SRV312_Taking Serverless to the Edge
1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
Taking Serverless to the Edge
Benjamin Fabre, DataDome Co-founder & CTO
George John, AWS Product Manager
Will St. Clair, AWS Sr. Solutions Architect
November 2017
SRV312
2. What is covered in this session
• Why do serverless at the edge?
• How can AWS Lambda@Edge help?
• How DataDome implemented real-time bot protection
3. Serverless means…
No servers to provision or manage
Scales with usage
Never pay for idle
Built-in availability and fault tolerance
4. … but what if you could run your Lambda functions at the Edge?
5. Amazon CloudFront Global Content Delivery Network
107 PoPs (96 Edge Locations + 11 Regional Edge Caches)
6. Amazon CloudFront + AWS Lambda = Lambda@Edge
7. Lambda@Edge
Globally distributed
No servers to provision or manage
Scales with usage
Never pay for idle
Built-in availability and fault tolerance
8. Write once, run Lambda functions globally
(Diagram: a function authored in N. Virginia is replicated to AWS locations worldwide.)
9. Lambda@Edge
(Diagram: Lambda@Edge runs at the AWS locations in front of the origin, which consists of compute, storage and database.)
10. CloudFront Events
(Diagram: Viewer Request and Viewer Response pass between the end users and the CloudFront cache; Origin Request and Origin Response pass between the cache and the origin.)
11. Lambda@Edge
• Viewer events
• Origin events (NEW)
• Content-based routing
• Network calls (NEW)
• Response generation
• Binary support
• Larger functions (up to 1536 MB)
• Larger responses (up to 1 MB)
• Larger packages (up to 50 MB)
• Longer timeouts (up to 30 secs)
(The slide marks most of these items NEW; origin events and network calls are the two the layout ties unambiguously to the marker.)
12. Taking Serverless to the Edge
13. FROM MONOLITH
Authentication and authorization
Content management and processing
Localization, internationalization, and personalization
14. FROM MONOLITH
Authentication and authorization
Content management and processing
Localization, internationalization, and personalization
Application code
15. FROM MONOLITH
Authentication and authorization
Content management and processing
Localization, internationalization, and personalization
16. TO MICROSERVICES
(Diagram: User Agents, Amazon CloudFront, Lambda@Edge Functions, HTTP Origins.)
Authentication and authorization
Content management and processing
Localization, internationalization, and personalization
17. VIEWER REQUEST EVENTS
(Diagram: the four CloudFront events between User Agents, the CloudFront cache and HTTP Origins, with Viewer Request highlighted.)
18. VIEWER REQUEST EVENTS
Executed on every request before CloudFront’s cache is checked
Modify cache key (URL, cookies, headers, query string)
Perform authentication and authorization checks
Make external network calls
Generate responses that will not be cached
NEW
19. VIEWER REQUEST: STATELESS AUTH
(Diagram: the User Agent presents user credentials to the Identity provider (IdP) and receives a JSON Web Token (JWT); the JWT is sent with requests to the CloudFront distribution www.example.com, where the JWT public key yields an access decision before the request reaches the origin application, the legacy application or the Amazon S3 bucket.)
20. VIEWER REQUEST: STATELESS AUTH
Example JWT payload (private claims for making an access decision):
{
  "iss": "https://idp.example.com",
  "client_id": "exampleclient",
  "sub": "081e018d-0594-411a-bbe8-cccd7c6058a2",
  "custom:allowed_paths": [
    "/customer/249/*",
    "/user/1360/*",
    "/videos/29492/*"
  ]
}
21. VIEWER REQUEST: STATELESS AUTH
(Diagram: on the Viewer Request Event the JWT presented by the User Agent to the CloudFront distribution www.example.com is checked against the JWT public key; if the access decision is NO, CloudFront answers with HTTP 403, 3XX, etc.; if OK, the request continues to the legacy application, S3 bucket or origin application.)
