AWS Edge services
Securely deliver content with low latency and high transfer speeds.
Protect your web applications from common exploits.
Maximize application availability and responsiveness with DDoS protection.
Centrally configure and manage firewall rules across your accounts.
Improve application availability, performance, and security using the AWS global network.
Amazon CloudFront, the CDN of AWS
AWS WAF to protect web applications at layer 7
AWS WAF is a Web Application Firewall that can be used to protect web applications from application-level threats. Aapplication-level threats include:
- DDoS attacks (e.g. HTTP Floods) that aim at consuming your application resources, to make it un available to legitimate users.
- Attacks that try to exploit application level vulnerabilities, and then conduct malicious activieris, such as stealing data or using your resources in un-authorized way such as bitcoin mining.
- Attacks conducted by automated bots that can harm your business in different ways such as account takeover and content scraping.
To use AWS WAF, create rules in a WebACL then attach it to resources that need protection. Global WebACL can be attached to CloudFront distributions, and regional WebACls can be attached to resources withing the same region, such as ALBs and API Gateways. When a WAF WebACL is attached to a resource, the underlying service of the resource (e.g. CloudFront or ALB) hands off a copy of the HTTP request to the AWS WAF service to evaluate configured rules within a single digit millisecond. Based on the rule evaluation, AWS WAF service instructs the underlying service how to process the request (e.g. Block, forward, challenge, etc..). Note that AWS WAF logic is solely based on HTTP request attributes (vs response attributes).
A newly created WAF WebACL only contains a default rule allowing all requests, to which you can add multiple rules of different types. First, you can create custom rules based on the attributes (e.g. IP, headers, cookies, URL, etc..) of the inspected HTTP request. Rules can also be grouped into rule groups to facilitate their management. Second, you can add Managed Rules from AWS or from vendors on the AWS Marketplace, which are added as configurable rule groups to your WebACL. For example, you can add AWS Managed Groups such as Core Rule Set and Anonymous IP list. More advanced managed rules, such as Bot Control and Account Takeover Prevention require client-side SDK integration. Rules can be configured with the following actions when matching: Allow and Count (with the possibility to send headers upstream), Block (with the possibility to respond with a custom response), Rate limit and finally challenge using CAPTCHA or silent challenges. Rules, such as AWS Managed Rules, emit Labels that could be used in the logic of subsequent rules if reached by the WAF evaluation. You can configure your own rules to emit labels, that will be available in WAF log records.
AWS Global Accelerator, an acceleration at network level
AWS Global Accelerator is a networking service that improves the performance, reliability and security of your online applications using AWS Global Infrastructure. Since AWS Global Accelerator operates at layer 4 of the OSI model, it can be used with any TCP/UDP application. Example use cases include: UDP/TCP based Multi-player gaming, Voice and Video over IP, IoT, Video ingest and FTP uploads, and other use cases such as VPN, Git, and AdTech bidding.
AWS Global Accelerator can be deployed in front of your Network Load Balancers, Application Load Balancers, AWS EC2 instances, and Elastic IPs, any of which could serve as regional endpoints for your application. To use this service, create an accelerator, which provides two global static anycast IPv4 addresses that act as a fixed entry point to your application. With Global Accelerator, you can have multiple application endpoints present in single or multiple AWS Regions but they can all be accessed by the same anycast IP address. You then configure your authoritative DNS server to point your web application’s domain name to the accelerator’s dedicated static IPs. These anycast IPs are announced across all Global Accelerator PoPs to route user traffic to the nearest PoP, and then forward them to the regional endpoint over the AWS global network.