Get started with AWS Edge Services

Hands-on tutorials and content covering the basic concepts.

AWS Edge services

An AWS Region is a physical location where AWS clusters data centers and operates regional services, like EC2 and S3. In the specific case of online applications, user traffic may traverse multiple public networks to reach a regional infrastructure. If you want to address the performance, reliability and security drawbacks of traversing uncontrolled networks, you should consider adding AWS edge services to your architecture. AWS Edge Services like Amazon CloudFront and AWS Global Accelerator operate across hundreds of Points of Presence (PoPs) distributed worldwide, outside of AWS Regions. Users are served from these PoPs within 20 to 30 milliseconds on average, and, when needed, their traffic is carried back to your regional infrastructure over the AWS global network instead of over the public internet. The AWS Global Infrastructure is a purpose-built, highly available, low-latency private infrastructure built on a global, fully redundant metro fiber network that is linked via terrestrial and trans-oceanic cables across the world.

  • Securely deliver content with low latency and high transfer speeds.
  • Protect your web applications from common exploits.
  • Maximize application availability and responsiveness with DDoS protection.
  • Centrally configure and manage firewall rules across your accounts.
  • Improve application availability, performance, and security using the AWS global network.

Amazon CloudFront, the CDN of AWS

CloudFront is Amazon's Content Delivery Network (CDN). CloudFront is used to accelerate HTTP(S)-based web applications and to enhance their availability and security. It covers use cases such as full website delivery, API protection and acceleration, adaptive video streaming, and software download. To use this service, create a CloudFront distribution, configure your origin (any origin that has a publicly accessible domain name), issue a valid TLS certificate with AWS Certificate Manager and attach it to the distribution, and then configure your authoritative DNS server to point your web application's domain name to the distribution's generated domain name (xyz.cloudfront.net). When users navigate to your web application, DNS resolution dynamically routes them to the best CloudFront PoP in terms of latency and availability. Once the PoP is selected, the user's TCP connection, including the TLS handshake, is terminated on one of the PoP's servers, and the HTTP request is sent over that connection. If the content is cached in one of CloudFront's cache layers, the request is fulfilled locally by CloudFront; otherwise, it is forwarded to the origin. CloudFront's infrastructure has two layers. The first layer is made of Edge locations, where users' connections are terminated and layer 3/4 DDoS attacks are mitigated. Edge locations provide caching and, if configured, execute CloudFront Functions and apply AWS WAF rules. The second layer is made of Regional Edge Caches, hosted in AWS Regions. It provides longer cache retention times, which improves cache hit ratios, and executes Lambda@Edge functions when configured. CloudFront dynamically optimizes the use of these layers for each HTTP request depending on its nature. For example, HTTP requests treated as dynamic (caching disabled, POST/PUT/DELETE requests, objects marked as non-cacheable with the Cache-Control response header, etc.) skip the caching layers and are sent from Edge locations directly to your origin.
Finally, CloudFront executes its logic in a specific order. First, CloudFront applies its native security controls (for example the TLS policy, HTTP-to-HTTPS redirection, geoblocking, and signed URLs); then it evaluates the rules of an AWS WAF WebACL, if one is attached; then it runs the edge function configured on the viewer request event, if any; then it checks its cache if the request is cacheable; then it runs the Lambda@Edge function configured on the origin request event, if any; and finally it forwards the request to the origin if needed. To learn more about the lifecycle of an HTTP request within the layers of CloudFront, watch the following re:Invent talk. Note that the CloudFront Functions feature had not been launched at the time this talk was recorded.
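The viewer request event sits between AWS WAF evaluation and the cache lookup in the order above, which makes it the right place for cheap, per-request canonicalization. The following is an added example written as a CloudFront Function (cloudfront-js runtime: `var` only, no Node.js modules); it is not code from the page or from AWS. The policy it enforces is an assumption: a static site where every path maps to one object, so directory-style paths are rewritten to a single canonical cache key, and any raw or single-percent-encoded `..` segment is refused before it can reach the cache or the origin.

```javascript
// Added example for the CloudFront viewer-request event (not the page's own code).
// Assumed policy: static site, one canonical object per path.
function handler(event) {
    var request = event.request;
    var uri = request.uri;

    // Defense in depth: refuse raw or percent-encoded ".." segments. Native CloudFront
    // controls and AWS WAF have already run; this is the last hop before the cache lookup.
    // Only single-level encoding is checked here (double-encoded forms are not decoded).
    if (uri.indexOf('..') !== -1 || /%2e%2e/i.test(uri)) {
        return {
            statusCode: 403,
            statusDescription: 'Forbidden',
            headers: { 'cache-control': { value: 'no-store' } }
        };
    }

    // Canonicalize directory-style paths so /docs, /docs/ and /docs/index.html share
    // one cache key (and one origin fetch) instead of three.
    if (uri.endsWith('/')) {
        request.uri = uri + 'index.html';
    } else if (uri.lastIndexOf('.') < uri.lastIndexOf('/')) {
        // Last path segment has no extension: treat it as a directory (assumed layout).
        request.uri = uri + '/index.html';
    }
    return request;
}
```

Returning a response object instead of the request short-circuits the flow: no cache lookup, no origin request, and the `no-store` header keeps the 403 itself from being cached by an intermediary.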

AWS WAF to protect web applications at layer 7

AWS WAF is a Web Application Firewall that can be used to protect web applications from application-level threats. Application-level threats include:

  • DDoS attacks (e.g. HTTP floods) that aim at consuming your application resources to make it unavailable to legitimate users.
  • Attacks that try to exploit application-level vulnerabilities and then conduct malicious activities, such as stealing data or using your resources in an unauthorized way, for example for cryptocurrency mining.
  • Attacks conducted by automated bots that can harm your business in different ways, such as account takeover and content scraping.

To use AWS WAF, create rules in a WebACL and then attach it to the resources that need protection. A global WebACL can be attached to CloudFront distributions, and a regional WebACL can be attached to resources within the same Region, such as ALBs and API Gateways. When a WebACL is attached to a resource, the underlying service of the resource (e.g. CloudFront or ALB) hands off a copy of the HTTP request to the AWS WAF service, which evaluates the configured rules within single-digit milliseconds. Based on the rule evaluation, AWS WAF instructs the underlying service how to process the request (e.g. block, forward, challenge). Note that AWS WAF logic is based solely on HTTP request attributes, not on response attributes.

A newly created WebACL contains only a default action (allow all requests), to which you can add multiple rules of different types. First, you can create custom rules based on the attributes (e.g. IP, headers, cookies, URL) of the inspected HTTP request. Rules can also be grouped into rule groups to facilitate their management. Second, you can add Managed Rules from AWS or from vendors on the AWS Marketplace, which are added as configurable rule groups to your WebACL. For example, you can add AWS Managed Rule Groups such as the Core Rule Set and the Anonymous IP list. More advanced managed rule groups, such as Bot Control and Account Takeover Prevention, are designed to be used with the client-side application integration SDKs. A rule is configured with an action applied when it matches: Allow and Count (optionally inserting custom headers into the request sent upstream), Block (optionally returning a custom response), CAPTCHA, or a silent Challenge; rate limiting is expressed as a rate-based rule statement that applies one of these actions once a client exceeds the configured rate. Rules, including AWS Managed Rules, emit labels that can be used in the logic of subsequent rules if the evaluation reaches them. You can also configure your own rules to emit labels, and all labels are recorded in WAF log records.
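The terminating rule, the Count-mode matches and the emitted labels described above all land in the WAF log record of each request, which is where tuning decisions (can this managed rule move from Count to Block? does this client need a rate-based rule?) are made. The following is an added example, not code from the page or from AWS, that summarizes such records. Field names follow the AWS WAF log format; the five records are constructed, and the rule and label names in them are sample values.

```javascript
// Added example (not the page's own code): summarize AWS WAF log records (JSON Lines).
// The records below are constructed samples in the AWS WAF log field layout.
var sampleWafLogLines = [
    JSON.stringify({ timestamp: 1700000000000, action: 'BLOCK', terminatingRuleType: 'MANAGED_RULE_GROUP',
        terminatingRuleId: 'AWS-AWSManagedRulesCommonRuleSet',
        ruleGroupList: [{ ruleGroupId: 'AWS#AWSManagedRulesCommonRuleSet',
            terminatingRule: { ruleId: 'GenericLFI_URIPATH', action: 'BLOCK' }, nonTerminatingMatchingRules: [] }],
        nonTerminatingMatchingRules: [],
        labels: [{ name: 'awswaf:managed:aws:core-rule-set:GenericLFI_URIPath' }],
        httpRequest: { clientIp: '203.0.113.10', country: 'US', httpMethod: 'GET', uri: '/../../etc/passwd' } }),
    JSON.stringify({ timestamp: 1700000001000, action: 'BLOCK', terminatingRuleType: 'MANAGED_RULE_GROUP',
        terminatingRuleId: 'AWS-AWSManagedRulesCommonRuleSet',
        ruleGroupList: [{ ruleGroupId: 'AWS#AWSManagedRulesCommonRuleSet',
            terminatingRule: { ruleId: 'GenericLFI_URIPATH', action: 'BLOCK' }, nonTerminatingMatchingRules: [] }],
        nonTerminatingMatchingRules: [],
        labels: [{ name: 'awswaf:managed:aws:core-rule-set:GenericLFI_URIPath' }],
        httpRequest: { clientIp: '203.0.113.10', country: 'US', httpMethod: 'GET', uri: '/static/..%2f..%2fetc/passwd' } }),
    JSON.stringify({ timestamp: 1700000002000, action: 'ALLOW', terminatingRuleType: 'DEFAULT_ACTION',
        terminatingRuleId: 'Default_Action',
        ruleGroupList: [{ ruleGroupId: 'AWS#AWSManagedRulesAmazonIpReputationList', terminatingRule: null,
            nonTerminatingMatchingRules: [{ ruleId: 'AWSManagedIPReputationList', action: 'COUNT' }] }],
        nonTerminatingMatchingRules: [{ ruleId: 'count-suspicious-ua', action: 'COUNT' }],
        labels: [{ name: 'awswaf:managed:aws:amazon-ip-list:AWSManagedIPReputationList' }],
        httpRequest: { clientIp: '198.51.100.7', country: 'DE', httpMethod: 'GET', uri: '/index.html' } }),
    JSON.stringify({ timestamp: 1700000003000, action: 'BLOCK', terminatingRuleType: 'RATE_BASED',
        terminatingRuleId: 'rate-limit-per-ip', ruleGroupList: [], nonTerminatingMatchingRules: [], labels: [],
        httpRequest: { clientIp: '203.0.113.10', country: 'US', httpMethod: 'POST', uri: '/login' } }),
    JSON.stringify({ timestamp: 1700000004000, action: 'ALLOW', terminatingRuleType: 'DEFAULT_ACTION',
        terminatingRuleId: 'Default_Action', ruleGroupList: [], nonTerminatingMatchingRules: [], labels: [],
        httpRequest: { clientIp: '198.51.100.7', country: 'DE', httpMethod: 'GET', uri: '/about.html' } })
];

function bump(table, key) { table[key] = (table[key] || 0) + 1; }

// At the WebACL level, terminatingRuleId names the rule or the managed rule group reference;
// the specific rule inside a group is reported in ruleGroupList[].terminatingRule.
function terminatingRuleName(rec) {
    var groups = rec.ruleGroupList || [];
    for (var i = 0; i < groups.length; i++) {
        if (groups[i].terminatingRule) {
            return rec.terminatingRuleId + '/' + groups[i].terminatingRule.ruleId;
        }
    }
    return rec.terminatingRuleId;
}

function summarizeWafLogs(lines) {
    var summary = { blockedByRule: {}, countedByRule: {}, labels: {}, clients: {} };
    lines.forEach(function (line) {
        var rec = JSON.parse(line);
        var ip = rec.httpRequest.clientIp;
        var client = summary.clients[ip] || (summary.clients[ip] = { total: 0, blocked: 0 });
        client.total += 1;
        if (rec.action === 'BLOCK') {
            client.blocked += 1;
            bump(summary.blockedByRule, terminatingRuleName(rec));
        }
        // COUNT matches appear at the WebACL level for custom rules and inside ruleGroupList[]
        // for rules of a managed group; both matter when deciding to switch Count to Block.
        var counted = (rec.nonTerminatingMatchingRules || []).slice();
        (rec.ruleGroupList || []).forEach(function (g) {
            counted = counted.concat(g.nonTerminatingMatchingRules || []);
        });
        counted.forEach(function (r) { if (r.action === 'COUNT') bump(summary.countedByRule, r.ruleId); });
        (rec.labels || []).forEach(function (l) { bump(summary.labels, l.name); });
    });
    return summary;
}

// Clients blocked at least `threshold` times in the window: candidates for a rate-based
// rule or an IP set rather than repeated per-request signature matches.
function noisyClients(summary, threshold) {
    return Object.keys(summary.clients).filter(function (ip) {
        return summary.clients[ip].blocked >= threshold;
    }).sort();
}

console.log(JSON.stringify(summarizeWafLogs(sampleWafLogLines), null, 2));
console.log('noisy clients:', noisyClients(summarizeWafLogs(sampleWafLogLines), 3));
```

On the sample, the Core Rule Set match is reported as `AWS-AWSManagedRulesCommonRuleSet/GenericLFI_URIPATH` rather than just the group name, the IP reputation list shows up only under `countedByRule` because the group is in Count mode, and 203.0.113.10 is the only client at or above three blocks. Reading real logs works the same way once the lines come from the Kinesis Data Firehose, S3 or CloudWatch Logs destination instead of the embedded array.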

AWS Global Accelerator, acceleration at the network level

AWS Global Accelerator is a networking service that improves the performance, reliability and security of your online applications using the AWS Global Infrastructure. Since AWS Global Accelerator operates at layer 4 of the OSI model, it can be used with any TCP or UDP application. Example use cases include UDP/TCP-based multiplayer gaming, voice and video over IP, IoT, video ingest and FTP uploads, and others such as VPN, Git, and AdTech bidding.

AWS Global Accelerator can be deployed in front of your Network Load Balancers, Application Load Balancers, EC2 instances, and Elastic IPs, any of which can serve as regional endpoints for your application. To use this service, create an accelerator, which provides two global static anycast IPv4 addresses that act as a fixed entry point to your application. With Global Accelerator, you can have multiple application endpoints in a single AWS Region or across multiple Regions, all reachable through the same anycast IP addresses. You then configure your authoritative DNS server to point your application's domain name to the accelerator's dedicated static IPs. These anycast IPs are announced from all Global Accelerator PoPs, so user traffic is routed to the nearest PoP and then forwarded to the regional endpoint over the AWS global network.
