An overview of one of the worlds largest content delivery networks, how it is used for accerlation of websites and applications for dynamic and static content. We will cover recent feature additions including integration of the new AWS WAF and other security features.
Ensuring Technical Readiness For Copilot in Microsoft 365
Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv
1. Amazon’s Content Delivery Service
Amazon CloudFront
Tom Witman, Global Business Development Manager
AWS Edge Services
Seattle, WA
2. CloudFront: Content Delivery Network
• Highly Scalable Distributed Caching Network
• Global Infrastructure
• Dynamic, Static, and Streaming Object Delivery
• Highly Secure
• Robust Analytics
• Self Service
• Priced to Minimize Cost
3. Content Delivery Applies to any Use Case
• Media and Entertainment
• Gaming
• eCommerce
• Digital Advertising
• Software Downloads
• Mobile
• Dynamic Websites and Applications
4. CloudFront and the AWS Ecosystem
• Integrates with AWS Resources
– Rt53 DNS
– Amazon Elastic Transcoder
– S3 Storage
– EC2 Compute and Elastic Load Balancing
– Marketplace SaaS and SI partners
– Mobile Hub
• Improves Scalability of other
Amazon Resources
• Discounts on Data Transfer from
Amazon S3 & EC2 to CloudFront
5. CloudFront and the Hybrid Ecosystem
• Origins Can be Hosted on Site or in the Cloud
– Custom origins for static / dynamic content
– Fine grained control for custom origins, pass through headers
– SSL, TLS session management between edge / origin
• Improves Scalability
6. CloudFront Security and Compliance Features
• Compliance
• PCI DSS Compliance
• ISO 9001, 27001, 27017, 27018
• Security Enhancements to your infrastructure
• Signed URL
• Signed Cookies
• Enforce HTTPS to origin
• Support for TLSv1 .1 and TLSv1.2 between edge and origin
• Add/Modify Request Headers Forwarded From CloudFront to Origin
• Integration with AWS Certificate Manager
• Integration with AWS WAF (web application firewall)
• Geographic Restriction
7. What You Look for in a CDN
• Performance: deliver content with low latency and
high availability
• Reach and Functionality: provide global network
of edge locations to optimally reach a wide audience
• Cost: ensure financial feasibility for scalable bit
delivery
8. Common Features for Web Applications
Video Streaming
• RTMP (Flash) and HTTP(S) delivery
• Adaptive Bitrate Streaming (HLS, HDS, Smooth, MPEG-DASH)
Security
• Private Content
• SSL, TLS/SNI Support
• Advanced SSL (perfect forwarding, OCSP stapling, session tickets)
• Geo Restriction
• AWS WAF
• SSL Enforcement to Origin
• Customer Headers from Edge to Origin
Content Management
• AWS Management Console
• Full control via APIs
• Programmatic Invalidation
• Online Usage Reports and Charts
• Industry-compliant, detailed Access Logs
• GZIP Comperession
Dynamic Content Acceleration
• Low Minimum Content Expiration Periods
(TTL=0)
• Multiple Cache Behaviors
• Multiple Origin Servers
• CORS Support
• Origin Connection Protocol
• Viewer Connection Protocol
• Zone Apex Support
• Query String & Cookie Support
• Put/Post HTTP Verb Support
• Full VARY Support
• User Agent Detection (Mobile/Desktop)
• Geo Targeting
• Multi-Site Hosting
• Wildcard Invalidations
• Persistent TCP Connections 8
9. CloudFront Key Infrastructure Features
Video Streaming
On-demand & Live Streaming
RTMP (Flash) and HTTP(S)
Adaptive Bitrate Live Streaming
Microsoft Smooth Streaming
Whole Site Delivery
Static & Dynamic Content
Mobile Detect, CORS Support
Multiple Cache Behaviors
Multiple Origin Servers
Security
Private Content (Signed URLs)
Custom SSL (Dedicated IP & SNI)
Geo Restriction
HTTP to HTTPS Redirect
High Availability
99.9% SLA
Automatic Origin Failover
Custom Error Pages
Serve Stale Content when Origin
unavailable
High Performance
Latency Based Routing
TCP Optimization
Persistent Connections
EDNS Client Subnet
Low TCO
Pay for use
Commit-Based lower pricing
Price Classes
Preferential Pricing for AWS origins
10. CloudFront Dynamic Site Performance
0
200
400
600
800
1000
1200
Dynmaic Delivery: Cloudfront Dynamic Dleivery: Origin
Dynamic Site Performance (ms)*
95th Percentile
75th Percentile
50th Percentile
25th Percentile
10th Percentile
Mean
*Data from Cedexis, Last 5 Days, DSA Time Measure of the Ireland region
11. Performance: Industry Leading Latency and Availability
99.483
99.373
99.037
98.848
98.056
97
97.5
98
98.5
99
99.5
100
Global Availability*
0
100
200
300
400
500
600
CDN E Cloudfront CDN B CDN D CDN C
MS
Latency (Response Time)**
*Data from Cedexis, Last 30 Days, Availability measured over All Cedexis Regions.