22. VIEWER REQUEST: STATEFUL AUTH
(Diagram: on the Viewer Request Event the function makes an HTTP request to an Entitlement service ($) for the access decision; NO yields a paywall message, 403, redirect, etc., while OK forwards the request to the HTTP Origins.)
23. ORIGIN REQUEST EVENTS
(Diagram: the four CloudFront events between User Agents, the CloudFront cache and HTTP Origins, with Origin Request highlighted.)
24. ORIGIN REQUEST EVENTS
Executed on cache miss, before a request is forwarded to the origin
Make one or more external network calls
Dynamically select an origin based on request headers
Implement pretty URLs by rewriting the origin URL
Generate responses that can be cached
25. ORIGIN REQUEST: BODY GENERATION
<h1>{ page.title }</h1>
{{ for section in page.sections }}
<h2>{ section.title }</h2>
<p>{ section.body }</p>
{{ endfor }}
"page": {
"title": "Hello",
"sections": [ {
"title": "Introduction",
"body": "The quick..."
}, { ... } ]
26. ORIGIN REQUEST: BODY GENERATION
(Diagram: User Agent, CloudFront distribution www.example.com, Cache Behavior /blog; the Origin Request Event makes external network calls to the S3 Bucket blog-templates.s3.amazonaws.com and the Amazon DynamoDB table blog-posts, and the rendered template becomes the cached response.)
27. ORIGIN REQUEST: BODY GENERATION CODE
'use strict';
const AWS = require('aws-sdk');
const Mustache = require('mustache');
const templateBucket = 'blog-templates-123456789012';
const postTable = 'blog-posts';
// The function runs in many locations, so the region of the backing
// services is pinned rather than taken from the execution environment.
const s3 = new AWS.S3({region: 'us-east-1'});
const documentClient = new AWS.DynamoDB.DocumentClient({
  region: 'us-east-1'});
exports.handler = (event, context, callback) => {
  const request = event.Records[0].cf.request;
  // A generated response carries its own caching headers, so CloudFront
  // stores it like any origin response (slide 24: responses can be cached).
  const response = {
    status: '200',
    statusDescription: 'OK',
    headers: {
      'cache-control': [{
        key: 'Cache-Control',
        value: 'max-age=2628000, public'
      }],
      'content-type': [{
        key: 'Content-Type',
        value: 'text/html; charset=utf-8'
      }]}};
  // The post slug is the request path without its leading '/'.
  const ddbParams = {
    TableName: postTable,
    Key: { slug: request.uri.slice(1) }};
  documentClient.get(ddbParams, function(err, resp) {
    if (err) {
      callback(err, null);
      return;
    }
    // Unknown slug: DynamoDB returns no Item, so answer 404 instead of
    // failing on an undefined property.
    if (!resp.Item) {
      callback(null, { status: '404', statusDescription: 'Not Found' });
      return;
    }
    const template = resp.Item.template;
    const data = resp.Item.data;
    const s3Params = {
      Bucket: templateBucket,
      Key: template };
    s3.getObject(s3Params, function(err, s3resp) {
      if (err) {
        callback(err, null);
        return;
      }
      const body = s3resp.Body.toString('utf-8');
      response.body = Mustache.render(body, data);
      callback(null, response);
    });
  });
};
28. FULL BODY GENERATION DEMO
29. PRETTY URLS FOR USER/API EXPERIENCE
https://tiles.example.com/zoom/x/y.jpg
S3 Bucket: tiles-v1.s3.amazonaws.com
Legacy Service: old-tile-service.example.net
Elastic Load Balancer: tile-service-123456.us-east-1.amazonaws.com
30. ORIGIN REQUEST: PRETTY URLS
https://tiles.example.com/zoom/x/y.jpg
https://tiles-origin.s3.amazonaws.com/f5fdc6f658a49284b.jpg
Origin Request Event
originPath = sha256(requestPath)
CloudFront cache
Cache key: tiles.example.com/zoom/x/y.jpg
Cached response
31. ORIGIN REQUEST: IMAGE PROCESSING
(Diagram: User Agent, CloudFront distribution www.example.com, Origin Request Event; a GET against the S3 Bucket image-thumbnails.s3.amazonaws.com returns 404, a PUT to Amazon API Gateway invokes the Image Thumbnail Function, which GETs the source from the S3 Bucket image-originals.s3.amazonaws.com.)
