Get started with AWS Edge Services

Hands-on tutorials and content covering the basic concepts.

AWS Edge services

An AWS Region is a physical location where AWS clusters data centers and operates regional services, like EC2 and S3. In the specific case of online applications, user traffic may traverse multiple public networks to reach a regional infrastructure. If you want to address the drawbacks of traversing uncontrolled networks in terms of performance, reliability and security, you should consider adding AWS edge services to your architecture. AWS Edge Services like Amazon CloudFront and AWS Global Accelerator operate across hundreds of Points of Presence (PoPs) distributed worldwide, outside of AWS Regions. Users are served from these PoPs within 20 to 30 milliseconds on average, and, when needed, their traffic is carried back to your regional infrastructure over the AWS global network instead of going over the public internet. The AWS Global Infrastructure is a purpose-built, highly available, and low-latency private infrastructure built on a global, fully redundant, metro fiber network that is linked via terrestrial and trans-oceanic cables across the world.

Securely deliver content with low latency and high transfer speeds.

Protect your web applications from common exploits.

Maximize application availability and responsiveness with DDoS protection.

Centrally configure and manage firewall rules across your accounts.

Improve application availability, performance, and security using the AWS global network.

Amazon CloudFront, the CDN of AWS

CloudFront is Amazon’s Content Delivery Network (CDN). CloudFront is used to accelerate HTTP(S) based web applications, and to enhance their availability and security. CloudFront can be used for use cases such as full website delivery, API protection and acceleration, adaptive video streaming, and software download. To use this service, create a CloudFront distribution, configure your origin (any origin that has a publicly accessible domain name), issue and attach a valid TLS certificate using Amazon Certificate Manager, and then configure your authoritative DNS server to point your web application’s domain name to the distribution’s generated domain name (xyz.cloudfront.net). When users navigate to your web application, the DNS resolution phase dynamically routes their HTTP(S) request to the best CloudFront PoP in terms of latency and availability. Once the PoP is selected, the user terminates the TCP connection, including the TLS handshake, on one of the PoP’s servers, and then sends the HTTP request. If the content is cached in one of CloudFront’s cache layers, the request is fulfilled locally by CloudFront. Otherwise, the request is forwarded to the origin. CloudFront has two layers in its infrastructure. The first layer consists of Edge locations, where users’ connections are terminated and layer 3/4 DDoS attacks are mitigated. Edge locations provide caching capabilities and, if configured, execute CloudFront Functions and apply WAF rules. The second layer consists of Regional Edge Caches, hosted in AWS Regions. It provides longer cache retention times, improving cache hit ratios, and executes Lambda@Edge functions when configured. CloudFront dynamically optimizes the use of these layers for each HTTP request depending on its nature. For example, HTTP requests tagged as dynamic (e.g. caching disabled, POST/PUT/DELETE requests, requests for objects tagged as non-cacheable using the Cache-Control response header, etc.) skip the caching layers, and as a result are sent from Edge locations directly to your origin.

Finally, CloudFront executes logic in a specific order. First, CloudFront executes its native security controls (e.g. TLS policy, HTTP to HTTPS redirection, Geoblocking, Signed URLs); then it executes the rules of an AWS WAF WebACL if configured; then it executes the code of an edge function if configured on the viewer request event; then it checks its cache if the request is cacheable; then it executes the code of Lambda@Edge if configured on the origin request event; and finally it forwards the request to the origin if needed. To learn more about the lifecycle of an HTTP request within the layers of CloudFront, watch the following re:Invent talk. Note that the CloudFront Functions feature had not been launched at the time of recording this talk.

AWS WAF to protect web applications at layer 7

AWS WAF is a Web Application Firewall that can be used to protect web applications from application-level threats. Application-level threats include:

  • DDoS attacks (e.g. HTTP floods) that aim at consuming your application resources, to make it unavailable to legitimate users.
  • Attacks that try to exploit application-level vulnerabilities, and then conduct malicious activities, such as stealing data or using your resources in an unauthorized way, such as bitcoin mining.
  • Attacks conducted by automated bots that can harm your business in different ways, such as account takeover and content scraping.

To use AWS WAF, create rules in a WebACL, then attach it to the resources that need protection. A global WebACL can be attached to CloudFront distributions, and regional WebACLs can be attached to resources within the same region, such as ALBs and API Gateways. When a WAF WebACL is attached to a resource, the underlying service of the resource (e.g. CloudFront or ALB) hands off a copy of the HTTP request to the AWS WAF service, which evaluates the configured rules within single-digit milliseconds. Based on the rule evaluation, the AWS WAF service instructs the underlying service how to process the request (e.g. block, forward, challenge, etc.). Note that AWS WAF logic is based solely on HTTP request attributes (not response attributes).

A newly created WAF WebACL contains only a default rule allowing all requests, to which you can add multiple rules of different types. First, you can create custom rules based on the attributes (e.g. IP, headers, cookies, URL, etc.) of the inspected HTTP request. Rules can also be grouped into rule groups to facilitate their management. Second, you can add Managed Rules from AWS or from vendors on the AWS Marketplace, which are added as configurable rule groups to your WebACL. For example, you can add AWS Managed Rule Groups such as the Core Rule Set and the Anonymous IP list. More advanced managed rules, such as Bot Control and Account Takeover Prevention, require client-side SDK integration. Rules can be configured with the following actions on match: Allow and Count (with the possibility to send headers upstream), Block (with the possibility to respond with a custom response), Rate limit, and finally Challenge using CAPTCHA or silent challenges. Rules, such as AWS Managed Rules, emit labels that can be used in the logic of subsequent rules if those rules are reached by the WAF evaluation. You can configure your own rules to emit labels, which are then available in WAF log records.
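As an added example (not code from this page or from AWS), the WebACL just described expressed in the shape boto3's `wafv2.create_web_acl` accepts: a default allow, two AWS managed rule groups (one in Count mode so it only emits labels), a label-match rule that challenges on one of those labels, and a rate-based rule with a custom 429 block response. The rule names, metric names and rate limit are constructed; the managed group names and label namespaces are the ones AWS documents for those groups. The `dangling_label_matches` check catches the ordering mistake the text warns about: a label is only visible to rules evaluated after the rule that emitted it.

```python
# Label namespaces emitted by the two AWS managed rule groups used below (as AWS documents them).
MANAGED_LABEL_NAMESPACES = {
    "AWSManagedRulesCommonRuleSet": "awswaf:managed:aws:core-rule-set:",
    "AWSManagedRulesAnonymousIpList": "awswaf:managed:aws:anonymous-ip-list:",
}

def visibility(metric_name):  # required on every rule and on the WebACL itself
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric_name}

def managed_group(name, group, priority, override):
    # OverrideAction "None" keeps the group's own actions; "Count" only emits labels and metrics.
    return {"Name": name, "Priority": priority, "OverrideAction": {override: {}},
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}},
            "VisibilityConfig": visibility(name)}

def build_web_acl(name="edge-webacl", rate_limit=2000):
    """Global (CLOUDFRONT scope) WebACL; deploy: boto3.client("wafv2", region_name="us-east-1").create_web_acl(**acl)."""
    return {
        "Name": name, "Scope": "CLOUDFRONT", "DefaultAction": {"Allow": {}},
        "VisibilityConfig": visibility(name),
        "Rules": [
            managed_group("CoreRuleSet", "AWSManagedRulesCommonRuleSet", 0, "None"),
            managed_group("AnonymousIpList", "AWSManagedRulesAnonymousIpList", 1, "Count"),
            {"Name": "ChallengeAnonymousIp", "Priority": 2,  # acts on the counted group's label
             "Statement": {"LabelMatchStatement": {"Scope": "LABEL",
                           "Key": "awswaf:managed:aws:anonymous-ip-list:AnonymousIPList"}},
             "Action": {"Challenge": {}}, "VisibilityConfig": visibility("ChallengeAnonymousIp")},
            {"Name": "RateLimitPerIp", "Priority": 3,  # rate-based rule, custom 429 block response
             "Statement": {"RateBasedStatement": {"Limit": rate_limit, "AggregateKeyType": "IP"}},
             "Action": {"Block": {"CustomResponse": {"ResponseCode": 429}}},
             "RuleLabels": [{"Name": "custom:rate-limited"}],  # custom label, recorded in WAF logs
             "VisibilityConfig": visibility("RateLimitPerIp")},
        ],
    }

def dangling_label_matches(acl):
    """Names of LabelMatch rules whose label no earlier-priority rule emits (they can never match)."""
    labels, prefixes, dangling = set(), [], []
    for rule in sorted(acl["Rules"], key=lambda r: r["Priority"]):
        stmt = rule["Statement"]
        if "LabelMatchStatement" in stmt:
            key = stmt["LabelMatchStatement"]["Key"]
            if key not in labels and not any(key.startswith(p) for p in prefixes):
                dangling.append(rule["Name"])
        labels.update(lbl["Name"] for lbl in rule.get("RuleLabels", []))
        group = stmt.get("ManagedRuleGroupStatement", {}).get("Name")
        if group in MANAGED_LABEL_NAMESPACES:
            prefixes.append(MANAGED_LABEL_NAMESPACES[group])
    return dangling
```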

AWS Global Accelerator, an acceleration at network level

AWS Global Accelerator is a networking service that improves the performance, reliability and security of your online applications using the AWS Global Infrastructure. Since AWS Global Accelerator operates at layer 4 of the OSI model, it can be used with any TCP/UDP application. Example use cases include UDP/TCP-based multiplayer gaming, Voice and Video over IP, IoT, video ingest and FTP uploads, and other use cases such as VPN, Git, and AdTech bidding.

AWS Global Accelerator can be deployed in front of your Network Load Balancers, Application Load Balancers, AWS EC2 instances, and Elastic IPs, any of which could serve as regional endpoints for your application. To use this service, create an accelerator, which provides two global static anycast IPv4 addresses that act as a fixed entry point to your application. With Global Accelerator, you can have multiple application endpoints in a single AWS Region or in multiple AWS Regions, all reachable through the same anycast IP addresses. You then configure your authoritative DNS server to point your web application’s domain name to the accelerator’s dedicated static IPs. These anycast IPs are announced from all Global Accelerator PoPs, so user traffic is routed to the nearest PoP and then forwarded to the regional endpoint over the AWS global network.

Developer learning resources

  • Back to Basics: Accelerate and protect your websites using Amazon CloudFront and AWS WAF

    Internet users increasingly expect responsive web applications and APIs with lower latency and higher availability. Additionally, publicly accessible web applications and APIs are exposed to threats such as commonly occurring vulnerabilities described in the OWASP Top 10, SQL injection, automated requests, and HTTP floods (Denial of Service (DoS)) that can affect availability, compromise security, or consume excessive resources. Developers looking to keep their web application performant, resilient, and secure introduce Amazon CloudFront’s global edge network with AWS WAF to their hosting infrastructure. Both services protect web applications from being exposed to potential attacks and being vulnerable to unpredictable traffic spikes that impact performance and availability. In this post, you learn the basic concepts of configuring CloudFront and AWS WAF to add them to your web application technology stack.
    Blog
    2023-09-12
  • How to boost the performance and security of your dynamic websites with AWS edge services in a few steps

    Customers use AWS edge services to improve the performance and the security of their websites. In certain cases, they appreciate being able to quickly set up a Content Delivery Network (CDN) and a Web Application Firewall (WAF) to stop a DDoS attack targeting their website, or to decrease page load times. And they prefer doing this without investing time beforehand to read the service documentation and configure everything from scratch. If this resonates with you, then you should benefit from reading this post. In this post, you deploy, in just a few clicks and using an AWS CloudFormation template, an Amazon CloudFront distribution as a reverse proxy to your origin servers, protected by an AWS WAF WebACL. CloudFormation is a service that takes care of provisioning and configuring resources described in a YAML configuration template. CloudFront helps you accelerate your website thanks to caching when it applies, advanced internet protocols (e.g., HTTP/3, TLS 1.3), and the AWS Global network. CloudFront natively protects your application against infrastructure DDoS attacks, and it integrates with AWS WAF to allow you to write rules for managing threats at the application layer.
    Blog
    2023-09-27
  • CloudFront Hosting Toolkit

    Now with CloudFront Hosting Toolkit, you can quickly deploy well-architected front-ends on AWS while retaining full control of the underlying cloud infrastructure. CloudFront Hosting Toolkit automatically creates the required infrastructure resources in your AWS account and configures Git-based deployments to deploy applications within minutes—without the need for you to have prior AWS experience. You can take full control over the underlying AWS resources to tailor your application to your exact needs by modifying elements of the existing infrastructure rather than starting from scratch.
    Blog
    2024-06-04
  • Getting started with AWS WAF - Service Overview

    AWS WAF is a web application firewall that helps protect your applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. You can control how traffic reaches your applications based on security rules to manage bot traffic and block common attack patterns. You can deploy AWS WAF on Amazon CloudFront as part of your CDN solution, the Application Load Balancer that fronts your web servers or origin servers running on EC2, Amazon API Gateway for your REST APIs, or AWS AppSync for your GraphQL APIs. With AWS WAF, you pay only for what you use and the pricing is based on how many rules you deploy and how many web requests your application receives.
    Short Video
    2022-09-29
  • Getting started with AWS Shield Advanced

    Learn how to get started with AWS Shield, a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. Shield provides dynamic detections and automatic inline mitigations that minimize application downtime and latency. Learn more about AWS Shield - https://go.aws/3kGpNgN. In this video, you’ll learn how to enable AWS Shield Advanced to get additional tailored detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and AWS Firewall Manager and AWS WAF at no additional cost for usage on resources protected by AWS Shield Advanced, as described on the Shield pricing page. Shield Advanced provides a higher level of protection against attacks targeting your applications running on Amazon EC2 with associated Elastic IP addresses, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 resources. Shield Advanced also gives you 24x7 access to the AWS Shield Response Team (SRT) and cost protection against DDoS-related spikes in your Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 charges.
    Short Video
    2021-11-15
  • Getting started with AWS WAF - Common Configuration Patterns

    AWS WAF is a web application firewall that helps protect your applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. You can control how traffic reaches your applications based on security rules to manage bot traffic and block common attack patterns. You can deploy AWS WAF on Amazon CloudFront as part of your CDN solution, the Application Load Balancer that fronts your web servers or origin servers running on EC2, Amazon API Gateway for your REST APIs, or AWS AppSync for your GraphQL APIs. With AWS WAF, you pay only for what you use and the pricing is based on how many rules you deploy and how many web requests your application receives.
    Short Video
    2023-02-03
  • CloudFront Foundation I

    In this workshop you will learn how to set up CloudFront, and optimize the performance of your application.
    Workshop
    2023-07-13
  • CloudFront Foundation II

    In this workshop you will learn how to improve the security and resilience of your application.
    Workshop
    2023-07-13
  • AWS Shield Advanced

    This workshop is part of an Immersion Day about "AWS Shield Advanced"; please refer to your AWS contacts to know more about this Immersion Day. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency. Since the DDoS protection is automatic, you can expect minimum engagement with AWS Support. There are two tiers of AWS Shield - Standard and Advanced. All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge. AWS Shield Standard defends against the most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks. For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced. In addition to the network and transport layer protections that come with Standard, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall. AWS Shield Advanced also gives you 24x7 access to the AWS Shield Response Team (SRT) and protection against DDoS-related spikes in your Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 charges.
    Workshop
    2023-12-01