We close Chapter 28 with a very powerful idea: executing logic very close to users, at the «edge» of the network. Until now, our Lambdas (Chapter 14) ran in a specific region. But what if you could run code in the hundreds of locations that CloudFront (subchapter 16.2) has distributed around the world, right next to each user? That’s what Lambda@Edge and CloudFront Functions allow: bringing compute to the edge (the edge of the network) to respond faster and personalize content.
Recap: CloudFront and the «edge»
Remember from subchapter 16.2 that CloudFront is AWS’s CDN: it has locations distributed all over the world (points of presence or «edge locations») that serve content to users from the point closest to them, reducing latency. That set of locations close to users is what we call the edge (the edge of the network).
User in Tokyo → CloudFront location in Tokyo (nearby) → fast response User in Madrid → CloudFront location in Madrid (nearby) → fast response
The idea of this subchapter: run code in those edge locations, not just serve files. That way, the logic runs next to the user, not in a distant region.
The problem: sometimes the region is far away
If all your logic runs in a region (for example, in Europe), a user in Japan has to “go back and forth” to Europe for every operation, which adds latency (delay). For certain simple tasks that could be solved near the user, that trip is a waste. It would be better to run that small logic in the edge location closest to the user.
What it means to run logic at the edge
Running logic at the edge means running code in the locations close to users (CloudFront’s), instead of in a central region. This is useful for tasks that are best solved right when a request arrives at or leaves the edge, without traveling to the region:
- Personalize responses according to the user (their country, language, device).
- Redirect requests according to certain rules.
- Check things (basic authentication, headers) before proceeding.
- Modify the request or response on the fly.
Analogy: running logic at the edge is like having a receptionist at the door of every branch of a bank, instead of having to call headquarters for everything. If you come in and just need to be directed to a window or given a brochure in your language, the local receptionist solves it instantly, without calling headquarters (which is far away). Only complex transactions go to headquarters. Bringing simple tasks “to the door” makes everything faster.
The two AWS options: Lambda@Edge and CloudFront Functions
AWS offers two ways to run code at the edge, one more powerful and one lighter:
CloudFront Functions (lightweight and ultra-fast)
CloudFront Functions are very lightweight and extremely fast functions, designed for simple tasks that run on every request with minimal latency. They are ideal for simple, high-volume manipulations:
CloudFront Functions:
✓ ultra-fast and very low cost
✓ for SIMPLE tasks: rewriting a URL, adding/checking
headers, simple redirects
- limited capabilities (on purpose, to be extremely fast)Lambda@Edge (more powerful)
Lambda@Edge are Lambdas (Chapter 14) that run at the edge, more powerful than CloudFront Functions: they allow more complex logic (longer execution time, access to more resources, etc.), at the cost of a bit more latency and cost.
Lambda@Edge: ✓ more powerful: complex logic, more capabilities ✓ for tasks that need more than a simple manipulation - somewhat more latency and cost than CloudFront Functions
How to choose
| CloudFront Functions | Lambda@Edge | |
|---|---|---|
| Power | Lightweight, simple tasks | More powerful, complex logic |
| Speed | Ultra-fast | Fast (a bit more than Functions) |
| Ideal for | Rewriting URLs, headers, redirects | Complex personalization, authentication, elaborate logic |
💡 Practical rule: for simple and high-volume tasks (manipulating headers or URLs), use CloudFront Functions (faster and cheaper). For more complex logic, use Lambda@Edge. Choose the lightest tool that solves your need.
Why it matters: global speed and personalization
The advantage of running logic at the edge is twofold:
- Lower latency: the logic runs close to the user, so it responds faster (without the trip to the region).
- Global personalization: you can adapt content to each user (language, country, device) at the point closest to them, giving a fast, tailored experience worldwide.
This fits with the performance efficiency pillar of the Well-Architected Framework (subchapter 27.1): using the right location so the system performs as well as possible for each user.
Real-world example: a global website wants each user to see content in their language and be redirected to their country’s version as quickly as possible. They use a CloudFront Function that, on each request, looks at the user’s country (from a header that CloudFront adds) and rewrites the URL to serve the correct version, all in the nearest edge location, in milliseconds. For another, more complex task—checking an authentication token and personalizing the response according to the user’s profile—they use Lambda@Edge, which has the necessary power. The result: users all over the world get personalized and fast content, because the logic runs next to them, not on the other side of the planet.
What you should remember
- CloudFront (subch. 16.2) has locations all over the world (the edge) close to users. You can run code in them, not just serve files.
- Running logic at the edge means running code close to the user (not in a distant region), ideal for personalizing responses, redirecting, checking, or modifying requests on the fly. Like a receptionist at the door of every branch instead of always calling headquarters.
- AWS offers two options: CloudFront Functions (very lightweight and ultra-fast, for simple tasks like rewriting URLs or headers) and Lambda@Edge (more powerful, for complex logic).
