CTD307_Case Study How Mobile Device Service Company Asurion Architected Its Application on AWS Edge for Speed and Security

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
C a s e S t u d y : H o w M o b i l e D e v i c e S e r v i c e C o m p a n y
A s u r i o n A r c h i t e c t e d I t s A p p l i c a t i o n o n A W S E d g e
f o r S p e e d a n d S e c u r i t y
J a b e z A b r a h a m , C l o u d S e c u r i t y A r c h i t e c t , A s u r i o n
N o v e m b e r 2 8 , 2 0 1 7

For over 20 years, Asurion has helped people across the globe balance the
interdependency between life and technology. Today, as the industry-defining leader
of technology solutions, we ensure 300 million consumers’ devices and appliances
stay online and on the job in this fast moving, tech-driven world.
Asurion ensures technology and people are
harmonious. And your life is in balance.
We do so across the digitally connected
globe, by speaking six languages, and by
working across any device, platform or
provider.
We do this in 50 offices around the world, with
our global headquarters in Nashville, TN, our
Asia Pacific HQ in Singapore, and our European
HQ in London.

Device Protection
Coverage for loss, theft,
damage, and out of warranty
malfunction, for single or
multiple devices
Premier Tech Help
Soluto offers 100% access to
a tech expert, to solve any
technology issue across OS
systems and platforms.
Electronics Protection
Coverage for computers,
laptops, tablets, gaming
consoles, entertainment
system, televisions and home
phones of any age, brand or
size
What we do
We are the trusted partner to some of the biggest
retailers, manufacturers and service providers in the world
Together we offer best in class:

Agenda
1.Layered Methodology
2.All in AWS Edge
3.Demo
4.Implementation Patterns
5.Dos and Don’ts

Setting the Stage

Network Layer
Amazon CloudFront, Amazon Route 53, Elastic Load Balancing, Amazon Virtual Private
Cloud (Amazon VPC), AWS Direct Connect or VPN, ingress and egress, Routing
Layered Methodology
Content
Network
SecurityContent Layer
Origin Mapping, A/B, Blue/Green, Dynamic Queries, Caching,
Streaming
Security Layer
DDoS, WAF, Origin Access Identity, TLS, Custom Certs, Regulatory Requirements

Hybrid Dependencies
L a y e r e d
M e t h o d o l o g y
Content
Network
Security
Network Layer
Hardcoded IPs for On-Premises dependencies
A/B routing for same Origin
Blue/Green routing for Canary
deployments
Internal vs. External facing Applications

Site Maintenance with Lambda@edge
Content
Network
Security
Content Layer
Origin Mapping
Forward Dynamic Queries
Referrer header for WordPress
Cache invalidation
Costing for CloudFront traffic
L a y e r e d

Custom Header for securing approved traffic
Content
Network
Security
Security Layer
CloudFront Security Group
Custom Auth. with IP whitelisting
All sensitive information encrypted using KMS and stored in
config
Custom Certs
Dedicated IPs/SNI
L a y e r e d

Regulatory Considerations
Retaining Logs
Geo Location lockdown
Reduce compliance scope
Disable Caching on sensitive forms
Encryption Standards
SOC2 Compliance report

All in AWS Edge | Core Focus
1. Content Delivery
2. Endpoint Protection
3. Serverless Architectures
4. Cost Effective

All in AWS Edge
1.Pre-migration strategy
2.Deep Dive Analysis
3.Roles and Responsibilities
4.External Requirements
5.Operational Uplift
6.Training
7.Migration
8.Post Migration

Pre-Migration strategy
1.Time to Market
2.Security considerations
3.Sites already deployed in AWS
4.On-Premises dependencies
5.Cost
A l l i n A W S E d g e

Deep Dive Analysis
1.Architecture reviews
2.Caching requirements
3.Origin requirements
4.Development team impact
5.Support impact
6.A/B and Blue/Green requirements
7.Origin cloaking

Roles and Responsibilities
1.DDoS vs. WAF
2.Who manages what
3.Active mitigation
4.Service Governance
5.DRT team
6.Cadence calls