**Data from Cedexis, Last 30 Days, Response Time Measure of the United States.
12. AWS Global Infrastructure – Spring 2016
AWS Regions and Availability Zones:
11 Regions, 30 Availability Zones
AWS Content Delivery Network:
54 CloudFront Edge Locations (PoPs), 38 Cities, 5 Continents
North
America
Cities: 15
PoPs: 21
South
America
Cities: 2
PoPs: 2
Europe/Middle
East/Africa
Cities: 10
PoPs: 16
Asia Pacific
Cities: 11
PoPs: 15
Edge
location
2016 Amazon Web Services Confidential
14. North America
Cities: 15
PoPs: 21
Ashburn, VA (3)
Atlanta, GA
Chicago, IL
Dallas/Fort Worth, TX (2)
Hayward, CA
Jacksonville, FL
Los Angeles, CA (2)
Miami, FL
New York, NY (3)
Newark, NJ
Palo Alto, CA
San Jose, CA
Seattle, WA
South Bend, IN
St. Louis, MO
Amazon CloudFront, Amazon Route 53, and AWS WAF Locations
54 CloudFront Edge Locations (PoPs), 38 Cities, 5 Continents
South America
Cities: 2
PoPs: 2
Rio de Janeiro,
Brazil
São Paulo, Brazil
Europe / Middle East /
Africa
Cities: 10
PoPs: 16
Amsterdam, The Netherlands (2)
Dublin, Ireland
Frankfurt, Germany (3)
London, England (3)
Madrid, Spain
Marseille, France
Milan, Italy
Paris, France (2)
Stockholm, Sweden
Warsaw, Poland
Asia Pacific
Cities: 11
PoPs: 15
Chennai, India
Hong Kong, China (2)
Manila, the Philippines
Melbourne, Australia
Mumbai, India
Osaka, Japan
Seoul, Korea (2)
Singapore (2)
Sydney, Australia
Taipei, Taiwan
Tokyo, Japan (2)
CloudFront Amazon
Route 53
AWS WAF
Edge
location
AWS
Region
2016 Amazon Web Services Confidential
15. Elastic Transcoder Region
2016 Amazon Web Services Confidential
Amazon Elastic Transcoder Regional Deployments
Six Regions
US East (Virginia)
US West (N. California)
US West (Oregon)
EU (Ireland)
Asia Pacific (Singapore)
Asia Pacific (Tokyo)
16. POST /2012-07-01/distribution HTTP/1.1
Host: cloudfront.amazonaws.com
Authorization: AWS authentication string
Date: time stamp
Other required headers
<?xml version="1.0" encoding="UTF-8"?>
<DistributionConfig
xmlns="http://cloudfront.amazonaws.com/doc/2
012-07-01/">
Manage Your Content Your Way
API Console
management and reporting
17. CloudFront Pricing: Competitive, Flexible Options
• On-demand, pay for use
elastic pricing
• Same pricing for Static and
Dynamic Content
• Usage Commitment Options
• GB delivery model
• No Platform Fees
PriceperGB
Data Transfer
Data Transfer
Economies of Scale
Public Rates Private Rates
18. CloudFront Pricing: Price Classes
performance / cost optimization on demand
All
54 PoPs, 38 Cities, 19 Countries
North America + Europe
36 PoPs, 25 Cities, 10 Countries
North America + Europe + Asia
50 PoPs, 34 Cities, 17 Countries
Deliver Content Globally and Control Pricing to Fit Performance and Cost Objectives
19. Customer Support: Help When You Need It
• Enabled Self Service
• AWS Solution Architects and CloudFront Sales
• 24 Hour AWS Customer Service
• Dedicated Support Engineers
• Fast Response Times (<15 mins)*
* Depends on level of Support (http://aws.amazon.com/premiumsupport/)
20. The Nitti Gritty: How It Works
General Use Cases
Static Content
Dynamic Content
Custom Origins
Behaviors
Error Pages
Invalidations
Media and Entertainment
Asset Download and Progressive Video Playback and Download
Streaming Media – Adaptive Bitrate Video on Demand (VoD)
Streaming Media – Live Delivery
Digital Publishing
23. Elastic Load
Balancing
Dynamic Content
Amazon EC2
Static Content
Amazon S3 Custom Origin
OR
OR
Custom OriginAmazon CloudFront
example.com
*.jpg
*.php
Reference Architecture: Overview
Static and Dynamic Content Delivery
24. Reference Architecture: HTTP METHODS
Requests to the CloudFront edge
HEAD
Identical to GET except that the
server MUST NOT return a
message-body in the response.
