運用 AWS Edge Services 作為遊戲行業的關鍵基礎設施元件 (Level 200)

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Paul Yung
Head of Territory Business Development- HKT, AWS
Track 6: 14:40 – 15:20, 28th Jun 2019
AWS Edge Services - A Critical AWS
Infrastructure Component for Gaming

Thank You!

My Wish Today
• Share the Cloud Architecture Best Practices
• Overview of Edge Services
• See it in action

Global
Infrastructur
e
& Services
Pre-built
Game
Services
& Tools
Content
Creation
Tools
Distribution
&
Marketing

Infrastructure
Services
Pre-built
Game
Solutions
Content
Creation
Distribution
&
Marketing
Amazon
GameLift
Dream big. Build bigger.

Global
Infrastructure
& Services

90%oftheworld’slargest
gamecompaniesuseAWS.”

Architecting for The Cloud: Best Practices
• Scalability
• Disposable Recourses Instead of Fixed Servers
• Automation
• Loose Coupling
• Services, Not Servers
• Database
• Removing Single Points of Failure
• Caching
• Security
• Optimize for Cost
Download the White Paper:
https://aws.amazon.com/whitepapers/architecting-for-the-aws-cloud-best-practices/
Global
Infrastructur
e
& Services

Access Core Infrastructure Services Directly
Compute
Storage
Database
Customer
Application

Control Access Via Edge Services
Compute
Storage
Database
Customer
Application
E
d
g
e
S
e
r
v
i
c
e
s
E
d
g
e
S
e
r
v
i
c
e
s
Users can access resources
through the Edge to secure,
scale, and optimize applications

What Are Edge Services in AWS?
CloudFront
Caching Servers
Route 53 AWS WAF AWS Shield Lambda@Edge
Global DNS Firewall Anti-DDoS Serverless
compute
Content Delivery Ingest and Proxy

Accessing Your Gaming App Directly
It Can Take Many Networks To Reach The Application
Paths to and From the Application May Differ
Each Hop Impacts Performance & Can Introduce Risk
Local ISP Network
A
B C D E F
Access Application!
Accessing Your Application Is Not This StraightforwardThe Result is Sub-Optimal Application Performance
Adding Edge Services Removes These Inefficiencies
CloudFront & Route 53 Gets to AWS Network Faster
Shield and WAF Mitigate Risk
Lambda@Edge Adds Intelligence and Control
Resulting in Improved Performance
Accessing Your Gaming App with Edge
AWS Network

Amazon CloudFront
Content Distribution Network (CDN)

Starting with Amazon CloudFront
• Global Content Delivery Network (CDN)
• Integrated with AWS WAF and AWS Shield
• Intelligence of Lambda@Edge Compute Capability
• Built in Security Features
• Cost Effective Pricing Options

How CloudFront Works
user
request
origin
CloudFront
Get
Get
Ok
Ok
GetGet
user
request
Amazon
S3
Amazon
EC2
Custom
Server

Dynamic
Static Video
User
input
SSL/TLS
CloudFront delivers ALL types of content

Without having to change your backend…
ALB/ELB
Dynamic content
Amazon EC2
Static content
Amazon S3 Custom origin
OR
OR
Custom originAmazon CloudFront
example.com
*.jpg
*.php

NASA/JPL
18
Amazon CloudFront - Broad Range of Use Cases
News, Weather, Sports,
Leisure, Social Media
Software
Delivery
E-commerce
Media Gaming
Digital
Advertising

119 Points of Presence in 58 Cities, 26 Countries
As of Jun 2018
Amazon CloudFront Global Content Delivery Network
Asia(28)
Chennai, India (2)
Hong Kong, China (3)
Kuala Lumpur, Malaysia
Mumbai, India (2)
Manila, Philippines
New Delhi, India
Osaka, Japan
Seoul, Korea (4)
Singapore (3)
Taipei, Taiwan (2)
Tokyo, Japan (8)

AWS Global Backbone Network

CloudFront Dynamic Content(API) acceleration
API Acceleration – CloudFront with AWS Backbone
Slack Web API
• POSTs and GETs to
HTTPS endpoint
• Responses come back
as JSON objects
• Accelerated globally
using Amazon
CloudFront

CloudFront: Built In Security Controls
SSLv3
TLSv1.0
TLSv1.1
TLSv1.2
Advanced Cippers
Certificate Manager
OCSP Stapling
Session Tickets
Perfect Forward
Secrecy
Protocol Enforcement
Half / Full Bridge
Connections
Encrypted
Connections
Custom Origin
Protection
Header and ACL
Content Protection
Signed URL /
Cookies
Content Restriction
Geo Blocking
S3 Origin Access
Identity
Access
Control
Compliance: PCI DSS Level 1, HIPAA, ISO 9001, 27001, 27017, 27018
Offload Heavy Lifting to the Edge

