KMS, all S3 features, and PUT requests.