Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv
•Download as PPTX, PDF•
3 likes•3,595 views
An overview of one of the worlds largest content delivery networks, how it is used for accerlation of websites and applications for dynamic and static content. We will cover recent feature additions including integration of the new AWS WAF and other security features.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv
Similar to Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv (20)
More from Amazon Web Services
More from Amazon Web Services (20)
Recently uploaded
Recently uploaded (20)
Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv
- 1. Amazon’s Content Delivery Service Amazon CloudFront Tom Witman, Global Business Development Manager AWS Edge Services Seattle, WA
- 2. CloudFront: Content Delivery Network • Highly Scalable Distributed Caching Network • Global Infrastructure • Dynamic, Static, and Streaming Object Delivery • Highly Secure • Robust Analytics • Self Service • Priced to Minimize Cost
- 3. Content Delivery Applies to any Use Case • Media and Entertainment • Gaming • eCommerce • Digital Advertising • Software Downloads • Mobile • Dynamic Websites and Applications
- 4. CloudFront and the AWS Ecosystem • Integrates with AWS Resources – Rt53 DNS – Amazon Elastic Transcoder – S3 Storage – EC2 Compute and Elastic Load Balancing – Marketplace SaaS and SI partners – Mobile Hub • Improves Scalability of other Amazon Resources • Discounts on Data Transfer from Amazon S3 & EC2 to CloudFront
- 5. CloudFront and the Hybrid Ecosystem • Origins Can be Hosted on Site or in the Cloud – Custom origins for static / dynamic content – Fine grained control for custom origins, pass through headers – SSL, TLS session management between edge / origin • Improves Scalability
- 6. CloudFront Security and Compliance Features • Compliance • PCI DSS Compliance • ISO 9001, 27001, 27017, 27018 • Security Enhancements to your infrastructure • Signed URL • Signed Cookies • Enforce HTTPS to origin • Support for TLSv1 .1 and TLSv1.2 between edge and origin • Add/Modify Request Headers Forwarded From CloudFront to Origin • Integration with AWS Certificate Manager • Integration with AWS WAF (web application firewall) • Geographic Restriction
- 7. What You Look for in a CDN • Performance: deliver content with low latency and high availability • Reach and Functionality: provide global network of edge locations to optimally reach a wide audience • Cost: ensure financial feasibility for scalable bit delivery
- 8. Common Features for Web Applications Video Streaming • RTMP (Flash) and HTTP(S) delivery • Adaptive Bitrate Streaming (HLS, HDS, Smooth, MPEG-DASH) Security • Private Content • SSL, TLS/SNI Support • Advanced SSL (perfect forwarding, OCSP stapling, session tickets) • Geo Restriction • AWS WAF • SSL Enforcement to Origin • Customer Headers from Edge to Origin Content Management • AWS Management Console • Full control via APIs • Programmatic Invalidation • Online Usage Reports and Charts • Industry-compliant, detailed Access Logs • GZIP Comperession Dynamic Content Acceleration • Low Minimum Content Expiration Periods (TTL=0) • Multiple Cache Behaviors • Multiple Origin Servers • CORS Support • Origin Connection Protocol • Viewer Connection Protocol • Zone Apex Support • Query String & Cookie Support • Put/Post HTTP Verb Support • Full VARY Support • User Agent Detection (Mobile/Desktop) • Geo Targeting • Multi-Site Hosting • Wildcard Invalidations • Persistent TCP Connections 8
- 9. CloudFront Key Infrastructure Features Video Streaming On-demand & Live Streaming RTMP (Flash) and HTTP(S) Adaptive Bitrate Live Streaming Microsoft Smooth Streaming Whole Site Delivery Static & Dynamic Content Mobile Detect, CORS Support Multiple Cache Behaviors Multiple Origin Servers Security Private Content (Signed URLs) Custom SSL (Dedicated IP & SNI) Geo Restriction HTTP to HTTPS Redirect High Availability 99.9% SLA Automatic Origin Failover Custom Error Pages Serve Stale Content when Origin unavailable High Performance Latency Based Routing TCP Optimization Persistent Connections EDNS Client Subnet Low TCO Pay for use Commit-Based lower pricing Price Classes Preferential Pricing for AWS origins
- 10. CloudFront Dynamic Site Performance 0 200 400 600 800 1000 1200 Dynmaic Delivery: Cloudfront Dynamic Dleivery: Origin Dynamic Site Performance (ms)* 95th Percentile 75th Percentile 50th Percentile 25th Percentile 10th Percentile Mean *Data from Cedexis, Last 5 Days, DSA Time Measure of the Ireland region
- 11. Performance: Industry Leading Latency and Availability 99.483 99.373 99.037 98.848 98.056 97 97.5 98 98.5 99 99.5 100 Global Availability* 0 100 200 300 400 500 600 CDN E Cloudfront CDN B CDN D CDN C MS Latency (Response Time)** *Data from Cedexis, Last 30 Days, Availability measured over All Cedexis Regions. **Data from Cedexis, Last 30 Days, Response Time Measure of the United States.
