AWS 边缘服务入门

涵盖基本概念的动手教程和内容。

AWS 边缘服务

AWS 区域是 AWS 集群数据中心和运营区域服务(如 EC2 和 S3)的物理位置。对于在线应用程序的特定案例,用户流量可能会穿越多个公共网络到达区域基础设施。如果您想解决遍历不受控制的网络在性能、可靠性和安全性方面的缺陷,则应考虑将 AWS 边缘服务添加到您的架构中。Amazon CloudFront 和 AWS Global Accelerator 等 AWS 边缘服务在 AWS 区域以外的数百个全球分布式入网点(PoP)上运行。平均来说,这些 PoP 会在 20 到 30 毫秒内为用户提供服务,并且在需要时,它们的流量会通过 AWS 全球网络而非通过公共互联网传回您的区域基础设施。AWS 全球基础设施是一个专门建造、高度可用和低延迟的私有基础设施,它基于完全冗余的全球性城域光纤网络构建,该网络通过世界各地的地面和跨洋电缆相连。

以低延迟和高传输速度安全地分发内容。

保护您的 Web 应用程序免遭常见漏洞的攻击。

借助 DDoS 保护,最大限度提高可用性和响应能力。

跨账户集中配置和管理防火墙规则。

使用 AWS 全球网络提升应用程序的可用性、性能和安全性。

Amazon CloudFront,AWS 的 CDN

CloudFront 是 Amazon 的内容分发网络(CDN)。CloudFront 用于加速基于 HTTP(S) 的 Web 应用程序,并增强其可用性和安全性。CloudFront 可用于完整网站交付、API 保护和加速、自适应视频流和软件下载等使用案例。要使用此服务,请创建 CloudFront 发行版,配置您的源(任何具有可公开访问域名的源),使用 Amazon Certificate Manager 颁发并附加有效的 TLS 证书,然后配置您的授权型 DNS 服务器,以将您的 Web 应用程序的域名指向该发行版生成的域名(xyz.cloudfront.net)。在 DNS 解析阶段,当用户导航到您的 Web 应用程序时,HTTP(S) 请求会动态路由到延迟和可用性方面最好的 CloudFront PoP。选择 PoP 后,用户将在 PoP 的服务器之一上终止 TCP 连接,包括 TLS 握手,然后发送 HTTP 请求。如果内容缓存在 CloudFront 的某个缓存层中,则请求将由 CloudFront 在本地完成。否则,请求将被转发到源。CloudFront 在其基础设施中有两层。第一层基于边缘站点,用户的连接在此被终止,第 3/4 层 DDoS 攻击得到缓解。它们提供缓存功能,如已配置,则可以执行 CloudFront Functions 并应用 WAF 规则。第二层基于托管在 AWS 区域中的区域边缘缓存。它可提供更长的缓存保留时间,提高了缓存命中率,并在配置后执行 Lambda@Edge 函数。CloudFront 会根据每个 HTTP 的性质动态地优化其对这些层的使用。例如,标记为动态的 HTTP 请求(例如,禁用缓存、POST/PUT/DELETE 请求、使用 Cache-Control 响应标头标记为不可缓存的对象的请求等)会跳过缓存层,因此从边缘站点直接发送到您的源。
最后,CloudFront 按特定顺序执行逻辑。首先,CloudFront 执行其原生安全控制(例如,TLS 策略、HTTP 到 HTTPS 重定向、地理封锁、签名 URL),然后它执行 AWS WAF WebACL 的规则(如已配置),然后它会执行边缘函数的代码(如已在查看器请求事件上配置),然后检查其缓存(如果请求可缓存),然后执行 Lambda@Edge 的代码(如已在源请求事件上配置),最后根据需要将请求转发到源。要详细了解 HTTP 请求在 CloudFront 各层中的生命周期,请观看以下 re:Invent 讲座。请注意,在录制本讲座时,CloudFront Functions 功能尚未推出。

AWS WAF 在第 7 层保护 Web 应用程序

AWS WAF 是一种 Web 应用程序防火墙,可用于保护 Web 应用程序免受应用程序级威胁。应用程序级威胁包括:

  • DDoS 攻击(例如,HTTP Floods),它旨在消耗您的应用程序资源,使其无法供合法用户使用。 
  • 试图利用应用程序级漏洞然后进行恶意活动的攻击,例如窃取数据或以未经授权的方式使用您的资源,例如比特币挖矿。 
  • 自动机器人发起的攻击,可能以不同的方式损害您的业务,例如帐户接管和内容抓取。 

要使用 AWS WAF,请在 WebACL 中创建规则,然后将其附加到需要保护的资源。全球 WebACL 可以附加到 CloudFront 发行版,区域性 WebACL 可以附加到同一区域内的资源,例如 ALB 和 API 网关。当 WAF WebACL 附加到资源时,该资源的底层服务(例如,CloudFront 或 ALB)会将 HTTP 请求的副本交给 AWS WAF 服务,以在几毫秒内评估配置的规则。根据规则评估,AWS WAF 服务指示底层服务如何处理请求(例如,阻止、转发、质询等)。请注意,AWS WAF 逻辑仅基于 HTTP 请求属性(与响应属性相对)。

新创建的 WAF WebACL 仅包含允许所有请求的默认规则,您可以向其中添加多个不同类型的规则。首先,您可以根据检查的 HTTP 请求的属性(例如,IP、标头、cookie、URL 等)创建自定义规则。也可以将规则分成规则组,以便于管理。其次,您可以添加来自 AWS 或 AWS Marketplace 供应商的托管规则,这些规则将作为可配置规则组添加到您的 WebACL 中。例如,您可以添加 AWS 托管组,例如核心规则集和匿名 IP 列表。更高级的托管规则,例如机器人控制功能和账户盗用防护,需要集成客户端 SDK。匹配时可以使用以下操作来配置规则:允许和计数(可以向上游发送标头)、屏蔽(可以使用自定义响应进行响应)、速率限制,最后使用验证码或静默质询进行质询。如果 WAF 评估已达到,则 AWS 管理规则之类的规则会发出标签,这些标签可用于后续规则的逻辑。您可以配置自己的规则来发出标签,这些标签将在 WAF 日志记录中可用。

AWS Global Accelerator,网络层的加速

AWS Global Accelerator 是一项联网服务,可使用 AWS 全球基础设施提高在线应用程序的性能、可靠性和安全性。由于 AWS Global Accelerator 在 OSI 模型的第 4 层运行,因此可与任何 TCP/UDP 应用程序一起使用。 示例使用案例包括:基于 UDP/TCP 的多人游戏、IP 语音和视频、物联网、视频采集和 FTP 上传,以及其他使用案例,例如 VPN、Git 和 AdTech 竞价。 

AWS Global Accelerator 可以部署在您的网络负载均衡器、应用程序负载均衡器、AWS EC2 实例和弹性 IP 之前,任何一个都可以作为应用程序的区域端点。要使用此服务,请创建一个加速器,该加速器提供两个全局静态任播 IPv4 地址,充当应用程序的固定入口点。使用 Global Accelerator,您可以在单个或多个 AWS 区域中存在多个应用程序端点,但它们都可以通过相同的任播 IP 地址访问。然后,您可以配置您的授权性 DNS 服务器,将 Web 应用程序的域名指向加速器的专用静态 IP。这些任播 IP 在所有 Global Accelerator PoP 上发布,用于将用户流量路由到最近的 PoP,然后通过 AWS 全球网络将其转发到区域端点。

开发人员学习资源

内容类型
Showing results: 1-9
Total results: 17
  • 优先级
  • Back to Basics: Accelerate and protect your websites using Amazon CloudFront and AWS WAF

    Internet users increasingly expect responsive web applications and APIs with lower latency and higher availability. Additionally, publicly accessible web applications and APIs are exposed to threats such as commonly occurring vulnerabilities described in the OWASP Top 10, SQL injection, automated requests, and HTTP floods (Denial of Service (DoS)) that can affect availability, compromise security, or consume excessive resources. Developers looking to keep their web application performant, resilient, and secure, introduce Amazon CloudFront‘s global edge network with AWS WAF to their hosting infrastructure. Both services protect web applications from being exposed to potential attacks and being vulnerable to unpredictable traffic spikes that impact performance and availability. In this post, you learn the basic concepts of configuring CloudFront and AWS WAF to add them to your web application technology stack.
    Blog
    2023-09-12
  • How to boost the performance and security of your dynamic websites with AWS edge services in a few steps