- 💡 Use the lightest that solves your need: CloudFront Functions for simple and high-volume; Lambda@Edge for complex.
- Provides lower latency (logic close to the user) and global personalization, in line with the performance efficiency pillar of the Well-Architected Framework.
You’ve completed Chapter 28 and mastered serverless architectures at scale: event-driven, the Saga pattern, Step Functions, and edge computing! In Chapter 29 we’ll move on to another major domain: data platforms on AWS (data lakes, streaming, and large-scale analytics).
Cloud, AWS & Terraform — From Zero to Expert
Chapter 1 · What is cloud computing
- 1.1 The traditional client-server model
- 1.2 Problems the cloud came to solve
- 1.3 On-premise vs cloud vs hybrid
- 1.4 The three service models: IaaS, PaaS, SaaS
- 1.5 The five pillars of cloud (according to NIST)
- 1.6 Real advantages: elasticity, pay-as-you-go, global availability
Chapter 2 · The cloud market and major providers
- 2.1 AWS, Azure and GCP: differences and market share
- 2.2 Why learn AWS first
- 2.3 Concepts that are universal among providers
Chapter 3 · Regions, availability zones and edge
- 3.1 What is an AWS region and how to choose it
- 3.2 Availability Zones: high availability by design
- 3.3 Edge locations and CloudFront
- 3.4 Latency, resilience and data sovereignty
Chapter 4 · Compute: EC2
- 4.1 Instances: types, families and when to choose each
- 4.2 AMIs, key pairs and Security Groups
- 4.3 Instance lifecycle
- 4.4 Elastic IPs and Placement Groups
- 4.5 Savings Plans vs Reserved vs On-Demand vs Spot
Chapter 5 · Storage: S3
- 5.1 Buckets, objects and keys
- 5.2 Storage classes (Standard, IA, Glacier…)
- 5.3 Versioning and object lifecycle
- 5.4 Bucket policies and ACLs
- 5.5 Static website hosting
Chapter 6 · Networking: VPC
- 6.1 What is a VPC and why you need it
- 6.2 Public and private subnets
- 6.3 Internet Gateway and NAT Gateway
- 6.4 Route Tables and Network ACLs
- 6.5 VPC Peering and endpoints
Chapter 7 · Identity and access: IAM
- 7.1 Users, groups, roles and policies
- 7.2 The principle of least privilege
- 7.3 Identity-based vs resource-based policies
- 7.4 MFA and temporary credentials (STS)
- 7.5 IAM security best practices
Chapter 8 · Managed databases
- 8.1 RDS: engines, Multi-AZ and read replicas
- 8.2 Aurora and its advantages over vanilla RDS
- 8.3 DynamoDB: key-value / document model
- 8.4 ElastiCache for in-memory cache
- 8.5 When to use each type of database
Chapter 9 · Why Infrastructure as Code
- 9.1 Problems with manual provisioning
- 9.2 Declarative vs imperative IaC
- 9.3 Terraform vs CloudFormation vs Pulumi vs CDK
- 9.4 The plan → apply → destroy cycle
Chapter 10 · HCL: the Terraform language
- 10.1 Resource, variable, output, locals blocks
- 10.2 Data types: string, number, bool, list, map, object
- 10.3 Expressions, references and built-in functions
- 10.4 Conditionals and loops (count, for_each, for)
Chapter 11 · Providers and state
- 11.1 How the AWS provider works
- 11.2 The terraform.tfstate file and its importance
- 11.3 Local state vs remote state (S3 + DynamoDB)
- 11.4 Essential commands: init, plan, apply, destroy, fmt, validate
Chapter 12 · Your first real infrastructure in Terraform
- 12.1 Create a VPC with subnets from scratch
- 12.2 Launch a public EC2 instance
- 12.3 Associate a Security Group and an Elastic IP
- 12.4 Outputs and references between resources
- 12.5 Team workflow: PR review of plans
Chapter 13 · Load balancing and auto scaling
- 13.1 Application Load Balancer vs Network Load Balancer
- 13.2 Target Groups, listeners and rules
- 13.3 Auto Scaling Groups: policies and metrics
- 13.4 Warm pools and lifecycle hooks
Chapter 14 · Serverless with Lambda
- 14.1 The Lambda execution model
- 14.2 Triggers: API Gateway, S3, DynamoDB Streams, SQS
- 14.3 Dependency management and layers
- 14.4 Cold starts and strategies to reduce them
- 14.5 Limits and anti-patterns
Chapter 15 · Messaging and events
- 15.1 SQS: standard vs FIFO queues, DLQ
- 15.2 SNS: topics, subscriptions, fan-out
- 15.3 EventBridge: event buses and rules
- 15.4 Patterns: pub/sub, decoupling, saga
Chapter 16 · Content delivery and DNS
- 16.1 Route 53: record types and routing policies
- 16.2 CloudFront: distributions, caches and origins
- 16.3 ACM: free SSL/TLS certificates