- 12. AWS Global Infrastructure – Spring 2016 AWS Regions and Availability Zones: 11 Regions, 30 Availability Zones AWS Content Delivery Network: 54 CloudFront Edge Locations (PoPs), 38 Cities, 5 Continents North America Cities: 15 PoPs: 21 South America Cities: 2 PoPs: 2 Europe/Middle East/Africa Cities: 10 PoPs: 16 Asia Pacific Cities: 11 PoPs: 15 Edge location 2016 Amazon Web Services Confidential
- 13. Amazon CloudFront, Amazon Route 53, and AWS WAF Locations 54 CloudFront Edge Locations (PoPs), 38 Cities, 5 Continents CloudFront Amazon Route 53 AWS WAF 2016 Amazon Web Services Confidential
- 14. North America Cities: 15 PoPs: 21 Ashburn, VA (3) Atlanta, GA Chicago, IL Dallas/Fort Worth, TX (2) Hayward, CA Jacksonville, FL Los Angeles, CA (2) Miami, FL New York, NY (3) Newark, NJ Palo Alto, CA San Jose, CA Seattle, WA South Bend, IN St. Louis, MO Amazon CloudFront, Amazon Route 53, and AWS WAF Locations 54 CloudFront Edge Locations (PoPs), 38 Cities, 5 Continents South America Cities: 2 PoPs: 2 Rio de Janeiro, Brazil São Paulo, Brazil Europe / Middle East / Africa Cities: 10 PoPs: 16 Amsterdam, The Netherlands (2) Dublin, Ireland Frankfurt, Germany (3) London, England (3) Madrid, Spain Marseille, France Milan, Italy Paris, France (2) Stockholm, Sweden Warsaw, Poland Asia Pacific Cities: 11 PoPs: 15 Chennai, India Hong Kong, China (2) Manila, the Philippines Melbourne, Australia Mumbai, India Osaka, Japan Seoul, Korea (2) Singapore (2) Sydney, Australia Taipei, Taiwan Tokyo, Japan (2) CloudFront Amazon Route 53 AWS WAF Edge location AWS Region 2016 Amazon Web Services Confidential
- 15. Elastic Transcoder Region 2016 Amazon Web Services Confidential Amazon Elastic Transcoder Regional Deployments Six Regions US East (Virginia) US West (N. California) US West (Oregon) EU (Ireland) Asia Pacific (Singapore) Asia Pacific (Tokyo)
- 16. POST /2012-07-01/distribution HTTP/1.1 Host: cloudfront.amazonaws.com Authorization: AWS authentication string Date: time stamp Other required headers <?xml version="1.0" encoding="UTF-8"?> <DistributionConfig xmlns="http://cloudfront.amazonaws.com/doc/2 012-07-01/"> Manage Your Content Your Way API Console management and reporting
- 17. CloudFront Pricing: Competitive, Flexible Options • On-demand, pay for use elastic pricing • Same pricing for Static and Dynamic Content • Usage Commitment Options • GB delivery model • No Platform Fees PriceperGB Data Transfer Data Transfer Economies of Scale Public Rates Private Rates
- 18. CloudFront Pricing: Price Classes performance / cost optimization on demand All 54 PoPs, 38 Cities, 19 Countries North America + Europe 36 PoPs, 25 Cities, 10 Countries North America + Europe + Asia 50 PoPs, 34 Cities, 17 Countries Deliver Content Globally and Control Pricing to Fit Performance and Cost Objectives
- 19. Customer Support: Help When You Need It • Enabled Self Service • AWS Solution Architects and CloudFront Sales • 24 Hour AWS Customer Service • Dedicated Support Engineers • Fast Response Times (<15 mins)* * Depends on level of Support (http://aws.amazon.com/premiumsupport/)
- 20. The Nitti Gritty: How It Works General Use Cases Static Content Dynamic Content Custom Origins Behaviors Error Pages Invalidations Media and Entertainment Asset Download and Progressive Video Playback and Download Streaming Media – Adaptive Bitrate Video on Demand (VoD) Streaming Media – Live Delivery Digital Publishing
- 21. Dynamic Static Video Deliver All of Your Content: whole site delivery User Input SSL
- 22. Automatic Scalability CloudFront scales with demand while reducing load on your origin User A User B User C Request A OriginCloudFront
- 23. Elastic Load Balancing Dynamic Content Amazon EC2 Static Content Amazon S3 Custom Origin OR OR Custom OriginAmazon CloudFront example.com *.jpg *.php Reference Architecture: Overview Static and Dynamic Content Delivery