Used for obtaining meta-information
about the entity implied by the
request without transferring the
entity-body itself
POST
Used to request the origin
server to accept the entity
enclosed in the request as a
new subordinate of the
resource identified by the
Request-URI in the Request-
Line.
PUT
The fundamental difference
between the POST and PUT
requests is reflected in the
different meaning of the
Request-URI.
PATCH
Used to apply partial
modifications to a
resource
DELETE
Requests that the origin
server delete the resource
identified by the Request-
URI
OPTIONS
Request for information
about the communication
options available on the
request/response chain
identified by the Request-
URI
GET
Requests for content
from the cache HTTP,
HTTPS and RTMP
25. Reference Architecture: Determining Content Source
Overview of Rt53 Intelligent Routing Options
Customer Location
1
53
Request to www.mysite.com
Location A: Resolve to xyz.cloudfront.net
Location B: Resolve to IP address of EC2
Location C: Resolve to IP address of S3
Location D: Resolve to IP address of non-AWS end point
3
Examine geo source, weights, latency, health checks
Elastic Cloud
Compute S3CloudFront
Non-AWS End Point
1
2
3
4
4 Return IP Address based on precedent criteria
2
5 If request sent to CloudFront, then CloudFront determines
best PoP to send requestor to based on the CDN rules
5
26. Reference Architecture: Overview – Media/Entertainment
Streaming in Front of Your Origin
• Deliver Static and Dynamic
Content
• Offload origin traffic to
CloudFront CDN
• Serve LIVE Event Traffic to
Large Crowds
• Serve VOD Media to any
device
• Alter content based on User
Agent
• Secure connections via SSL
• Authenticate via signed URLs
• Supports 3rd Party DRM
Static Content
Served from S3
*.jpg, *.m3u8, *.ts, *.css
Dynamic or Static Content
Served from ELB and/or EC2
*.php, *.js, *m3u8, *.ts
27. CloudFront
Reference Architecture: CloudFront Origin Selection
Origin Selection Based on Intelligent Behavior Rules
Customer Location
www.mysite.com
Path Pattern Matching
/*.jpg; /*.php etc.
GET http://mysite.com/images/1.jpg to ORIGIN A
GET http://mysite.com/index.php to ORIGIN B
GET http://mysite.com/web/home.css to ORIGIN C
GET http://mysite.com/* (DEFAULT) to ORIGIN D
Origin A:
origin.mysite.com
Origin B:
origin2.mysite.com
Origin C:
origin3.mysite.com
Origin D:
origin4.mysite.com
Path Pattern Matching
/*.php
/images/*.jpg
/web/*.css
/*.* (DEFAULT)
28. Reference Architecture: HTTP Headers for Dynamic Content
VARY content served based on HTTP Headers
Content delivered to a request may vary depending on the request headers that
were passed in the GET request. The header is used as a cache key and passed
onto origin for the appropriate content. Common headers supported are listed:
Header Use of Header
Accept Determine which content types are acceptable for the response
Accept-Charset Determine which Character sets that are acceptable
Accept-Datetime Determine which version in time is acceptable
Accept-Language Determine the list of acceptable human languages for response
Authorization Used for credentials for HTTP authentication
CloudFront-Forward-Proto HTTP protocol detected to vary content based on session security (SSL vs. Non SSL)
CloudFront-Is-Desktop-Viewer CloudFront user agent (UA) detected and set to desktop based on mapping
CloudFront-Is-Mobile-Viewer CloudFront user agent (UA) detected and set to mobile based on mapping
CloudFront-Is-Tablet-Viewer CloudFront user agent (UA) detected and set to tablet based on mapping
CloudFront-Viewer-Country CloudFront geo detected country code
Host domain name and TCP port of the server
Origin used for CORS, sets allowed domain for origin to honor and share assets
Referrer sends URL/URI to origin to log referrers
*Note: custom headers are also supported, not just those listed here
29. Reference Architecture: CloudFront HTTP Headers Examples
VARY content served and cached based on Headers in the GET request
1) Vary response based on User Agent.
