AWS CloudFront Integration
Monitor distribution-level cache hit ratios, origin latency percentiles, and 4xx/5xx error rates across your CloudFront distributions. Get predictive edge performance alerts and AI root cause analysis before degradation reaches your users.
How It Works
Enable CloudWatch Metric Streams
Deploy the TigerOps CloudFormation template targeting the AWS/CloudFront namespace. It provisions a Firehose delivery stream and CloudWatch Metric Stream that forwards distribution-level metrics in near real time — no polling, no Lambda functions.
Configure Real-Time Log Delivery
Enable CloudFront real-time logs on your distributions and point the Kinesis Data Stream to the TigerOps log ingest endpoint. Real-time logs provide sub-second edge request data including cache status, origin latency, and viewer location.
Set Cache & Error Thresholds
Define alert thresholds for CacheHitRate, OriginLatency, 4xxErrorRate, and 5xxErrorRate per distribution or behavior. TigerOps fires predictive alerts when cache hit ratios decline or origin latency trends upward before end users are impacted.
Correlate with Origin Infrastructure
TigerOps automatically links CloudFront origin latency increases with upstream ALB target response times, EC2 instance CPU saturation, or S3 request throttling — pinpointing whether degradation is at the edge or origin.
What You Get Out of the Box
Cache Hit Ratio Tracking
Per-distribution and per-behavior CacheHitRate with historical trend analysis. TigerOps alerts when cache hit ratios drop below your SLO threshold and identifies which URL patterns are causing cache misses.
Origin Latency Percentiles
p50, p95, and p99 OriginLatency by distribution and origin. TigerOps detects origin latency degradation before it manifests as elevated viewer-side response times, giving your origin team early warning.
Error Rate Monitoring
Track 4xxErrorRate and 5xxErrorRate per distribution with rate-of-change alerting. Distinguish between client-side 4xx spikes from bot traffic and origin-side 5xx errors that indicate infrastructure failures.
Real-Time Edge Request Analytics
Analyze CloudFront real-time log data for request volume by edge location, viewer country, cache status (Hit/Miss/Error/Redirect), and User-Agent patterns. Detect traffic anomalies and DDoS patterns in seconds.
Bytes Downloaded & Throughput
Monitor BytesDownloaded, BytesUploaded, and total request counts per distribution. Correlate CDN throughput changes with origin data transfer costs, identify bandwidth hotspots, and track content delivery trends.
AI Anomaly & Root Cause Analysis
When error rates spike or cache performance degrades, TigerOps AI correlates CloudFront metrics with origin ALB health, WAF block rates, and Route 53 resolver latency to surface the root cause with full context.
CloudFormation + Real-Time Log Setup
Deploy the TigerOps CloudFormation stack and enable real-time log delivery for full CloudFront observability.
# Deploy CloudWatch Metric Streams for CloudFront
# aws cloudformation deploy \
# --template-file tigerops-cloudfront.yaml \
# --stack-name tigerops-cloudfront-monitoring \
# --region us-east-1 \
# --capabilities CAPABILITY_IAM \
# --parameter-overrides TigerOpsApiKey=${TIGEROPS_API_KEY}
#
# NOTE: CloudFront metrics are only available in us-east-1
AWSTemplateFormatVersion: '2010-09-09'
Description: TigerOps - CloudFront CloudWatch Metric Streams
Parameters:
TigerOpsApiKey:
Type: String
NoEcho: true
DistributionId:
Type: String
Description: CloudFront Distribution ID for real-time logs
Resources:
TigerOpsMetricStream:
Type: AWS::CloudWatch::MetricStream
Properties:
Name: tigerops-cloudfront-stream
FirehoseArn: !GetAtt TigerOpsDeliveryStream.Arn
RoleArn: !GetAtt TigerOpsStreamRole.Arn
OutputFormat: opentelemetry1.0
IncludeFilters:
- Namespace: AWS/CloudFront
- Namespace: AWS/WAFV2
StatisticsConfigurations:
- AdditionalStatistics: [p50, p95, p99]
IncludeMetrics:
- Namespace: AWS/CloudFront
MetricName: OriginLatency
- Namespace: AWS/CloudFront
MetricName: CacheHitRate
# Real-time logs via Kinesis Data Stream
TigerOpsRealtimeLogConfig:
Type: AWS::CloudFront::RealtimeLogConfig
Properties:
Name: tigerops-realtime-logs
SamplingRate: 100
EndPoints:
- StreamType: Kinesis
KinesisStreamConfig:
RoleArn: !GetAtt TigerOpsRealtimeLogRole.Arn
StreamArn: !Sub arn:aws:kinesis:us-east-1:${AWS::AccountId}:stream/tigerops-cf-logs
Fields:
- timestamp
- c-ip
- sc-status
- cs-method
- cs-uri-stem
- x-edge-result-type
- x-edge-response-result-type
- time-to-first-byte
- origin-fbl
- x-edge-location
- cs-country
# Alert thresholds (tigerops-alerts.yaml)
alerts:
- name: CloudFront Cache Hit Ratio Drop
metric: aws_cloudfront_cache_hit_rate
condition: value < 0.85
severity: warning
- name: CloudFront Origin Latency p95
metric: aws_cloudfront_origin_latency_p95
condition: value > 2000 # milliseconds
severity: critical
- name: CloudFront 5xx Error Rate
metric: aws_cloudfront_5xx_error_rate
condition: value > 0.01 # 1%
severity: criticalCommon Questions
What is the difference between CloudWatch Metric Streams and real-time logs for CloudFront monitoring?
CloudWatch Metric Streams deliver pre-aggregated CloudFront distribution metrics (CacheHitRate, OriginLatency, ErrorRate) with approximately 2–3 minutes of latency — ideal for alerting and dashboards. Real-time logs deliver raw per-request log records with sub-second latency via Kinesis Data Streams, enabling request-level analysis, cache status breakdowns by URL, and geographic traffic patterns. TigerOps ingests both for comprehensive coverage.
Does TigerOps monitor CloudFront at the distribution behavior level?
Yes. CloudFront distributions can have multiple cache behaviors with different origins and TTL configurations. TigerOps ingests real-time log data tagged with the cache behavior path pattern, letting you build per-behavior cache hit and latency dashboards. This is essential for distributions that serve both dynamic API responses and static assets with very different caching strategies.
Can TigerOps detect when a CloudFront invalidation causes a cache hit ratio drop?
Yes. TigerOps can correlate AWS CloudTrail CreateInvalidation API events with cache hit ratio metrics. When a large invalidation is submitted, TigerOps creates an annotation on your dashboard and suppresses cache hit ratio alerts for the expected re-warm period, avoiding false positives after intentional cache clears.
How does TigerOps monitor CloudFront with AWS WAF enabled?
TigerOps ingests AWS WAF metrics from the AWS/WAFV2 namespace alongside CloudFront metrics. You can correlate WAF BlockedRequests and AllowedRequests with CloudFront 4xx error rates to determine whether error spikes originate from WAF blocks or true client errors. WAF rule group block rates are displayed in the same distribution dashboard.
Does TigerOps support CloudFront Functions and Lambda@Edge monitoring?
Yes. TigerOps monitors CloudFront Functions execution errors and throttle rates via CloudWatch metrics, and Lambda@Edge function errors and duration via the AWS/Lambda namespace in us-east-1 and each edge region. Errors from edge functions are correlated with CloudFront 5xx rates in the incident view.
Stop Discovering CloudFront Cache Misses After Users Complain
Cache hit ratio alerts, origin latency percentiles, and AI-powered edge diagnostics. Deploy with one CloudFormation stack in minutes.