- 24. Reference Architecture: HTTP METHODS Requests to the CloudFront edge HEAD Identical to GET except that the server MUST NOT return a message-body in the response. Used for obtaining meta-information about the entity implied by the request without transferring the entity-body itself POST Used to request the origin server to accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request- Line. PUT The fundamental difference between the POST and PUT requests is reflected in the different meaning of the Request-URI. PATCH Used to apply partial modifications to a resource DELETE Requests that the origin server delete the resource identified by the Request- URI OPTIONS Request for information about the communication options available on the request/response chain identified by the Request- URI GET Requests for content from the cache HTTP, HTTPS and RTMP
- 25. Reference Architecture: Determining Content Source Overview of Rt53 Intelligent Routing Options Customer Location 1 53 Request to www.mysite.com Location A: Resolve to xyz.cloudfront.net Location B: Resolve to IP address of EC2 Location C: Resolve to IP address of S3 Location D: Resolve to IP address of non-AWS end point 3 Examine geo source, weights, latency, health checks Elastic Cloud Compute S3CloudFront Non-AWS End Point 1 2 3 4 4 Return IP Address based on precedent criteria 2 5 If request sent to CloudFront, then CloudFront determines best PoP to send requestor to based on the CDN rules 5
- 26. Reference Architecture: Overview – Media/Entertainment Streaming in Front of Your Origin • Deliver Static and Dynamic Content • Offload origin traffic to CloudFront CDN • Serve LIVE Event Traffic to Large Crowds • Serve VOD Media to any device • Alter content based on User Agent • Secure connections via SSL • Authenticate via signed URLs • Supports 3rd Party DRM Static Content Served from S3 *.jpg, *.m3u8, *.ts, *.css Dynamic or Static Content Served from ELB and/or EC2 *.php, *.js, *m3u8, *.ts
- 27. CloudFront Reference Architecture: CloudFront Origin Selection Origin Selection Based on Intelligent Behavior Rules Customer Location www.mysite.com Path Pattern Matching /*.jpg; /*.php etc. GET http://mysite.com/images/1.jpg to ORIGIN A GET http://mysite.com/index.php to ORIGIN B GET http://mysite.com/web/home.css to ORIGIN C GET http://mysite.com/* (DEFAULT) to ORIGIN D Origin A: origin.mysite.com Origin B: origin2.mysite.com Origin C: origin3.mysite.com Origin D: origin4.mysite.com Path Pattern Matching /*.php /images/*.jpg /web/*.css /*.* (DEFAULT)
- 28. Reference Architecture: HTTP Headers for Dynamic Content VARY content served based on HTTP Headers Content delivered to a request may vary depending on the request headers that were passed in the GET request. The header is used as a cache key and passed onto origin for the appropriate content. Common headers supported are listed: Header Use of Header Accept Determine which content types are acceptable for the response Accept-Charset Determine which Character sets that are acceptable Accept-Datetime Determine which version in time is acceptable Accept-Language Determine the list of acceptable human languages for response Authorization Used for credentials for HTTP authentication CloudFront-Forward-Proto HTTP protocol detected to vary content based on session security (SSL vs. Non SSL) CloudFront-Is-Desktop-Viewer CloudFront user agent (UA) detected and set to desktop based on mapping CloudFront-Is-Mobile-Viewer CloudFront user agent (UA) detected and set to mobile based on mapping CloudFront-Is-Tablet-Viewer CloudFront user agent (UA) detected and set to tablet based on mapping CloudFront-Viewer-Country CloudFront geo detected country code Host domain name and TCP port of the server Origin used for CORS, sets allowed domain for origin to honor and share assets Referrer sends URL/URI to origin to log referrers *Note: custom headers are also supported, not just those listed here
- 29. Reference Architecture: CloudFront HTTP Headers Examples VARY content served and cached based on Headers in the GET request 1) Vary response based on User Agent. Example: Desktop, Mobile, Tablet 2) Vary response based on Language. Example: user would prefer Danish but will accept British English and other types of English. (Accept-Language: da, en-gb;q=0.8, en;q=0.7 ) 3) Vary response based on Protocol. Example: CloudFront-Forward-Proto detected and customer sent different content based on connection type. Mobile User (CloudFront-Is- Mobile-Viewer) Desktop User (CloudFront-Is- Desktop-Viewer) 1 1 2 3