Amazon CloudFront Field-Level Encryption
Secure and control the access of sensitive customer data
while accelerating your application
 Sensitive data encrypted with public RSA key
 Reduces attack surface for your sensitive data
 Eliminates risk with accidental (or incidental) data
leakage
CloudFront
Origin
CC=1234
Date=1/1/17
CC=1234 -> CC=XXXX
Date=11/27/17 CC=1234
Payments
Encrypt at Edge
Decrypt at
Payments
HTML Form
POST
Launched

Amazon CloudFront Field-Level Encryption
Without Field-Level Encryption
POST/HTTP(S)
Host: foo.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Name=Paul&Phone=0989040368
Field-Level Encryption Converts This To:
POST/HTTP(S)
Host: foo.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Name=Paul&Phone=<encrypted>ejYx52fxx2jjnwetvxx</encrypted>

CloudFront: Cost Optimization
On Demand Pricing
• Published Online
• Regional Tiered Rates
• Pay As You Go
• Free Tier
Reserved Capacity
• Reduced Pricing
• Contracts Tailored to Use
Case
• Event more flexible via
partner
Price Classes
• Optimize for Cost
• Regional Data Transfer
• User Controlled
• Turn On/Off Any Time

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.Feb-14 Mar-14 Apr-14 May-14 Jun-14 Jul-14 Aug-14 Sep-14 Oct-14 Nov-14 Dec-14 Jan-15 15-Feb
AWS Cost & Beat User Growth
Rev ($K)
Price drop in
EC2, S3
RI purchase
CloudFront
commit contract
#1
Price drop in
Data Transfer of
26%
CloudFront
commit cont
#2
0.1M users
1M users
2M users

Apr-14 May-14 Jun-14 Jul-14 Aug-14 Sep-14 Oct-14 Nov-14 Dec-14 Jan-15 Feb-15
97% reduction
in cost per user
AWS cost per user
1M users
2M users
0.1M users
While the number of Beat
users has grown rapidly,
the total cost of using
AWS has not. Through
continuous cost
optimizations, the cost per
user has decreased by
97% since we launched
the service.”
-THE BEATPACKING
COMPANY
Su-man Park, CEO-

AWS CloudFront: Service Delivery Partners
博弘雲端
伊雲谷
台灣區
CDN合作夥伴

AWS Lambda@Edge
Serverless Computing at Edge Location

AWS Lambda: Serverless computing
Run code without servers. Pay only for the compute time you consume. Be happy.
Triggered by events or called from APIs:
• PUT to an Amazon S3 bucket
• Updates to Amazon DynamoDB table
• Call to an Amazon API Gateway endpoint
• Mobile app backend call
• CloudFront requests
• And many more…
Continuous
scaling
No servers
to manage
Never pay for idle
– no cold servers
Globally
distributed

Introducing Lambda@Edge
• Lambda@Edge is an extension of AWS Lambda that allows you to run
Node.js code at global AWS locations
• Bring your own code to the Edge and customize your content very close to
your users, improving end-user experience
Continuous
scaling
No servers
to manage
Never pay for idle
– no cold servers
Globally
distributed
Improve viewer latency
Simplify your origin infrastructure

Edge locationAWS
Region
Regional Edge
Cache
Write once, run everywhere
AWS
Location
AWS
Location
AWS
Location
AWS
Location
AWS
Location

CloudFront triggers for
Lambda@Edge functions
CloudFront cache
End user
Viewer request Origin request
Origin responseViewer response

Lambda@Edge functionality
• Read and write access to headers, URIs, and
cookies across all triggers
• Ability to generate custom responses from
scratch
• Access to make network calls to external
resources on origin-facing hooks

So, what can I do with Lambda@Edge?

