4 reasons to serve dynamic content through the CloudFront CDN
김일호 | Solutions Architect
Did you know that CloudFront supports dynamic content acceleration?
There is no reason not to use it.
1. Simple configuration
2. DDoS Mitigation + WAF
3. Cost Saving
4. Speed up
Configure multiple origins
Amazon CloudFront distribution for example.com, with CloudFront behaviors routing requests by path:
• * (default)
• /error/*
• /assets/*
Origins: Elastic Load Balancing in front of Amazon EC2 for dynamic content; Amazon S3 for static content.
CloudFront Behaviors
Customer location: www.mysite.com
Path pattern matching (/*.jpg, /*.php, etc.) sends each request to a different origin:
GET http://mysite.com/images/1.jpg -> Origin A
GET http://mysite.com/index.php -> Origin B
GET http://mysite.com/web/home.css -> Origin C
GET http://mysite.com/* (default) -> Origin D
Origin A: S3 bucket
Origin B: www.mysite.com
Origin C: S3 bucket
Origin D: www.mysite.com
Path patterns: /*.php, /images/*.jpg, /web/*.css, /*.* (default)
CloudFront Behaviors at console
2. DDoS Mitigation + WAF
AWS Global Presence and Redundancy
Users in Country A, Country B and Country C reach CloudFront over Internet connections A, B and C (routes A, B and C). At the edge, valid object requests are passed on, while invalid-protocol traffic and invalid object requests are stopped.
Your VPC only has to deal with layer 7 traffic
DDoS traffic such as SYN/UDP floods stops at CloudFront; only HTTP reaches the customer solution.
80% of DDoS traffic is L3/L4 flood attacks.
20% of DDoS attacks consist of valid HTTP requests.
WAF (Web Application Firewall): Match any part of the web request
RAW request headers, as seen by AWS WAF at CloudFront:
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; …
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Referrer: http://www.example.com/
Connection: keep-alive
Rule (string match condition): Check header "Referrer", Match type: Contains, Match: "example.com"
Action: ALLOW (good users)
WAF (Web Application Firewall): Use transforms to stop evasion
RAW request headers, as seen by AWS WAF at CloudFront:
Host: www.example.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Referrer: http://www.example.com/
Connection: keep-alive
Rule (string match condition): Check header "User-Agent", Match type: Contains, Match: "badbot"
Action: BLOCK (scraper bot)
WAF (Web Application Firewall): Use transforms to stop evasion
RAW request headers, as seen by AWS WAF at CloudFront (the bot now varies letter case to dodge the plain match):
Host: www.example.com
User-Agent: bAdBoT
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Referrer: http://www.InTeRnEtkItTiEs.com/
Connection: keep-alive
Rule (string match condition): Check header "User-Agent", Transform: Tolower, Match type: Contains, Match: "badbot"
Action: BLOCK (scraper bot)
3. Cost Saving
Lower traffic cost
Amazon CloudFront in front of the Region, which holds an Amazon S3 bucket and a custom origin. The diagram marks two of the transfer paths "$$" and one "$ Free".
Note: Cost will vary depending on CFRC (CloudFront Reserved Capacity).
4. Speed up
Two users without CloudFront (example.com, many clients)
Each client completes its own TCP handshake (SYN, SYN-ACK, ACK) with the Region before sending GET /index.jsp, and the 2nd user repeats the same handshake. Diagram timings: 90ms latency to the Region; 360ms for the first user and 360ms again for the 2nd user.
Without Keep-Alive Connections
• Load on your web server increases the time to first byte
TTFB (Time to First Byte) = DNS lookup + connection + content download
Without keep-alive, every request (SYN, SYN-ACK, ACK, then GET /index.jsp) pays for a new connection; with keep-alive connections, the 2nd request sends GET /index.jsp over the connection that is already open.
CloudFront Keep Alive
The client's TCP handshake (SYN, SYN-ACK, ACK) is with the nearby CloudFront edge, and CloudFront keeps its own connection to the Region open, so the 2nd user's GET /index.jsp travels over an already established connection. Diagram timings: 30ms and 60ms at the edge; 360ms for the first user and 180ms for the 2nd user.
5. Shield Origin contents
Access control: Restricting origin access
§ Amazon S3
§ Origin Access Identity (OAI)
• Prevents direct access to your Amazon S3 bucket
• Ensures performance benefits to all customers
§ Custom origin
§ Block by IP address
• Whitelist only the Amazon CloudFront IP range
• Protects the origin from overload
• Ensures performance benefits to all customers
Origin Access Identity (OAI)
• Ensures only Amazon CloudFront can access the Amazon S3 bucket
• We make it simple for you
Diagram: Amazon CloudFront in front of the Region (Amazon S3 bucket, custom origin).
Shield custom origin
• Shield your custom origin
• Whitelist the Amazon CloudFront IP range
Diagram: Amazon CloudFront in front of the Region (Amazon S3 bucket, custom origin).
Shield custom origin
• Subscribe to Amazon SNS notifications on changes to IP ranges
• Automatically update security groups
Flow: AWS IP ranges change -> "Update IP range" SNS message -> Amazon SNS -> AWS Lambda -> security group of the web app servers that Amazon CloudFront reaches.
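The automation on the last slide, as an added example that is not code from the deck or from AWS: given the body of ip-ranges.json and the md5 carried by the notification, it checks the document, extracts the CloudFront IPv4 prefixes and computes which security-group rules to authorize and which stale ones to revoke. The sample document is constructed, and the md5 check assumes the field layout of the AmazonIpSpaceChanged SNS message; applying the change set with the EC2 API is left to the caller.

```python
# Added example (not from the presentation): plan the security-group change
# the slide's SNS -> Lambda flow needs, from an ip-ranges.json document.
import hashlib
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json; not real AWS ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
    ],
})

def document_md5(body: str) -> str:
    return hashlib.md5(body.encode()).hexdigest()

def verify_md5(body: str, expected_md5: str) -> bool:
    # The AmazonIpSpaceChanged SNS message carries the md5 of the document
    # it announces (assumed format); refuse to touch the group on a mismatch.
    return document_md5(body) == expected_md5.lower()

def cloudfront_prefixes(body: str) -> set[str]:
    # IPv4 CIDRs tagged CLOUDFRONT, normalised and de-duplicated; strict=True
    # rejects a prefix with host bits set instead of silently widening it.
    return {
        str(ipaddress.ip_network(p["ip_prefix"], strict=True))
        for p in json.loads(body)["prefixes"]
        if p["service"] == "CLOUDFRONT"
    }

def plan_update(current: set[str], desired: set[str]) -> tuple[set[str], set[str]]:
    # (to_authorize, to_revoke) so the group allows exactly `desired`;
    # stale CIDRs left over from an earlier range (or a hand-added 10/8) go.
    return desired - current, current - desired

if __name__ == "__main__":
    body = SAMPLE_IP_RANGES
    if verify_md5(body, document_md5(body)):  # in Lambda, digest comes from SNS
        add, drop = plan_update({"203.0.113.0/25", "10.0.0.0/8"}, cloudfront_prefixes(body))
        print("authorize:", sorted(add), "revoke:", sorted(drop))
```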