This document discusses edge services from Amazon Web Services (AWS) as a critical component of AWS infrastructure. It defines edge services as services like Amazon CloudFront, AWS Shield, AWS WAF, and Amazon Route 53 that control access to core application resources through the edge to secure, scale, and optimize applications. The document reviews the benefits of edge services such as improved performance, security, and cost optimization. It provides overviews of CloudFront, Shield, WAF, and Route 53 and explains how to start leveraging them.
2. Architecture Best Practices
Overview of Edge Services
Edge Services Benefits
Use Case Review
Getting Started
Question / Answer
Edge Services
A Critical AWS Infrastructure Component
3. Architecting for The Cloud: Best Practices
• Scalability
• Disposable Resources Instead of Fixed Servers
• Automation
• Loose Coupling
• Services, Not Servers
• Databases
• Removing Single Points of Failure
• Caching
• Security
• Optimize for Cost
Download the White Paper:
https://aws.amazon.com/whitepapers/architecting-for-the-aws-cloud-best-practices/
4. What Are Edge Services?
Amazon CloudFront, Content Delivery Network (CDN) + Lambda
AWS Shield, Managed DDoS Protection
AWS WAF, Web Application Firewall
Amazon Route 53, Domain Name System
6. Control Access via Edge Services
Compute
Storage
Database
Customer
Application
Users can access core application resources through the Edge to secure, scale, and optimize applications
Edge Services
7. Accessing Your Web Applications Directly
It Can Take Many Networks To Reach The Application
Paths to and From the Application May Differ
Each Hop Impacts Performance & Can Introduce Risk
Local ISP Network A B C D E F
Access Application!
Accessing Your Application Is Not This Straightforward
The Result is Sub-Optimal Application Performance
Adding Edge Services Removes These Inefficiencies
CloudFront & Route 53 Get to the AWS Network Faster
Shield and WAF Mitigate Risk
Lambda@Edge Adds Intelligence and Control
Resulting in Improved Performance
Accessing Your Web Applications with Edge
AWS Network
8. Benefits of an Edge Implementation
• Edge Services Create a Tight Application Boundary
• Reduce Risk Surface Area to the Edge
• Improve Secure Access to Applications
• Reduce Latency and Increase Performance and Control
• Add Scalable Network Components
• Reduce Total Cost of Data Transfer
• Provide Visibility for Application Analytics
9. Starting with Amazon CloudFront
Global Content Delivery Network
Integrated with AWS WAF and AWS Shield
Intelligence of Lambda@Edge Compute Capability
Built In Security Features
Cost Effective Pricing Options
10. Amazon CloudFront Edge Locations
• Oregon
• Ohio
• N. Virginia
• Montreal
• Toronto
• London
• Frankfurt
• Sao Paulo
• Mumbai
• Singapore
• Seoul
• Tokyo
• Sydney
Regional Edge Locations
Global Network Infrastructure
11. CloudFront: Built In Security Controls
Encrypted Connections: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, Advanced Ciphers, Certificate Manager, OCSP Stapling, Session Tickets, Perfect Forward Secrecy, Protocol Enforcement, Half / Full Bridge Connections
Custom Origin Protection: Header and ACL
Content Protection: Signed URL / Cookies, Content Restriction, Geo Blocking
Access Control: S3 Origin Access Identity
Compliance: PCI DSS Level 1, HIPAA, ISO 9001, 27001, 27017, 27018
Offload Heavy Lifting to the Edge
12. CloudFront: Performance and Scale
Network Acceleration (TCP Optimization)
Regional Edge Caching Layer
Content Ingest (PUT/POST and S3-TA)
Latency Based Routing
Granular Cache Control (origin timeouts)
Fast Propagation and Content Invalidation
Low Latency, High Throughput Connections
13. CloudFront: Cost Optimization
On Demand Pricing: Published Online, Regional Tiered Rates, Pay As You Go, Free Tier
Reserved Capacity: Reduced Pricing, Contracts Tailored to Use Case, Variable Term
Price Classes: Optimize for Cost, Regional Data Transfer, User Controlled, Turn On/Off Any Time
No Data Transfer Fees from AWS Origins to Amazon CloudFront
No Charge for Regional Edge Cache
No Charge for SSL/TLS Certs from Amazon Certificate Manager
No Charge for Shared CloudFront certificates
Low Monthly Charge for Custom Hosted Certificates, Free SNI Certs via ACM
Same Rate, Same Network for HTTP and HTTPS traffic
Simple Request Fees
Covered by Existing Customer Service Plan
14. CloudFront: Application Acceleration with Lambda@Edge
• Event Driven Code at the Edge
• Header Response Manipulation
• Authentication
• HTTP Redirects
• A/B Testing
• Smart Content Assembly
• Image Serve Optimization
• Access Control
Move Code Execution to the Edge
Create / Modify Dynamic Content
15. Poll Question #1
Are you using any WAF technology in front of your applications today?
16. AWS WAF: Application Level Security
Block or Allow Web Requests
Monitor Security Events
17. AWS WAF: Application Level Security
Match Conditions
• IP
• String
• SQLi
• Size
• Rate Based
• Reusable
Flexible Rules
• AND/OR
• Block, allow, or count
• Ordered conditions
• Reusable
Fast Feedback
• ~1 minute for changes
• 1-minute metrics
• Request samples
Global Implementation on CloudFront
Local Implementation at AWS Regions
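As an added, constructed example (not from the slides or from AWS), a CloudFormation template for a WebACL that exercises the match conditions and actions listed above: a rate-based rule, a size constraint, and a SQLi condition run in count mode first so its sampled requests can be reviewed before blocking. It uses the current AWS WAF (WAFv2) resource types rather than the WAF Classic API the deck predates; the name, metric names, and thresholds are placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  EdgeWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: edge-webacl-example            # constructed name
      Scope: CLOUDFRONT                    # global WebACL for CloudFront; stack must be in us-east-1
      DefaultAction: {Allow: {}}           # allow by default, the ordered rules decide exceptions
      VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: edgeWebAcl}
      Rules:
        # Rate based: block a source IP that exceeds the request limit within the 5-minute window
        - Name: rate-limit-per-ip
          Priority: 0
          Action: {Block: {}}
          Statement:
            RateBasedStatement: {Limit: 2000, AggregateKeyType: IP}
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: rateLimit}
        # Size: block request bodies larger than 8 KB at the edge, before they reach the origin
        - Name: body-size-limit
          Priority: 1
          Action: {Block: {}}
          Statement:
            SizeConstraintStatement:
              FieldToMatch: {Body: {}}
              ComparisonOperator: GT
              Size: 8192
              TextTransformations: [{Priority: 0, Type: NONE}]
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: bodySize}
        # SQLi: count matches first and tune on the sampled requests, then change Count to Block
        - Name: sqli-query-string
          Priority: 2
          Action: {Count: {}}
          Statement:
            SqliMatchStatement:
              FieldToMatch: {QueryString: {}}
              TextTransformations: [{Priority: 0, Type: URL_DECODE}]
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: sqliCount}
Outputs:
  WebAclArn:
    Description: Pass this ARN as WebACLId of the CloudFront distribution to associate the WebACL
    Value: !GetAtt EdgeWebAcl.Arn
```

The 1-minute metrics and sampled requests the slide mentions are what the per-rule VisibilityConfig turns on; the Count action is the low-risk way to validate a new condition against production traffic.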
19. AWS Shield Advanced: Managed DDoS Protection
Integrated into the AWS global infrastructure
Always-on, fast mitigation without external routing
Redundant Internet connectivity in AWS data centers
20. AWS Shield Advanced: Managed DDoS Protection
Additional Detection & Monitoring
Protection Against Large DDoS Attacks
Visibility into Attack Detection & Mitigation
AWS WAF at No Additional Cost
24x7 DDoS Response Team
Cost Protection (Absorb DDoS Scaling Cost)
AWS Shield
• In Line Protections on the Edge and within the AWS Region
• No Architectural Changes Required
21. Amazon Route 53: Global DNS
Register and Manage Domains
Manage Hosted Zones
Serve DNS Queries
Route traffic to AWS resources with Traffic Flow
• DNS Failover
• Geo Routing
• Latency Based Routing
• Weighted Round Robin
22. Poll Question #2
Do you think you can use Edge Services if you don't have "cacheable content"?
23. Use Case Review: with / without Edge Services
Case #1: Dynamic/Static Content Delivery
Case #2: API Acceleration
24. Key Takeaways
Application Core Services Typically Include
• Compute, Storage and Database
Edge Services Provide Additional Value
• CDN, Security, DNS, Distributed Serverless Compute
• Network Scale, Performance, Visibility
• Support Static and Dynamic Content
• Cost Optimization
Adding Edge Services Improves Application Performance
25. Getting Started with Edge Services
A few simple ways to get started!
• Sign Up for an AWS Account
• Route 53: Create or Transfer Hosted Zones
• CloudFront:
  • Create a CloudFront Distribution (Console or API)
  • Launch a CloudFront Template Snippet with CloudFormation
• AWS WAF:
  • Create WebACLs
  • Associate to CloudFront or Application Load Balancers
  • Launch pre-configured protections from AWS Answers
• AWS Shield Advanced:
  • Add to accounts that have resources you want protected
Application Architecture Best Practices
Overview of Edge Services
Edge Services Benefits to Application Architectures
- Security
  Authentication
  Encryption
  Restriction
  Application Vulnerability Protection with WAF
  DDoS Mitigation
- Performance (latency, throughput, availability, scalability) (L@E)
- Integrated Design (lending to consistency, innovation, cost optimization)
With or Without You; Use Cases Improved by Edge
Getting Started / How To
Questions
CloudFront protects the connection between end users and the content edge and between the edge network and your origin.
By offloading SSL termination to CloudFront, application performance is enhanced since the origins are not burdened with the processing required to negotiate SSL handshakes. Advanced SSL/TLS options include the use of a wide variety of ciphers (AES128 and AES256, SHA, DES, MD5, and RSA-AES256), OCSP Stapling, Perfect Forward Secrecy, and Session Tickets. In addition, CloudFront makes use of TCP optimizations such as increased payload size, less aggressive retransmissions, and reuse of connections. Not only do these assist with SSL termination, but when combined with HTTP/2 they optimize network connections and lower overall latency. The result, even for non-cacheable content, is a faster, more responsive web application.
Signed URL
Signed Cookies
Enforce HTTPS to origin
Support iOS ATS
Support for TLSv1.1 and TLSv1.2 between edge and origin
Add/Modify Request Headers Forwarded From CloudFront to Origin
Integration with AWS Certificate Manager (SNI Certs from Amazon)
Integration with AWS WAF (web application firewall)
Geographic Restriction
IPv6 Support
Quick Start for CloudFront
Amazon CloudFront Template Snippets
Distribution Blueprints
Lambda Blueprints
CloudFront Template Snippets are available from the CloudFormation user guide.
Snippets Available include:
Amazon CloudFront Distribution Resource with an Amazon S3 Origin
Amazon CloudFront Distribution Resource with Custom Origin
Amazon CloudFront Distribution with Multi-origin Support.
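As an added, constructed example (not one of the CloudFormation user guide snippets the slide refers to), a distribution template that combines several of the controls listed in this deck: an S3 origin readable only through an Origin Access Identity, HTTPS enforced toward viewers with a free ACM SNI certificate and a TLS 1.2 minimum, an AWS WAF WebACL association, and geographic restriction. The parameter names, the DomainName/CertificateArn/WebAclArn values, and the US/CA country list are placeholders to be supplied at deployment.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  DomainName:     {Type: String, Description: Alternate domain name (CNAME) served by the distribution}
  CertificateArn: {Type: String, Description: ACM certificate for DomainName issued in us-east-1}
  WebAclArn:      {Type: String, Description: ARN of a CLOUDFRONT-scope AWS WAF WebACL}
Resources:
  ContentBucket:
    Type: AWS::S3::Bucket      # stays private; CloudFront is its only reader
  OriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig: {Comment: OAI for the static content origin}
  ContentBucketPolicy:         # grants GetObject to the OAI only, so direct S3 URLs are denied
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ContentBucket
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              CanonicalUser: !GetAtt OriginAccessIdentity.S3CanonicalUserId
            Action: s3:GetObject
            Resource: !Sub '${ContentBucket.Arn}/*'
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        HttpVersion: http2
        Aliases: [!Ref DomainName]
        WebACLId: !Ref WebAclArn                      # AWS WAF inspects requests at the edge
        Origins:
          - Id: s3-origin
            DomainName: !GetAtt ContentBucket.RegionalDomainName
            S3OriginConfig:
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${OriginAccessIdentity}'
        DefaultCacheBehavior:
          TargetOriginId: s3-origin
          ViewerProtocolPolicy: redirect-to-https     # no plaintext viewer connections
          AllowedMethods: [GET, HEAD]
          ForwardedValues: {QueryString: false, Cookies: {Forward: none}}
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          SslSupportMethod: sni-only                  # no-charge SNI certificate from ACM
          MinimumProtocolVersion: TLSv1.2_2018        # rejects SSLv3, TLSv1.0 and TLSv1.1 viewers
        Restrictions:
          GeoRestriction:                             # geo blocking: serve only the listed countries
            RestrictionType: whitelist
            Locations: [US, CA]                       # placeholder country list
```

The stack must be created in us-east-1 because CloudFront only accepts ACM certificates and WebACLs from that region; an S3 bucket with no public policy and only the OAI statement is what makes the "Custom Origin Protection" and "S3 Origin Access Identity" controls effective.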