- 16.4 WAF integrated with CloudFront
Chapter 17 · Containers on AWS
- 17.1 Docker: quick review of key concepts
- 17.2 ECR: private image registry
- 17.3 ECS: task definitions, services, Fargate vs EC2
- 17.4 EKS: when Kubernetes and when not
Chapter 18 · Modules: reuse and composition
- 18.1 Anatomy of a Terraform module
- 18.2 Input variables, outputs and dependencies
- 18.3 Local modules vs Terraform Registry modules
- 18.4 Module versioning with Git tags
- 18.5 Design of generic vs domain-specific modules
Chapter 19 · Workspaces and environment management
- 19.1 Terraform workspaces: use cases and limitations
- 19.2 Directory strategy per environment (dev/stg/prod)
- 19.3 Terragrunt: DRY for environment configurations
- 19.4 Environment variables and .tfvars files
Chapter 20 · Remote backends and locking
- 20.1 Configure S3 + DynamoDB as backend
- 20.2 State locking: avoiding team corruption
- 20.3 State migration between backends
- 20.4 terraform import: bring existing resources into state
Chapter 21 · Infrastructure testing
- 21.1 Terraform validate and fmt in CI
- 21.2 Checkov and tfsec: static security analysis
- 21.3 Terratest: integration tests in Go
- 21.4 Contract testing between modules
Chapter 22 · Terraform in CI/CD
- 22.1 Basic pipeline: lint → plan → apply in GitHub Actions
- 22.2 Atlantis: GitOps for Terraform
- 22.3 Terraform Cloud / HCP Terraform
- 22.4 Drift detection and automatic reconciliation
Chapter 23 · Defense in depth
- 23.1 AWS Organizations and Service Control Policies
- 23.2 AWS Config: continuous compliance
- 23.3 GuardDuty: threat detection
- 23.4 Security Hub: centralized view
- 23.5 KMS: key management and rotation
- 23.6 Secrets Manager vs Parameter Store
Chapter 24 · Observability: logs, metrics and traces
- 24.1 CloudWatch Logs, metrics and alarms
- 24.2 CloudWatch Dashboards and Contributor Insights
- 24.3 X-Ray: distributed tracing
- 24.4 OpenTelemetry on AWS
- 24.5 Managed Grafana and Managed Prometheus
Chapter 25 · Cost optimization
- 25.1 AWS Cost Explorer and budgets with alerts
- 25.2 Trusted Advisor and Compute Optimizer
- 25.3 Rightsizing: how to detect overprovisioning
- 25.4 Savings Plans vs Reserved Instances: strategic decision
- 25.5 FinOps: culture and processes to control spending
Chapter 26 · High availability and disaster recovery
- 26.1 RTO and RPO: defining objectives
- 26.2 Strategies: backup/restore, pilot light, warm standby, multi-site
- 26.3 Route 53 health checks and automatic failover
- 26.4 AWS Backup: centralized backup policy
Chapter 27 · AWS Well-Architected Framework
- 27.1 The six pillars: operational excellence, security, reliability, performance efficiency, cost optimization, sustainability
- 27.2 Well-Architected Tool: formal reviews
- 27.3 How to apply the framework in design decisions
Chapter 28 · Serverless architectures at scale
- 28.1 Event-driven architecture with Lambda + EventBridge
- 28.2 Saga pattern for distributed transactions
- 28.3 Step Functions: orchestration of complex workflows
- 28.4 Lambda@Edge and CloudFront Functions
Chapter 29 · Data platforms on AWS
- 29.1 Data Lake with S3, Glue and Athena
- 29.2 Kinesis Data Streams and Firehose for streaming
- 29.3 Redshift: data warehousing at scale
- 29.4 Lake Formation: data governance
Chapter 30 · Multi-account and landing zones
- 30.1 Why separate workloads into different accounts
- 30.2 AWS Control Tower and Account Factory
- 30.3 Centralized log and security management
- 30.4 Terraform at multi-account scale with shared modules
Chapter 31 · Platform Engineering and Internal Developer Platform
- 31.1 Golden paths and abstractions over Terraform
- 31.2 AWS Service Catalog
- 31.3 Backstage as a developer portal
- 31.4 Terraform modules as internal product
Chapter 32 · Relevant AWS certifications
- 32.1 Cloud Practitioner: is it worth it?
- 32.2 Solutions Architect Associate → Professional
- 32.3 DevOps Engineer Professional
- 32.4 Specialty: Security, Database, Networking
- 32.5 HashiCorp Terraform Associate
Chapter 33 · Projects to consolidate what you've learned
- 33.1 Project 1: serverless blog (S3 + CloudFront + Lambda + DynamoDB)
- 33.2 Project 2: REST API with ECS Fargate + RDS + ALB
- 33.3 Project 3: data platform with Glue + Athena + Redshift
- 33.4 Project 4: multi-account landing zone with Terraform and Control Tower