Highly personalized websites
• Redirect viewers to the optimal
experience based on their location,
language preferences, and device type

Highly personalized websites – how?
• Trigger: Viewer request
• Inputs
• Requested URL
• Device type (i.e., User-Agent)
• Existing session data
• Output
• Generate a response directly from Lambda@Edge,
specifically a redirect to the most relevant experience (e.g. ,
cropped images and mobile sites for mobile users)

Pretty URLs
• Rewrite the URL end user's request
to serve content without exposing
your team’s internal directory
structure and organization
• Provide customized experiences
without compromising consistency
in what your viewers see

Pretty URLs – how?
• Trigger: Origin request
• Inputs
• URL requested
• Outputs
• Rewrite the requested URL, which will be passed to the
origin
• The response will be cached based on what the customer
requested to serve subsequent requests (i.e., the pretty
URL)

Authorization at the Edge
• Inspect cookies or custom headers to
authenticate clients right at the Edge
• Enforce paywalls at the Edge to gate
access to premium content to only
authenticated viewers

Authorization at the Edge – how?
• Prerequisites
• The customer must have previously authenticated against your
authoritative service, resulting in some sort of authorization credential.
Typically this is a cookie.
• Inputs
• URL
• Authorization credential (cookie)
• Outputs
• Allow the request to succeed if the request is authorized. If not, either
return a 403 response or redirect to an authentication page

A/B testing
• ‘Flip a coin’ to select a
version of content
displayed to each user
on an asset level
• Set cookies to ensure
that users continue to
see the right versions
of content

A/B testing – how?
• Inputs
• URL
• Cookies
• Outputs
• If the A/B testing cookie is set, rewrite the requested URI to
be the correct content version
• If it is not set, flip a coin and set the cookie accordingly.

Limited access to content
• Enforce timed access to content
at the edge
• Make a call to an external
authentication server to
confirm if a user’s session is still
valid
• Forward valid requests to the
origin, and serve redirects to
new users to login pages

Limited content access – how?
• Trigger: Origin request
• Inputs
• URL/cookies
• Access to external user-tracking database
• Outputs
• If a customer requests content for specific URLs or with
specific cookies, make a request to the external server to
confirm session validity
• Based on response from external server, serve content, or
redirect to a login page

Response generation at the Edge
Generate an HTTP response to end
user requests arriving at AWS locations:
• Generate customized error pages
and static websites directly from
Edge locations
• Combine content drawn from
multiple external resources to
dynamically build websites at the
Edge

Response generation – how?
• Viewer or origin request event
• Inputs
• URI
• Headers
• Outputs
• Custom response based on URI and headers

Lambda@Edge pricing
Just as with Lambda today, Lambda@Edge is priced on two
dimensions:
• $0.60 / million function executions
• $0.0225 per hour of execution duration (128 MB per function, metered
at 50ms granularity)
For example - 10 million executions, 50ms each time
• Total charges = Compute charges (10M * 0.05 sec * ($0.0225 / 3600) =
$3.13) + Request charges (10M * $0.6/M = $6.00) = $3.13 + $6.00 =
$9.13 per month

AWS WAF
Web Application Firewall

Types of Threats
Bad BotsDDoS Application Attacks
Reflection
Layer 4 floods
Slowloris
SSL abuse
HTTP
floods
Amplification
Content scrapers
Scanners & probes
Crawler
s
SQL
injection
Application
exploits
Social
engineering
Sensitive data
exposure
Application
Layer
Network /
Transport
Layer

AWS WAF: Application Level Security
Block or Allow Web Requests Monitor Security Events
Layer 7 Protection Available via AWS WAF
 Self-service & pay-as-you-go
 Flexible rule language
 Fast rule propagation

AWS WAF - Block or Allow Web Requests
Valid users
Web server
Database
Application vulnerabilities
Content Abuse:
Bots & Scrapers
Application DDoS
Exploit
code

Valid users
Web server
Database
Application vulnerabilities
Content Abuse:
Bots & Scrapers
Application DDoS
Exploit
code
X
X
X
AWS WAF - Block or Allow Web Requests

AWS WAF - Monitor Security Events
Monitor security events

Key Benefits
Scale APIs for Automation
Fast Incidence
Response
Preconfigured
Protection
AWS WAF
available on:
Amazon CloudFront Application Load Balancer (ALB)

AWS Shield
Managed DDoS Protection

DDoS Attack threats and Trends:
Network / Transport Layer DDoS

0
200
400
600
800
1000
1200
1400
1600
1800
2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018
Largest DDoS Attacks (Gbps)
DDoS Size Trends
Memcached
Attacks
Mirai Attacks

Evolution of DDoS Mitigation
On-Premise Cloud-Routed Cloud-Native

On-Premise
• Scale network and fixed
infrastructure to mitigate DDoS
attacks on-site
• Limited Visibility and control
• Large capital expenditures,
maintenance costs, and in-house
expertise