External Requirements
1.Business priorities
2.License impact for renewals
3.Internal vetting of our processes
Operational Uplift
1.Security Operations monitoring
2.New WAF rules
3.Monitoring and mitigating threats

Training
1.Internal team Dynamics
2.DevOps impact on deployments
3.Functional and performance testing
4.Center of Excellence
5.Architecture impact on teams

Migration
1.Running in parallel
2.RFC and Switch over
3.Domain name and Custom certs
4.Migration Strategies
Post Migration
1.Incident Post-Mortems
2.Ongoing monitoring
3.Updates and iterative enhancements

Web Architecture Implementation
corporatedatacenter
Users
Multi-Path Routing
- rules engine
- hosted site
weighted TXT
record sets
A/B Routing
Blue/Green Routing

Multi-Path Routing Use Case
o R e v e r s e P r o x y u s i n g L a m b d a @ e d g e
o R o u t i n g b e t w e e n A W S a n d O n -
P r e m i s e s
o A b s t r a c t r u l e s i n t o a n i s o l a t e d S 3

'use strict';
function getSiteVal (params){
return new Promise (function (resolve, reject) {
const http = require('http');
var options = {
host: 'd6e71f08bk8tj.cloudfront.net',
port: 80,
path: ’/siteinfo.json',
method: 'GET'
};
var req = http.request(options,function(res){
res.on('data', chunk => {
console.log(`site information "${chunk}"`);
resolve(chunk);
});
});
req.on('error', function(e) {
console.log('problem with request: ' + e.message);
});
req.end();
});
}
exports.handler = (event, context, callback) => {
const request = event.Records[0].cf.request;
getSiteVal().then(function (data) {
var value = JSON.parse(data);
console.log('Value of passed data ' + JSON.stringify(value));
console.log('Value of request uri ' + request.uri);
CODE SNIPPET | Multi-Path Routing
if(value.hasOwnProperty(request.uri)) {
var picked = value[request.uri];
console.log ('Value of picked ' + picked);
if (picked[0] === 1) {
request.uri = picked[1];
console.log('Value of internal loop ' + request.uri);
callback(null, request);
return;
} else if (picked[0] === 2); {
const response = {
status: '302',
statusDescription: 'Found',
headers: {
location: [{
key: 'Location',
value: picked[1],
}],
},
};
console.log('Value of external loop ' + JSON.stringify(response));
callback(null, response);
return;
}
} else {
request.uri = value["/other"][1];
console.log('Value of other loop ' + request.uri);
}
});
};

CloudWatch logs
M u l t i - P a t h R o u t i n g
{
"/":[1,"/index.html"],
"/hpath":[1,"/cloud.html"],
"/mpath":[2,"https://s3.amazonaws.com/logix.d2/maint.html"]
"/epath":[2,"https://logix.link"],
"/other":[1,"/404error.html"],
"/old.html":[1,"/old/old.html"],
}
siteinfo.json

Path Pattern redirection
'use strict';
request.uri = request.uri.replace(/^/alb//g, '/');;
console.log(`Request uri set to "${request.uri}"`);
};
CloudWatch logs

A/B Use Case
o A b s t r a c t % a n d a p p p a t h a t t h e o r i g i n
o R o u t e 5 3 T X T r e c o r d s e t
o M u l t i p l e v e r s i o n d e p l o y e d t o t h e s a m e
o r i g i n

'use strict';
function getRoute53val (params){
var dnstxt = require('dns');
dnstxt.resolveTxt("ab.logix.link",function(err,res) {
if (err) { console.log('There was an error reading the record', err);
return; }
console.log('Value of first loop' + JSON.stringify(res));
resolve(JSON.stringify(res));
});
});
}
CODE SNIPPET | A/B
if (request.uri !== '/') {
// not an A-B testing
return;
}
getRoute53val().then(function (data) {
console.log('Value of passed data ' + value);
request.uri = value[0][0];
console.log(`Request uri set to "${request.uri}"`);
});
};

