AWS Webcast - Using Amazon CloudFront to Protect Your Content Delivery

Using Amazon CloudFront to
Protect Your Content Delivery
Geo Restriction, Private Content, and Custom SSL Certificates

Nihar Bihani, Sr. Product Manager
Calin Nemes, Support Engineer
© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.

About Amazon CloudFront
Global availability, performance and scalability

Cost-effective and easy to use
Deliver all of your content securely


Industry Leading Availability
Global Availability*
100
99.5

99
98.5
98

97.5
97

Cloudfront

CDN C

CDN D

CDN A

CDN B

*Data from Cedexis, Last 30 Days, Availability measured over All Cedexis Regions. 12/30/13

CloudFront Top Tier Performance
95th Percentile
75th Percentile

25th Percentile
10th Percentile

*Data from Cedexis, Last 30 Days, Response Time Measure of the United States. 11/12/13

Competitive, Flexible Pricing
Data Transfer
Economies of Scale

On-demand, pay for use
pricing

Price per GB

Same pricing for Static and
Dynamic Content
Preferential Origin Fetch
Pricing for AWS Origins
Data Transfer Volume
Public Rates

Private Rates

Commitment based private
pricing


CloudFront’s Global Presence
Americas
Atlanta, GA
Ashburn, VA (3)
Dallas/Fort Worth, TX (2)
Hayward, CA
Jacksonville, FL
Los Angeles, CA (2)
Miami, FL
New York, NY (3)
Newark, NJ
Palo Alto, CA
San Jose, CA
Seattle, WA
South Bend, IN
St. Louis, MO
Rio de Janeiro, Brazil
São Paulo, Brazil

Europe

Asia

Australia

Amsterdam, The
Netherlands (2)
Dublin, Ireland
Frankfurt, Germany (3)
London, England (3)
Madrid, Spain
Marseille, France
Milan, Italy
Paris, France (2)
Stockholm, Sweden
Warsaw, Poland

Chennai, India
Hong Kong, China (2)
Mumbai, India
Manila, the Philippines
Osaka, Japan
Seoul, Korea
Singapore (2)
Taipei, Taiwan
Tokyo, Japan (2)

Sydney


CloudFront’s Global Customer Reach

9 Regions

46 Edge Locations
Edge Location
AWS Region

http://aws.amazon.com/about-aws/globalinfrastructure/

Popular CloudFront Features
Live and Video on Demand
RTMP (Flash) and HTTP(S) delivery
Adaptive Bitrate Streaming
Security
Private Content
Custom SSL Support
Geo Restriction
Identity and Access Management (IAM)
Content Management
AWS Management Console
Full control via APIs
Programmatic Invalidation
Industry-compliant, detailed
Access Logs

Dynamic Content Acceleration
Low Minimum Content Expiration Periods
(TTL=0)
Multiple Cache Behaviors
Multiple Origin Servers
Origin Connection Protocol
Viewer Connection Protocol
Zone Apex Support
Query String & Cookie Support
Put/Post HTTP Verb Support
Price Flexibility
Pay for Use
Price Classes
Reserved Capacity Private Pricing


8

Deliver All of Your Content
SSL

User
Input

Dynamic
Static

Video


Simple, Yet Powerful
Architecture

Dynamic Content
OR

Amazon CloudFront
example.com

Elastic Load
Balancing

Amazon EC2

Custom Origin

Static Content
OR
Amazon S3

Custom Origin


CloudFront Security Features
AWS Identity and Access Management (IAM)

HTTPS Delivery
Private Content
Geo-Restriction

Regulate access to CloudFront APIs
Create policies to describe user role or permissions
Create an IAM policy using the AWS Management Console

Example Scenarios:
• Limit who can submit invalidation requests
• Just read access to your distribution


Example 1: Allow a group read and write access to all of resources
owned by the account

Example 2: Allow a group read and write access to all distributions
owned by the account


HTTPS Delivery


HTTPS Delivery
Configure CloudFront one of two ways:
• Accept both HTTP or HTTPS connections
• Accept only HTTPS connections

