CloudFront로 동적 컨텐츠를 전송하는 네가지 이유 - 김일호 솔루션즈 아키텍트:: AWS Cloud Track 3 Gaming
5 likes3,890 views
CloudFront CDN을 사용하여 동적 콘텐츠를 제공하는 4가지 이유가 있습니다. 1. 설정이 간단합니다. 2. DDoS 방어와 WAF 기능을 제공합니다. 3. 비용 절감이 가능합니다. 4. 속도 향상효과가 있습니다.
CloudFront로 동적 컨텐츠를 전송하는 네가지 이유 - 김일호 솔루션즈 아키텍트:: AWS Cloud Track 3 Gaming
- 1. CloudFront CDN로 동적 컨텐츠를 사용하는 4가지 이유 김일호 | Solutions Architect
- 2. Do you know CloudFront support Dynamic content acceleration?
- 3. No reasons not to use~
- 4. 1. Simple configuration 2. DDoS Mitigation + WAF 3. Cost Saving 4. Speed up
- 5. Configure multiple origins Elastic Load Balan cing Dynamic content Amazon EC2 Static content Amazon S3 * (default) /error/* /assets/* Amazon CloudFront example.com
- 7. CloudFront Behaviors at console
- 8. 1. Simple configuration 2. DDoS Mitigation + WAF 3. Cost Saving 4. Speed up
- 9. AWS Global Presence and Redundancy Route A Route B Route C CloudFront Country B Country A Country C CloudFront Valid Object Request Invalid Protocol Invalid Object Request Internet Connection C Internet Connection A Internet Connection B
- 10. Your VPC only has to deal with layer 7 traffic CloudFront DDoS HTTP SYN / UDP HTTP Customer Solution 80% of DDoS traffic is L3/L4 flood attack 20% is DDoS attack is valid HTTP requests.
- 11. WAF(Web Application Firewall) Match any part of the web request Host: www.example.com User-Agent: Mozilla/5.0 (Macintosh; … Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referrer: http://www.example.com/ Connection: keep-alive AWS WAF RAW request headers CloudFront Check: Header “Referrer” Match Type: Contains Match: “example.com” Action: ALLOW Rule String match condition Good users
- 12. WAF(Web Application Firewall) Use transforms to stop evasion Host: www.example.com User-Agent: badbot Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referrer: http://www.example.com/ Connection: keep-alive AWS WAF RAW request headers CloudFront Check: Header “User-Agent” Match Type: Contains Match: “badbot” Action: BLOCK Rule String match condition Scraper bot
- 13. WAF(Web Application Firewall) Use transforms to stop evasion Host: www.example.com User-Agent: bAdBoT Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referrer: http://www.InTeRnEtkItTiEs.com/ Connection: keep-alive RAW request headers Check: Header “User-Agent” Transform: To lower Match Type: Contains Match: “badbot” Action: BLOCK Rule String match condition AWS WAF CloudFrontScraper bot
- 14. 1. Simple configuration 2. DDoS Mitigation + WAF 3. Cost Saving 4. Speed up
- 15. Lower traffic cost Amazon CloudFront Region Amazon S3 bucket Custom origin $$ $$ $ Free Note: Cost will vary depending on CFRC(CloudFront Reserved Capacity)
- 16. 1. Simple configuration 2. DDoS Mitigation + WAF 3. Cost Saving 4. Speed up
- 18. Two Users without CloudFront SYN SYN-ACK ACK GET /index.jsp ACK SYN-ACK GET /index.jsp 2nd User Region SYN 90ms 360ms 360ms
- 19. Without Keep-Alive Connections • Load on your web server increases the time to first byte TTFB(Time to First Byte)DNS Lookup Connection ContentDownload
- 21. CloudFront Keep Alive SYN SYN-ACK ACK GET /index.jsp ACK SYN-ACK GET /index.jsp Region SYN 30ms SYN SYN-ACK ACK GET /index.jsp GET /index.jsp 60ms 2nd User 360ms 180ms
- 22. 5. Shield Origin contents
- 23. Access control: Restricting origin access §Amazon S3 §Origin Access Identify (OAI) • Prevents direct access to your Amazon S3 bucket • Ensure performance benefits to all customers §Custom origin §Block by IP address • Whitelist only the Amazon CloudFront IP Range • Protects origin from overload • Ensure performance benefits to all customers
- 24. Object Access Identity (OAI) • Ensure only Amazon CloudFront can access Amazon S3 bucket • We make it simple for you Amazon CloudFront Region Amazon S3 bucket Custom origin
- 25. Object Access Identity (OAI) • Ensure only Amazon CloudFront can access Amazon S3 bucket • We make it simple for you Amazon CloudFront Region Amazon S3 bucket Custom origin
- 26. Shield custom origin • Shield your custom origin • Whitelist Amazon CloudFront IP range Amazon CloudFront Region Amazon S3 bucket Custom Origin
- 27. Shield custom origin • Shield your custom origin • Whitelist Amazon CloudFront IP range Amazon CloudFront Region Amazon S3 bucket Custom origin
- 28. Shield custom origin • Subscribe to Amazon SNS notifications on changes to IP ranges • Automatically update security groups AWS Lambda Amazon CloudFront Amazon SNS Security group Web app server Web app server AWS IP ranges Update IP range SNS message