This document discusses edge services from Amazon Web Services (AWS) as a critical component of AWS infrastructure. It defines edge services as services like AWS CloudFront, AWS Shield, AWS WAF, and Amazon Route 53 that control access to core application resources through the edge to secure, scale, and optimize applications. The document reviews the benefits of edge services like improved performance, security, and cost optimization. It provides overviews of specific edge services like CloudFront, Shield, WAF, and Route 53 and how they can be used to start leveraging edge services.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Tom Witman, Business Development – Edge Services
August 16th, 2017
Edge Services
A Critical AWS Infrastructure Component

2. Architecture Best Practices
Overview of Edge Services
Edge Services Benefits
Use Case Review
Getting Started
Question / Answer
Edge Services
A Critical AWS Infrastructure Component

3. Architecting for The Cloud: Best Practices
• Scalability
• Disposable Resources Instead of Fixed Servers
• Automation
• Loose Coupling
• Services, Not Servers
• Databases
• Removing Single Points of Failure
• Caching
• Security
• Optimize for Cost
Download the White Paper:
https://aws.amazon.com/whitepapers/architecting-for-the-aws-cloud-best-practices/

4. What Are Edge Services?
Amazon CloudFront, Content Delivery Network (CDN) + Lambda
AWS Shield, Managed DDoS Protection
AWS WAF, Web Application Firewall
Amazon Route 53, Domain Name System
Amazon CloudFront
AWS Shield
AWS WAF
Amazon Route 53

5. Access Core Infrastructure Services Directly
Users can access application resources directly
Compute
Storage
Database
Customer
Application

6. Control Access via Edge Services
Compute
Storage
Database
Customer
Application
Users can access core application resources through the Edge to secure, scale, and optimize applications
E
d
g
e
S
e
r
v
i
c
e
s
E
d
g
e
S
e
r
v
i
c
e
s

7. Accessing Your Web Applications Directly
It Can Take Many Networks To Reach The Application
Paths to and From the Application May Differ
Each Hop Impacts Performance & Can Introduce Risk
Local ISP Network A B C D E F
Access Application!
Accessing Your Application Is Not This StraightforwardThe Result is Sub-Optimal Application Performance
Adding Edge Services Removes These Inefficiencies
CloudFront& Route 53 Gets to AWS Network Faster
Shield and WAF Mitigate Risk
Lambda@Edge Adds Intelligence and Control
Resulting in Improved Performance
Accessing Your Web Applications with Edge
AWS Network

8. Benefits of an Edge Implementation
• Edge Services Create a Tight Application Boundary
• Reduce Risk Surface Area to the Edge
• Improve Secure Access to Applications
• Reduce Latency and Increase Performance and Control
• Add Scalable Network Components
• Reduce Total Cost of Data Transfer
• Provide Visibility for Application Analytics
Edge
Edge

9. Starting with Amazon CloudFront
Global Content Delivery Network
Integrated with AWS WAF and AWS Shield
Intelligence of Lambda@Edge Compute Capability
Built In Security Features
Cost Effective Pricing Options

10. Amazon CloudFront Edge Locations
• Oregon
• Ohio
• N. Virginia
• Montreal
• Toronto
• London
• Frankfurt
• Sao Paulo
• Mumbai
• Singapore
• Seoul
• Tokyo
• Sydney
Regional Edge Locations
Global Network Infrastructure
Amazon CloudFront
AWS Shield
AWS WAF
Amazon Route 53

11. CloudFront: Built In Security Controls
SSLv3
TLSv1.0
TLSv1.1
TLSv1.2
Advanced Cipers
Certificate Manager
OCSP Stapling
Session Tickets
Perfect Forward
Secrecy
Protocol Enforcement
Half / Full Bridge
Connections
Encrypted
Connections
Custom Origin
Protection
Header and ACL
Content Protection
Signed URL /
Cookies
Content Restriction
Geo Blocking
S3 Origin Access
Identity
Access
Control
Compliance: PCI DSS Level 1, HIPAA, ISO 9001, 27001, 27017, 27018
Offload Heavy Lifting to the Edge

