Here is the loophole:

In the cat-and-mouse game between students and school network administrators, a new champion has emerged. It isn't a proxy site with a weird .io domain, nor is it a VPN app hastily downloaded from a Chrome Web Store. It is Amazon CloudFront —a piece of enterprise-grade infrastructure designed to make the internet faster, not freer.

Morally? It’s a grey area. Schools argue that games distract from learning and consume bandwidth. Students argue that free periods are their time, and that draconian filters punish everyone for the sins of a few.

Any developer can create a "distribution"—a public endpoint ending in .cloudfront.net —and point it to any origin server. That origin could be an Amazon S3 bucket, an EC2 instance, or even a random VPS in Finland.

Walk into any high school computer lab during a free period, and you might see a familiar sight: tabs titled “1v1.LOL,” “Shell Shockers,” or “Krunker.” But look closer at the URL bar. It doesn’t end in .com or .io . Instead, it contains a string like d1234abcd.cloudfront.net .

As long as schools need the internet to be fast and functional, they cannot block AWS. And as long as CloudFront exists, somewhere in a study hall, a browser tab will be quietly, secretly, running a first-person shooter on d1234abcd.cloudfront.net .