Four reasons to deliver dynamic content with CloudFront - 김일호 Solutions...

Post on 15-Apr-2017

Category:

Technology

TRANSCRIPT

Four reasons to use the CloudFront CDN for dynamic content
김일호 | Solutions Architect

Did you know CloudFront supports dynamic content acceleration?

There is no reason not to use it.

1. Simple configuration
2. DDoS Mitigation + WAF
3. Cost Saving
4. Speed up

Configure multiple origins

Diagram: one Amazon CloudFront distribution for example.com with two origins:
• Elastic Load Balancing in front of Amazon EC2 for dynamic content
• Amazon S3 for static content

Behaviors (path patterns) on the distribution: * (default), /error/*, /assets/*

CloudFront Behaviors

Diagram: a customer at location www.mysite.com sends requests to CloudFront, and path pattern matching (/*.jpg, /*.php etc.) routes each request to an origin:
• GET http://mysite.com/images/1.jpg -> Origin A (S3 bucket), path pattern /images/*.jpg
• GET http://mysite.com/index.php -> Origin B (www.mysite.com), path pattern /*.php
• GET http://mysite.com/web/home.css -> Origin C (S3 bucket), path pattern /web/*.css
• GET http://mysite.com/* (default) -> Origin D (www.mysite.com), path pattern /*.* (default)

CloudFront Behaviors at console
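The routing above is an ordered first-match evaluation: CloudFront walks the behaviors in precedence order and the default behavior must sit last, otherwise it swallows everything. The following example, added here and not part of the original deck, models that evaluation for the four behaviors on the slide. The behavior order and the origin names are this example's assumptions; the matcher supports only the `*` (any characters, including `/`) and `?` (exactly one character) wildcards, strips a leading slash so that `/images/*.jpg` and `images/*.jpg` behave the same, and compares case-sensitively.

```python
import re
from typing import List, Optional, Pattern, Tuple

# Ordered (path pattern, origin) behaviors constructed from the slide.
# The default "*" behavior is deliberately last: CloudFront evaluates
# behaviors in precedence order and the first match wins.
BEHAVIORS: List[Tuple[str, str]] = [
    ("/*.php", "OriginB (www.mysite.com)"),
    ("/images/*.jpg", "OriginA (S3 bucket)"),
    ("/web/*.css", "OriginC (S3 bucket)"),
    ("*", "OriginD (www.mysite.com)"),  # default behavior
]


def pattern_to_regex(pattern: str) -> Pattern[str]:
    """Translate a CloudFront-style path pattern into an anchored regex.

    Only '*' (zero or more characters, slashes included) and '?' (exactly one
    character) are wildcards; everything else is matched literally and
    case-sensitively. A leading '/' is ignored (assumption of this example).
    """
    parts = []
    for ch in pattern.lstrip("/"):
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def select_origin(url_path: str, behaviors: List[Tuple[str, str]] = BEHAVIORS) -> Optional[str]:
    """Return the origin of the first behavior whose pattern matches the request path.

    The pattern is compared against the URL path only, never the query string.
    """
    path = url_path.split("?", 1)[0].lstrip("/")
    for pattern, origin in behaviors:
        if pattern_to_regex(pattern).match(path):
            return origin
    return None


def default_first_is_a_bug() -> bool:
    """Show why order matters: with '*' first, a .php request never reaches Origin B."""
    misordered = [BEHAVIORS[-1]] + BEHAVIORS[:-1]
    return select_origin("/index.php", misordered) != select_origin("/index.php")


if __name__ == "__main__":
    for request in ("/images/1.jpg", "/index.php", "/web/home.css", "/index.html"):
        print(f"GET {request:<16} -> {select_origin(request)}")
    print("misordering the default behavior changes routing:", default_first_is_a_bug())
```

Because `*` spans slashes, `/*.php` also captures `/admin/login.php`; if an application only wants PHP under one prefix, the pattern has to say so. The query string never takes part in matching, so a cache-key or WAF decision that depends on it must be made elsewhere.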

1. Simple configuration
2. DDoS Mitigation + WAF
3. Cost Saving
4. Speed up

AWS Global Presence and Redundancy

Diagram: users in Country A, Country B and Country C reach CloudFront over Internet Connection A, Internet Connection B and Internet Connection C (Route A, Route B, Route C). Traffic at the edge is labelled Valid Object Request, Invalid Protocol and Invalid Object Request.

Your VPC only has to deal with layer 7 traffic

Diagram: DDoS traffic (HTTP and SYN/UDP floods) arrives at CloudFront; only HTTP reaches the customer solution.

• 80% of DDoS traffic is L3/L4 flood attacks
• 20% of DDoS attack traffic is valid HTTP requests.

WAF (Web Application Firewall): Match any part of the web request

RAW request headers, as seen by AWS WAF in front of CloudFront (good users):
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh;…
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Referrer: http://www.example.com/
Connection: keep-alive

Rule (string match condition):
Check: Header "Referrer"
Match Type: Contains
Match: "example.com"
Action: ALLOW

WAF (Web Application Firewall): Use transforms to stop evasion

RAW request headers, as seen by AWS WAF in front of CloudFront (scraper bot):
Host: www.example.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Referrer: http://www.example.com/
Connection: keep-alive

Rule (string match condition):
Check: Header "User-Agent"
Match Type: Contains
Match: "badbot"
Action: BLOCK

WAF (Web Application Firewall): Use transforms to stop evasion

RAW request headers, as seen by AWS WAF in front of CloudFront (scraper bot):
Host: www.example.com
User-Agent: bAdBoT
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Referrer: http://www.InTeRnEtkItTiEs.com/
Connection: keep-alive

Rule (string match condition):
Check: Header "User-Agent"
Transform: Tolower
Match Type: Contains
Match: "badbot"
Action: BLOCK
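The three WAF slides make one point: a case-sensitive "Contains badbot" condition is trivially sidestepped by `bAdBoT`, and a lowercase transform applied to the header before comparison closes that gap. The example below, added here and not part of the deck or of AWS WAF itself, evaluates the slides' rules over three constructed header sets (browser user, scraper, case-mangled scraper) with and without the transform. The rule dictionaries are this example's own format, not the AWS WAF API; the header is spelled `Referer` because that is the actual HTTP header name, and header lookup is case-insensitive because HTTP header names are.

```python
from typing import Callable, Dict, List, Optional

# Constructed raw request headers modelled on the slides.
REQUESTS: Dict[str, Dict[str, str]] = {
    "good user": {
        "Host": "www.example.com",
        "User-Agent": "Mozilla/5.0 (Macintosh; ...)",
        "Referer": "http://www.example.com/",
    },
    "scraper bot": {
        "Host": "www.example.com",
        "User-Agent": "badbot",
        "Referer": "http://www.example.com/",
    },
    "evasive scraper bot": {
        "Host": "www.example.com",
        "user-agent": "bAdBoT",  # mixed-case value and header name
        "Referer": "http://www.InTeRnEtkItTiEs.com/",
    },
}

# Text transforms applied to the header value before the comparison.
TRANSFORMS: Dict[str, Callable[[str], str]] = {
    "none": lambda value: value,
    "tolower": str.lower,
}

Rule = Dict[str, str]  # keys: header, match, transform, action (example format)

# The slides' rules: block the scraper, allow traffic referred from example.com.
RULES_CASE_SENSITIVE: List[Rule] = [
    {"header": "User-Agent", "match": "badbot", "transform": "none", "action": "BLOCK"},
    {"header": "Referer", "match": "example.com", "transform": "none", "action": "ALLOW"},
]
RULES_WITH_TRANSFORM: List[Rule] = [
    {"header": "User-Agent", "match": "badbot", "transform": "tolower", "action": "BLOCK"},
    {"header": "Referer", "match": "example.com", "transform": "none", "action": "ALLOW"},
]


def header_value(headers: Dict[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive, so look the header up that way."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def string_match(headers: Dict[str, str], rule: Rule) -> bool:
    """One 'Contains' string match condition with an optional transform."""
    value = header_value(headers, rule["header"])
    if value is None:
        return False
    transformed = TRANSFORMS[rule["transform"]](value)
    return rule["match"] in transformed


def decide(headers: Dict[str, str], rules: List[Rule], default: str = "ALLOW") -> str:
    """Ordered evaluation: the first rule whose condition matches decides; else the default."""
    for rule in rules:
        if string_match(headers, rule):
            return rule["action"]
    return default


if __name__ == "__main__":
    for name, headers in REQUESTS.items():
        print(f"{name:<20} case-sensitive: {decide(headers, RULES_CASE_SENSITIVE):<5} "
              f"with tolower: {decide(headers, RULES_WITH_TRANSFORM)}")
```

The transform is applied to the request field, so the match string is written in lowercase once and every casing of the bot's name collapses onto it. The same reasoning applies to the other transforms AWS WAF offers (URL decoding, whitespace compression, HTML entity decoding): normalise the field first, then match, or the match only covers the exact spelling the attacker used last week.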

1. Simple configuration
2. DDoS Mitigation + WAF
3. Cost Saving
4. Speed up

Lower traffic cost

Diagram: Amazon CloudFront in front of an Amazon S3 bucket and a custom origin in a Region; the data transfer legs are priced $$, $$ and $ Free.

Note: Cost will vary depending on CFRC (CloudFront Reserved Capacity).

1. Simple configuration
2. DDoS Mitigation + WAF
3. Cost Saving
4. Speed up

example.com

Two Users without CloudFront

Diagram: groups of clients connect directly to the Region. Each user completes a full TCP handshake (SYN, SYN-ACK, ACK) before sending GET /index.jsp; at 90ms per round trip the first user takes 360ms, and the 2nd User takes another 360ms.

Without Keep-Alive Connections
• Load on your web server increases the time to first byte
• TTFB (Time to First Byte) = DNS Lookup + Connection + Content Download

Keep Alive Connections

Diagram: the first request performs SYN, SYN-ACK, ACK and then GET /index.jsp; the 2nd Request sends GET /index.jsp over the connection that is already open.

CloudFront Keep Alive

Diagram: each user handshakes (SYN, SYN-ACK, ACK) with CloudFront and CloudFront keeps a persistent connection to the Region; the legs are labelled 30ms and 60ms. The first user's GET /index.jsp still takes 360ms, but the 2nd User's GET /index.jsp reuses CloudFront's open connection to the origin and takes 180ms.
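The speed-up slides hinge on one mechanism: a persistent (keep-alive) connection lets later requests skip the SYN/SYN-ACK/ACK handshake, and CloudFront holds such connections to the origin on behalf of many users. The example below, added here and not taken from the deck or from any AWS code, makes that visible locally: it starts a throwaway HTTP/1.1 origin on 127.0.0.1 that counts every TCP connection it accepts, then issues the same five GET /index.jsp requests once over a single keep-alive connection and once with a fresh connection per request. The server, the path and the request count are this example's constructions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class OriginHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for the origin web server behind /index.jsp."""

    protocol_version = "HTTP/1.1"  # HTTP/1.1 keeps the connection open unless asked to close

    def do_GET(self):
        body = b"<html>index.jsp</html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))  # lets the client reuse the socket
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class CountingOrigin(ThreadingHTTPServer):
    """Counts accepted TCP connections, i.e. handshakes the origin had to complete."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.handshakes = 0
        self._lock = threading.Lock()

    def process_request(self, request, client_address):
        with self._lock:
            self.handshakes += 1
        super().process_request(request, client_address)


def fetch(host: str, port: int, requests: int, keep_alive: bool) -> None:
    """GET /index.jsp `requests` times, over one persistent connection or a new one each time."""
    if keep_alive:
        conn = http.client.HTTPConnection(host, port)
        for _ in range(requests):
            conn.request("GET", "/index.jsp")
            conn.getresponse().read()  # drain the body so the connection is reusable
        conn.close()
    else:
        for _ in range(requests):
            conn = http.client.HTTPConnection(host, port)
            conn.request("GET", "/index.jsp", headers={"Connection": "close"})
            conn.getresponse().read()
            conn.close()


def handshakes_for(requests: int, keep_alive: bool) -> int:
    """Run `requests` GETs against a fresh local origin and report how many connections it accepted."""
    server = CountingOrigin(("127.0.0.1", 0), OriginHandler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        fetch("127.0.0.1", server.server_address[1], requests, keep_alive)
        return server.handshakes
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("5 requests without keep-alive:", handshakes_for(5, keep_alive=False), "TCP handshakes")
    print("5 requests with keep-alive:   ", handshakes_for(5, keep_alive=True), "TCP handshake")
```

Every handshake the origin is spared is one fewer round trip on the user's critical path and one fewer half-open socket the origin has to track under load, which is the point of the slide's 360ms versus 180ms comparison. In the CloudFront case the origin-side connection is shared across users, so the benefit accrues to the second user even though it is a different client.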

5. Shield Origin contents

Access control: Restricting origin access

§ Amazon S3
§ Origin Access Identity (OAI)
• Prevents direct access to your Amazon S3 bucket
• Ensure performance benefits to all customers

§ Custom origin
§ Block by IP address
• Whitelist only the Amazon CloudFront IP Range
• Protects origin from overload
• Ensure performance benefits to all customers

Origin Access Identity (OAI)
• Ensure only Amazon CloudFront can access Amazon S3 bucket
• We make it simple for you

Diagram: Amazon CloudFront in front of an Amazon S3 bucket and a custom origin in a Region


Shield custom origin
• Shield your custom origin
• Whitelist Amazon CloudFront IP range

Diagram: Amazon CloudFront in front of an Amazon S3 bucket and a Custom Origin in a Region


Shield custom origin
• Subscribe to Amazon SNS notifications on changes to IP ranges
• Automatically update security groups

Diagram: when the AWS IP ranges change, Amazon SNS delivers an "Update IP range" SNS message to an AWS Lambda function, which updates the Security group in front of the Web app servers that Amazon CloudFront connects to.
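The last slide describes a small automation: react to the SNS notification about AWS IP range changes, download the published ranges, and reconcile the origin's security group so that only CloudFront addresses remain whitelisted. The example below, added here and not the deck's or AWS's own code, implements the reconciliation logic offline: it verifies the notification's md5 against the fetched document, extracts the CLOUDFRONT prefixes, and produces the authorize/revoke plan a Lambda function would then apply. The ip-ranges document and the notification are constructed stand-ins (the prefixes are RFC 5737 documentation ranges, not real CloudFront addresses); the field names `prefixes`, `ip_prefix`, `service` and the notification's `md5` and `url` mirror the published format, and the boto3 calls that would apply the plan are only named in comments.

```python
import hashlib
import json
from typing import Dict, List, Set

# Constructed stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json.
IP_RANGES_JSON = json.dumps({
    "syncToken": "1492214400",
    "createDate": "2017-04-15-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
    ],
})

# Constructed notification body, shaped like the AmazonIpSpaceChanged message:
# the md5 lets the subscriber confirm it fetched the same file that triggered it.
SNS_MESSAGE: Dict[str, str] = {
    "create-time": "2017-04-15-00-00-00",
    "synctoken": "1492214400",
    "md5": hashlib.md5(IP_RANGES_JSON.encode("utf-8")).hexdigest(),
    "url": "https://ip-ranges.amazonaws.com/ip-ranges.json",
}


def verify_notification(message: Dict[str, str], body: str) -> bool:
    """Refuse to act on a downloaded document whose md5 differs from the notification's."""
    return hashlib.md5(body.encode("utf-8")).hexdigest() == message["md5"]


def cloudfront_prefixes(body: str) -> Set[str]:
    """Extract the IPv4 prefixes published for the CLOUDFRONT service."""
    data = json.loads(body)
    return {p["ip_prefix"] for p in data["prefixes"] if p["service"] == "CLOUDFRONT"}


def plan_update(current: Set[str], desired: Set[str]) -> Dict[str, List[str]]:
    """Diff the security group's current CIDR rules against the desired CloudFront set."""
    return {
        "authorize": sorted(desired - current),  # ec2.authorize_security_group_ingress
        "revoke": sorted(current - desired),     # ec2.revoke_security_group_ingress
    }


def handle_notification(message: Dict[str, str], body: str, current: Set[str]) -> Dict[str, List[str]]:
    """What the Lambda handler would do after fetching message['url']: verify, extract, plan."""
    if not verify_notification(message, body):
        raise ValueError("ip-ranges document does not match the md5 in the notification")
    return plan_update(current, cloudfront_prefixes(body))


if __name__ == "__main__":
    # Security group currently allows one CloudFront range plus a stale non-CloudFront one.
    current_rules = {"192.0.2.0/24", "203.0.113.0/24"}
    print(json.dumps(handle_notification(SNS_MESSAGE, IP_RANGES_JSON, current_rules), indent=2))
```

Revoking stale entries matters as much as adding new ones: a rule left over from a range AWS has since reassigned lets arbitrary hosts past the whitelist. Security groups also have a per-group rule limit, so a real deployment spreads the CloudFront list across several groups attached to the origin instances, and it scopes the Lambda role to `DescribeSecurityGroups`, `AuthorizeSecurityGroupIngress` and `RevokeSecurityGroupIngress` on just those groups.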
