CTD201_Introduction to Amazon CloudFront and AWS Lambda@Edge

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
C D T 2 0 1
Introduction to Amazon CloudFront and
AWS Lambda@Edge
T o m W i t m a n , A W S B u s i n e s s D e v e l o p m e n t
N i s h i t S a w h n e y , A W S P r o d u c t M a n a g e m e n t
N o v e m b e r 2 8 , 2 0 1 7

Amazon CloudFront
Global content delivery network (CDN)
Application acceleration and optimization
Distributed scalable integrated security controls
Optimized for all delivery use cases with intelligent caching
On-demand, full user control, cost effective
Essential
cloud
infrastructure
component

What’s at the Edge?
CloudFront Caching Servers
Amazon Route 53 AWS WAF AWS Shield Lambda@Edge
Global DNS Firewall Anti-DDoS Serverless compute
Content Delivery Ingest and Proxy

Accessing Your Web Applications Directly
It Can Take Many Networks To Reach The Application
Paths To and From the Application May Differ
Each Hop Impacts Performance & Can Introduce Risk
Local ISP Network A B C D E F
Access Application!
Accessing Your Application Is Not This StraightforwardThe Result is Sub-Optimal Application Performance
Adding Edge Services Removes These Inefficiencies
CloudFront & Route 53 Get to AWS Network Faster
AWS Shield and AWS WAF Mitigate Risk
Lambda@Edge Adds Intelligence and Control
Resulting in Improved Performance
Accessing Your Web Applications with Edge
AWS Network

How CloudFront Works
user
request
origin
CloudFront
Get
Get
Ok
Ok
GetGet
user
request
Amazon S3Amazon EC2
Custom
Server

CloudFront Components: Distributions
distribution
Unique CloudFront.net Domain Name to Reference Objects
example: abc123.cloudfront.net
Specifies Origin(s) of Original Content Versions
example: orign.example.com
Types Provide for HTTP/HTTPS
example: https://cdn.example.com
HINT: CNAME the
CloudFront.net domain
with Amazon Route 53 to
personalize the
distribution

Customer Location
www.example.com
Path pattern matching
Examples: /*.jpg; /*.php etc.
GET http://example.com/images/1.jpg to ORIGIN A
GET http://example.com/index.php to ORIGIN B
GET http://example.com/web/home.css to ORIGIN C
GET http://example.com/* (DEFAULT) to ORIGIN D
Origin A:
origin.example.com
Origin B:
origin2.example.com
Origin C:
origin3.example.com
Origin D:
origin4.example.com
Path pattern matching
/*.php
/images/*.jpg
/web/*.css
/*.* (DEFAULT)
CloudFront Origin Selection

HEAD
Identical to GET except that the
server MUST NOT return a message-
body in the response. Used for
obtaining meta-information about
the entity implied by the request
without transferring the entity-body
itself
POST
Used to request the origin server
to accept the entity enclosed in
the request as a new
subordinate of the resource
identified by the Request-URI in
the Request-Line.
PUT
The fundamental difference
between the POST and PUT
requests is reflected in the
different meaning of the
Request-URI.
PATCH
Used to apply partial
modifications to a resource
DELETE
Requests that the origin
server delete the resource
identified by the Request-URI
OPTIONS
Request for information
about the communication
options available on the
request/response chain
identified by the Request-URI
GET
Requests for content
from the cache HTTP,
HTTPS and RTMP
CloudFront Supported HTTP Methods

Four Major Use Cases
Accelerate websites
Customize user
experience
Stream live and
on-demand media
Secure content
Customer use
cases

Use Case 1: Accelerate Websites

Typical Architecture
Static Content
Dynamic Content
An Example
WordPress Site

Optimizing Static Content: Edge Caching
• Set High TTLs for intermediary caches
(e.g. Cache-Control: max-age=3600, s-maxage=86400)
• Don’t forward Headers, Query Strings or Cookies
Note: You do need to forward the relevant headers if you’re doing CORS
• In other words, use CloudFront defaults