Example: Desktop, Mobile, Tablet
2) Vary response based on Language.
Example: user would prefer Danish but will accept British
English and other types of English. (Accept-Language: da,
en-gb;q=0.8, en;q=0.7 )
3) Vary response based on Protocol.
Example: CloudFront-Forward-Proto detected and
customer sent different content based on connection type.
Mobile User
(CloudFront-Is-
Mobile-Viewer)
Desktop User
(CloudFront-Is-
Desktop-Viewer)
1
1
2
3
30. Reference Architecture: CloudFront Signed URL (Authentication)
Protecting Content from Unauthorized Access
Customer Location
http://mysite.com/asset.mp4?&Expires=1357034400
5&Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA-
j19DzZr vDh6hQ73lDx~-ar3UocvvRQVw6EkC~GdpGQyyOSKQim-
TxAnW7d8F5Kkai9HVx0FIu-
jcQb0UEmatEXAMPLE3ReXySpLSMj0yCd3ZAB4UcBCAqEijkytL6f
3fVYNGQI6&Key-Pair-Id=APKA9ONS7QCOWEXAMPLE
1) Request for Content first goes to an
authentication server to validate user
and generate a signed URL.
2) A signed URL is sent back as a 302
redirect from the auth server
3) Request to CloudFront made with
signed URL, authentication with policy
statement, and verification of content
freshness (hasn’t expired)
4) CloudFront authenticates policy
statement for signed URL, sets cache
key, and sends content to requestor
EC2 Auth Server
Send content to requestor via cache edge
www.mysite.com/asset.mp4
EC2 Auth Server
Authenticate URL, Policy Statement, and Expiration
CloudFront Logic
CloudFront Edge Cache
31. Reference Architecture: CloudFront Routing Rules
Latency Based PoP Selection, Geo-Restriction, Price Classes
1) Request routed based on latency.
Example: Customer in Rio routed to least latent node:
Rio De Janeiro PoP location
2) Request denied based on geo
restriction.
Example: Customer in restricted country, access
denied and custom error page sent back.
3) Request routed based on Price Class.
Example: Price Classes set up to restrict content
delivery to nodes in N.America and Europe for cost
savings.
Send content to requestor via cache edge
Rio De Janeiro
CloudFront
Edge Cache
Content blocked due to geo rules
CloudFront Edge
Cache Denies
Request
X
Rio De Janeiro Customer Location
Restricted Customer Location
Custom Error Page Sent for a 403
Miami CloudFront
Edge CacheRio De Janeiro Customer Location
Content served from Price Class enabled node
32. CNAME =
xyz.cloudfront.net
CloudFront
53
Load Balance
Non-AWS End Point
Custom Origin or
Alternative CDN
Reference Architecture: Load Balancing
Load Balance between your CDN providers using Rt53
Customer Location
www.mysite.com
Weighted Round Robin Routing
CNAME = xyz.cloudfront.net, weight = 0-255
CNAME = xyz.somecdn.com, weight = 0-255
CNAME =
xyz.somecdn.com
Latency Based Routing
CNAME = xyz.cloudfront.net, latency metric
CNAME = xyz.somecdn.com, latency metric
Fail Over Routing
CNAME = xyz.cloudfront.net, PRIMARY
CNAME = xyz.somecdn.com, SECONDARY
Geolocation Routing
CNAME = xyz.cloudfront.net, LOCATION 1…LOCATION X
CNAME = xyz.somecdn.com, LOCATION 2…LOCATION Y
33. origin.mysite.com
CloudFront
53
Load Balance
Non-AWS End Point
Custom Origin or
Alternative CDN
Reference Architecture: Load Balancing Cache Fills
Load Balance between your ORIGINs to fill the CloudFront Caches
Customer Location
www.mysite.com
Weighted Round Robin Routing
CNAME = xyz.cloudfront.net, weight = 0-255
CNAME = xyz.somecdn.com, weight = 0-255
Latency Based Routing
CNAME = origin.mysite.com, latency metric
CNAME = origin.mysite.com, latency metric
Fail Over Routing
CNAME = origin.mysite.com, PRIMARY
CNAME = origin.mysite.com, SECONDARY
Geolocation Routing
CNAME = origin.mysite.com, LOCATION 1…LOCATION X
CNAME = origin.mysite.com, LOCATION 2…LOCATION Y
EC2S3 ELB
EC2S3 ELB
us-east
us-west
origin.mysite.com
origin.mysite.com
origin.mysite.com
34. CNAME =
xyz.cloudfront.net
CloudFront
EC2S3 ELB53
Load Balance via DNS
Non-AWS End Point
Custom Origin or
Alternative CDN
Reference Architecture: Intelligent Routing
Using CloudFront with Rt53: In front of the CDN and the Origins
Customer Location
www.mysite.com
53
For Cache Fills: Rt53 Load
Balances between origins based
on weighted round robin or based
on geo determination
CloudFront selects the optimal
edge location to serve content from
based on Latency, Price Class
CloudFront POP Locations
Customer
Requests/Receives
content from optimal
CloudFront PoP
Request made for content,
DNS resolved to a CloudFront
CNAME and customer
request sent to CloudFront
1
4 2
3
Editor's Notes
CloudFront latency SLA is 99.99%. There is no availability SLA at this time but CloudFront has historically had the highest availability of any CDN based on third party, and internal, metrics reports.