- 30. Reference Architecture: CloudFront Signed URL (Authentication) Protecting Content from Unauthorized Access Customer Location http://mysite.com/asset.mp4?&Expires=1357034400 5&Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA- j19DzZr vDh6hQ73lDx~-ar3UocvvRQVw6EkC~GdpGQyyOSKQim- TxAnW7d8F5Kkai9HVx0FIu- jcQb0UEmatEXAMPLE3ReXySpLSMj0yCd3ZAB4UcBCAqEijkytL6f 3fVYNGQI6&Key-Pair-Id=APKA9ONS7QCOWEXAMPLE 1) Request for Content first goes to an authentication server to validate user and generate a signed URL. 2) A signed URL is sent back as a 302 redirect from the auth server 3) Request to CloudFront made with signed URL, authentication with policy statement, and verification of content freshness (hasn’t expired) 4) CloudFront authenticates policy statement for signed URL, sets cache key, and sends content to requestor EC2 Auth Server Send content to requestor via cache edge www.mysite.com/asset.mp4 EC2 Auth Server Authenticate URL, Policy Statement, and Expiration CloudFront Logic CloudFront Edge Cache
- 31. Reference Architecture: CloudFront Routing Rules Latency Based PoP Selection, Geo-Restriction, Price Classes 1) Request routed based on latency. Example: Customer in Rio routed to least latent node: Rio De Janeiro PoP location 2) Request denied based on geo restriction. Example: Customer in restricted country, access denied and custom error page sent back. 3) Request routed based on Price Class. Example: Price Classes set up to restrict content delivery to nodes in N.America and Europe for cost savings. Send content to requestor via cache edge Rio De Janeiro CloudFront Edge Cache Content blocked due to geo rules CloudFront Edge Cache Denies Request X Rio De Janeiro Customer Location Restricted Customer Location Custom Error Page Sent for a 403 Miami CloudFront Edge CacheRio De Janeiro Customer Location Content served from Price Class enabled node
- 32. CNAME = xyz.cloudfront.net CloudFront 53 Load Balance Non-AWS End Point Custom Origin or Alternative CDN Reference Architecture: Load Balancing Load Balance between your CDN providers using Rt53 Customer Location www.mysite.com Weighted Round Robin Routing CNAME = xyz.cloudfront.net, weight = 0-255 CNAME = xyz.somecdn.com, weight = 0-255 CNAME = xyz.somecdn.com Latency Based Routing CNAME = xyz.cloudfront.net, latency metric CNAME = xyz.somecdn.com, latency metric Fail Over Routing CNAME = xyz.cloudfront.net, PRIMARY CNAME = xyz.somecdn.com, SECONDARY Geolocation Routing CNAME = xyz.cloudfront.net, LOCATION 1…LOCATION X CNAME = xyz.somecdn.com, LOCATION 2…LOCATION Y
- 33. origin.mysite.com CloudFront 53 Load Balance Non-AWS End Point Custom Origin or Alternative CDN Reference Architecture: Load Balancing Cache Fills Load Balance between your ORIGINs to fill the CloudFront Caches Customer Location www.mysite.com Weighted Round Robin Routing CNAME = xyz.cloudfront.net, weight = 0-255 CNAME = xyz.somecdn.com, weight = 0-255 Latency Based Routing CNAME = origin.mysite.com, latency metric CNAME = origin.mysite.com, latency metric Fail Over Routing CNAME = origin.mysite.com, PRIMARY CNAME = origin.mysite.com, SECONDARY Geolocation Routing CNAME = origin.mysite.com, LOCATION 1…LOCATION X CNAME = origin.mysite.com, LOCATION 2…LOCATION Y EC2S3 ELB EC2S3 ELB us-east us-west origin.mysite.com origin.mysite.com origin.mysite.com
- 34. CNAME = xyz.cloudfront.net CloudFront EC2S3 ELB53 Load Balance via DNS Non-AWS End Point Custom Origin or Alternative CDN Reference Architecture: Intelligent Routing Using CloudFront with Rt53: In front of the CDN and the Origins Customer Location www.mysite.com 53 For Cache Fills: Rt53 Load Balances between origins based on weighted round robin or based on geo determination CloudFront selects the optimal edge location to serve content from based on Latency, Price Class CloudFront POP Locations Customer Requests/Receives content from optimal CloudFront PoP Request made for content, DNS resolved to a CloudFront CNAME and customer request sent to CloudFront 1 4 2 3
Editor's Notes
- CloudFront latency SLA is 99.99%. There is no availability SLA at this time but CloudFront has historically had the highest availability of any CDN based on third party, and internal, metrics reports.
