Skip to main content
  1. The AWS Mastery Question Bank: Architect Decision Matrix Hub/
  2. SAP-C02/

AWS SAP-C02 Drill: Serverless Edge Computing - The Header Manipulation Trade-off Analysis

·1605 words·8 mins·
Architecture Drills AWS SAP-C02 FinOps Decision Matrix CloudFront Lambda@Edge CloudFront Functions API Gateway Serverless Edge Computing
Jeff Taakey
Author
Jeff Taakey
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.
Table of Contents

Jeff’s Insights
#

“Unlike generic exam dumps, Jeff’s Insights is designed to make you think like a Real-World Production Architect. We dissect this scenario by analyzing the strategic trade-offs required to balance operational reliability, security, and long-term cost across multi-service deployments.”

While preparing for the AWS SAP-C02, many candidates get confused by serverless edge computing options. In the real world, this is fundamentally a decision about response manipulation location, cost efficiency, and latency. Let’s drill into a simulated scenario.

The Architecture Drill (Simulated Question)
#

Scenario
#

StreamTech Industries operates a metadata delivery platform serving millions of smart home devices—including legacy IoT televisions, internet radios, and set-top boxes manufactured between 2008-2015. Their on-premises solution uses a custom metadata API that identifies legacy devices via the User-Agent HTTP header and strips incompatible HTTP response headers (like X-Frame-Options, Strict-Transport-Security) that cause these devices to crash or display error screens.

The platform currently runs behind an on-premises F5 load balancer with iRules that perform conditional header removal. StreamTech is mandated by the CFO to migrate to AWS using serverless technologies to eliminate server maintenance overhead while maintaining 100% backward compatibility with the installed device base (approximately 2.3 million legacy units still active).

The application logic has already been containerized and successfully refactored into AWS Lambda functions. Each device type (TV, radio, media player) invokes a different Lambda function endpoint.

The Requirement:
#

Migrate the metadata service to AWS using a fully serverless architecture that:

  • Supports legacy devices by removing incompatible HTTP headers based on User-Agent detection
  • Minimizes operational complexity (no EC2 management)
  • Optimizes for cost efficiency at scale (billions of requests/month)
  • Maintains response latency under 200ms globally

The Options:
#

  • A) Create an Amazon CloudFront distribution for the metadata service; create an Application Load Balancer (ALB); configure CloudFront to forward requests to the ALB; configure the ALB to invoke the appropriate Lambda function for each request type; create a CloudFront Function to remove problematic headers based on User-Agent header values.

  • B) Create an Amazon API Gateway REST API for the metadata service; configure API Gateway to invoke the appropriate Lambda function for each request type; modify the default Gateway Responses to remove problematic headers based on User-Agent header values.

  • C) Create an Amazon API Gateway HTTP API for the metadata service; configure API Gateway to invoke the appropriate Lambda function for each request type; create response mapping templates to remove problematic headers based on User-Agent header values; associate the response data mapping with the HTTP API.

  • D) Create an Amazon CloudFront distribution for the metadata service; create an Application Load Balancer (ALB); configure CloudFront to forward requests to the ALB; configure the ALB to invoke the appropriate Lambda function for each request type; create a Lambda@Edge function to remove problematic headers based on User-Agent header values at the viewer response event.

Correct Answer
#

Option A.

The Architect’s Analysis
#

Correct Answer
#

Option A.

The Winning Logic
#

Option A represents the optimal trade-off between cost, performance, and architectural simplicity for this specific use case:

  1. Cost Efficiency at Scale: CloudFront Functions cost $0.10 per 1M invocations vs Lambda@Edge at ~$0.60+ per 1M executions. At 3 billion requests/month, this is $300/month vs $1,800+/month—a $18,000/year savings.

  2. Performance Superiority: CloudFront Functions execute in less than 1 millisecond at the viewer response stage, with no cold start penalty. They run in a lightweight JavaScript runtime optimized for header/cookie manipulation.

  3. Global Edge Execution: CloudFront’s 275+ edge locations ensure sub-50ms latency for 95% of global users, critical for legacy devices with poor retry logic.

  4. Architectural Simplicity: The ALB provides native Lambda integration via target groups, eliminating the need for API Gateway entirely while providing health checks and traffic distribution.

