Date posted: 27-Jan-2015 | Category: Technology | Uploaded by: amazon-web-services
© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Using Amazon CloudFront to Protect Your Content Delivery
Geo Restriction, Private Content, and Custom SSL Certificates
Nihar Bihani, Sr. Product Manager
Calin Nemes, Support Engineer
About Amazon CloudFront
Global availability, performance and scalability
Cost-effective and easy to use
Deliver all of your content securely
Industry Leading Availability
[Chart: Global Availability*, CloudFront compared with CDN A, CDN B, CDN C and CDN D; y-axis 97% to 100%]
*Data from Cedexis, Last 30 Days, Availability measured over All Cedexis Regions. 12/30/13
CloudFront Top Tier Performance
[Chart: response time at the 10th, 25th, 75th and 95th percentiles]
*Data from Cedexis, Last 30 Days, Response Time Measure of the United States. 11/12/13
Competitive, Flexible Pricing
On-demand, pay-for-use pricing
Same pricing for static and dynamic content
Preferential origin fetch pricing for AWS origins
Commitment-based private pricing
[Chart: Data Transfer Economies of Scale; price per GB against data transfer volume, public rates versus private rates]
CloudFront’s Global Presence
Americas
Atlanta, GA
Ashburn, VA (3)
Dallas/Fort Worth, TX (2)
Hayward, CA
Jacksonville, FL
Los Angeles, CA (2)
Miami, FL
New York, NY (3)
Newark, NJ
Palo Alto, CA
San Jose, CA
Seattle, WA
South Bend, IN
St. Louis, MO
Rio de Janeiro, Brazil
São Paulo, Brazil
Europe
Amsterdam, The Netherlands (2)
Dublin, Ireland
Frankfurt, Germany (3)
London, England (3)
Madrid, Spain
Marseille, France
Milan, Italy
Paris, France (2)
Stockholm, Sweden
Warsaw, Poland
Asia
Chennai, India
Hong Kong, China (2)
Mumbai, India
Manila, the Philippines
Osaka, Japan
Seoul, Korea
Singapore (2)
Taipei, Taiwan
Tokyo, Japan (2)
Australia
Sydney
9 Regions 46 Edge Locations
CloudFront’s Global Customer Reach
http://aws.amazon.com/about-aws/globalinfrastructure/
Popular CloudFront Features
Live and Video on Demand
RTMP (Flash) and HTTP(S) delivery
Adaptive Bitrate Streaming
Security
Private Content
Custom SSL Support
Geo Restriction
Identity and Access Management (IAM)
Content Management
AWS Management Console
Full control via APIs
Programmatic Invalidation
Industry-compliant, detailed Access Logs
Dynamic Content Acceleration
Low Minimum Content Expiration Periods (TTL=0)
Multiple Cache Behaviors
Multiple Origin Servers
Origin Connection Protocol
Viewer Connection Protocol
Zone Apex Support
Query String & Cookie Support
Put/Post HTTP Verb Support
Price Flexibility
Pay for Use
Price Classes
Reserved Capacity Private Pricing
Deliver All of Your Content
Dynamic content, static content, video, user input, SSL
Simple, Yet Powerful Architecture
[Diagram: viewers request example.com from Amazon CloudFront; dynamic content is fetched from Elastic Load Balancing in front of Amazon EC2 OR a custom origin; static content is fetched from Amazon S3 OR a custom origin]
CloudFront Security Features
AWS Identity and Access Management (IAM)
HTTPS Delivery
Private Content
Geo-Restriction
AWS Identity and Access Management (IAM)
AWS Identity and Access Management (IAM)
Regulate access to CloudFront APIs
Create policies to describe user role or permissions
Create an IAM policy using the AWS Management Console
Example scenarios:
• Limit who can submit invalidation requests
• Read-only access to your distributions
AWS Identity and Access Management (IAM)
Example 1: Allow a group read and write access to all resources owned by the account
Example 2: Allow a group read and write access to all distributions owned by the account
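The two scenarios from the preceding slide (limit who can submit invalidations; read-only access to distributions) written out as IAM policy documents, with a small evaluator that shows how IAM reaches an allow or deny. This is an added example, not the policy text from the talk's slides. The action names are real CloudFront IAM actions; the evaluator is a simplified model of IAM's logic (an explicit Deny wins, then an Allow, otherwise implicit Deny) that ignores conditions and resource ARNs, which is why `Resource` is `"*"` as in the deck's account-wide examples.

```python
"""Least-privilege IAM policies for the CloudFront API plus a simplified
evaluator. Added example: not the policies from the talk's slides."""
import fnmatch
import json

# Scenario 1: this group may submit and inspect invalidations, nothing else.
INVALIDATION_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "cloudfront:CreateInvalidation",
            "cloudfront:GetInvalidation",
            "cloudfront:ListInvalidations",
        ],
        "Resource": "*",
    }],
}

# Scenario 2: read-only access to distributions. The explicit Deny keeps the
# intent intact even if a broader Allow is attached to the same principal.
READ_ONLY_DISTRIBUTIONS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudfront:Get*", "cloudfront:List*"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["cloudfront:Create*", "cloudfront:Update*",
                    "cloudfront:Delete*"],
         "Resource": "*"},
    ],
}


def _matches(patterns, action):
    # IAM Action values are case-insensitive and support '*' wildcards.
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)


def is_allowed(policies, action):
    """Simplified IAM evaluation over every policy attached to a principal:
    explicit Deny wins, then Allow, otherwise implicit Deny. Conditions and
    resource ARNs are deliberately ignored in this model."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if stmt["Effect"] == "Deny":
                return False            # explicit Deny always wins
            allowed = True
    return allowed                      # nothing matched: implicit Deny


def policy_json(policy):
    """Serialize exactly as you would paste it into the IAM console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_json(READ_ONLY_DISTRIBUTIONS))
    for action in ("cloudfront:CreateInvalidation",
                   "cloudfront:GetDistribution",
                   "cloudfront:DeleteDistribution"):
        print(f"{action:34s} invalidation-only="
              f"{is_allowed([INVALIDATION_ONLY], action)!s:5s} "
              f"read-only={is_allowed([READ_ONLY_DISTRIBUTIONS], action)}")
```

Attach the two policies to separate groups; a principal that ends up in both groups still cannot create an invalidation, because the read-only group's explicit Deny on `cloudfront:Create*` overrides the other group's Allow.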
HTTPS Delivery
HTTPS Delivery
Configure CloudFront in one of two ways:
• Accept both HTTP and HTTPS connections
• Accept only HTTPS connections
HTTPS transfers content over an encrypted connection.
CloudFront forwards HTTPS requests to the origin:
• Over the SSLv3 or TLSv1 protocols
• Using the AES128-SHA1 or RC4-MD5 cipher suites
• Including a Server Name Indication (SNI) extension
Caveat for current deployments: SSLv3 and RC4 have since been deprecated (RFC 7568 and RFC 7465); restrict the origin connection to TLSv1.2 or later so that neither can be negotiated.
HTTPS Delivery
Two ways you can implement SSL with CloudFront:
• Half Bridge SSL termination
• Full Bridge SSL termination
HTTPS Delivery
Half Bridge SSL termination: HTTPS only from the viewer to CloudFront; CloudFront to the origin over plain HTTP.
Use the CloudFront Viewer Protocol Policy.
HTTPS Delivery
Why use Half Bridge SSL termination?
Better performance by leveraging plain HTTP connections to the origin.
Trade-off: the CloudFront-to-origin leg is then unencrypted, so this is only appropriate for content that is public anyway; anything that needs end-to-end confidentiality (user input, private content) should use Full Bridge termination.
HTTPS Delivery
Full Bridge SSL termination: HTTPS from the viewer to CloudFront and from CloudFront to the origin.
Use the CloudFront Origin Protocol Policy.
HTTPS Delivery
CloudFront provides two options for delivery over SSL
Using Default CloudFront SSL Domain Name
• e.g. d123.cloudfront.net
Using a Custom SSL Domain Name
• e.g. www.mysite.com
HTTPS Delivery
Using a Custom SSL Domain Name
You bring your own custom SSL certificate
No restrictions on the type of certificate: EV certificates, Wildcard certificates, SAN certificate, etc.
You get a dedicated set of IP addresses at each of our edge locations worldwide
Use your own domain name in the URLs for objects delivered via CloudFront (https://www.example.com/image.jpg)
Benefits:
High Performance – use of all edge locations
High Security – your own certificate (vs. shared cert)
High Availability – full browser support
HTTPS Delivery
Getting started with using your own SSL certificate on CloudFront:
1. You upload your own SSL certificate to AWS IAM.
2. Request access to this feature by submitting this form: http://aws.amazon.com/cloudfront/custom-ssl-domains/
3. Once approved by AWS, you can associate your SSL certificate to one or more CloudFront distributions.
4. Start using your own domain name (e.g. mysite.com) in your HTTPS URLs delivered via CloudFront.
Serving Private Content
Private Content
Deliver your content ONLY to authorized viewers
Two ways to control end user access:
• Origin Access Identity (OAI) to restrict direct access to objects in Amazon S3.
• Signed URLs to restrict access to objects at the CloudFront edge.
Private Content
Origin Access Identity (OAI)
• Ensures viewers cannot bypass CloudFront and fetch objects directly from your Amazon S3 origin bucket: the bucket grants read access to the OAI and to nothing else, so direct requests get Access Denied.
• Ensures every viewer goes through the edge cache and gets its performance benefits.
• Protects the origin from overload.
Private Content
Signed URLs prevent unauthorized access to objects at the CloudFront edge.
Programmatically create access control policies to define how your content can be accessed.
For example, allow access:
• only until a certain date or time
• only to users who have paid a fee
• only from certain IP addresses
Private Content
Example policy statement for signed URLs:
More information: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html
(Sample code to create the URL signature is available in Perl, PHP, C#/.NET and Java)
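The signed-URL flow described on the last two slides, carried through end to end: build a custom policy with an expiry and a source-IP condition, sign it with RSA-SHA1 (the algorithm CloudFront requires), encode it with CloudFront's URL-safe base64 variant, and verify the result the way the edge does. This is an added example, not the talk's sample code. The policy document layout (`Statement` / `Resource` / `Condition` with `DateLessThan`, `DateGreaterThan`, `IpAddress`) and the `Policy`, `Signature` and `Key-Pair-Id` query parameters are the CloudFront signed-URL format. Assumptions: the RSA key is a throwaway 512-bit key generated in pure Python so the block runs offline (in production you sign with the private key of your CloudFront key pair, held outside the application), `APKAEXAMPLEKEYID` is a placeholder key-pair ID, `203.0.113.0/24` is a constructed viewer range, and `d123.cloudfront.net` is the distribution name used in the deck.

```python
"""CloudFront signed URL with a custom policy. Added example; the RSA key
below is a throwaway generated for offline demonstration, not a real key."""
import base64
import hashlib
import json
import math
import random


# ---- throwaway RSA key, stdlib only; deterministic for reproducibility ----
def _probable_prime(n, rng, rounds=16):
    """Miller-Rabin; n is always odd here."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_rsa_key(bits=512, seed=1, e=65537):
    """Toy key (n, e, d). Real signing uses your CloudFront key pair's key."""
    rng = random.Random(seed)

    def prime():
        while True:
            p = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(p, rng):
                return p

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


# DER DigestInfo prefix for SHA-1 (RFC 8017 section 9.2, note 1)
_SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def _pkcs1_v15_encode(msg, k):
    t = _SHA1_PREFIX + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sha1_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_pkcs1_v15_encode(msg, k), "big"), d, n).to_bytes(k, "big")


def rsa_sha1_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _pkcs1_v15_encode(msg, k)


# ---- CloudFront custom policy and URL assembly ----
def cf_b64(data):
    """CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode().translate(str.maketrans("+=/", "-_~"))


def cf_b64_decode(text):
    return base64.b64decode(text.translate(str.maketrans("-_~", "+=/")))


def make_policy(resource, expires, not_before=None, source_ip=None):
    """Custom policy: expiry is mandatory; start time and source CIDR optional."""
    cond = {"DateLessThan": {"AWS:EpochTime": expires}}
    if not_before is not None:
        cond["DateGreaterThan"] = {"AWS:EpochTime": not_before}
    if source_ip is not None:
        cond["IpAddress"] = {"AWS:SourceIp": source_ip}
    # CloudFront expects the compact form with no whitespace
    return json.dumps({"Statement": [{"Resource": resource, "Condition": cond}]},
                      separators=(",", ":"))


def signed_url(resource, key_pair_id, n, d, **conditions):
    policy = make_policy(resource, **conditions).encode()
    sig = rsa_sha1_sign(policy, n, d)
    sep = "&" if "?" in resource else "?"
    return f"{resource}{sep}Policy={cf_b64(policy)}&Signature={cf_b64(sig)}&Key-Pair-Id={key_pair_id}"


def verify_url(url, n, e):
    """Signature check as the edge performs it (the edge additionally enforces
    the policy's Resource and Condition fields against the actual request)."""
    query = dict(p.split("=", 1) for p in url.split("?", 1)[1].split("&"))
    return rsa_sha1_verify(cf_b64_decode(query["Policy"]),
                           cf_b64_decode(query["Signature"]), n, e)


if __name__ == "__main__":
    n, e, d = make_rsa_key()
    url = signed_url("https://d123.cloudfront.net/video.mp4", "APKAEXAMPLEKEYID",
                     n, d, expires=1700000000, source_ip="203.0.113.0/24")
    print(url)
    print("signature valid:", verify_url(url, n, e))
```

Two points worth noticing: the policy must be serialized in compact form before signing, because the edge verifies the signature over the exact bytes it decodes from the `Policy` parameter, and the signature only proves who issued the URL; the `DateLessThan` and `IpAddress` conditions are what actually limit its use, so keep the expiry short.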
Geo-Restriction
Geo-Restriction
Restrict access to your content based on the location (country) of your users, as determined from the IP address of the request.
Configure a whitelist or a blacklist of countries.
CloudFront returns an HTTP status code of 403 (Forbidden) to users outside the allowed set.
Caveat: the country is looked up in an IP geolocation database, so this is a licensing and compliance control rather than a hard security boundary; a viewer behind a VPN or proxy in another country is classified by that exit address.
Geo-Restriction
Scenarios:
Online video publishers can distribute videos only in the country where they have distribution rights.
• e.g. use a whitelist of geo-locations
Software distributors can prevent download of their software in countries with licensing regulations.
• e.g. use a blacklist of geo-locations
Configuring Custom Error Responses
Show a user-friendly message in case of an error.
Configure a custom page and a custom response code for each error.
An error could be:
• Object not found
• Unauthorized user access
• ..or any other 4xx or 5xx HTTP error
Custom Error Responses
Performance considerations:
• Set “Error Caching Minimum TTL” to cache the error response.
• CloudFront responds with error page for the duration of the TTL.
• Setting the TTL too low would increase origin load.
Demo
Questions
http://aws.amazon.com/cloudfront
@cloudfront