CloudFront Functions – A New Security Paradigm for CDN Edge Computing
In July 2017, Amazon CloudFront announced Lambda@Edge, which enables customers to modify HTTP requests flowing through Amazon CloudFront using the flexible and highly secure AWS Lambda. Customers such as DAZN, Truecar, Disney, and OLX have since built applications including website micro-frontends, image resizing, enhanced origin selection, and custom search engine optimization for single page applications without having to worry about regional deployments or dynamically routing to the best AWS region for individual viewers. While Lambda@Edge is immensely flexible and powerful, it isn’t a perfect fit for all use cases, especially those requiring a small amount of compute before a request is served by the CloudFront cache at edge locations, or right before the responses to such requests are delivered to end-users. Examples of these cases are URL rewrites, custom user authentication schemes or the insertion of response headers. For these use cases, we needed a solution better suited for higher volume and even lower latency, one that would execute functions at edge locations instead of AWS Regions.
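One of the use cases named above, inserting response headers right before a cached response is delivered to the viewer, is where a small edge function earns its keep for defenders: a single function can make sure every response carries a baseline set of browser security headers. The following is an added example written for this page, not code from the original post or from the CloudFront team. It assumes the shape of the CloudFront Functions JavaScript runtime event (a viewer-response event whose `event.response.headers` is an object keyed by lowercase header name with `{ value: "..." }` entries, and whose handler returns the response), and it is written in ES5 style because that runtime is ECMAScript 5.1 based. The sample event at the bottom is constructed for running the code offline.

```javascript
// Added example (not CloudFront's own code): a viewer-response CloudFront
// Function that inserts a baseline of browser security headers at the edge.
// Assumption: the CloudFront Functions event shape described in the lead-in.

// Headers to add only when the origin has not already set them. The origin's
// value wins, so a stricter origin policy is never weakened at the edge.
var SECURITY_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'"
};

// Response headers that only reveal origin software details to the viewer.
var LEAKY_HEADERS = ['x-powered-by'];

function handler(event) {
  var response = event.response;
  var headers = response.headers;

  for (var name in SECURITY_HEADERS) {
    if (SECURITY_HEADERS.hasOwnProperty(name) && !headers[name]) {
      headers[name] = { value: SECURITY_HEADERS[name] };
    }
  }

  for (var i = 0; i < LEAKY_HEADERS.length; i++) {
    delete headers[LEAKY_HEADERS[i]];
  }

  return response;
}

// Constructed sample event for offline testing (not a real CloudFront event).
// The origin already sends x-frame-options, so that value must be preserved.
function sampleEvent() {
  return {
    response: {
      statusCode: 200,
      statusDescription: 'OK',
      headers: {
        'content-type': { value: 'text/html' },
        'x-powered-by': { value: 'Express' },
        'x-frame-options': { value: 'SAMEORIGIN' }
      }
    }
  };
}

console.log(JSON.stringify(handler(sampleEvent()).headers, null, 2));
```

The "origin wins" rule is a deliberate design choice: an edge function that unconditionally overwrote `content-security-policy` could silently loosen a policy the application team had tightened at the origin, so the function only fills gaps and strips headers that add nothing for the viewer.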
CloudFront’s edge locations, which are called PoPs, or Points of Presence, are generally located in urban areas, close to the viewers, in locations where AWS, ISPs, and other network operators meet to connect to one another. Those facilities are not the very large data centers that run Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), and AWS Lambda. In contrast, the 225+ CloudFront PoPs are relatively small but much more distributed – spread across 90 cities in 47 countries to offer the best latency and the most optimal network path to end-users. This distributed nature also means that compared to the AWS Regions, the CloudFront PoPs have very different general-purpose computing resources.
When we started designing CloudFront Functions, the challenge we had was to deliver a high-density code execution environment operating at CloudFront scale – tens of millions of requests per second – while still delivering sub-millisecond latency. We are sure you are not hearing this for the first time, but at AWS, security is our number one priority. For the CloudFront team, this meant not only meeting the performance and efficiency goals we had set for running code at the edge, but also meeting the AWS security bar that customers have come to expect.
In designing CloudFront Functions, security was always the biggest challenge from the very beginning, and embracing it from the early stages of the project allowed us to achieve something we hope you will find both useful and worthy of your trust. As always, this is just day one, and we look forward to sharing the further enhancements we are planning for CloudFront Functions. Give it a try and give us your feedback.