Caching Personalized Content
Configure CloudFront to forward request
headers to your origin
CloudFront HTTP Headers Examples
1) Vary response based on user agent Example: desktop,
mobile, tablet
2) Vary response based on language Example: user would prefer
Danish but will accept British English and other types of English
(Accept-Language: da, en-gb;q=0.8, en;q=0.7 )
3) Vary response based on protocol
Example: CloudFront-Forward-Proto detected and customer sent
different content based on connection type
Mobile User
(CloudFront-Is-
Mobile-Viewer)
Desktop User
(CloudFront-Is-
Desktop-Viewer)
1
1
2
3
ONLY forward required headers
•Example: don’t forward cookies for /images

But, what about Dynamic Content?

Edge Caching with Low TTLs
Content with query strings
/factor/create_image?name=book1&size=10x10
• CloudFront can cache content with query strings
• Every unique query-string combination is a unique object in cache
API Calls
/api/getdomain?categeory=business&lang=eng
• Imagine you have an API that gets 1000 RPS
• Offload your web tier from handling 1000 RPS
• Set low TTLs

Dynamic Content: Benefits with CloudFront
• Keep-alive connections to reduce RTT
• SSL/TLS optimizations

TCP/IP Hand Shake
• HTTP Runs on TCP/IP
• TCP has the concept of TCP handshake
• Every HTTP Connection has to complete TCP Handshake

Two Users without an Edge Proxy
SYN
SYN-ACK
ACK
GET /index.jsp
ACK
SYN-ACK
GET /index.jsp
2nd User
Region
SYN
100ms
400ms
400ms
1st User
Region

With CloudFront as an Edge Proxy
SYN
SYN-ACK
ACK
GET /index.jsp
ACK
-ACK
GET /index.jsp
Region
SYN
20ms
SYN
SYN-ACK
ACK
GET /index.jsp
GET /index.jsp
80ms
2nd User
400ms
220ms
1st User
Amazon
CloudFront
Region

SSL/TLS Optimizations
• CloudFront supports SSL/TLS traffic—half bridge and full bridge connections
• Termination at the edge, closer to the end users
• Takes advantage of keep-alive connections
• SSL introduces additional TCP handshake packets
• Keep-alive eliminates additional SSL TCP handshake packets
• Performance & security enhancements
• SSL Session Tickets
• OCSP Stapling
• Perfect Forward Secrecy

Case Study—API Acceleration
Slack Web API
• POSTs and GETs to HTTPS endpoint
• Responses come back as JSON objects
• Accelerated globally using Amazon CloudFront

Case Study—API Acceleration

Use Case 2: Customize User Experience

Lambda@Edge
• AWS Lambda allows you to run code without thinking about servers
• Lambda@Edge is an extension of AWS Lambda that allows you trigger code
from CloudFront and run Node.js code closer to your end-user
• Bring your own code to the Edge and customize your content
Improve viewer latency
Simplify your origin infrastructure
Continuous
scaling
No servers
to manage
Never pay for idle
—no cold servers
Globally
distributed

CloudFront Triggers for Lambda@Edge
CloudFront
cache
End user
Viewer request
Origin request
Origin responseViewer response

'use strict';
exports.handler = (event, context, callback) => {
/*
* Generate HTTP redirect response with 302 status code and Location header.
*/ const response = {
status: '302',
statusDescription: 'Found',
headers: {
location: [{
key: 'Location',
value: 'http://docs.aws.amazon.com/lambda/latest/dg/lambda-edge.html',
}],
},
};
callback(null, response);
};
Lambda@Edge Function Structure

Lambda@Edge Use Cases and Blueprints
• Content customization
• Based on user attributes, device properties
• Visitor session validation
• User-agent validation—add an Access-Control-
Allow-Header
• Validate access token to confirm authentication
• URL customization
• Re-write URLs, pretty URLs
• A/B testing and cookie-based sticky sessions
• “Flip a coin” to select a version of content
displayed to each user
• Security
• Security header insertions (HSTS, X-Content-
Type-Options, etc.)
• Bot handling