    Customers use AWS edge services to improve the performance and the security of their websites. In certain cases, they appreciate being able to quickly set up a Content Delivery Network (CDN) and a Web Application Firewall (WAF) to stop a DDoS attack targeting their website, or to decrease page load times. And they prefer doing this without investing time beforehand to read the service documentation and configure everything from scratch. If this resonates with you, then you should benefit from reading this post. In this post, you deploy just a few clicks, using an AWS CloudFormation template, an Amazon CloudFront distribution as a reverse proxy to your origin servers, protected by an AWS WAF WebACL. CloudFormation is a service that takes care of provisioning and configuring resources described in a YAML configuration template. CloudFront helps you accelerate your website thanks to caching when it applies, advanced internet protocols (e.g., HTTP3, TL1.3), and the AWS Global network. CloudFront natively protects your application against infrastructure DDoS attacks, and it integrates with AWS WAF to allow you to write rules for managing threats at application layer.
    Blog
    2023-09-27
  • CloudFront Hosting Toolkit

    Now with CloudFront Hosting Toolkit, you can quickly deploy well-architected front-ends on AWS while retaining full control of the underlying cloud infrastructure. CloudFront Hosting Toolkit automatically creates the required infrastructure resources in your AWS account and configures Git-based deployments to deploy applications within minutes—without the need for you to have prior AWS experience. You can take full control over the underlying AWS resources to tailor your application to your exact needs by modifying elements of the existing infrastructure rather than starting from scratch.
    Blog
    2024-06-04
  • Getting started with AWS WAF- Service Overview

    AWS WAF is a web application firewall that helps protect your applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. You can control how traffic reaches your applications based on security rules to manage bot traffic and block common attack patterns. You can deploy AWS WAF on Amazon CloudFront as part of your CDN solution, the Application Load Balancer that fronts your web servers or origin servers running on EC2, Amazon API Gateway for your REST APIs, or AWS AppSync for your GraphQL APIs. With AWS WAF, you pay only for what you use and the pricing is based on how many rules you deploy and how many web requests your application receives.
    Short Video
    2022-09-29
  • Getting started with AWS Shield Advanced

    Learn how to get started with AWS Shield, a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. Shield provides dynamic detections and automatic inline mitigations that minimize application downtime and latency. Learn more about AWS Shield - https://go.aws/3kGpNgN In this video, you’ll learn how to enable AWS Shield Advanced to get additional tailored detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and AWS Firewall Manager and AWS WAF at no additional cost for usage on resources protected by AWS Shield Advanced as described on the Shield pricing page. Shield Advanced provides a higher level of protection against attacks targeting your applications running on Amazon EC2 with associated Elastic IP addresses, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 resources. Shield Advanced also gives you 24x7 access to the AWS Shield Response Team (SRT) and cost protection against DDoS related spikes in your Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 charges.
    Short Video
    2021-11-15
  • Getting started with AWS WAF- Common Configuration Patterns

    AWS WAF is a web application firewall that helps protect your applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. You can control how traffic reaches your applications based on security rules to manage bot traffic and block common attack patterns. You can deploy AWS WAF on Amazon CloudFront as part of your CDN solution, the Application Load Balancer that fronts your web servers or origin servers running on EC2, Amazon API Gateway for your REST APIs, or AWS AppSync for your GraphQL APIs. With AWS WAF, you pay only for what you use and the pricing is based on how many rules you deploy and how many web requests your application receives.
    Short Video
    2023-02-03
  • CloudFront Foundation I

    In this workshop you will learn how to set up CloudFront, and optimize the performance of your application.
    Workshop
    2023-07-13
  • CloudFront Foundation II

    In this workshop you will learn how to improve improve the security and resilience of your application.
    Workshop
    2023-07-13
  • AWS Shield Advanced

    This workshop is part of an Immersion day about "AWS Shield Advanced" please refer to your AWS contacts to know more about this Immersion Day. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency. Since the DDoS protection is automatic, you can expect minimum engagement with AWS Support. There are two tiers of AWS Shield - Standard and Advanced. All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks. For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced. In addition to the network and transport layer protections that come with Standard, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall. AWS Shield Advanced also gives you 24x7 access to the AWS Shield Response Team (SRT) and protection against DDoS related spikes in your Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 charges.
    Workshop
    2023-12-01
1 2

此页内容对您是否有帮助?