Main Point: For Availability CloudFront is a leader. For latency, the top tier CDN’s are all within a few milliseconds (ms) of each other and the top seat varies from day to day and region by region. What you’ll find is there is a zone of acceptable latency performance that the CDN’s provide. Some CDN’s have better regional coverage than others. For static/cachable content, CloudFront performs among the top tier of CDNs. And there is a significant performance improvement using a top tier CDN compared to an origin server such as EC2. (50% improvement over origin is not uncommon)
Graph: The line represents the range of expected response times for each CDN. The line ranges from 10th percentile (at the bottom) to the 95th percentile (at the top). This means that 95% of all customers should get performance in or below this range. The Box on the line is from the 25th percentile to the 75th percentile. This means that 50% of requests should see performance inside this range.
Amazon CloudFront and Amazon Route 53 services are offered at AWS Edge Locations
Not only do we serve all of your content, we make it easy for you to manage content as well. We have an easy to use GUI console and api support so you can make changes the way your prefer because all features are supported in both.
And the changes taking place immediately…
(Speak to the bullets)
ADD Global Coverage is still here, but less edge locations
If you do need help, AWS customer service is here!
We have enabled users to be able so self solve problems– Our documentation is updated with every new release and goes into great detail about how to work with our service.
SA Help (work w/ sales) (Trial Credits available)
AWS support –
24 hour customer service
Dedicated support engineers
And depending on the level of AWS support, we even have very fast response times
(More information at http://aws.amazon.com/premiumsupport
With the caching and acceleration technology that CloudFront has, we can deliver all of your content from static images to user inputted content.
Static: images, js, html, etc
Video: rtmp and http streaming support
Dynamic: customizations and non-cachable cotnent
User Input: http verb support including Put/Post, etc
SSL: Serve the content securely with SSL (https)
Scale- Content cached in CloudFront so less requests go to the origin
Image: User A, B & C all request the same content, but after Request A goes to the origin, CloudFront has the content cached and serves User B and C without having to send another request to the origin.
Dynamic routing avoids issues with edge location outages
IN NOTES: USE CASE
So no matter if you are using a custom origin or AWS, and no matter the content type, CloudFront will work with you to improve your users’ experience.
User to CloudFront
Routing based on lowest latency
SSL termination close to viewers
CloudFront to Origin
TCP optimizations
Keep-alive connections
Network paths monitoring
http verb optimization (get,put,etc)
NOTES: PUT/POST will use a CloudFront edge as a proxy to send back to origin.
CloudFront proxies ONLY, it is NOT a store and forward CDN meaning you can’t use PUT or POST to pre-load a cache. Caches are only filled upon a request, or GET.
Use Rt53 to load balance between your CDN providers OR between a CDN and your own infrastructure.
There are many other examples to highlight, this slide just shows a few common VARY actions.
Also common is the CORS support where an asset in one domain can be served by an origin in another that has been set up to share assets. This has been a very popular feature request.
CloudFront can be used to authenticate content. For added security encrypt the connection via SSL.
Signed URL’s require a canned or custom policy statement to be made for CloudFront. The customer will specify parameters such as:
Query Sting (?color, image_size, etc.)
Expiration time/date in UNIX format
IP Address
They will also need to include in the signed URL the:
Hashed and signed version of the policy statement
Key Pair ID used to generate the signature