HTTPS allows transfer over encrypted connection
CloudFront forwards HTTPS requests to origin..
• Over SSLv3 or TLSv1 protocols
• Supports AES128-SHA1 or RC4-MD5 ciphers
• Includes a Server Name Indication (SNI) extension


HTTPS Delivery
Two ways you can implement SSL with CloudFront:

Half Bridge SSL termination
CloudFront

Full Bridge SSL termination

Region


HTTPS Delivery
Half Bridge SSL termination - HTTPS only from Viewer
to CloudFront

Use CloudFront Viewer Protocol Policy
HTTP

Region


HTTPS Delivery
Why use Half Bridge SSL Termination?
Better Performance By Leveraging HTTP Connections To Origin
CloudFront

HTTP


HTTPS Delivery
Full Bridge SSL Termination - HTTPS from Viewer to
CloudFront and from CloudFront to Origin.

Use CloudFront Origin Protocol Policy

HTTPS

Region


HTTPS Delivery
CloudFront provides two options for delivery over SSL

Using Default CloudFront SSL Domain Name
• e.g. d123.cloudfront.net

Using a Custom SSL Domain Name
• e.g. www.mysite.com


HTTPS Delivery
Using a Custom SSL Domain Name
You bring your own custom SSL certificate
No restrictions on the type of certificate: EV certificates, Wildcard certificates, SAN
certificate, etc.

You get a dedicated set of IP addresses at each of our edge locations worldwide
Use your own domain name in the URLs for objects delivered via CloudFront
(https://www.example.com/image.jpg)

Benefits:
High Performance – use of all edge locations
High Security – your own certificate (vs. shared cert)
High Availability – full browser support


HTTPS Delivery
Getting started with using your own SSL certificate on CloudFront:
1.

You upload your own SSL certificate to AWS IAM.

2.

Request access to this feature by submitting this form:
http://aws.amazon.com/cloudfront/custom-ssl-domains/

3.

Once approved by AWS, you can associate your SSL certificate to one or more
CloudFront distributions.

4.

Start using your own domain name (e.g. mysite.com) in your HTTPS URLs
delivered via CloudFront.


Serving Private Content


Private Content
Deliver your content ONLY to authorized viewers

Two ways to control end user access:
• Origin Access Identity (OAI) to restrict direct access to objects in
Amazon S3.
• Signed URLs to restrict access to objects at the CloudFront
edge.


Private Content
Origin Access Identify (OAI)
• Ensure customers don’t have direct access to your Amazon S3
origin bucket.
• Ensure performance benefits to all customers.
• Protects origin from overload.

Region

Access Denied


Private Content
Signed URLs prevent unauthorized access to objects at the
CloudFront edge.

Programmatically create access control policies to define how your
content can be accessed.
For example, allow access…
• only until certain date or time
• only to users who have paid a fee
• only from certain IP addresses

Access Denied

Region


Private Content
Here is an example of a policy statement for signed URLs

More Information:

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html

(Find sample code to create URL signature in Perl, PHP, C# and .NET, Java)


Geo-Restriction


Geo-Restriction
Restrict access to your content based on the location
(country) of your users.
Configure a whitelist or a blacklist.
CloudFront returns an HTTP status code of 403
(forbidden) to the user.


Geo-Restriction
Scenarios:
Online video publishers can distribute videos only in the
country where they have distribution rights.
• e.g. use a whitelist of geo-locations

Software distributors can prevent download of their software
in countries with licensing regulations.
• e.g. use a blacklist of geo-locations


Configuring Custom Error Responses
Show a user friendly message in case of an Error.
Configure a custom page and a custom response code
for each error.
An error could be:
• Object not found
• Unauthorized user access
• ..or any other 4xx or 5xx HTTP error


Custom Error Responses
Performance considerations:
• Set “Error Caching Minimum TTL” to cache the error response.

• CloudFront responds with error page for the duration of the TTL.
• Setting the TTL too low would increase origin load.


Demo


Questions

http://aws.amazon.com/cloudfront
@cloudfront


AWS Webcast - Using Amazon CloudFront to Protect Your Content Delivery

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (19)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

AWS Webcast - Using Amazon CloudFront to Protect Your Content Delivery