Use Amazon CloudFront Origin Shield
CloudFront Origin Shield is an additional layer in the CloudFront caching infrastructure that helps to minimize your origin’s load, improve its availability, and reduce its operating costs. With CloudFront Origin Shield, you get the following benefits:
- Better cache hit ratio: Origin Shield can help improve the cache hit ratio of your CloudFront distribution because it provides an additional layer of caching in front of your origin. When you use Origin Shield, all requests from all of CloudFront’s caching layers to your origin go through Origin Shield, increasing the likelihood of a cache hit. CloudFront can retrieve each object with a single origin request from Origin Shield to your origin, and all other layers of the CloudFront cache (edge locations and regional edge caches) can retrieve the object from Origin Shield.
- Reduced origin load: Origin Shield can further reduce the number of simultaneous requests that are sent to your origin for the same object. Requests for content that is not in Origin Shield’s cache are consolidated with other requests for the same object, resulting in as few as one request going to your origin. Handling fewer requests at your origin can preserve your origin’s availability during peak loads or unexpected traffic spikes, and can reduce costs for things like just-in-time packaging, image transformations, and data transfer out (DTO).
- Better network performance: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. For origins in an AWS Region, CloudFront network traffic remains on the high throughput CloudFront network all the way to your origin. For origins outside of AWS, CloudFront network traffic remains on the CloudFront network all the way to Origin Shield, which has a low latency connection to your origin.
You incur additional charges for using Origin Shield. For more information, see CloudFront pricing.
Note
Origin Shield isn't supported with gRPC requests. If a distribution that supports gRPC has Origin Shield enabled, the gRPC requests will continue to work. However, the requests will be proxied directly to the gRPC origin without going through Origin Shield. For more information, see Using gRPC with CloudFront distributions.
Use cases for Origin Shield
CloudFront Origin Shield can be beneficial for many use cases, including the following:
- Viewers that are spread across different geographical regions
- Origins that provide just-in-time packaging for live streaming or on-the-fly image processing
- On-premises origins with capacity or bandwidth constraints
- Workloads that use multiple content delivery networks (CDNs)
Origin Shield may not be a good fit in other cases, such as dynamic content that is proxied to the origin, content with low cacheability, or content that is infrequently requested.
The following sections explain the benefits of Origin Shield for these use cases.
Viewers in different geographical regions
With Amazon CloudFront, you inherently get a reduced load on your origin because requests that CloudFront can serve from the cache don’t go to your origin. In addition to CloudFront’s global network of edge locations
When viewers are in different geographical regions, requests can be routed through different regional edge caches, each of which can send a request to your origin for the same content. But with Origin Shield, you get an additional layer of caching between the regional edge caches and your origin. All requests from all regional edge caches go through Origin Shield, further reducing the load on your origin. The following diagrams illustrate this. In the following diagrams, the origin is AWS Elemental MediaPackage.
Without Origin Shield
Without Origin Shield, your origin might receive duplicate requests for the same content, as shown in the following diagram.
With Origin Shield
Using Origin Shield can help reduce the load on your origin, as shown in the following diagram.
Multiple CDNs
To serve live video events or popular on-demand content, you might use multiple content delivery networks (CDNs). Using multiple CDNs can offer certain advantages, but it also means that your origin might receive many duplicate requests for the same content, each coming from different CDNs or different locations within the same CDN. These redundant requests might adversely affect the availability of your origin or cause additional operating costs for processes like just-in-time packaging or data transfer out (DTO) to the internet.
When you combine Origin Shield with using your CloudFront distribution as the origin for other CDNs, you can get the following benefits:
- Fewer redundant requests received at your origin, which helps to reduce the negative effects of using multiple CDNs.
- A common cache key across CDNs, and centralized management for origin-facing features.
- Improved network performance. Network traffic from other CDNs is terminated at a nearby CloudFront edge location, which might provide a hit from the local cache. If the requested object is not in the edge location cache, the request to the origin remains on the CloudFront network all the way to Origin Shield, which provides high throughput and low latency to the origin. If the requested object is in Origin Shield’s cache, the request to your origin is avoided entirely.
Important
If you are interested in using Origin Shield in a multi-CDN architecture, and have discounted pricing, contact us.
The following diagrams show how this configuration can help minimize the load on your origin when you serve popular live video events with multiple CDNs. In the following diagrams, the origin is AWS Elemental MediaPackage.
Without Origin Shield (multiple CDNs)
Without Origin Shield, your origin might receive many duplicate requests for the same content, each coming from a different CDN, as shown in the following diagram.
With Origin Shield (multiple CDNs)
Using Origin Shield, with CloudFront as the origin for your other CDNs, can help reduce the load on your origin, as shown in the following diagram.
Choose the AWS Region for Origin Shield
Amazon CloudFront offers Origin Shield in AWS Regions where CloudFront has a regional edge cache. When you enable Origin Shield, you choose the AWS Region for Origin Shield. You should choose the AWS Region that has the lowest latency to your origin. You can use Origin Shield with origins that are in an AWS Region, and with origins that are not in AWS.
For origins in an AWS Region
If your origin is in an AWS Region, first determine whether your origin is in a Region in which CloudFront offers Origin Shield. CloudFront offers Origin Shield in the following AWS Regions.
- US East (Ohio) – us-east-2
- US East (N. Virginia) – us-east-1
- US West (Oregon) – us-west-2
- Asia Pacific (Mumbai) – ap-south-1
- Asia Pacific (Seoul) – ap-northeast-2
- Asia Pacific (Singapore) – ap-southeast-1
- Asia Pacific (Sydney) – ap-southeast-2
- Asia Pacific (Tokyo) – ap-northeast-1
- Europe (Frankfurt) – eu-central-1
- Europe (Ireland) – eu-west-1
- Europe (London) – eu-west-2
- South America (São Paulo) – sa-east-1
- Middle East (UAE) – me-central-1
If your origin is in an AWS Region in which CloudFront offers Origin Shield
If your origin is in an AWS Region in which CloudFront offers Origin Shield (see the preceding list), enable Origin Shield in the same Region as your origin.
If your origin is not in an AWS Region in which CloudFront offers Origin Shield
If your origin is not in an AWS Region in which CloudFront offers Origin Shield, see the following table to determine which Region to enable Origin Shield in.
| If your origin is in ... | Enable Origin Shield in ... |
|---|---|
| US West (N. California) | US West (Oregon) |
| Africa (Cape Town) | Europe (Ireland) |
| Asia Pacific (Hong Kong) | Asia Pacific (Singapore) |
| Canada (Central) | US East (N. Virginia) |
| Europe (Milan) | Europe (Frankfurt) |
| Europe (Paris) | Europe (London) |
| Europe (Stockholm) | Europe (London) |
| Middle East (Bahrain) | Asia Pacific (Mumbai) |
For origins outside of AWS
You can use Origin Shield with an origin that is on-premises or is not in an AWS Region. In this case, enable Origin Shield in the AWS Region that has the lowest latency to your origin. If you’re not sure which AWS Region has the lowest latency to your origin, you can use the following suggestions to help you make a determination.
- You can consult the preceding table for an approximation of which AWS Region might have the lowest latency to your origin, based on your origin’s geographic location.
- You can launch Amazon EC2 instances in a few different AWS Regions that are geographically close to your origin, and run some tests using ping to measure the typical network latencies between those Regions and your origin.
Enable Origin Shield
You can enable Origin Shield to improve your cache hit ratio, reduce the load on your origin, and help improve performance. To enable Origin Shield, change the origin settings in a CloudFront distribution. Origin Shield is a property of the origin. For each origin in your CloudFront distributions, you can separately enable Origin Shield in whichever AWS Region provides the best performance for that origin.
You can enable Origin Shield in the CloudFront console, with AWS CloudFormation, or with the CloudFront API.
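Because Origin Shield is a per-origin property, enabling it programmatically means editing one entry in the distribution's origin list and writing the whole config back. The following is an added example, not AWS code: `ORIGIN_SHIELD_REGIONS` is the list from this page, the `OriginShield` structure (`Enabled`, `OriginShieldRegion`) is the origin field the CloudFront API and CloudFormation use, and `apply_origin_shield()` assumes you pass in an already-created boto3 CloudFront client.

```python
"""Enable Origin Shield on exactly one origin of a CloudFront distribution.

Added example, not AWS code. ORIGIN_SHIELD_REGIONS is the list from this page; the
OriginShield structure (Enabled, OriginShieldRegion) is the origin field used by the
CloudFront API and CloudFormation. apply_origin_shield() takes a boto3 client you created.
"""
import copy

ORIGIN_SHIELD_REGIONS = frozenset({
    "us-east-2", "us-east-1", "us-west-2", "ap-south-1", "ap-northeast-2",
    "ap-southeast-1", "ap-southeast-2", "ap-northeast-1", "eu-central-1",
    "eu-west-1", "eu-west-2", "sa-east-1", "me-central-1",
})


def origin_shield_setting(region: str) -> dict:
    """Return the OriginShield block for an origin, refusing Regions this page does not list."""
    if region not in ORIGIN_SHIELD_REGIONS:
        raise ValueError(f"Origin Shield is not offered in {region}; use the nearest listed Region")
    return {"Enabled": True, "OriginShieldRegion": region}


def with_origin_shield(distribution_config: dict, origin_id: str, region: str) -> dict:
    """Return a copy of a DistributionConfig with Origin Shield enabled on one origin.
    Origin Shield is a property of the origin, so every other origin is left untouched."""
    updated = copy.deepcopy(distribution_config)
    for origin in updated["Origins"]["Items"]:
        if origin["Id"] == origin_id:
            origin["OriginShield"] = origin_shield_setting(region)
            return updated
    raise KeyError(f"no origin with Id {origin_id!r} in this distribution")


def apply_origin_shield(cloudfront, distribution_id: str, origin_id: str, region: str) -> str:
    """Read-modify-write the live distribution through a boto3 CloudFront client.
    The ETag from get_distribution_config goes back as IfMatch, so a concurrent change to
    the distribution is rejected instead of being silently overwritten."""
    current = cloudfront.get_distribution_config(Id=distribution_id)
    new_config = with_origin_shield(current["DistributionConfig"], origin_id, region)
    response = cloudfront.update_distribution(
        Id=distribution_id, IfMatch=current["ETag"], DistributionConfig=new_config)
    return response["ETag"]
```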
Estimate Origin Shield costs
You accrue charges for Origin Shield based on the number of requests that go to Origin Shield as an incremental layer.
For dynamic (non-cacheable) requests that are proxied to the origin, Origin Shield is always an incremental layer. Dynamic requests use the HTTP methods PUT, POST, PATCH, and DELETE.
GET and HEAD requests that have a time to live (TTL) setting of less than 3600 seconds are considered dynamic requests. In addition, GET and HEAD requests that have disabled caching are also considered dynamic requests.
To estimate your charges for Origin Shield for dynamic requests, use the following formula:
Total number of dynamic requests x Origin Shield charge per 10,000 requests / 10,000
For non-dynamic requests with the HTTP methods GET, HEAD, and OPTIONS, Origin Shield is sometimes an incremental layer. When you enable Origin Shield, you choose the AWS Region for Origin Shield. For requests that naturally go to the regional edge cache in the same Region as Origin Shield, Origin Shield is not an incremental layer. You don't accrue Origin Shield charges for these requests. For requests that go to a regional edge cache in a different Region from Origin Shield, and then go to Origin Shield, Origin Shield is an incremental layer. You do accrue Origin Shield charges for these requests.
To estimate your charges for Origin Shield for cacheable requests, use the following formula:
Total number of cacheable requests x (1 – cache hit rate) x percentage of requests that go to Origin Shield from a regional edge cache in a different region x Origin Shield charge per 10,000 requests / 10,000
For more information about the charge per 10,000 requests for Origin Shield, see CloudFront Pricing.
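The two formulas above, applied to a month of constructed traffic, as an added example that is not AWS code. `CHARGE_PER_10K_REQUESTS` is a placeholder price, not a real AWS rate; the request classification follows the page's rules exactly (write methods always dynamic; GET/HEAD dynamic when caching is disabled or the TTL is under 3600 seconds).

```python
"""Estimate incremental Origin Shield request charges with the two formulas on this page.

Added example, not AWS code. CHARGE_PER_10K_REQUESTS is a constructed placeholder; take
the real figure from the CloudFront pricing page. SAMPLE_MONTH is constructed traffic.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

DYNAMIC_METHODS = {"PUT", "POST", "PATCH", "DELETE"}
NON_DYNAMIC_METHODS = {"GET", "HEAD", "OPTIONS"}
DYNAMIC_TTL_THRESHOLD = 3600          # GET/HEAD below this TTL count as dynamic
CHARGE_PER_10K_REQUESTS = 0.0075      # placeholder price, not a real AWS rate


@dataclass(frozen=True)
class TrafficClass:
    method: str
    count: int
    ttl_seconds: Optional[int] = None  # None means caching is disabled for that behavior


def is_dynamic(method: str, ttl_seconds: Optional[int]) -> bool:
    """Page rule: write methods are always dynamic; GET/HEAD are dynamic when caching is
    disabled or the TTL is under 3600 s. OPTIONS is never classed as dynamic by the page."""
    method = method.upper()
    if method in DYNAMIC_METHODS:
        return True
    if method in ("GET", "HEAD"):
        return ttl_seconds is None or ttl_seconds < DYNAMIC_TTL_THRESHOLD
    return False


def estimate_charges(traffic: Iterable[TrafficClass], cache_hit_rate: float,
                     cross_region_fraction: float,
                     charge_per_10k: float = CHARGE_PER_10K_REQUESTS) -> Tuple[float, float]:
    """Return (dynamic_charge, cacheable_charge). cross_region_fraction is the share of
    cacheable misses that reach Origin Shield from a regional edge cache in another Region;
    misses arriving from the regional edge cache in Origin Shield's own Region are free."""
    traffic = list(traffic)
    dynamic = sum(t.count for t in traffic if is_dynamic(t.method, t.ttl_seconds))
    cacheable = sum(t.count for t in traffic if not is_dynamic(t.method, t.ttl_seconds)
                    and t.method.upper() in NON_DYNAMIC_METHODS)
    dynamic_charge = dynamic * charge_per_10k / 10_000
    cacheable_charge = (cacheable * (1 - cache_hit_rate) * cross_region_fraction
                        * charge_per_10k / 10_000)
    return dynamic_charge, cacheable_charge


SAMPLE_MONTH = [
    TrafficClass("GET", 1_000_000, ttl_seconds=86_400),  # long-lived video segments
    TrafficClass("OPTIONS", 5_000, ttl_seconds=86_400),  # CORS preflights, cacheable
    TrafficClass("GET", 200_000, ttl_seconds=60),        # short-TTL manifests: dynamic
    TrafficClass("HEAD", 10_000),                        # caching disabled: dynamic
    TrafficClass("POST", 50_000),                        # writes are always dynamic
]


def estimate_sample_month() -> Tuple[float, float]:
    """Constructed scenario: 90% cache hit rate, a quarter of misses cross Regions."""
    return estimate_charges(SAMPLE_MONTH, cache_hit_rate=0.9, cross_region_fraction=0.25)
```

The cross-Region fraction is the input you can only measure, not derive: it depends on where your viewers are relative to the Region you chose for Origin Shield.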
Origin Shield high availability
Origin Shield leverages the CloudFront regional edge caches feature. Each of these edge caches is built in an AWS Region using at least three Availability Zones.
How Origin Shield interacts with other CloudFront features
The following sections explain how Origin Shield interacts with other CloudFront features.
Origin Shield and CloudFront logging
To see when Origin Shield handled a request, you must enable one of the following:
- CloudFront standard logs (access logs). Standard logs are provided free of charge.
- CloudFront real-time logs. You incur additional charges for using real-time logs. See Amazon CloudFront Pricing.
Cache hits from Origin Shield appear as OriginShieldHit in the x-edge-detailed-result-type field in CloudFront logs. Origin Shield leverages Amazon CloudFront’s regional edge caches. If a request is routed from a CloudFront edge location to the regional edge cache that is acting as Origin Shield, it is reported as a Hit in the logs, not as an OriginShieldHit.
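To see how much Origin Shield actually absorbs, count the x-edge-detailed-result-type values in your standard logs. The following is an added example, not AWS code: `SAMPLE_LOG` is constructed, with only a handful of the tab-separated fields a real standard log carries, which is why the parser takes field positions from the `#Fields:` header instead of hard-coding them.

```python
"""Count Origin Shield outcomes in CloudFront standard (access) log lines.

Added example, not AWS code. SAMPLE_LOG is constructed and carries only a few of the
tab-separated fields of a real standard log; the parser reads field order from the
#Fields header so it works unchanged on full logs.
"""
from collections import Counter
from typing import Dict, Iterator

SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: date time x-edge-location cs-method cs-uri-stem "
    "x-edge-result-type x-edge-detailed-result-type",
    "\t".join(["2024-05-01", "12:00:01", "IAD89-C1", "GET", "/live/seg1.ts", "Hit", "Hit"]),
    "\t".join(["2024-05-01", "12:00:02", "FRA56-C2", "GET", "/live/seg2.ts", "Miss", "OriginShieldHit"]),
    "\t".join(["2024-05-01", "12:00:03", "SIN52-C1", "GET", "/live/seg3.ts", "Miss", "Miss"]),
    "\t".join(["2024-05-01", "12:00:04", "LHR62-C3", "GET", "/live/seg2.ts", "Miss", "OriginShieldHit"]),
    "\t".join(["2024-05-01", "12:00:05", "IAD89-C1", "GET", "/live/seg3.ts", "RefreshHit", "RefreshHit"]),
])


def parse_standard_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue  # version line, comments, blank lines
        elif fields:
            yield dict(zip(fields, line.split("\t")))


def origin_shield_summary(text: str) -> dict:
    """Return counts keyed by x-edge-detailed-result-type plus the two numbers that matter
    for Origin Shield: misses that went on to the origin and requests it served itself.
    A hit at the regional edge cache that acts as Origin Shield is logged as a plain 'Hit'
    and cannot be told apart here, exactly as the page describes."""
    counts = Counter(rec["x-edge-detailed-result-type"] for rec in parse_standard_log(text))
    return {
        "by_detailed_result": dict(counts),
        "misses": counts["Miss"],
        "origin_shield_hits": counts["OriginShieldHit"],
    }
```

Trend the `origin_shield_hits` to `misses` ratio over time: a drop with stable traffic is an early signal that origin load is rising again and is worth investigating before the origin itself reports it.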
Origin Shield and origin groups
Origin Shield is compatible with CloudFront origin groups. Because Origin Shield is a property of the origin, requests always travel through Origin Shield for each origin even when the origin is part of an origin group. For a given request, CloudFront routes the request to the primary origin in the origin group through the primary origin’s Origin Shield. If that request fails (according to the origin group failover criteria), CloudFront routes the request to the secondary origin through the secondary origin’s Origin Shield.
Origin Shield and Lambda@Edge
Origin Shield does not impact the functionality of Lambda@Edge functions, but it can affect the AWS Region where those functions run.
When you use Origin Shield with Lambda@Edge, origin-facing triggers (origin request and origin response) run in the AWS Region where Origin Shield is enabled. If the primary Origin Shield location is unavailable and CloudFront routes requests to a secondary Origin Shield location, Lambda@Edge origin-facing triggers will also shift to use the secondary Origin Shield location.
Viewer-facing triggers are not affected.