Cloud-Routed
• Route traffic to other networks for
better mitigation capacity, managed
services
• Mitigate larger DDoS attacks without
upfront investment or in-house
expertise
• Black box solution – can introduce
latency, additional points of failure,
increased operating costs

Cloud-Native
• Automatic, always-on DDoS protection
for all applications on AWS
• Leverage 18 AWS Regions and over
119+ Edge Locations to mitigate large
attacks close to the source
• Simple, flexible, and affordable
• Robust capabilities without
undifferentiated heavy-lifting

AWS Shield - Managed DDoS Protection
AWS Integration
DDoS protection
without
infrastructure
changes
Affordable
Don’t force unnecessary
trade-offs between cost
and availability
Flexible
Customize
protections for your
applications
Always-On Detection
and Mitigation
Minimize impact on
application latency

Source: AWS Global Threat Dashboard (Available for AWS Shield Advanced customers)
AWS Shield detects and mitigates 1,000’s of DDoS Attacks Daily
AWS Shield - Managed DDoS Protection

AWS Shield – Layer 3/4 Protection for Everyone
Standard Protection Advanced Protection
Available to ALL AWS customers
at No Additional Cost
Paid service that provides additional,
comprehensive protections from large
and sophisticated attacks

AWS Shield Overview
Shield Standard
 Protect Against 96% of Infrastructure Layer
Attacks
 Network flow monitoring for Layer 3/4
Attack
 Self-service & pay-as-you-go WAF for web
attacks
Shield Advanced
 Protection Against Largest & Sophisticated
attacks
 Additional Detection & Monitoring
 Attack Notification & Details via
CloudWatch
 24X7 Access to DDoS Response Team
 Include AWS WAF at No Additional Cost
 Cost Protection (Absorb Bursting Cost)

Real Time Notifications via CloudWatch
Notification
metrics on
individual attack
vector
Set Alarms on each
metric to Notify
your SOC teams

Attack Dashboard & Historical Attack Summary
High level view of
Protected resources
and Any Ongoing
events
Attack Details on
Current/On-going Incident

Amazon Route 53: Global DNS
Register and Manage Domains
Manage Hosted Zones
Serve DNS Queries
SLA: 100% Available
Route traffic to AWS resource with Traffic Flow
• DNS Failover
• Geo Routing
• Latency Based Routing
• Weighted Round Robin
Amazon Route 53

corporate data center
Static Content Origin
Dynamic Content Origin
Dynamic Content Origin
AND, OR
EC2 instance
web app
server
Elastic Load
Balancing
Amazon S3
bucket
Static Content Origin
Edge Services: Reference Architecture
CloudFront CDN edge
location
DDoS Attack
X Legitimate
Traffic
AWS SHIELD
Managed DDoS Protection
Lambda@Edge
Intelligent Compute
AWS WAF
Web Application Firewall
X
hackers
bad bots
site
scrapingX
SQL Injection,
XSS, other attacksX
Legitimate
Traffic
Lambda@Edge

Edge
Benefits of an Edge Enabled Implementation

Benefits of an Edge Enabled Implementation
• Edge Services Extend Your App Closer to the Users
• Reduce Risk Surface Area to the Edge
• Improve Secure Access to Applications
• Reduce Latency and Increase Performance and Control
• Add Scalable Network Components
• Reduce Total Cost of Data Transfer
• Provide Visibility for Application Analytics
Edge

48
82
280
722
2009 2011 2013 2015 2016 2017
Continuous Innovation in Cloud
AWS has been continually expanding its services to support virtually
any cloud workload, and it now has more than 100 services that
range from compute, storage, networking, database, analytics,
application services, deployment, management, developer, mobile,
IoT, AI, security, hybrid and enterprise applications.
1017
Customer-driven services and features
1430

Call to Action
• Review the “Architecting for The Cloud: Best
Practices” Whitepaper, consider to enable edge
services
• Schedule a follow-up assessment with AWS & AWS
partner for Architecture an Cost optimization
• Build a POC with AWS sponsored credits
Paul Yung
pyung@amazon.com
Edge

We Love Customer’s Feedback !
Please complete the session
survey in the summit mobile app

運用 AWS Edge Services 作為遊戲行業的關鍵基礎設施元件 (Level 200)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 運用 AWS Edge Services 作為遊戲行業的關鍵基礎設施元件 (Level 200)

Similar to 運用 AWS Edge Services 作為遊戲行業的關鍵基礎設施元件 (Level 200) (20)

More from Amazon Web Services

More from Amazon Web Services (20)

運用 AWS Edge Services 作為遊戲行業的關鍵基礎設施元件 (Level 200)