Origin Shield: How does it Help to Protect Your Origin?

For static content, a Content Delivery Network (CDN) such as Amazon CloudFront can cache your content at hundreds of points of presence (PoPs). Content cached in the CDN can be delivered with lower latency from the PoP closest to viewers, without any communication with the origin server. Some CDNs have their own features that can dramatically improve your cache hit ratios. One of these features is called Origin Shield.

In this blog post, we will look at what Origin Shield is, its use cases, benefits, and how it improves the performance of a CloudFront distribution.

What is an Origin Shield?

Generally, an Origin Shield is a protective feature that shields your origin server(s) from overload, ensuring high availability and great performance. While there is no single specification for this feature, an Origin Shield is a good way to reduce the load on your origin server and maintain high-performance content delivery.

Origin Shield differs across the CDNs that have this feature. For example, some providers charge for it, like Akamai, Amazon CloudFront, and Cloudflare, while others offer it for free, like StackPath and CDN77.

Amazon CloudFront Origin Shield

CloudFront Origin Shield is an additional layer in the CloudFront CDN caching infrastructure that helps to minimize your origin’s load, improve its availability, and reduce its operating costs. If your origin is located outside of AWS, Origin Shield can also improve performance, because traffic to it travels over AWS's global private backbone network.

You can use Origin Shield with origins that are in an AWS Region, and with origins that are not in AWS.

Once enabled, CloudFront will route all origin fetches through Origin Shield, and only make a request to your origin if the content is not already stored in Origin Shield's cache.

CloudFront already provides Regional Edge Caches at no additional cost to reduce the operational burden on your origins.

With Origin Shield, you can further minimize your origin’s load by enabling it in your CloudFront Origin Settings with just two clicks.

Why use the CloudFront Origin Shield?

The main reason to use Origin Shield follows from how CloudFront normally behaves.

When using CloudFront, your user requests are routed first to a nearby CloudFront edge location (PoP), and if the object isn’t cached in that location, the request is sent on to a regional edge cache.

When your users are in different geographical regions, requests can be routed through different regional edge caches, each of which can send a request to your origin for the same content. That’s where Origin Shield helps: it sits between the regional edge caches and your origin, so they fetch from Origin Shield rather than each going to your origin.

Use cases for CloudFront Origin Shield

CloudFront Origin Shield can be beneficial for many use cases, including the following:

  • Viewers that are spread across different geographical regions.
  • Origins that provide live streaming.
  • On-premises origin servers with bandwidth or capacity constraints.
  • IT infrastructures that use multiple content delivery networks (CDNs).

Origin Shield may not be a good fit in some cases, such as dynamic content that has to be proxied to the origin, content with low cacheability, or content that is infrequently requested.

CloudFront Origin Shield benefits

Get a better cache hit ratio for your distribution

Origin Shield can help improve the cache hit rate of your CloudFront distribution by providing an additional layer of caching in front of the origin. When you use Origin Shield, all requests from all CloudFront edge locations to your origin go through Origin Shield, increasing the chance of a cache hit.

Reduce origin load

Origin Shield can further reduce the number of concurrent requests sent to your origin for the same object. Requests for content that are not in Origin Shield's cache are merged with other requests for the same object/file, so only one request is sent to your origin.
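The effect described above (each regional edge cache fetching the same object separately, versus Origin Shield merging those requests) can be reproduced with a small model. This is an added example, not CloudFront's implementation or code from the original article; the class names, the object path and the absence of TTLs or eviction are assumptions made for illustration.

```python
import threading
import time
from concurrent.futures import Future, ThreadPoolExecutor

class Origin:
    """Origin server that counts every fetch reaching it."""
    def __init__(self):
        self.fetches = 0
        self._lock = threading.Lock()

    def get(self, key):
        with self._lock:
            self.fetches += 1
        time.sleep(0.02)  # slow response, so concurrent requests overlap
        return f"body:{key}"

class CoalescingCache:
    """Cache tier that merges concurrent misses for one key into one upstream fetch."""
    def __init__(self, upstream):
        self.upstream = upstream
        self._lock = threading.Lock()
        self._entries = {}  # key -> Future, either in flight or completed

    def get(self, key):
        with self._lock:
            fut = self._entries.get(key)
            leader = fut is None
            if leader:
                fut = self._entries[key] = Future()
        if leader:  # only the first requester goes upstream
            try:
                fut.set_result(self.upstream.get(key))
            except Exception as exc:
                with self._lock:
                    self._entries.pop(key, None)  # never cache a failed fetch
                fut.set_exception(exc)
        return fut.result()  # followers block here until the leader finishes

def origin_fetches(regions, viewers_per_region, use_shield):
    """Fetches that reach the origin when every viewer requests the same object."""
    origin = Origin()
    upstream = CoalescingCache(origin) if use_shield else origin
    regional_caches = [CoalescingCache(upstream) for _ in range(regions)]
    with ThreadPoolExecutor(max_workers=regions * viewers_per_region) as pool:
        jobs = [pool.submit(rc.get, "/live/segment-001.ts")  # hypothetical path
                for rc in regional_caches for _ in range(viewers_per_region)]
        for job in jobs:
            job.result()
    return origin.fetches
```

With four regional caches and five viewers each, `origin_fetches(4, 5, False)` reaches the origin four times (once per regional cache), while `origin_fetches(4, 5, True)` reaches it once.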

Get better network performance and latency

When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.

  • For AWS origins (ELBs, S3 buckets, EC2 instances, etc.), CloudFront network traffic remains on the AWS backbone network to your AWS origin.
  • For origins outside of AWS, CloudFront network traffic remains on the CloudFront network to Origin Shield, which has a low latency connection to your origin.

Enabling CloudFront Origin Shield

Choosing the AWS Region for Origin Shield

Amazon CloudFront offers Origin Shield in AWS Regions where CloudFront has a regional edge cache.

When you enable Origin Shield, you choose the AWS Region for Origin Shield. You should choose the AWS Region that has the lowest latency/distance to your origin server.

CloudFront Origin Shield set up

Visit the CloudFront console and use the official AWS guide to enable CloudFront Origin Shield on your current or new distribution.
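Once the setting is enabled, it is worth checking that every origin actually has it and that the chosen Region is the intended one. The check below is an added example, not part of the original article: it reads the `OriginShield` block (`Enabled`, `OriginShieldRegion`) that the CloudFront API carries on each origin of a distribution config, and the sample config, origin IDs, domain names and expected-Region map are constructed for illustration.

```python
# Constructed sample in the shape of a CloudFront DistributionConfig
# (only the fields this check reads; IDs and domains are made up).
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 3, "Items": [
        {"Id": "s3-assets", "DomainName": "assets.example.com",
         "OriginShield": {"Enabled": True, "OriginShieldRegion": "eu-central-1"}},
        {"Id": "onprem-live", "DomainName": "live.example.com",
         "OriginShield": {"Enabled": False}},
        {"Id": "alb-api", "DomainName": "api.example.com",
         "OriginShield": {"Enabled": True, "OriginShieldRegion": "us-east-1"}},
    ]}
}

# Operator-supplied assumption: the Region with the lowest latency to each origin.
EXPECTED_REGION = {
    "s3-assets": "eu-central-1",
    "onprem-live": "eu-west-2",
    "alb-api": "eu-west-1",
}

def audit_origin_shield(distribution_config, expected_region_by_origin):
    """Return (origin_id, finding) pairs for origins whose Origin Shield is
    disabled, or enabled in a Region other than the expected one."""
    findings = []
    for origin in distribution_config.get("Origins", {}).get("Items", []):
        origin_id = origin["Id"]
        shield = origin.get("OriginShield") or {}  # block may be absent entirely
        if not shield.get("Enabled", False):
            findings.append((origin_id, "origin-shield-disabled"))
            continue
        region = shield.get("OriginShieldRegion")
        expected = expected_region_by_origin.get(origin_id)
        if expected and region != expected:
            findings.append((origin_id, f"region-mismatch:{region}!={expected}"))
    return findings
```

Calling `audit_origin_shield(SAMPLE_CONFIG, EXPECTED_REGION)` flags `onprem-live` as disabled and `alb-api` as shielded in a Region other than the expected one.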

StormIT offers custom CloudFront pay-as-you-go pricing. You pay only for what you use. There is no minimum fee and you can start as low as 1TB/month.

CloudFront Origin Shield pricing

CloudFront Origin Shield pricing can be a little bit confusing, but you are charged based on the type and number of HTTP requests and on the AWS Region. There is no Free Tier available at the moment.

For non-cacheable (dynamic) requests, which cannot be cached, are proxied to the origin, and use the HTTP methods PUT, POST, PATCH, and DELETE, use the following formula:

37_origin-shield-6.png

And for cacheable requests (HTTP methods GET, HEAD, and OPTIONS), Origin Shield is charged as a request fee for each request that comes from another regional cache to your Origin Shield region.

You can use the following formula:

37_origin-shield-7.png

Origin Shield HTTP Request Pricing (per 10,000)

37_origin-shield-3.png

If you need more information, visit our blog post about CloudFront pricing.
