This document presents a real-world evaluation report on Amazon CloudFront CDN integration. Testing was conducted on business domains that had completed DNS integration and were actively handling traffic. The evaluation focused on two core capabilities: CDN acceleration effect and DDoS attack mitigation capability.
All tests were conducted after the CloudFront distribution took effect.
I. Test Environment and Basic Information
| Item | Description |
|---|---|
| Service Provider Under Test | Amazon CloudFront |
| Testing Party | This Site's Cybersecurity Testing Team |
| Access Method | DNS CNAME points to CloudFront distribution domain name |
| Origin server environment | Nginx (AWS EC2, US East Region) |
| Testing Cycle | 30 days |
| Test Focus | CDN Acceleration / DDoS Attack Mitigation |
II. CloudFront Plans and Billing Model Overview
CloudFront uses pay-as-you-go pricing. There are no fixed packages or one-time annual plans; charges are billed directly through the AWS billing system.
| Billing Items | Explanation |
|---|---|
| Data charges | Pricing varies by region, with significant differences in unit rates across different areas. |
| Request Fee | Billed by request count (HTTPS requests billed separately) |
| DDoS Protection | Includes AWS Shield Standard by default (at no additional cost) |
| Total traffic during the test period | Approximately 540 GB |
| Costs during the testing period | Approximately $70–90 (subject to the actual bill) |
In actual use, CloudFront costs are more dependent on traffic distribution and request volume. Without setting budgets and alerts, there is a risk of unexpected costs.
III. CDN Acceleration Testing Methodology
CDN acceleration testing primarily focuses on DNS resolution time, Time to First Byte (TTFB), and overall response duration. The testing tool used is curl, with access requests initiated from nodes in multiple regions.
curl -o /dev/null -s -w \
"DNS: %{time_namelookup}s\nConnect: %{time_connect}s\nTLS: %{time_appconnect}s\nTTFB: %{time_starttransfer}s\nTotal: %{time_total}s\nHTTP: %{http_code}\n" \
https://cdn-test.example.com/static/test.jpg
IV. CDN Acceleration Test Results
| Test Area | DNS (s) | TTFB (s) | Total (s) | HTTP Response Code |
|---|---|---|---|---|
| United States (US) | 0.005 | 0.095 | 0.124 | 200 |
| Germany (DE) | 0.007 | 0.118 | 0.152 | 200 |
| Singapore (SG) | 0.012 | 0.162 | 0.201 | 200 |
Test results indicate that CloudFront delivers stable performance in North America and Europe, while latency is slightly higher in Asia. The Time to First Byte (TTFB) of initial (cold-cache) requests is noticeably higher.
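The timers in the curl write-out format from section III are cumulative from the start of the request, so TTFB includes DNS, TCP and TLS time. The following added example (not part of the original report) splits each run into phases and reports the per-region median plus the slowest wait, which exposes cold-cache requests. It assumes each run's output has been joined onto one line and prefixed with a region label; all sample values are constructed.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample: one line per curl run, region label first (assumed layout).
SAMPLE = """\
US DNS: 0.005s Connect: 0.020s TLS: 0.058s TTFB: 0.240s Total: 0.270s HTTP: 200
US DNS: 0.004s Connect: 0.019s TLS: 0.057s TTFB: 0.095s Total: 0.124s HTTP: 200
US DNS: 0.005s Connect: 0.021s TLS: 0.060s TTFB: 0.097s Total: 0.126s HTTP: 200
SG DNS: 0.012s Connect: 0.048s TLS: 0.121s TTFB: 0.162s Total: 0.201s HTTP: 200
SG DNS: 0.011s Connect: 0.047s TLS: 0.119s TTFB: 0.410s Total: 0.450s HTTP: 200
SG DNS: 0.013s Connect: 0.049s TLS: 0.123s TTFB: 0.164s Total: 0.203s HTTP: 200
"""

FIELD = re.compile(r"(DNS|Connect|TLS|TTFB|Total): ([\d.]+)s")

def phases(line):
    """Turn curl's cumulative timers into per-phase durations (seconds)."""
    t = {name: float(value) for name, value in FIELD.findall(line)}
    return {
        "dns": t["DNS"],
        "tcp": t["Connect"] - t["DNS"],       # TCP handshake
        "tls": t["TLS"] - t["Connect"],       # TLS handshake
        "wait": t["TTFB"] - t["TLS"],         # request sent until first byte
        "download": t["Total"] - t["TTFB"],   # body transfer
    }

def summarize(text):
    """Per region: median of each phase and the slowest wait, in milliseconds."""
    runs = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            runs[line.split()[0]].append(phases(line))
    result = {}
    for region, rs in runs.items():
        stats = {k: round(median(r[k] for r in rs) * 1000) for k in rs[0]}
        # A wait far above the median usually means the edge fetched from origin.
        stats["wait_max"] = round(max(r["wait"] for r in rs) * 1000)
        result[region] = stats
    return result

if __name__ == "__main__":
    for region, stats in summarize(SAMPLE).items():
        print(region, stats)
```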
V. DDoS Attack Testing Plan
| Test Item | Explanation |
|---|---|
| Attack Type | TCP SYN Flood / HTTP GET Flood |
| Testing Tools | hping3 / wrk / ab |
| HTTP Peak Requests | Approximately 1000–1200 RPS |
| Network Layer Packet Rate | Approximately 40K–50K PPS |
VI. DDoS Attack Test Results
| Stage | HTTP 200 | HTTP 403 / 429 | Origin Server CPU | Service Availability |
|---|---|---|---|---|
| Before the attack | 99.9% | 0% | 11% | 100% |
| Under attack | 91.8% | 7.6% | 17% | 99.0% |
| After the attack | 99.7% | 0.3% | 12% | 100% |
During the attack, abnormal requests were primarily intercepted by edge nodes, which returned 403 / 429. The load variation at the origin server was limited, with no significant amplification effect observed.
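One way to check from logs how much of the load was turned away or served at the edge and how much reached the origin, as an added example that is not part of the original report. It reads records in the CloudFront standard-log layout (a `#Fields:` header, then tab-separated rows); the sample rows, the reduced column set and the attack window are constructed, and counting every 403/429 as an edge rejection is a simplifying assumption.

```python
from collections import Counter, defaultdict

HEADER = "#Fields: date time c-ip cs-uri-stem sc-status x-edge-result-type"
ROWS = [  # constructed records; IPs are from documentation ranges
    "2024-01-01 10:00:01 198.51.100.7 /static/test.jpg 200 Hit",
    "2024-01-01 10:00:02 198.51.100.8 /api/items 200 Miss",
    "2024-01-01 10:05:00 203.0.113.9 /static/test.jpg 200 Hit",
    "2024-01-01 10:05:00 203.0.113.9 /static/test.jpg 429 Error",
    "2024-01-01 10:05:01 203.0.113.9 /api/items 403 Error",
    "2024-01-01 10:05:01 203.0.113.9 /api/items 200 Miss",
    "2024-01-01 10:05:02 198.51.100.7 /static/test.jpg 200 Hit",
    "2024-01-01 10:10:00 198.51.100.8 /static/test.jpg 200 RefreshHit",
]
SAMPLE_LOG = "\n".join(["#Version: 1.0", HEADER] + [r.replace(" ", "\t") for r in ROWS])
ATTACK = ("10:05:00", "10:09:59")  # assumed test window (UTC), set by the tester

def parse(log):
    """Yield one dict per record, using the column names from #Fields."""
    fields = []
    for line in log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def stage(t):
    return "before" if t < ATTACK[0] else "during" if t <= ATTACK[1] else "after"

def report(log):
    """Count, per stage, edge rejections, cache-served and origin-bound requests."""
    out = defaultdict(Counter)
    for r in parse(log):
        c = out[stage(r["time"])]
        c["total"] += 1
        if r["sc-status"] in ("403", "429"):
            c["rejected_at_edge"] += 1      # assumption: blocked before origin
        elif r["x-edge-result-type"] in ("Miss", "RefreshHit"):
            c["reached_origin"] += 1        # edge had to contact the origin
        else:
            c["served_from_cache"] += 1
    return {s: dict(c) for s, c in out.items()}

if __name__ == "__main__":
    for s, counts in report(SAMPLE_LOG).items():
        print(s, counts)
```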
VII. Return Header and Node Verification
curl -I https://cdn-test.example.com/static/test.jpg
HTTP/2 200
x-cache: Hit from CloudFront
via: 1.1 abcdef.cloudfront.net
The response was served by a CloudFront edge node, and the cache hit status was normal.
VIII. Frequently Asked Questions (CloudFront Usage FAQ)
1. Why does CloudFront take longer to activate than some other CDNs?
CloudFront distribution configurations require propagation across global nodes, with actual propagation typically taking 5–15 minutes.
It is not suitable for scenarios requiring frequent real-time configuration changes.
2. Is CloudFront's default DDoS protection sufficient?
The default AWS Shield Standard protects against common traffic-based attacks, but complex application-layer attacks still require AWS WAF.
3. Will CloudFront forward attack traffic to the origin server?
When cache hit rates are high, attack traffic is primarily absorbed at the edge; when the proportion of dynamic requests is high, the risk of traffic reaching the backend increases.
4. Why are CloudFront costs difficult to understand at a glance?
Costs are broken down into multiple dimensions such as traffic, request volume, and regions, and are consolidated with AWS billing. Without setting budget alerts initially, costs can easily spiral out of control.
5. Is CloudFront suitable for personal websites?
It is technically feasible, but the learning and management costs are higher, making it more suitable for users already within the AWS ecosystem.
IX. Evaluation Findings and Personal Perspectives
Based on actual testing experience, CloudFront functions more as part of the AWS infrastructure than as a CDN product designed for an “out-of-the-box experience.”
Its advantage lies not in achieving extreme single-point speed, but in being stable, scalable, and deeply integrated with the AWS ecosystem.
If your business is already running on AWS, CloudFront is a “rational and prudent” choice; but if you simply want a straightforward, intuitive CDN, CloudFront's complexity may become a burden.