  5. Correct Event Timing: Viewer response events (where CloudFront Functions execute) occur after the origin response is received, allowing inspection of both the User-Agent (from request) and modification of headers (in response).

Why the ALB is included: While it adds a component, ALB provides native Lambda target group support with automatic retries, connection draining, and health checks—operational features API Gateway HTTP API lacks when invoking Lambda directly.

The Trap (Distractor Analysis):
#

  • Why not Option B (API Gateway REST API with Gateway Responses)?

    • Fatal Technical Flaw: Gateway Responses are designed for API Gateway-generated error responses (4xx, 5xx from API Gateway itself), NOT for modifying responses from backend Lambda functions. They cannot conditionally modify headers based on request attributes like User-Agent.
    • Incorrect Feature Application: This demonstrates confusion between Gateway Responses (error templates) and Response Mapping (data transformation).
    • Cost: REST API costs $3.50 per million requests vs CloudFront’s $0.085 per 10,000 requests (with caching benefits).

  • Why not Option C (API Gateway HTTP API with Response Mapping)?

    • Critical Feature Gap: API Gateway HTTP API does not support response mapping templates. This feature is exclusive to REST APIs. The HTTP API is intentionally simplified and lacks VTL (Velocity Template Language) transformation capabilities.
    • Documentation Trap: This is a common exam distractor testing whether you know the feature matrix differences between REST and HTTP APIs.

  • Why not Option D (Lambda@Edge at viewer response)?

    • Cost Inefficiency: Lambda@Edge costs 5-6x more than CloudFront Functions for identical header manipulation tasks.
    • Performance Overhead: Lambda@Edge has cold start latency (50-200ms) and executes in Node.js/Python runtimes designed for complex logic, not sub-millisecond header operations.
    • Over-Engineering: Lambda@Edge is designed for compute-intensive edge tasks (image resizing, A/B testing with external DB calls, bot detection with ML models). Using it for simple header removal is architectural overkill.
    • Correct Event, Wrong Tool: While the viewer response event is correct, CloudFront Functions are purpose-built for this exact use case.

The Architect Blueprint
#

graph TD A[Legacy IoT Device<br/>User-Agent: LegacyTV/1.0] -->|HTTPS Request| B[CloudFront Edge Location<br/>275+ Global POPs] B -->|Cache MISS| C[Origin Shield<br/>Optional Cost Optimization] C -->|Forward to Origin| D[Application Load Balancer<br/>Target Group: Lambda] D -->|Invoke| E[Lambda Function<br/>Metadata API Logic] E -->|Response with Standard Headers| D D -->|Origin Response| C C -->|Origin Response| B B -->|Viewer Response Event| F[CloudFront Function<br/>Header Removal Logic] F -->|Conditional Header Strip<br/>Based on User-Agent| G[Modified Response<br/>Legacy-Safe Headers] G -->|HTTPS Response| A style F fill:#ff6b6b,stroke:#c92a2a,color:#fff style B fill:#4dabf7,stroke:#1971c2,color:#fff style E fill:#51cf66,stroke:#2f9e44,color:#fff H[CloudFront Function Code] -.->|Executes at Edge| F subgraph "Edge Computing Layer" B F end subgraph "Origin Layer - us-east-1" D E end

Diagram Note: CloudFront Function executes at the viewer response stage after receiving the origin response from ALB/Lambda, inspecting the original request’s User-Agent header to conditionally remove incompatible response headers before delivery to the client—all within the same edge location for sub-millisecond latency.

The Decision Matrix
#

Option Est. Complexity Est. Monthly Cost (3B requests) Pros Cons
A - CloudFront + ALB + CloudFront Functions Medium $550/month
($255 CloudFront data transfer + $300 CF Functions + $18 ALB hours - $23 ALB LCU)		 ✅ Lowest cost for header manipulation
✅ Sub-millisecond execution
✅ No cold starts
✅ Global edge performance
✅ Native caching benefits		 ⚠️ Requires JavaScript knowledge
⚠️ CF Functions have 10KB code limit
⚠️ ALB adds architectural layer
B - API Gateway REST API + Gateway Responses Low $10,500/month
($10,500 API requests)		 ✅ Simple setup
✅ Integrated monitoring		 INCORRECT SOLUTION
❌ Gateway Responses don’t modify Lambda responses
❌ 19x more expensive than Option A
❌ No global edge caching
C - API Gateway HTTP API + Response Mapping Low $3,000/month
($3,000 API requests)		 ✅ Lower cost than REST API
✅ Simplified API		 INCORRECT SOLUTION
❌ HTTP API doesn’t support response mapping
❌ Feature doesn’t exist
❌ 5.5x more expensive than Option A
D - CloudFront + ALB + Lambda@Edge High $2,055/month
($255 CloudFront + $1,800 Lambda@Edge + $18 ALB - $18 Lambda@Edge discount)		 ✅ Full programmability (Node.js/Python)
✅ Access to external resources
✅ Correct event type (viewer response)		 3.7x more expensive than Option A
❌ Cold start latency (50-200ms)
❌ Over-engineered for simple header manipulation
❌ Higher memory/duration costs