12. CloudFront: Performance and Scale
Network Acceleration (TCP Optimization)
Regional Edge Caching Layer
Content Ingest (PUT/POST and S3-TA)
Latency Based Routing
Granular Cache Control (origin timeouts)
Fast Propagation and Content Invalidation
Low Latency, High Throughput Connections

13. CloudFront: Cost Optimization
On Demand Pricing
Published Online
Regional Tiered Rates
Pay As You Go
Free Tier
Reserved Capacity
Reduced Pricing
Contracts Tailored to Use Case
Variable Term
Price Classes
Optimize for Cost
Regional Data Transfer
User Controlled
Turn On/Off Any Time
No Data Transfer Fees from AWS Origins to Amazon CloudFront
No Charge for Regional Edge Cache
No Charge for SSL/TLS Certs from Amazon Certificate Manager
No Charge for Shared CloudFront certificates
Low Monthly Charge for Custom Hosted Certificates, Free SNI Certs via ACM
Same Rate, Same Network for HTTP and HTTPS traffic
Simple Request Fees
Covered by Existing Customer Service Plan

14. CloudFront: Application Acceleration with Lambda@Edge
• Event Driven Code at the Edge
• Header Response Manipulation
• Authentication
• HTTP Redirects
• A/B Testing
• Smart Content Assembly
• Image Serve Optimization
• Access Control
edge location
Move Code Execution to the Edge
Create / Modify Dynamic Content

15. Poll Question #1
Are you using any WAF technology in front of your
applications today?

16. AWS WAF: Application Level Security
Block or Allow Web Requests Monitor Security Events

17. AWS WAF: Application Level Security
Match Conditions
•IP
•String
•SQLi
•Size
•Rate Based
•Reusable
Flexible Rules
• AND/OR
• Block, allow, or
count
• Ordered conditions
• Reusable
Fast Feedback
• ~1 minute for
changes
• 1-minute metrics
• Request samples
Global Implementation on CloudFront
Local Implementation at AWS Regions
AND/ORWebACL

18. Traditional
Datacenter
Operator involvement to
initiate mitigation
Re-route traffic via distant
scrubbing location
Increased time to mitigate
AWS Shield Advanced
Solves These Traditional Service Issues
AWS Shield

19. Integrated into the AWS global infrastructure
Always-on, fast mitigation without external routing
Redundant Internet connectivity in AWS data centers
AWS Shield Advanced: Managed DDoS Protection

20. AWS Shield Advanced: Managed DDoS Protection
Additional Detection & Monitoring
Protection Against Large DDoS
Attacks
Visibility into Attack Detection &
Mitigation
AWS WAF at No Additional Cost
24x7 DDoS Response Team
Cost Protection (Absorb DDoS
Scaling Cost)
AWS Shield
• In Line Protections on the Edge and
within the AWS Region
• No Architectural Changes Required

21. Amazon Route 53: Global DNS
Register and Manage Domains
Manage Hosted Zones
Serve DNS Queries
Route traffic to AWS resource with Traffic Flow
• DNS Failover
• Geo Routing
• Latency Based Routing
• Weighted Round Robin
Amazon Route 53

22. Poll Question #2
Do you think you can use Edge Services if you don’t have
“cacheable content”?

23. Use Case Review: with / without Edge Services
Case #1: Dynamic/Static Content Delivery Case #2: API Acceleration

24. Key Takeaways
Application Core Services Typically Include
• Compute, Storage and Database
Edge Service Provide an Additional Value
• CDN, Security, DNS, Distributed Server-less Compute
• Network Scale, Performance, Visibility
• Support Static and Dynamic Content
• Cost Optimization
Adding Edge Services Improve Application Performance

25. Getting Started with Edge Services
A few simple ways to get started!
• Sign Up for an AWS Account
• Route 53: Create or Transfer Hosted Zones
• CloudFront:
• Create a CloudFront Distribution (Console or API)
• Launch a CloudFront Template Snippet with CloudFormation
• AWS WAF:
• Create WebACLs
• Associate to CloudFront or Application Load Balancers
• Launch pre-configured protections from AWS Answers
• AWS Shield Advanced:
• Add to accounts that have resources you want protected

26. Question / Answer Session
Edge Services
A Critical AWS Infrastructure Component

27. Thank you!