32. TRANSPARENT GLOBAL EXPANSION
(Diagram: https://saas.example.com; Region A customers are served by the Region A deployment, Region B customers by the Region B deployment.)
33. TRANSPARENT GLOBAL EXPANSION
34. ORIGIN REQUEST: ORIGIN SELECTION
User database:
id  user  home-region
1   alex  na
2   bob   eu
3   joe   ap
4   jane  eu
User Agent: POST /login with user=jane&pass=***
Application: 200 OK with Set-Cookie: home-region=eu
35. ORIGIN REQUEST: ORIGIN SELECTION
(Diagram: User Agent, CloudFront distribution www.example.com with two cache behaviors. /login goes to the North America origin and its User DB; /app fires the Origin Request Event, which checks home-region=eu ? and selects the North America origin, Europe origin or APAC origin, each with its own app DB.)
36. ORIGIN REQUEST: ROUTE ON USER AGENT
User Agents: Desktop, Mobile, Bots and crawlers
(Diagram: CloudFront distribution www.example.com; the Origin Request Event routes to the Mobile optimized app, the Client-rendered app or the Server-rendered app.)
Signals: Cloudfront-Is-Mobile-Viewer? Cloudfront-Is-Desktop-Viewer? Cloudfront-Is-Tablet-Viewer? User-Agent?
37. ORIGIN REQUEST: GENERATE REDIRECT
(Diagram: User Agent, CloudFront distribution www.example.com; the Origin Request Event answers with an HTTP redirect to www.example.com/de.)
Signals: Cloudfront-Viewer-Country? Accept-Language?
38. ORIGIN REQUEST: CUSTOM ROUTING CODE
'use strict';
const originDomainNames = {
  'origin_1': 'origin.us-east-1.example.com',
  'origin_2': 'origin.eu-west-1.example.com'
};
const defaultOrigin = 'origin_1';

/* Reads one cookie value out of CloudFront's header array (null if absent). */
function getCookie(headers, name) {
  for (const h of (headers.cookie || [])) {
    for (const pair of h.value.split(';')) {
      const idx = pair.indexOf('=');
      if (idx > 0 && pair.slice(0, idx).trim() === name) return pair.slice(idx + 1).trim();
    }
  }
  return null;
}

function chooseOrigin(headers) {
  /* Parse cookies, inspect headers, etc. The slide left the conditions as
     placeholders; here the home-region cookie set at login (slide 34) decides.
     The cookie is client-controlled, so it only selects which deployment
     serves the request and is never an authorization decision. */
  const homeRegion = getCookie(headers, 'home-region');
  if (homeRegion === 'na') {
    return 'origin_1';
  } else if (homeRegion === 'eu') {
    return 'origin_2';
  } else {
    return defaultOrigin;
  }
}

exports.handler = (event, context, callback) => {
  const request = event.Records[0].cf.request;
  const headers = request.headers;
  const selectedOrigin = chooseOrigin(headers);
  /* Modify the request's `origin` object. */
  request.origin = {
    custom: {
      domainName: originDomainNames[selectedOrigin],
      keepAliveTimeout: 60,
      path: '/',
      port: 443,
      protocol: 'https',
      readTimeout: 5,
      /* As on the slide; list TLSv1.2 instead where the origin supports it. */
      sslProtocols: ['TLSv1', 'TLSv1.1']
    }
  };
  callback(null, request);
};
39. ORIGIN REQUEST DEMO
40. ORIGIN RESPONSE EVENTS
(Diagram: the four CloudFront events between User Agents, the CloudFront cache and HTTP Origins, with Origin Response highlighted.)
