CloudFront distributions are set to distribute content to all available edge locations, including locations that may not include commercially viable users or may pose data sovereignty concerns
AWS CloudFront is a content delivery network (CDN) designed to provide faster access to your application’s data by caching content closer to geographically dispersed users. CloudFront is highly effective for distributing content globally, but it offers only three pricing tiers, which are not country-specific. These tiers include:
Price Class 100: This is the most cost-effective tier and covers regions like the United States, Mexico, Canada, Europe, Israel, and Turkey.
Price Class 200: Includes all regions from Price Class 100, plus South Africa, Kenya, Nigeria, Egypt, the Middle East, Japan, India, Hong Kong, Indonesia, Philippines, Singapore, South Korea, Taiwan, Thailand, Malaysia, and Vietnam.
Price Class All: Extends coverage to all previously mentioned regions, adding South America, Australia, and New Zealand.
In practice, many applications do not need to be accessible across all of these geographic areas. Even with Price Class 100, users worldwide can still connect to your CloudFront distribution; they simply connect to edge locations in North America and Europe rather than to a geographically closer cache.
Using a higher price class than Price Class 100 instructs CloudFront to distribute its content to edge locations in the additional regions listed above. This improves performance for users in those regions, because they are directed to a locally cached copy of the content rather than to edge locations in Europe or North America.
In our experience, most organisations do not need this additional level of performance enhancement as their users are not global. As discussed in test A-CF-2, there are few services that are required to be accessible across the globe. If your organisation fits in this category then distributing content across additional regions does not offer any business benefit.
Additionally, distributing your cached content to additional regions may introduce unnecessary complexity and risk arising from evolving data management and legal regulations. Whilst this is unlikely to become an issue given the ubiquity of CDN services, there are movements across a number of legislative bodies to control data hosted within their legal jurisdictions. If there is no business benefit to providing better performance to users outside of your viable business locations, then caching content abroad introduces legal risk for no business benefit.
As a practical example, if your audience is mostly in the United States, sticking to Price Class 100 ensures efficient content delivery without the extra complexity of managing data across regions that don’t offer business value.
It’s important to assess your customer base and legal obligations to ensure your CDN distribution aligns with your actual user needs. For most businesses, it’s simpler and safer to keep content distribution limited to regions that provide a tangible benefit, reducing the risk of legal complications and unnecessary data exposure.
SkySiege’s AWS Vulnerability Scan automatically detects this vulnerability across all AWS Regions with the report delivered the same day.
Our advice is generally to reduce the CloudFront distribution to Price Class 100 unless there are active, commercial users in the countries listed above. This will help centralise your data and ensure that you are not distributing your content further than necessary.
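The check described on this page can be reproduced from the output of the AWS CLI. The following script is an added example (not SkySiege's scanner and not AWS code): it parses the JSON that `aws cloudfront list-distributions --output json` returns, flags every enabled distribution whose PriceClass is not PriceClass_100 unless its ID is on an approved list of distributions with a genuinely global audience, and then prepares the body for `aws cloudfront update-distribution` from the output of `aws cloudfront get-distribution-config`. The distribution IDs, domain names, comments and ETag below are constructed sample values; the field names (DistributionList, Items, Id, PriceClass, DistributionConfig, ETag) and the PriceClass values are the real ones used by the CloudFront API.

```python
import json
from typing import Iterable

# Constructed sample resembling `aws cloudfront list-distributions --output json`.
# Only the fields the check reads are included; IDs and domains are made up.
SAMPLE_LIST_DISTRIBUTIONS = json.dumps({
    "DistributionList": {
        "Items": [
            {"Id": "EXAMPLE1US", "DomainName": "d111111abcdef8.cloudfront.net",
             "Enabled": True, "PriceClass": "PriceClass_100",
             "Comment": "US marketing site"},
            {"Id": "EXAMPLE2ALL", "DomainName": "d222222abcdef8.cloudfront.net",
             "Enabled": True, "PriceClass": "PriceClass_All",
             "Comment": "internal admin assets"},
            {"Id": "EXAMPLE3APAC", "DomainName": "d333333abcdef8.cloudfront.net",
             "Enabled": True, "PriceClass": "PriceClass_200",
             "Comment": "APAC customer portal"},
            {"Id": "EXAMPLE4OFF", "DomainName": "d444444abcdef8.cloudfront.net",
             "Enabled": False, "PriceClass": "PriceClass_All",
             "Comment": "disabled legacy distribution"},
        ]
    }
})

# Constructed sample resembling `aws cloudfront get-distribution-config --id EXAMPLE2ALL`.
# The real response carries the full DistributionConfig; only a few keys are shown.
SAMPLE_GET_CONFIG = json.dumps({
    "ETag": "ETAGEXAMPLE0001",
    "DistributionConfig": {
        "CallerReference": "admin-assets-2024",
        "Comment": "internal admin assets",
        "Enabled": True,
        "PriceClass": "PriceClass_All",
    }
})

EXPECTED_PRICE_CLASS = "PriceClass_100"


def find_over_distributed(list_output: str,
                          approved_global: Iterable[str] = (),
                          include_disabled: bool = False) -> list:
    """Return findings for distributions using a price class wider than
    PriceClass_100 and not on the approved list. Disabled distributions are
    skipped by default because they serve no traffic, but can be included."""
    approved = set(approved_global)
    items = json.loads(list_output).get("DistributionList", {}).get("Items", [])
    findings = []
    for dist in items:
        if not include_disabled and not dist.get("Enabled", False):
            continue
        if dist["Id"] in approved:
            continue
        if dist.get("PriceClass") != EXPECTED_PRICE_CLASS:
            findings.append({
                "Id": dist["Id"],
                "DomainName": dist.get("DomainName", ""),
                "PriceClass": dist.get("PriceClass"),
                "Comment": dist.get("Comment", ""),
            })
    return findings


def build_update_config(get_config_output: str) -> tuple:
    """From get-distribution-config output, return (etag, distribution_config)
    with PriceClass set to PriceClass_100. update-distribution expects only the
    DistributionConfig object as its body, and the ETag via --if-match."""
    doc = json.loads(get_config_output)
    config = dict(doc["DistributionConfig"])
    config["PriceClass"] = EXPECTED_PRICE_CLASS
    return doc["ETag"], config


if __name__ == "__main__":
    for f in find_over_distributed(SAMPLE_LIST_DISTRIBUTIONS, approved_global={"EXAMPLE3APAC"}):
        print(f"{f['Id']} ({f['DomainName']}) uses {f['PriceClass']}: {f['Comment']}")
    etag, cfg = build_update_config(SAMPLE_GET_CONFIG)
    # Write cfg to a file and apply it with:
    #   aws cloudfront update-distribution --id <ID> --if-match <etag> \
    #       --distribution-config file://config.json
    print(etag, json.dumps(cfg))
```

The approved list is the place to record distributions that genuinely serve customers in Price Class 200 or Price Class All regions, so the check stays quiet for them and noisy for everything else. Rerunning the check after applying the update confirms the remediation took effect.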
There are good reasons for utilising Price Class 200 or Price Class All, but if you're unsure you can always seek architectural guidance to help you find the optimum balance between performance, cost and functionality.