
Recipe: CloudFront distribution design

A production-grade CloudFront distribution that fronts the Meridian update CDN with origin shielding, signed URLs, and cache behaviors tuned for auto-update payloads.

Architecture overview

Viewer requests hit CloudFront edge POPs. Cache misses are forwarded to a regional origin shield (us-east-1) which fans out to the S3 origin. Signed URLs prevent hotlinking; the loader embeds a short-lived key-pair token.

Cache behaviors

  • /payloads/*: TTL 300s, compress, signed-URL required.
  • /manifests/*: TTL 60s, no-cache on error, signed-URL required.
  • /static/*: TTL 86400s, public, immutable.

Signed URL policy

Use a canned policy with a 15-minute window. The loader fetches a fresh signed URL from the Meridian API on each update check. The API returns a CloudFront-signed URL using the trusted signer key-pair stored in Vercel environment secrets.
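The canned-policy signing described above, as an added example that is not Meridian's own code: it signs only the two signed-URL behaviors with the 15-minute window, and includes a local verifier that mirrors the edge-side check for use in tests. The function names, the updates.example.com host and the key-pair ID in the usage note are constructed placeholders; the private key is passed in by the caller, which would read it from the environment secret.

```javascript
// Added example (not Meridian's code): canned-policy signing and verification.
const crypto = require('node:crypto');

const WINDOW_SECONDS = 15 * 60;                        // the 15-minute window above
const SIGNED_PREFIXES = ['/payloads/', '/manifests/']; // behaviors requiring signed URLs

// CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'.
const cfEncode = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/=/g, '_').replace(/\//g, '~');
const cfDecode = (s) =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '=').replace(/~/g, '/'), 'base64');

// CloudFront rebuilds the canned policy from the URL and Expires, so the
// signed string must have exactly this form, with no whitespace.
const cannedPolicy = (resource, expires) =>
  `{"Statement":[{"Resource":"${resource}","Condition":{"DateLessThan":{"AWS:EpochTime":${expires}}}}]}`;

function signUrl(rawUrl, keyPairId, privateKeyPem, now = Math.floor(Date.now() / 1000)) {
  const url = new URL(rawUrl);                         // normalizes ../ segments
  if (url.protocol !== 'https:') throw new Error('only https URLs are signed');
  if (url.search || url.hash) throw new Error('query string or fragment not expected');
  if (!SIGNED_PREFIXES.some((p) => url.pathname.startsWith(p))) {
    throw new Error(`path ${url.pathname} is not a signed-URL behavior`);
  }
  const expires = now + WINDOW_SECONDS;
  const sig = crypto.createSign('RSA-SHA1')            // algorithm CloudFront signed URLs use
    .update(cannedPolicy(url.href, expires)).sign(privateKeyPem);
  return `${url.href}?Expires=${expires}&Signature=${cfEncode(sig)}&Key-Pair-Id=${keyPairId}`;
}

// Mirrors the edge-side check: rebuild the policy, verify it, then check expiry.
function verifySignedUrl(signedUrl, publicKeyPem, now = Math.floor(Date.now() / 1000)) {
  const url = new URL(signedUrl);
  const expires = Number(url.searchParams.get('Expires'));
  const sig = cfDecode(url.searchParams.get('Signature') || '');
  const resource = url.origin + url.pathname;          // URL without the signing parameters
  const ok = crypto.createVerify('RSA-SHA1')
    .update(cannedPolicy(resource, expires)).verify(publicKeyPem, sig);
  return ok && now < expires;
}
```

Calling `signUrl('https://updates.example.com/payloads/app-1.2.3.bin', 'KEXAMPLEKEYID', privateKeyPem)` returns a URL that stops verifying 900 seconds later, and any change to the path or to Expires invalidates the signature.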

Origin shield & failover

Enable origin shield in us-east-1 to collapse requests during rollout spikes. Configure a secondary S3 bucket in eu-west-1 as an origin group with failover criteria (HTTP 5xx after 2 retries). CloudFront will automatically route to the secondary origin if the primary is unhealthy.

WAF integration

Attach an AWS WAF web ACL with rate-based rules (500 requests per 5 minutes per IP) and the AWSManagedRulesCommonRuleSet. Exclude the SizeRestrictions_BODY rule on /payloads/* to allow large binary uploads.

Next step: Recipe: Auto-update flow (wire the loader to consume these signed URLs).