For static content, a Content Delivery Network (CDN) such as Amazon CloudFront can cache your content on hundreds of POPs (Points of Presence). Content cached in the CDN can be delivered with lower latency from the POP closest to the viewer, without a round trip to the origin server. Some CDNs have their own features that can dramatically improve your cache hit ratio. One of these features is called Origin Shield.
In this blog post, we will look at what Origin Shield is, its use cases, benefits, and how it improves the performance of a CloudFront distribution.
Generally, an Origin Shield is a protective feature that shields your origin server(s) from overload, ensuring high availability and great performance. While there is no single specification for this feature, an Origin Shield is a good way to reduce the load on your origin server and maintain high-performance content delivery.
Origin Shield differs across the CDNs that have this feature. For example, some providers charge for it, like Akamai, Amazon CloudFront, and Cloudflare, while others offer it for free, like StackPath and CDN 77.
CloudFront Origin Shield is an additional layer in the CloudFront CDN caching infrastructure that helps to minimize your origin's load, improve its availability, and reduce its operating costs. If your origin is located outside of AWS, performance can also be improved, because Origin Shield carries origin traffic over AWS's global private backbone network.
You can use Origin Shield with origins that are in an AWS Region, and with origins that are not in AWS.
Once enabled, CloudFront will route all origin fetches through Origin Shield, and only make a request to your origin if the content is not already stored in Origin Shield's cache.

CloudFront already provides Regional Edge Caches at no additional cost to reduce the operational burden on your origins.
With Origin Shield, you can further minimize your origin’s load by enabling it in your CloudFront Origin Settings with just two clicks.

The main reason to use Origin Shield is tied to the normal request flow of CloudFront.
When using CloudFront, user requests are routed first to a nearby CloudFront edge location (PoP); if the object isn't cached in that location, the request is sent on to a regional edge cache.
When your users are in different geographical regions, requests can be routed through different regional edge caches, each of which can send a request to your origin for the same content. That's where Origin Shield steps in: it answers those requests instead of your origin.
CloudFront Origin Shield can be beneficial for many use cases, including the following:
Origin Shield may not be a good fit in some cases, such as dynamic content that has to be proxied to the origin, content with low cacheability, or content that is infrequently requested.
Origin Shield can help improve the cache hit rate of your CloudFront distribution by providing an additional layer of caching in front of the origin. When you use Origin Shield, all requests from all CloudFront edge locations to your origin go through Origin Shield, increasing the chance of a cache hit.
Origin Shield can further reduce the number of concurrent requests sent to your origin for the same object. Requests for content that is not in Origin Shield's cache are merged with other in-flight requests for the same object, so only one request is sent to your origin.
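To make the two effects above concrete (fewer regional caches reaching the origin, and concurrent misses collapsing into one fetch), here is a small simulation of the tiers described in this post. It is an added example, not code from StormIT or AWS: the regional cache names, object paths and request timeline are constructed, and it models the flow rather than measuring real CloudFront behaviour.

```python
"""Simulate CloudFront's caching tiers with and without Origin Shield.

Added example, not code from StormIT or AWS. It models the flow the post
describes (viewer -> edge location -> regional edge cache -> Origin Shield
-> origin) and the request collapsing that Origin Shield performs. The
regional cache names, object paths and request timeline are constructed
sample data; nothing here measures real CloudFront behaviour.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# One "tick" is a set of viewer requests that reach the regional edge caches
# at the same moment (after missing their edge location). Each entry is
# (regional edge cache, object path).
Tick = List[Tuple[str, str]]


def replay(ticks: List[Tick], use_origin_shield: bool) -> int:
    """Return the number of requests that reach the origin for this timeline."""
    regional: Dict[str, set] = defaultdict(set)  # regional cache -> cached paths
    shield: set = set()                          # Origin Shield cache
    origin_requests = 0
    for tick in ticks:
        # Misses in this tick, grouped by object path. A regional cache that
        # misses stores the object, so a second request in the same tick
        # (or any later tick) is a hit at that cache.
        misses: Dict[str, int] = defaultdict(int)
        for region, path in tick:
            if path in regional[region]:
                continue
            regional[region].add(path)
            misses[path] += 1
        for path, count in misses.items():
            if use_origin_shield:
                # All regional caches fetch through the single Origin Shield
                # cache, so concurrent misses for one object collapse into at
                # most one origin fetch, and later misses are shield hits.
                if path not in shield:
                    shield.add(path)
                    origin_requests += 1
            else:
                # Without Origin Shield every regional cache miss is its own
                # origin fetch, even when several happen at the same time.
                origin_requests += count
    return origin_requests


# Constructed timeline: three regional caches, two static objects.
SAMPLE_TICKS: List[Tick] = [
    [("us-east-1", "/img/logo.png"), ("eu-west-1", "/img/logo.png"),
     ("ap-southeast-1", "/img/logo.png")],
    [("us-east-1", "/img/logo.png"), ("eu-west-1", "/css/site.css"),
     ("ap-southeast-1", "/css/site.css")],
    [("us-east-1", "/css/site.css")],
]


def compare(ticks: List[Tick]) -> Dict[str, int]:
    """Summarise origin load for the same timeline with and without Origin Shield."""
    return {
        "viewer_requests": sum(len(t) for t in ticks),
        "origin_requests_without_shield": replay(ticks, use_origin_shield=False),
        "origin_requests_with_shield": replay(ticks, use_origin_shield=True),
    }


if __name__ == "__main__":
    for name, value in compare(SAMPLE_TICKS).items():
        print(f"{name}: {value}")
```

For the constructed timeline, seven viewer requests produce six origin fetches without Origin Shield (three of them for the same logo at the same moment) and only two with it: one per object, regardless of how many regional caches ask for it. Replace the timeline with one derived from your own access logs to estimate the reduction for your traffic.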
When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
Amazon CloudFront offers Origin Shield in AWS Regions where CloudFront has a regional edge cache.

When you enable Origin Shield, you choose the AWS Region for Origin Shield. You should choose the AWS Region that has the lowest latency/distance to your origin server.

Visit the CloudFront Console and follow the official AWS guide to enable CloudFront Origin Shield on an existing or new distribution.
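If you manage distributions from scripts rather than the console, the two steps above (pick the lowest-latency Region, then enable Origin Shield on the origin) can be applied to the DistributionConfig document that `aws cloudfront get-distribution-config` returns and `aws cloudfront update-distribution` accepts. The following is an added example, not StormIT's or AWS's code: the sample config, origin domains, distribution ID placeholder and latency figures are constructed, and the candidate Region list is an assumed, incomplete subset of the Regions in which Origin Shield is offered.

```python
"""Choose an Origin Shield Region and enable it on a CloudFront distribution config.

Added example, not code from StormIT or AWS. It edits the DistributionConfig
document returned by `aws cloudfront get-distribution-config`; the result is
sent back with `aws cloudfront update-distribution`, passing the ETag from the
get call as --if-match. The sample config, origin domains and latency
measurements are constructed; the candidate Regions are an assumed, incomplete
subset of those in which Origin Shield is offered.
"""
import copy
import json
from typing import Dict


def pick_origin_shield_region(latency_ms: Dict[str, float]) -> str:
    """Pick the candidate Region with the lowest measured latency to the origin."""
    if not latency_ms:
        raise ValueError("no latency measurements supplied")
    return min(latency_ms, key=latency_ms.__getitem__)


def enable_origin_shield(config: dict, origin_id: str, region: str) -> dict:
    """Return a copy of the DistributionConfig with Origin Shield enabled on one origin.

    Only the named origin is changed; other origins (for example one serving
    dynamic API responses, where Origin Shield adds little) are left untouched.
    """
    updated = copy.deepcopy(config)
    for origin in updated["Origins"]["Items"]:
        if origin["Id"] == origin_id:
            origin["OriginShield"] = {"Enabled": True, "OriginShieldRegion": region}
            return updated
    raise KeyError(f"origin {origin_id!r} not found in distribution config")


# Constructed DistributionConfig fragment (only the fields this example touches).
SAMPLE_CONFIG = {
    "CallerReference": "example-caller-reference",
    "Origins": {
        "Quantity": 2,
        "Items": [
            {"Id": "static-origin",
             "DomainName": "static.example.com",
             "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                    "OriginProtocolPolicy": "https-only"}},
            {"Id": "api-origin",
             "DomainName": "api.example.com",
             "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                    "OriginProtocolPolicy": "https-only"}},
        ],
    },
}

# Constructed round-trip times from candidate Origin Shield Regions to the origin.
SAMPLE_LATENCY_MS = {"us-east-1": 95.0, "eu-west-1": 18.0, "eu-central-1": 9.5}


if __name__ == "__main__":
    region = pick_origin_shield_region(SAMPLE_LATENCY_MS)
    new_config = enable_origin_shield(SAMPLE_CONFIG, "static-origin", region)
    # Write new_config to config.json, then apply it with (placeholders):
    #   aws cloudfront update-distribution --id <DIST_ID> --if-match <ETAG> \
    #       --distribution-config file://config.json
    print(json.dumps(new_config["Origins"]["Items"][0]["OriginShield"], indent=2))
```

The function returns a modified copy so the original document can still be diffed against the new one before the update call; the ETag check in `update-distribution` rejects the update if someone changed the distribution in between.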
CloudFront Origin Shield pricing can be a little confusing. You are charged based on the type and number of HTTP requests and on the AWS Region, and there is no Free Tier available at the moment.
For non-cacheable (dynamic) requests, which cannot be cached and are proxied to the origin using the HTTP methods PUT, POST, PATCH, and DELETE, use the following formula:

For cacheable requests (HTTP methods GET, HEAD, and OPTIONS), Origin Shield is charged as a request fee for each request that comes from another regional cache to your Origin Shield Region.
You can use the following formula:


If you need more information, visit our blog post about CloudFront pricing.
Adam Novotny is an AWS Solutions Architect at Stormit with 5+ years of experience designing and optimizing AWS cloud architectures.
He supports customers across the full cloud lifecycle — from pre-sales consulting and solution design to AWS funding programs such as AWS Activate, Proof of Concept (PoC), and the Migration Acceleration Program (MAP).
Adam holds the AWS Certified Solutions Architect – Professional and AWS Certified CloudOps Engineer – Associate certifications.