© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Alessandro Esposito – Cloudfront Account Representative [email protected]
14th April 2016
Distributing content securely
Using Amazon CloudFront, AWS WAF and AWS Lambda
Delivering Content – Challenges: Multiple Users, Static & Dynamic Contents, Different Devices
Delivering Content – Requirements: Easy, Cost Effective, Secure
Content Delivery
What is a Content Delivery Network (CDN)?
A content delivery network (CDN) is a globally distributed network of proxy servers deployed in multiple data centers. The goal of a CDN is to bring content closer to end users, lowering latency when they download or stream the objects.
[Diagram: User A, User B and User C send requests (Request A, ...) to the CDN, which sits in front of the Origin]
Amazon CloudFront - CDN
• Global content delivery network (CDN)
• Full feature caching – Dynamic & Static Content
• Integrated with other Amazon Web Services
• Easy way to distribute content to end users
• Pay as you go, no integration fee
AWS Global Infrastructure
[Map legend: Region, Edge Location]
12 Regions
33 Availability Zones
54 Edge Locations
AWS Edge Locations
54 Edge Locations
19 Countries
38 Cities
5 Continents
Amazon.com - whole site delivery
[Diagram: Dynamic, Static and Video content plus User Input delivered over SSL]
Popular CloudFront Features and Use Cases
• Video Streaming: On-demand & Live Streaming; RTMP (Flash) and HTTP(S); Adaptive Bitrate Live Streaming; Microsoft Smooth Streaming
• Whole Site Delivery: Static & Dynamic Content; Mobile Detect, CORS Support; Multiple Cache Behaviors; Multiple Origin Servers
• Security: Private Content (Signed URLs); Custom SSL (Dedicated IP & SNI); Geo Restriction; HTTP to HTTPS Redirect
• High Availability: 99.9% SLA; Automatic Origin Failover; Custom Error Pages; Serve Stale Content when Origin unavailable
• High Performance: Latency Based Routing; TCP Optimization; Persistent Connections; EDNS Client Subnet
• Low TCO: Pay for use; Commit-Based lower pricing; Price Classes; Preferential Pricing for AWS origins
Clementoni S.p.A. – Clempad Project
Daniele Silenzi, IT Manager, Clempad Project
Clementoni S.p.A.
• Clementoni is an all-Italian company with more than 500 employees, the first Italian company in educational games
• Games available in 16 languages and distributed in over 60 countries.
• 8 sales offices: Benelux, Germany, Spain, France, Portugal, UK, Poland, Turkey and Hong Kong.
• High quality toys with high educational content that help children grow from their first months
Clempad Project
Android Educational Tablet for Kids
• In 2012 Clementoni started the development of the Clempad Project, the first educational tablet for kids
• The first year, starting from a forecast of 5TB data transfer, by the end of the year Clementoni had delivered 40TB of traffic.
• The forecast for 2013 was 250TB data transfer in 8 countries
• Now we have around 500TB every year, with around 3M HTTP requests per day managed by CloudFront (Clementoni market, catalogs, WhiteList, and others)
Clempad Project
• From
  • Few Devices
  • Only Italy
  • ~ 10 custom Apps
  • no Video Channel
  • no official Clementoni market
• To
  • Many Devices
  • All Europe
  • ~ 110 custom Apps
  • Video Channel
  • Official Clementoni market
  • Clementoni Books
  • www.planetclemetoni.com
  • Others
Clementoni AWS Architecture
• 5 EC2 Instances
• 1 RDS (MySQL)
• 3 S3 Buckets
• 2 CloudFront instances
• All the content is delivered only via CloudFront
AWS Advantages
• High bandwidth with Amazon CloudFront
  • each device can reach remote resources without latency or delay, around 500TB every year
• Great Scalability
  • we can scale without modifying the architecture during the “hot” months
• Increased reliability
  • Multi-AZ (Amazon RDS), backups...
  • Extended scalability and durability with Amazon S3
• Increased security
More data
• More than 1 Billion HTTP requests every year
• 30/40 TB transferred every month (December, January and February more than 65TB)
• Application (app) size increase
• New Clementoni games take advantage of AWS
• New WebSite
Clementoni saved around 40% on data transfer cost
Future developments
• New products will take advantage of AWS and CloudFront
• Traffic Management
• Web Application Firewall (AWS WAF)
Recent Security and Compliance Features
• Compliance
  • PCI DSS Compliance
  • ISO 9001, 27001, 27017, 27018
• Security Enhancements
  • Signed Cookies
  • Enforce HTTPS to origin
  • Support for TLSv1.1 and TLSv1.2 between edge and origin
  • Add/Modify Request Headers Forwarded From CloudFront to Origin
  • Integration with AWS WAF
  • Integration with AWS Certificate Manager (ACM)
Web Application Firewall (WAF)
What is a Web Application Firewall?
A Web Application Firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to HTTP traffic.
[Diagram: attackers sending exploits and good users both reach the web site; the WAF sits in between]
CloudFront without WAF
[Diagram: site scraping, SQL injection, XSS and other attacks arrive at the Amazon CloudFront edge location together with legitimate traffic and pass through unfiltered to the origin: EC2 / ELB / S3 and/or an on-premises environment (origin server, origin storage)]
Traditional WAF Deployment
[Diagram: the same mix of attacks and legitimate traffic passes the Amazon CloudFront edge location and is filtered only at the origin, by an "ELB sandwich" (ELB → WAF → ELB) in front of EC2 or by a WAF in front of the on-premises origin and origin storage]
Traditional WAF
• Complex and slow setup
• Many false positives
• Limited API for automation
• Expensive to set up and maintain
AWS WAF - Web Application Firewall
• WAF protection at the Edge Location
• Customizable security
• Integrated with Amazon CloudFront
• Exploits, abuse, and application DDoS protection
• Easy to deploy and maintain
• Pay as you go
CloudFront with AWS WAF
[Diagram: site scraping, SQL injection, XSS and other attacks are filtered by the WAF at the Amazon CloudFront edge location, so only legitimate traffic reaches the origin: EC2 / ELB / S3 and/or an on-premises environment (origin server, origin storage)]
The AWS WAF
• Customizable and flexible
• Full featured API
• Easy and quick setup
• Pay as you go
AWS WAF Components
[Diagram: Conditions are grouped into Rules, Rules into a Web ACL, and the Web ACL is applied to a CloudFront distribution; Amazon CloudWatch provides reports/logs, enabling automated security]
AWS - Manage Content Your Way
• API
POST /2012-07-01/distribution HTTP/1.1
Host: cloudfront.amazonaws.com
Authorization: AWS authentication string
Date: time stamp
Other required headers
<?xml version="1.0" encoding="UTF-8"?>
<DistributionConfig xmlns="http://cloudfront.amazonaws.com/doc/2012-07-01/">
• Console management and reporting
AWS Lambda - Run code without servers
Lambda automatically runs your code without requiring you to provision servers.
• “Server-less” scripting - event driven actions
• Integrated with other AWS services
• Use cases: scheduled events, provisioning services, and customer analysis
Automated security – traditional data center
[Diagram: web site logs feed threat analysis; a rule updater pushes new rules to the WAF, which separates attackers' exploits from good users' traffic]
Automated security – AWS makes it easier
[Diagram: CloudFront access logs are processed by AWS Lambda, which updates AWS WAF rules applied to Amazon CloudFront, so attackers' exploits are blocked while good users pass]
AWSLABS – CloudFormation template available
https://github.com/awslabs/aws-waf-sample/tree/master/waf-reactive-blacklist
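The log-to-WAF loop sketched above, as an added example that is not part of the deck or of the awslabs sample: it parses constructed CloudFront access-log records using the "#Fields:" header, counts 4xx responses per client IP (one possible heuristic, assumed here), and builds the Updates payload for the classic AWS WAF UpdateIPSet call. The boto3 call itself is only named in a comment so the code runs offline; the threshold and the reduced column set are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample in CloudFront access-log layout: a "#Fields:" header
# naming the columns, then tab-separated records. Not real traffic.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) "
    "cs-uri-stem sc-status cs(Referer) cs(User-Agent)",
    "2016-04-14\t10:00:01\tFRA2\t512\t203.0.113.7\tGET\td111.cloudfront.net\t/index.html\t200\t-\tMozilla/5.0",
    "2016-04-14\t10:00:02\tFRA2\t312\t198.51.100.9\tGET\td111.cloudfront.net\t/missing-1\t404\t-\tcurl/7.47",
    "2016-04-14\t10:00:02\tFRA2\t312\t198.51.100.9\tGET\td111.cloudfront.net\t/missing-2\t404\t-\tcurl/7.47",
    "2016-04-14\t10:00:03\tFRA2\t312\t198.51.100.9\tGET\td111.cloudfront.net\t/missing-3\t404\t-\tcurl/7.47",
    "2016-04-14\t10:00:03\tFRA2\t312\t198.51.100.9\tGET\td111.cloudfront.net\t/private\t403\t-\tcurl/7.47",
    "2016-04-14\t10:00:04\tFRA2\t312\t203.0.113.7\tGET\td111.cloudfront.net\t/old.png\t404\t-\tMozilla/5.0",
])

def parse_cloudfront_log(text):
    """Yield one dict per record, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record before #Fields header")
            yield dict(zip(fields, line.split("\t")))

def offending_ips(text, threshold, status_prefix="4"):
    """Client IPs with more than `threshold` responses whose status starts with status_prefix."""
    errors = Counter(rec["c-ip"] for rec in parse_cloudfront_log(text)
                     if rec["sc-status"].startswith(status_prefix))
    return sorted(ip for ip, n in errors.items() if n > threshold)

def ipset_updates(ips, action="INSERT"):
    """Build the Updates list for classic AWS WAF update_ip_set (IPV4 /32, IPV6 /128)."""
    updates = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
        updates.append({"Action": action, "IPSetDescriptor": {
            "Type": "IPV4" if addr.version == 4 else "IPV6",
            "Value": f"{addr}/{addr.max_prefixlen}"}})
    return updates

if __name__ == "__main__":
    bad = offending_ips(SAMPLE_LOG, threshold=3)
    # Inside the Lambda this would be passed to
    # boto3.client("waf").update_ip_set(IPSetId=..., ChangeToken=..., Updates=...)
    print(bad, ipset_updates(bad))
```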
Resources
• Amazon Cloudfront Product Page
http://aws.amazon.com/cloudfront/
• AWS WAF Product Page
https://aws.amazon.com/waf/
• Webinar | Introducing AWS WAF
http://bit.ly/1N63GvO
• Webinar | Using AWS WAF and Lambda for Automatic Protection
http://bit.ly/1qFLBe9
• Preconfigured Rules & Tutorials for AWS WAF
http://aws.amazon.com/waf/preconfiguredrules/
Thank You!