Networking & Content Delivery

Category: Security, Identity, & Compliance

Deploy centralized traffic filtering using AWS Network Firewall

In this blog, we will walk through the steps to accelerate your centralized deployment of AWS Network Firewall using a new deployment automation solution—AWS Network Firewall deployment automation for AWS Transit Gateway. We will also discuss common use cases for AWS Network Firewall in a centralized architecture that uses AWS Transit Gateway. Though this post […]

Read More

Simulating Site-to-Site VPN customer gateways using strongSwan part 2: Certificate-based authentication

Do you need to either demonstrate or learn more about using certificate-based authentication with AWS Site-to-Site VPN capabilities? In part 1 of this series, we showed how to use an AWS CloudFormation template to deploy the open source strongSwan VPN solution to implement the on-premises side of an AWS Site-to-Site VPN connection. The open source […]

Read More

Customize 403 error pages from Amazon CloudFront Origin with Lambda@Edge

AWS Web Application Firewall (AWS WAF) is commonly used to protect HTTP and HTTPS requests forwarded to Amazon CloudFront. When you are using this approach, default 403 error pages do not distinguish whether the error came from AWS WAF or the CloudFront Origin. As an AWS WAF and Amazon CloudFront user, you may want to […]

Read More

Automating DNS infrastructure using Route 53 Resolver endpoints

Introduction DNS name resolution is a fundamental part of all on-premises and cloud networks. For customers with hybrid networks, additional infrastructure and configuration are needed for private DNS resolution to work seamlessly across environments. However, building this type of DNS infrastructure in a multi-account environment is complex. In this post, we show how to automate […]

Read More

Serving SSE-KMS encrypted content from S3 using CloudFront

Update: We’ve updated this blog and the AWS Lambda function code to work with both “custom” and “s3” style origins in Amazon CloudFront. Previously, only “custom” types were covered. Introduction A best practice for your web applications is to use Amazon S3 to store content and Amazon CloudFront to deliver it to users. When building this way, […]

Read More

Accessing private Application Load Balancers and EC2 instances through AWS Global Accelerator

Many Content Distribution Networks (CDNs) offer a feature to obfuscate the source origin through functionality commonly referred to as origin cloaking. Using AWS Global Accelerator with Client IP Address Preservation capability, similar functionally can be facilitated. Private Application Load Balancers (ALBs) and private EC2 instances can be accessed through Global Accelerator in a secure and simplified manner. AWS […]

Read More
TransitGatewayArchitectureDiagram

Automating AWS Transit Gateway attachments to a transit gateway in a central account

As IT environments grow, they can become more complex, with additional accounts, VPCs, and the networking between them. AWS Transit Gateway is a service that addresses networking complexity by building a hub-and-spoke network to simplify your network routing and security. With Transit Gateway, you can connect your Virtual Private Clouds (VPCs) that span multiple accounts […]

Read More

Accelerating WordPress with CloudFront using the AWS for WordPress Plugin

AWS for WordPress WordPress is a technological marvel in the number of internet sites it powers and the momentum with which developers actively contribute to the community. Recent estimates put WordPress at powering more than 34% of internet sites, and more than 50,000 plugins are available through WordPress.org covering everything from security enhancements to SEO […]

Read More

Authorization@Edge using cookies: Protect your Amazon CloudFront content from being downloaded by unauthenticated users

Enterprise customers who host private web apps on Amazon CloudFront may struggle with a challenge: how to prevent unauthenticated users from downloading the web app’s source code (for example, React, Angular, or Vue). In a separate blog post, you can learn one way to provide that security using Amazon Lambda@Edge and Amazon Cognito, with an example […]

Read More

Continually Enhancing Domain Security on Amazon CloudFront

Last year, a colleague of mine wrote a blog post about new security measures that Amazon CloudFront was implementing to enhance the security of how domains are used on CloudFront distributions. This included mitigations to prevent the abusive use of domain fronting practices by not allowing SSL handshake requests and subsequent requests over the secured […]

Read More