41. ORIGIN RESPONSE EVENTS
Executed on cache miss, after a response is received from the origin
Make external network calls
Modify the response headers prior to caching
42. ORIGIN RESPONSE: INJECT HEADERS
Content-Type
Cache-Control
HTTP Strict Transport Security (HSTS)
Content-Security-Policy
and more!
'use strict';
exports.handler = (event, context, callback) => {
  const response = event.Records[0].cf.response;
  const headers = response.headers;
  // CloudFront keys the header map by lowercase name; 'key' keeps the
  // casing that is sent to the viewer. Headers added here are cached
  // with the response (slide 41).
  const headerName = 'Strict-Transport-Security';
  const headerValue = 'max-age=31536000; includeSubDomains';
  headers[headerName.toLowerCase()] = [{
    key: headerName,
    value: headerValue
  }];
  callback(null, response);
};
43. VIEWER RESPONSE EVENTS
(Diagram: the four CloudFront events between User Agents, the CloudFront cache and HTTP Origins, with Viewer Response highlighted.)
44. VIEWER RESPONSE EVENTS
Executed on all requests, after a response is received from the origin or cache
Modify the response headers without caching the result
Make external network calls (NEW)
45. VIEWER RESPONSE: SET USER COOKIES
(Diagram: User Agent, CloudFront distribution www.example.com; on a cache miss the CloudFront cache fetches from the origin; the viewer response event runs on the way back.)
const uuidv4 = require('uuid/v4');
const sid = uuidv4();
// Header entries use lowercase key/value; the set-cookie array may be absent.
headers['set-cookie'] = headers['set-cookie'] || [];
headers['set-cookie'].push({
  key: 'Set-Cookie',
  value: 'sessionid=' + sid });
46. Real time bot protection taken to the edge
47. Benjamin Fabre, DataDome co-founder & CTO
b@datadome.co
benjaminfabre
@bfabre
datadome.co
48. Intelligent Data Protection
49. Intelligent bot mitigation
Protection, Analysis, Re-action
50. What to expect from this session
1. The challenge of real time bot protection
2. Protect the Origin
3. Protect the Edge
51. Bots?
52. Bots account for 50% of global web traffic
53. Advanced crawling technologies (2017)
54. Bots are massively distributed
55. The challenge of advanced bot protection
Detection & Re-action in <2ms
56. Agenda
1. The challenge of real time bot protection
2. Protect the Origin
3. Protect the Edge
57. Functional logic
58. IaaS Integration
(Diagram: browser / end client, customer webserver, customer application, DataDome API; numbered steps 1 to 4.)
59. Real time detection challenges
Scalability
Latency
60. 3 detection stages
RealTime detection: sync, mseconds, limit I/O
Stream detection: async, seconds, fast streaming engine
Behaviour detection: async, minutes, scalable storage
61. Architecture
(Diagram labels, grouped by tier:)
Regional PoP, realtime detection (< 2ms): Load Balancer, AWS Elastic Beanstalk Multi Docker Container API Server instances running the DataDome Modules, Amazon ElastiCache Redis, async jobs
Global, streaming detection (~ seconds): Apache Kafka, Apache Flink
Global, behaviour detection (~ minutes): Elasticsearch cluster, behaviour algorithms
62. Achievements
Run real time detection under 2ms per hit
Shared detection across multiple AWS Regions
More than 15 billion hits protected per month
63. Agenda
1. The challenge of real time bot protection
2. Protect the Origin
3. Protect the Edge
64. Why Lambda@Edge?
65. Amazon CloudFront
66. (Diagram: + =)
67. Lambda@Edge integration
(Diagram: browser / end client, Amazon CloudFront, AWS Lambda on the Viewer Request, DataDome API, customer application; numbered steps 1 to 4.)