Blue/Green & Session Mgmt.
o U s e P e r s i s t e n c e C o o k i e f o r m a n a g i n g s e s s i o n
o A p p l i c a t i o n d e p e n d e n c y f o r C o o k i e
Blue/Green Use Case
o A b s t r a c t % a n d a p p p a t h a t t h e o r i g i n
o R o u t e 5 3 T X T r e c o r d s e t
o R e s t r i c t a c c e s s t o L a m b d a f o r o p s
o C a n a r y d e p l o y m e n t s w i t h m u l t i p l e o r i g i n s

'use strict';
dnstxt.resolveTxt("bg.logix.link",function(err,res) {
return; }
});
});
}
if (request.uri === '/blue' || request.uri === '/green') {
// in proper path
return;
}
console.log('Value of request uri ' + request.uri);
CODE SNIPPET | B/G
let url = 'https://bg.logix.link';
url = url + value[0][0] + request.uri;
console.log ('Value of url ' + url);
const response = {
status: '302',
headers: {
location: [{
key: 'Location',
value: url,
}],
},
};
});
};

'use strict';
dnstxt.resolveTxt("bgp.logix.link",function(err,res) {
return; }
});
});
}
const headers = request.headers;
const cookiePersistB = 'Persistence=Blue';
const cookiePersistG = 'Persistence=Green';
let pathUri;
if (headers.cookie) {
for (let i = 0; i < headers.cookie.length; i++) {
if (headers.cookie[i].value.indexOf(cookiePersistB) >= 0) {
console.log('Persistent Blue cookie found');
pathUri = '/blue';
break;
} else if (headers.cookie[i].value.indexOf(cookiePersistG) >= 0) {
console.log('Persistent Green cookie found');
pathUri = '/green';
break;
}
}
CODE SNIPPET | B/G and Session Mgmt.
request.uri = pathUri + request.uri;
console.log(`In cookie loop. Request uri set to "${request.uri}"`);
} else if (!pathUri) {
console.log('Persistent cookie has not been found. Checking Route53');
let url = 'https://bgp.logix.link';
url = url + value[0][0] + request.uri;
console.log ('Value of url ' + url);
const response = {
status: '302',
headers: {
location: [{
key: 'Location',
value: url,
}],
},
};
});
}
};

Route 53 setting
CloudWatch logs
A/B

CloudWatch logs
B / G w i t h C o o k i e
B / G w i t h o u t C o o k i e

Implementation PatternsNetworkCentricPattern
Users
weighted record sets
app.example53.com
- blue-elb : 50
- green-elb : 50
app.example.com
CNAME: app.example53.com
M a n a g i n g D N S d e p e n d e n c y

Implementation PatternsContentCentricPattern
Users
maintenance
viewerrequest
M a n a g i n g c o n t e n t
r o u t i n g
corporatedatacenter

Implementation PatternsSecurityCentricPattern
Approved
Users
governance
lambda
External
Users
custom Auth +
IP validation
API key
A P I s f o r i n t e r n a l u s e r s

o Buy in from Internal Security
teams
o Layered Security Model
o Layer AWS compliance reports
with your controls
o Training and enabling
Development for faster
adoption
o Build RACI matrix for ownership
o Multi-vendor Network hops
o Open Security Groups
o Expect the same visibility as a
traditional on-premises service
o Lift and Shift to AWS could be
cost prohibitive
o Self-Signed Certificates
Dos and Don’ts

Layered Methodology
Benefits, Business Process, Contractual and Regulatory requirements
Recap
Content
Network
SecurityAll in AWS EDGE
Migration Strategies, Shield+, Proactive vs. Reactive vs. Preventive
Implementation Patterns
Content Layer, Network layer, Security Layer, Dos and Don’ts

Thank you!

CTD307_Case Study How Mobile Device Service Company Asurion Architected Its Application on AWS Edge for Speed and Security

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a CTD307_Case Study How Mobile Device Service Company Asurion Architected Its Application on AWS Edge for Speed and Security

Similar a CTD307_Case Study How Mobile Device Service Company Asurion Architected Its Application on AWS Edge for Speed and Security (20)

Más de Amazon Web Services

Más de Amazon Web Services (20)

CTD307_Case Study How Mobile Device Service Company Asurion Architected Its Application on AWS Edge for Speed and Security