New Lambda@Edge Capabilities
1. Content-Based Dynamic Origin Selection
• Intelligently route requests to different origins headers, query strings, etc.
• Use cases include data locality, geo-proximity and more
Example Code: Using an
Origin-Request Trigger
to Change the Amazon
S3 Origin Region

New Lambda@Edge Capabilities
2. Network Calls on Viewer-Facing
Events
• Enables authentication at the edge
3. Advanced Content Aggregation with
Binary Support and higher Function
Limits
• Dynamic content aggregation and generation
at the edge
• Image manipulation on the fly
• Higher function limits enable compute
intensive logic
Example:
Serving Static Website Content as Gzip Compressed Content

Use Case 3: Live and
Video-on-Demand Streaming

• VOD content
• HLS, Smooth Streaming, DASH
• Downloads
• Live and VOD content
• Common Adaptive HTTP formats
• Examples:
• AWS Elemental Delta
• Wowza Streaming Engine
• Universal Streaming Platform
• Adobe Media Server
Media Origins for CloudFront
Amazon S3 Custom Origins

Content Types
Static assets
*.css, *.js, images, software
downloads
Cache-Control:
public;
max-age=31536000
Login landing pages
index.html
Cache-Control:
no-cache=Set-Cookie;
max-age=30
Live streaming manifests
/*.m3u8
Cache-Control:
public;
max-age=2
Media fragments
/*.ts
Cache-Control:
public;
max-age=31536000
Dynamic content
Cache-Control:
no-cache;
max-age=0;
No-store;
private
User agents
Edge
cache

Protecting Content: Viewer Access
Viewers CloudFront
Application
S3 bucket
User’s application credentials
Signed cookie or URLs
GET/movie.mp4
Cached response
✓

Event Management for Amazon CloudFront
• Marketing, Live Events, Product Launch, Episodic Premiers
• Included with Enterprise Support
• Fee for Service with Business Support
• Start the Process 3-4 week in advance of event date

Customer Example: Hulu
• Live and On-Demand TV Service with DVR Capabilities
• Over 600 Streams
• Adaptive Bit Rate Streaming via HLS and DASH Live
• Delivery via Amazon CloudFront

Use Case 4: Secure Content

CloudFront: Built-In Security Controls
Advanced Ciphers
Certificate Manager
OCSP Stapling
Session Tickets
Perfect Forward
Secrecy
Protocol Enforcement
Half / Full Bridge
Connections
TLSv1.0, 1.1, 1.2
Field-Level Encryption
Encrypted
Connections
Custom Origin
Protection
Header and ACL
Content Protection
Signed URL /
Cookies
Content Restriction
Geo Blocking
S3 Origin Access
Identity
Access
Control
Compliance: PCI DSS Level 1, HIPAA, ISO 9001, 27001, 27017, 27018, SOC1, SOC2
Offload heavy lifting to the Edge

Amazon CloudFront Field-Level Encryption
Secure and control the access of sensitive customer
data while accelerating your application
 Sensitive data encrypted with public RSA key
 Reduces attack surface for your sensitive data
 Eliminates risk with accidental (or incidental) data
leakage
CloudFront
Origin
CC=1234
Date=1/1/17
CC=1234 -> CC=XXXX
Date=11/27/17 CC=1234
Payments
Encrypt at Edge
Decrypt at
Payments
HTML Form
POST
Launching
December
2017

Amazon CloudFront Field-Level Encryption
Without Field-Level Encryption
POST/HTTP(S)
Host: foo.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Name=Bob&Phone=1235551212
Field-Level Encryption Converts This To:
POST/HTTP(S)
Host: foo.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Name=Bob&Phone=<encrypted>ejYx52fxx2jjnwetvxx</encrypted>

Additional Security Integrations
AWS WAF
AWS Shield Advanced
AWS Certificate Manager
AWS Config
AWS CloudWatch
AWS WAF
• Layer 7 Packet Filtering Firewall
• Fast Rule Propagation
• API Driven Controls
• Globally Deployed at Edge Locations
• Partner Managed Rules
• Robust Feature Support