68. 11 DataDome Regional API PoPs
api-eu-france-1.datadome.co
api-eu-west-1.datadome.co
api-eu-central-1.datadome.co
api-us-east-1.datadome.co
api-us-west-1.datadome.co
api-ap-south-1.datadome.co
api-ap-southeast-1.datadome.co
api-ap-southeast-2.datadome.co
api-ap-northeast-1.datadome.co
api-ap-northeast-2.datadome.co
api-sa-east-1.datadome.co
Datadome API server
69. A single endpoint thanks to Amazon Route 53
api-lambda.datadome.co resolves to the closest DataDome Regional API
70. Legitimate human request
(Diagram: the browser / end client's Viewer Request is checked against the DataDome API, which answers 200; the request proceeds as Origin Request to the HTTP Origins, and the Origin Response returns through the CloudFront cache as the Viewer Response.)
71. Illegitimate bot request
(Diagram: the BOT's Viewer Request is checked against the DataDome API, which answers 403; the Viewer Response is generated at the edge without reaching the CloudFront cache or the HTTP Origins.)
72. Some code for Lambda@Edge
73. Hook the request event
/******************************/
/* Requirements and main app. */
/******************************/
const http = require('http');
const querystring = require('querystring');
const process = require('process');
const util = require('util');
exports.handler = (event, context, callback) => {
  /********************/
  /* DataDome process */
  /********************/
  recordLog('debug', 'Initial request: ', event.Records[0].cf.request);
  const request = event.Records[0].cf.request;
74. Collect request information
  // Builds request data
  var requestData = {
    "Key" : DATADOME_LICENSE_KEY,
    "ServerName" : context.invokedFunctionArn,
    "IP" : request.clientIp,
    "TimeRequest" : getCurrentMicroTime(),
    "Protocol" : getRequestProtocol(request),
    "Method" : request.method,
    "ServerHostname" : getHeader(request.headers, 'host'),
    "Request" : request.uri,
    "HeadersList" : getHeadersList(request.headers),
    "Host" : getHeader(request.headers, 'host'),
    "UserAgent" : getHeader(request.headers, 'user-agent'),
    "Referer" : getHeader(request.headers, 'referer'),
    "Accept" : getHeader(request.headers, 'accept'),
    "AcceptEncoding" : getHeader(request.headers, 'accept-encoding'),
    "AcceptLanguage" : getHeader(request.headers, 'accept-language'),
75. Query DataDome API servers
/*********************/
/* DataDome const */
/*********************/
const datadomeHost = 'api-lambda.datadome.co';
const datadomePath = '/validate-request/';
/////////////////////////////////////
// Prepares request to DataDome API
let req = http.request({
  host : datadomeHost,
  path : datadomePath,
  method : 'POST',
  agent : agent
}, function (datadomeResponse) {
76. Handle the response
  switch (datadomeResponse.statusCode) {
    case 200:
      callback(null, redirect200Response);
      return;
    case 403:
      var bodyData = '';
      datadomeResponse.on('data', function (chunk) {bodyData += chunk;});
      datadomeResponse.on('end', function()
      {
        // Builds response to send
        let response = {
          status : '403',
          statusDescription : 'HTTP Forbidden',
          body : bodyData
        };
        callback(null, response);
      });
77. Lambda function sum-up
Extract information from incoming request
Prepare and send the fingerprint to the closest DataDome API Servers
Depending on the response:
• allow
• block
• redirect the request
78. What’s next with Lambda
Viewer Request:
• Specific captcha based on browser detection
• Different caching policy based on the Bot Status
Origin Request:
• Specific endpoint origin for Good Bot
Viewer Response:
• Generate fake content for scrapers
79. Intelligent Data Protection all over the world
80. Thank you for your feedback
Let’s connect
b@datadome.co
benjaminfabre
@bfabre
datadome.co
81. THANK YOU!
Other Lambda@Edge sessions:
CTD403 - Supercharge Your Websites with the Power of Lambda@Edge
CTD309 - Building Serverless Websites with Lambda@Edge