1. Using Amazon CloudFront to Protect Your Content Delivery
Geo Restriction, Private Content, and Custom SSL Certificates
Nihar Bihani, Sr. Product Manager
Calin Nemes, Support Engineer
© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
2. About Amazon CloudFront
Global availability, performance and scalability
Cost-effective and easy to use
Deliver all of your content securely
3. Industry Leading Availability
[Chart: Global Availability (%), y-axis from 97 to 100, comparing CloudFront with CDN A, CDN B, CDN C and CDN D]
*Data from Cedexis, Last 30 Days, Availability measured over All Cedexis Regions. 12/30/13
4. CloudFront Top Tier Performance
[Chart: response time at the 95th, 75th, 25th and 10th percentiles]
*Data from Cedexis, Last 30 Days, Response Time Measure of the United States. 11/12/13
5. Competitive, Flexible Pricing
Data Transfer
• On-demand, pay-for-use pricing
• Price per GB
• Same pricing for static and dynamic content
• Preferential origin fetch pricing for AWS origins
Economies of Scale
• [Chart: price per GB against data transfer volume, public rates and private rates]
• Commitment-based private pricing
6. CloudFront’s Global Presence
Americas: Atlanta, GA; Ashburn, VA (3); Dallas/Fort Worth, TX (2); Hayward, CA; Jacksonville, FL; Los Angeles, CA (2); Miami, FL; New York, NY (3); Newark, NJ; Palo Alto, CA; San Jose, CA; Seattle, WA; South Bend, IN; St. Louis, MO; Rio de Janeiro, Brazil; São Paulo, Brazil
Europe: Amsterdam, The Netherlands (2); Dublin, Ireland; Frankfurt, Germany (3); London, England (3); Madrid, Spain; Marseille, France; Milan, Italy; Paris, France (2); Stockholm, Sweden; Warsaw, Poland
Asia: Chennai, India; Hong Kong, China (2); Mumbai, India; Manila, the Philippines; Osaka, Japan; Seoul, Korea; Singapore (2); Taipei, Taiwan; Tokyo, Japan (2)
Australia: Sydney
7. CloudFront’s Global Customer Reach
[Map: 9 AWS Regions and 46 Edge Locations]
http://aws.amazon.com/about-aws/globalinfrastructure/
8. Popular CloudFront Features
Live and Video on Demand: RTMP (Flash) and HTTP(S) delivery; Adaptive Bitrate Streaming
Security: Private Content; Custom SSL Support; Geo Restriction; Identity and Access Management (IAM)
Content Management: AWS Management Console; Full control via APIs; Programmatic Invalidation; Industry-compliant, detailed Access Logs
Dynamic Content Acceleration: Low Minimum Content Expiration Periods (TTL=0); Multiple Cache Behaviors; Multiple Origin Servers; Origin Connection Protocol; Viewer Connection Protocol; Zone Apex Support; Query String & Cookie Support; Put/Post HTTP Verb Support
Price Flexibility: Pay for Use; Price Classes; Reserved Capacity Private Pricing
9. Deliver All of Your Content
[Diagram: CloudFront delivering SSL, user input, dynamic, static and video content]
10. Simple, Yet Powerful Architecture
[Diagram: example.com served by Amazon CloudFront. Dynamic content comes from Elastic Load Balancing and Amazon EC2, or from a custom origin; static content comes from Amazon S3, or from a custom origin.]
11.
12. CloudFront Security Features
AWS Identity and Access Management (IAM)
HTTPS Delivery
Private Content
Geo-Restriction
13. AWS Identity and Access Management (IAM)
14. AWS Identity and Access Management (IAM)
Regulate access to CloudFront APIs
Create policies to describe user role or permissions
Create an IAM policy using the AWS Management Console
Example Scenarios:
• Limit who can submit invalidation requests
• Read-only access to your distributions
15. AWS Identity and Access Management (IAM)
Example 1: Allow a group read and write access to all resources owned by the account
Example 2: Allow a group read and write access to all distributions owned by the account
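The two scenarios on the previous slide as a concrete policy document. This is an added example, not a policy taken from the deck: one IAM policy with two statements. Attach the first statement alone to a group that should only read distribution configuration, and both statements to the group that is allowed to submit invalidations. The Sid names are arbitrary, and Resource is "*" because CloudFront actions had to be granted account-wide at the time of this webcast; narrow it to distribution ARNs where the action now supports resource-level permissions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadDistributionsOnly",
      "Effect": "Allow",
      "Action": [
        "cloudfront:Get*",
        "cloudfront:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SubmitInvalidations",
      "Effect": "Allow",
      "Action": "cloudfront:CreateInvalidation",
      "Resource": "*"
    }
  ]
}
```

Attach it with aws iam put-group-policy --group-name GROUP --policy-name cloudfront-ops --policy-document file://policy.json, then check the boundary from a member's credentials: aws cloudfront list-distributions succeeds, aws cloudfront update-distribution is refused with AccessDenied. Nothing here grants IAM or S3 rights, so a user who can invalidate still cannot change origins or read the bucket.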
16. HTTPS Delivery
17. HTTPS Delivery
Configure CloudFront one of two ways:
• Accept both HTTP and HTTPS connections
• Accept only HTTPS connections
HTTPS allows transfer over an encrypted connection.
CloudFront forwards HTTPS requests to the origin:
• Over the SSLv3 or TLSv1 protocols
• Using the AES128-SHA1 or RC4-MD5 cipher suites
• With a Server Name Indication (SNI) extension
These were the origin-side options at the time of this webcast; SSLv3 and RC4 have since been deprecated by the IETF, so check what your distribution actually negotiates rather than relying on this list.
18. HTTPS Delivery
Two ways you can implement SSL with CloudFront:
• Half Bridge SSL termination
• Full Bridge SSL termination
19. HTTPS Delivery
Half Bridge SSL termination - HTTPS only from the viewer to CloudFront; CloudFront connects to the origin over HTTP.
Use the CloudFront Viewer Protocol Policy.
20. HTTPS Delivery
Why use Half Bridge SSL Termination?
Better performance by leveraging plain HTTP connections to the origin.
The trade-off is that the CloudFront-to-origin leg is unencrypted, so this fits public content or a trusted origin path, not private content.
21. HTTPS Delivery
Full Bridge SSL Termination - HTTPS from the viewer to CloudFront and from CloudFront to the origin.
Use the CloudFront Origin Protocol Policy.
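The two policies named on the half- and full-bridge slides as they appear in a distribution configuration, set here for full bridge. This is an added example, not configuration from the deck: only the keys relevant to the protocol policies are shown, a real UpdateDistribution call needs the remaining required fields, and the origin host origin.example.com and origin Id app-origin are placeholders.

```json
{
  "Origins": {
    "Quantity": 1,
    "Items": [
      {
        "Id": "app-origin",
        "DomainName": "origin.example.com",
        "CustomOriginConfig": {
          "HTTPPort": 80,
          "HTTPSPort": 443,
          "OriginProtocolPolicy": "https-only"
        }
      }
    ]
  },
  "DefaultCacheBehavior": {
    "TargetOriginId": "app-origin",
    "ViewerProtocolPolicy": "https-only"
  }
}
```

ViewerProtocolPolicy "allow-all" is the weak setting: it accepts plaintext viewers. For half bridge, keep ViewerProtocolPolicy at "https-only" and set OriginProtocolPolicy to "http-only" ("match-viewer" is the third value, which mirrors whatever the viewer used). With "https-only" to the origin, CloudFront validates the origin certificate: it must chain to a trusted CA and match the origin DomainName, otherwise viewers receive a 502 from CloudFront, so test the origin leg with a TLS client that checks the chain before switching the policy.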
22. HTTPS Delivery
CloudFront provides two options for delivery over SSL
Using Default CloudFront SSL Domain Name
• e.g. d123.cloudfront.net
Using a Custom SSL Domain Name
• e.g. www.mysite.com
23. HTTPS Delivery
Using a Custom SSL Domain Name
You bring your own custom SSL certificate
No restrictions on the type of certificate: EV certificates, Wildcard certificates, SAN certificates, etc.
You get a dedicated set of IP addresses at each of our edge locations worldwide
Use your own domain name in the URLs for objects delivered via CloudFront
(https://www.example.com/image.jpg)
Benefits:
High Performance – use of all edge locations
High Security – your own certificate (vs. shared cert)
High Availability – full browser support
24. HTTPS Delivery
Getting started with using your own SSL certificate on CloudFront:
1. You upload your own SSL certificate to AWS IAM.
2. Request access to this feature by submitting this form: http://aws.amazon.com/cloudfront/custom-ssl-domains/
3. Once approved by AWS, you can associate your SSL certificate with one or more CloudFront distributions.
4. Start using your own domain name (e.g. mysite.com) in your HTTPS URLs delivered via CloudFront.
25. Serving Private Content
26. Private Content
Deliver your content ONLY to authorized viewers
Two ways to control end user access:
• Origin Access Identity (OAI) to restrict direct access to objects in Amazon S3.
• Signed URLs to restrict access to objects at the CloudFront edge.
27. Private Content
Origin Access Identity (OAI)
• Ensures your customers don't have direct access to your Amazon S3 origin bucket: requests that bypass CloudFront and go to the bucket get Access Denied.
• Ensures performance benefits to all customers.
• Protects the origin from overload.
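The bucket side of the OAI setup described above, as an added example that is not from the deck. The identity ID E1EXAMPLEOAI and the bucket name example-private-content are placeholders; the principal format is the one S3 expects for an origin access identity.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontOAIRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLEOAI"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-private-content/*"
    }
  ]
}
```

The distribution's S3 origin must reference the same identity, via "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/E1EXAMPLEOAI"}. The check that matters afterwards: remove any public-read bucket or object ACLs and any statement with Principal "*", because those grant direct access regardless of the OAI, and confirm with an unauthenticated GET against the bucket URL that you get 403 while the same object is served through the distribution. An OAI only works against the S3 REST endpoint, not an S3 website endpoint.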
28. Private Content
Signed URLs prevent unauthorized access to objects at the CloudFront edge.
Programmatically create access control policies to define how your content can be accessed.
For example, allow access…
• only until a certain date or time
• only to users who have paid a fee
• only from certain IP addresses
29. Private Content
Here is an example of a policy statement for signed URLs
More Information:
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html
(Find sample code to create URL signature in Perl, PHP, C# and .NET, Java)
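The signing procedure the linked sample code implements, as an added Go example that is neither the deck's nor AWS's own code: NewPolicy builds the custom policy statement, SignURL signs it with RSA-SHA1 and appends the Policy, Signature and Key-Pair-Id query parameters the way CloudFront expects them, and VerifyURL performs the checks a CloudFront edge performs (signature, Resource match, expiry, source IP) so that what the policy actually enforces is visible. The distribution d111111abcdef8.cloudfront.net, the Key-Pair-Id APKAEXAMPLE and the 203.0.113.0/24 client range are hypothetical, a freshly generated RSA key stands in for the CloudFront key pair, and the resource URL is assumed to carry no query string of its own.

```go
// Added example (not AWS sample code): build, sign and verify a CloudFront
// signed URL with a custom policy, using only the Go standard library.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net"
	"net/url"
	"strings"
	"time"
)

// Policy mirrors the custom-policy JSON that CloudFront evaluates at the edge.
type Policy struct{ Statement []Statement `json:"Statement"` }
type Statement struct {
	Resource  string    `json:"Resource"`
	Condition Condition `json:"Condition"`
}
type Condition struct {
	DateLessThan EpochTime `json:"DateLessThan"`
	IPAddress    *SourceIP `json:"IpAddress,omitempty"`
}
type EpochTime struct{ AWSEpochTime int64 `json:"AWS:EpochTime"` }
type SourceIP struct{ AWSSourceIP string `json:"AWS:SourceIp"` }

// NewPolicy allows resource until expires, optionally only from cidr.
func NewPolicy(resource string, expires time.Time, cidr string) Policy {
	c := Condition{DateLessThan: EpochTime{expires.Unix()}}
	if cidr != "" {
		c.IPAddress = &SourceIP{cidr}
	}
	return Policy{Statement: []Statement{{Resource: resource, Condition: c}}}
}

// cfEncode and cfDecode apply CloudFront's URL-safe substitutions to base64.
func cfEncode(b []byte) string {
	return strings.NewReplacer("+", "-", "=", "_", "/", "~").Replace(base64.StdEncoding.EncodeToString(b))
}
func cfDecode(s string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(strings.NewReplacer("-", "+", "_", "=", "~", "/").Replace(s))
}

// SignURL appends Policy, Signature (RSA-SHA1 over the exact compact policy
// bytes that travel in the URL) and Key-Pair-Id to resource (no query of its own).
func SignURL(resource string, pol Policy, key *rsa.PrivateKey, keyPairID string) (string, error) {
	raw, err := json.Marshal(pol)
	if err != nil {
		return "", err
	}
	digest := sha1.Sum(raw)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	// cfEncode output is [A-Za-z0-9-_~], so nothing needs further escaping.
	return resource + "?Policy=" + cfEncode(raw) + "&Signature=" + cfEncode(sig) + "&Key-Pair-Id=" + keyPairID, nil
}

// VerifyURL performs the edge's checks: signature under the trusted signer's
// key, URL equal to Resource (CloudFront also allows * and ? wildcards),
// request time before DateLessThan, and client IP inside AWS:SourceIp.
func VerifyURL(signed string, pub *rsa.PublicKey, now time.Time, clientIP string) error {
	u, err := url.Parse(signed)
	if err != nil {
		return err
	}
	raw, errP := cfDecode(u.Query().Get("Policy"))
	sig, errS := cfDecode(u.Query().Get("Signature"))
	if errP != nil || errS != nil {
		return errors.New("malformed Policy or Signature parameter")
	}
	if d := sha1.Sum(raw); rsa.VerifyPKCS1v15(pub, crypto.SHA1, d[:], sig) != nil {
		return errors.New("signature does not verify")
	}
	var pol Policy
	if json.Unmarshal(raw, &pol) != nil || len(pol.Statement) != 1 {
		return errors.New("malformed policy")
	}
	st := pol.Statement[0]
	if strings.SplitN(signed, "?", 2)[0] != st.Resource {
		return errors.New("URL does not match policy Resource")
	}
	if now.Unix() >= st.Condition.DateLessThan.AWSEpochTime {
		return errors.New("signed URL has expired")
	}
	if st.Condition.IPAddress != nil {
		_, allowed, err := net.ParseCIDR(st.Condition.IPAddress.AWSSourceIP)
		if err != nil || !allowed.Contains(net.ParseIP(clientIP)) {
			return errors.New("client IP not permitted by policy")
		}
	}
	return nil
}
```

To use it for real, parse the private half of your CloudFront key pair from its PEM into an rsa.PrivateKey and pass the Key-Pair-Id shown in the console; only the public half is registered with CloudFront, so the private key must stay on the signing host. The policy is carried unencrypted in the URL, so anything you put in it (the IP range, the expiry) is visible to the viewer, and a URL with no IpAddress condition is valid from anywhere until it expires.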
30. Geo-Restriction
31. Geo-Restriction
Restrict access to your content based on the location (country) of your users, determined from the viewer's IP address.
Configure a whitelist or a blacklist of countries.
CloudFront returns an HTTP status code of 403 (Forbidden) to users in restricted locations.
32. Geo-Restriction
Scenarios:
Online video publishers can distribute videos only in the countries where they have distribution rights.
• e.g. use a whitelist of geo-locations
Software distributors can prevent download of their software in countries with licensing regulations.
• e.g. use a blacklist of geo-locations
33. Configuring Custom Error Responses
Show a user friendly message in case of an Error.
Configure a custom page and a custom response code for each error.
An error could be:
• Object not found
• Unauthorized user access
• ..or any other 4xx or 5xx HTTP error
34. Custom Error Responses
Performance considerations:
• Set “Error Caching Minimum TTL” to cache the error response.
• CloudFront responds with error page for the duration of the TTL.
• Setting the TTL too low would increase origin load.
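The geo-restriction whitelist and the custom error response from the last two sections as one DistributionConfig fragment. This is an added example, not configuration from the deck; the US/CA whitelist, the page path and the five-minute TTL are placeholders, and the rest of the distribution configuration is omitted.

```json
{
  "Restrictions": {
    "GeoRestriction": {
      "RestrictionType": "whitelist",
      "Quantity": 2,
      "Items": ["US", "CA"]
    }
  },
  "CustomErrorResponses": {
    "Quantity": 1,
    "Items": [
      {
        "ErrorCode": 403,
        "ResponsePagePath": "/errors/not-available.html",
        "ResponseCode": "403",
        "ErrorCachingMinTTL": 300
      }
    ]
  }
}
```

Items are ISO 3166-1 alpha-2 codes, and "blacklist" with the same shape gives the second scenario. Two things to check: the custom page is fetched from the origin, so it must exist there (inside the OAI-protected bucket if that is the origin), and the same 403 response also covers signed-URL and OAI denials, so keep the page generic rather than saying "not available in your country". ErrorCachingMinTTL of 300 means a restricted viewer keeps getting the cached error for five minutes even after you change the restriction list.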
35. Demo