AWS WAF
AWS Shield Advanced
AWS Config
AWS CloudWatch
AWS Shield Advanced
• Layer 3 and 4 Network Protections
• Dedicated DDoS Response Team
• Real Time Attack Notifications
• Inclusive of AWS WAF service
• Cost Effective Risk Mitigation
• Economic Protections

AWS WAF
AWS Shield Advanced
AWS Config
AWS CloudWatch
• Free Certificates for CloudFront
• Easy One-Click Enablement
• Global SSL/TLS Support
• Managed Cert Renewal
• Central Key Management

AWS WAF
AWS Shield Advanced
AWS Config
AWS CloudWatch
AWS Config
• Trigger Lambda Upon Changes
• Maintain Compliant Operations
• Ensure Changes Are Consistent

AWS WAF
AWS Shield Advanced
AWS Config
AWS CloudWatch
AWS CloudWatch
• Includes Several Metrics for
Performance
• Request Count
• Bytes Uploaded / Downloaded
• Total Error Rate
• 4xx Error Rate
• 5xx Error Rate
• Graph and Export Metrics

Amazon CloudFront Pricing
On Demand Pricing
Published Online
Regional Tiered Rates
Pay As You Go
Free Tier
Reserved Capacity
Reduced Pricing
Contracts Tailored to Use Case
Variable Term
Price Classes
Optimize for Cost
Regional Data Transfer
User Controlled
Turn On/Off Any Time
No Data Transfer Fees from AWS Origins to Amazon CloudFront
No Charge for Regional Edge Cache
No Charge for SSL/TLS Certs from Amazon Certificate Manager
No Charge for Shared CloudFront Certificates
Low Monthly Charge for Custom Hosted Certificates, Free SNI Certs via ACM
Same Rate, Same Network for HTTP and HTTPS traffic
Simple Request Fees
Covered by Existing Customer Service Plan

Benefits of an Edge Implementation
• Edge services create a tight application boundary
• Reduce risk surface area to the Edge
• Improve secure access to applications
• Reduce latency and increase performance and control
• Add scalable network components
• Reduce total cost of data transfer
• Provide visibility for application analytics

Getting Started
• CloudFront:
• Create a CloudFront Distribution (Console or API)
• Launch a CloudFront Template Snippet with CloudFormation
• AWS WAF:
• Create WebACLs
• Associate to CloudFront or Application Load Balancers
• Launch pre-configured protections from AWS Answers
• AWS Shield Advanced:
• Add to accounts that have resources you want protected
• Route 53:
• Create or Transfer Hosted Zones

Related Sessions Today: November 28th
11:30 a.m.-12:30 p.m.
CTD303—Case Study: POOQ, Korea's largest OTT provider broadcasts more than sixty five, 24/7 LIVE
channels, all using AWS Services
1:00-2:00 p.m.
CTD301—Amazon CloudFront Flash Talks: Best Practices on Configuring, Securing, Customizing, and
Monitoring Your Distribution
2:30-3:30 p.m.
CTD413—Securing Your Amazon CloudFront Distributions
3:15-4:15 p.m.
CTD307—Case Study: How Mobile Device Service Company Asurion Architected Its Application on AWS
Edge Locations for Speed and Security

Related Sessions Today: November 28th
3:15-4:15 p.m.
CTD403—Supercharge Your Websites with the Power of Lambda@Edge
4:45-5:45 p.m.
CTD412—Your Customers Don’t Wait for Errors and Rebuffering - Best Practices for Video Delivery
with Amazon CloudFront
5:30-6:30 p.m.
CTD202—Learn How AWS is Enabling the World’s Most Advanced Media Workflows
Completed Session Today Available via Recording
8:30-9:30 a.m.
CTD302—Case Study: How Hulu reinvented television using the AWS Cloud

Thank you!

CTD201_Introduction to Amazon CloudFront and AWS Lambda@Edge

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a CTD201_Introduction to Amazon CloudFront and AWS Lambda@Edge

Similar a CTD201_Introduction to Amazon CloudFront and AWS Lambda@Edge (20)

Más de Amazon Web Services

Más de Amazon Web Services (20)

CTD201_Introduction to Amazon CloudFront and AWS Lambda@Edge