- Main Point: For Availability CloudFront is a leader. For latency, the top tier CDN’s are all within a few milliseconds (ms) of each other and the top seat varies from day to day and region by region. What you’ll find is there is a zone of acceptable latency performance that the CDN’s provide. Some CDN’s have better regional coverage than others. For static/cachable content, CloudFront performs among the top tier of CDNs. And there is a significant performance improvement using a top tier CDN compared to an origin server such as EC2. (50% improvement over origin is not uncommon) Graph: The line represents the range of expected response times for each CDN. The line ranges from 10th percentile (at the bottom) to the 95th percentile (at the top). This means that 95% of all customers should get performance in or below this range. The Box on the line is from the 25th percentile to the 75th percentile. This means that 50% of requests should see performance inside this range.
- Amazon CloudFront and Amazon Route 53 services are offered at AWS Edge Locations
- Not only do we serve all of your content, we make it easy for you to manage content as well. We have an easy to use GUI console and api support so you can make changes the way your prefer because all features are supported in both. And the changes taking place immediately…
- (Speak to the bullets)
- ADD Global Coverage is still here, but less edge locations
- If you do need help, AWS customer service is here! We have enabled users to be able so self solve problems– Our documentation is updated with every new release and goes into great detail about how to work with our service. SA Help (work w/ sales) (Trial Credits available) AWS support – 24 hour customer service Dedicated support engineers And depending on the level of AWS support, we even have very fast response times (More information at http://aws.amazon.com/premiumsupport
- With the caching and acceleration technology that CloudFront has, we can deliver all of your content from static images to user inputted content. Static: images, js, html, etc Video: rtmp and http streaming support Dynamic: customizations and non-cachable cotnent User Input: http verb support including Put/Post, etc SSL: Serve the content securely with SSL (https)
- Scale- Content cached in CloudFront so less requests go to the origin Image: User A, B & C all request the same content, but after Request A goes to the origin, CloudFront has the content cached and serves User B and C without having to send another request to the origin. Dynamic routing avoids issues with edge location outages IN NOTES: USE CASE
- So no matter if you are using a custom origin or AWS, and no matter the content type, CloudFront will work with you to improve your users’ experience. User to CloudFront Routing based on lowest latency SSL termination close to viewers CloudFront to Origin TCP optimizations Keep-alive connections Network paths monitoring http verb optimization (get,put,etc)
- NOTES: PUT/POST will use a CloudFront edge as a proxy to send back to origin. CloudFront proxies ONLY, it is NOT a store and forward CDN meaning you can’t use PUT or POST to pre-load a cache. Caches are only filled upon a request, or GET.
- Use Rt53 to load balance between your CDN providers OR between a CDN and your own infrastructure.
- There are many other examples to highlight, this slide just shows a few common VARY actions. Also common is the CORS support where an asset in one domain can be served by an origin in another that has been set up to share assets. This has been a very popular feature request.
- CloudFront can be used to authenticate content. For added security encrypt the connection via SSL. Signed URL’s require a canned or custom policy statement to be made for CloudFront. The customer will specify parameters such as: Query Sting (?color, image_size, etc.) Expiration time/date in UNIX format IP Address They will also need to include in the signed URL the: Hashed and signed version of the policy statement Key Pair ID used to generate the signature