Amazon’s CloudFront is one of the most widely used Content Delivery Networks (CDNs) on the internet. A huge portion of the public-facing web relies on CDNs to move content closer to users, reduce latency, and absorb traffic spikes that would otherwise overwhelm origin servers. And Amazon CloudFront is now free.
But modern CDNs do far more than cache static assets.
Today, CloudFront (like Cloudflare) commonly sits in front of entire applications as a reverse proxy, TLS terminator, and security boundary. With integrations for AWS WAF, bot detection, and rate limiting rules, a CDN forms a core part of application architecture.
I cannot emphasize this enough.
CDNs Are Not Just About Caching Anymore
Historically, CDNs solve one problem: caching static files close to users.
That is still true, but it is only part of the story now.
A modern CDN provides:
- Reverse proxy in front of your origin
- TLS termination with managed certificates
- DDoS absorption and traffic shaping
- Web Application Firewall (WAF) rules
- Bot detection and mitigation
- Rate limiting and IP reputation filtering
In practice, this means to no longer expose your origin server directly to the internet. The CDN becomes the entry point.
But what about Cloudflare free tier?
Cloudflare has long offered an attractive free CDN tier but with a catch.
If you want Cloudflare CDN for free, you must migrate your DNS to Cloudflare nameservers and hand over authoritative DNS control. If you prefer another means (Route53, BIND, PowerDNS, etc.), Cloudflare pushes you into a paid business plan.
For many engineers running AWS-centric infrastructure, that is a dealbreaker. With cost removed from the equation, CloudFront becomes an obvious default for any APIs, microservices, UIs; there is almost no downside to placing anything on the web behind it. Even if you disable caching entirely.
If you are wondering, Okay Alex, what are you actually putting behind CloudFront?
Yesterday, because Amazon CloudFront is now free, I placed a Grafana instance behind CloudFront. Grafana is powerful but it is also a sensitive attack surface that has login entrypoints.
CloudFront is configured to serve Grafana static content from /public/.
By putting Grafana behind CloudFront, I am able to hide the origin server’s public IP and confidently view my dashboards on-the-go without needing port 3000 blocked. All without modifying Grafana itself (although server-level security such as brute-force mitigation remains a must-have).
If you are running any web service and you are not using CloudFront, it is worth reevaluating that decision.