FinOps Key Insight: The $18,000/year savings (Option A vs D) could fund an entire additional engineer or 3 years of AWS Professional Services consulting for migration optimization.

Real-World Application (Practitioner Insight)
#

Exam Rule
#

For SAP-C02: When you see “serverless” + “header/cookie manipulation” + “cost optimization”, immediately evaluate CloudFront Functions first. Only choose Lambda@Edge when the scenario requires:

  • External network calls (DynamoDB, API lookups)
  • Compute >1ms (image processing, encryption)
  • Runtimes beyond JavaScript (Python for ML inference)
  • Body manipulation (not just headers/cookies)

Real World
#

In production environments, we would enhance Option A with:

  1. CloudFront Origin Shield ($0.01/10k requests): Adds an additional caching layer to reduce ALB load by 80-90%, critical when origin is in a single region.

  2. WAF Integration ($5/month + $1 per 1M requests): Add AWS WAF to CloudFront for bot detection and DDoS protection—legacy devices are common targets for botnet recruitment.

  3. CloudWatch RUM: Implement Real User Monitoring to track actual device failure rates and header-specific error correlation—validating that header removal is truly solving the compatibility issue.

  4. A/B Testing Strategy: Use CloudFront Functions to gradually roll out header removal (e.g., 10% of traffic with User-Agent pattern matching) before full deployment, using custom headers to track cohorts.

  5. ALB Alternatives: For greenfield designs, consider Lambda Function URLs (released 2022) with CloudFront, eliminating the ALB entirely. However, ALB provides superior health checking and traffic distribution for multi-function architectures.

  6. Response Caching Strategy: Configure Cache-Control headers in Lambda responses based on metadata volatility—static device configs can be cached for 24h at edge, reducing origin requests by 95%+.

Cost Reality Check: A Fortune 500 streaming company using this exact pattern (CloudFront Functions for device compatibility) reported:

  • 94% reduction in origin traffic due to edge caching
  • $127k annual savings vs their previous Lambda@Edge implementation
  • P99 latency improvement from 340ms to 78ms globally

Disclaimer

This is a study note based on simulated scenarios for the AWS SAP-C02 exam. It is not an official question from AWS or any certification body. All company names, scenarios, and technical implementations are fictional and created for educational purposes.

The DevPro Network: Mission and Founder

A 21-Year Tech Leadership Journey

Jeff Taakey has driven complex systems for over two decades, serving in pivotal roles as an Architect, Technical Director, and startup Co-founder/CTO.

He holds both an MBA degree and a Computer Science Master's degree from an English-speaking university in Hong Kong. His expertise is further backed by multiple international certifications including TOGAF, PMP, ITIL, and AWS SAA.

His experience spans diverse sectors and includes leading large, multidisciplinary teams (up to 86 people). He has also served as a Development Team Lead while cooperating with global teams spanning North America, Europe, and Asia-Pacific. He has spearheaded the design of an industry cloud platform. This work was often conducted within global Fortune 500 environments like IBM, Citi and Panasonic.

Following a recent Master’s degree from an English-speaking university in Hong Kong, he launched this platform to share advanced, practical technical knowledge with the global developer community.


About This Site: AWS.CertDevPro.com


AWS.CertDevPro.com focuses exclusively on mastering the Amazon Web Services ecosystem. We transform raw practice questions into strategic Decision Matrices. Led by Jeff Taakey (MBA & 21-year veteran of IBM/Citi), we provide the exclusive SAA and SAP Master Packs designed to move your cloud expertise from certification-ready to project-ready.