Secured API Acceleration with Engineers from Amazon CloudFront and Slack

In this session, we talk about how customers running their websites or APIs on AWS can improve security while increasing performance of their applications by using Amazon CloudFront’s globally distributed edge locations. We go through architectural patterns such as TLS termination at the edge, inherent DDoS Protection, and AWS Web Application Firewall (WAF). Then Slack, makers of cloud-based team collaboration software, discuss how they are using ELB and CloudFront to accelerate their APIs.

  1. Secured API Acceleration. June 23, 2016. Nihar Bihani, Principal Product Manager, Amazon CloudFront; Alex Graham, Sr. Operations Engineer, Slack. @cloudfront
  2. Agenda: Challenges with Delivering APIs; CloudFront for API Delivery; Customer Story: Slack
  3. Delivering APIs
  4. API Proliferation. [Chart: number of published APIs per quarter, Jun-05 to Sep-13, with labelled values 2,418 and 10,302. Data from ProgrammableWeb.]
  5. Challenges with Delivering APIs
     - API Response Time: APIs are often not cacheable; improving performance is non-trivial
     - Security & DDoS Target: protect from DDoS attacks; block malicious activity
     - Scaling & Availability: operational burden; availability risks
  6. How can Amazon CloudFront help APIs?
  7. Amazon CloudFront
     - Global Content Delivery Network
     - Accelerate web applications and APIs
     - Also accelerate images, video etc.
  8. CloudFront for API Delivery: Benefits
     - Application Acceleration: network optimizations
     - Secured Delivery: AWS WAF; inherent DDoS protection
     - Designed for High Availability: global edge network; intelligent routing
  9. Let's Dive Deeper
  10. API Delivery: App Acceleration (Application Acceleration; Network Optimizations)
  11. Behind the Scenes: Application Acceleration
     - CloudFront latency-based routing
     - TCP/IP optimizations for the network path
     - Keep-alive connections to reduce RTT
     - AWS backbone network
     - SSL/TLS optimizations
  12. SSL/TLS Optimizations
     - SSL/TLS termination close to viewers
     - OCSP stapling
     - Caching session tickets at the CloudFront edge location
  13. API Delivery: Security (Secured Delivery; AWS WAF; Inherent DDoS Protection)
  14. DDoS Protection for AWS Infrastructure
     - Inherent protection: you don't have to enable anything; covers layer 3/4 attacks like SYN and UDP floods and layer 7 attacks like Slowloris
     - Inline detection & mitigation: low MTTR; microsecond latencies
     - Proven DDoS mitigation techniques: targeted and heuristic mitigations
     [Diagram: users and DDoS attack traffic pass through AWS DDoS mitigation before reaching Amazon CloudFront and Amazon Route 53 in front of the virtual private cloud, all within the AWS global infrastructure]
  15. DDoS Mitigation Techniques
     - Basic hygiene: automatically filters invalid packets, e.g. block any UDP destined to CloudFront
     - Traffic ACLs: prioritize good vs. bad traffic based on several factors: DNS request validation, source IP, source ASN, traffic levels, validated sources
     - Redundant high-capacity network paths: viewers always have a path to reach CloudFront
  16. DDoS Mitigation: no impact to availability even during a DDoS attack. [Chart: sample attack on a CloudFront customer]
  17. AWS WAF for Secured API Delivery
  18. API Delivery: Availability (Designed for High Availability; Global Edge Network; Intelligent Routing)
  19. Designed for High Availability: mitigate the top 3 risks for availability
     - DDoS attacks: ensures DDoS attacks don't cause outages
     - Scale for traffic surge: load-based dynamic routing; multiple transit providers; collapse forwarding; maintain buffer
     - Operator errors: fault-tolerant deployment
  20. Scalability: built to handle large-scale events
  21. Slack uses CloudFront for API Acceleration
  22. Alex Graham, Sr. Operations Engineer
  23. Secure API Acceleration using Amazon CloudFront
  24. Agenda: 1. Slack API Overview; 2. Why Amazon CloudFront?; 3. Migration from ELB; 4. Performance Metrics; 5. Future Plans
  25. Slack API Overview
  26. Web API
     - POSTs and GETs to an HTTPS endpoint: responses come back as JSON objects
     - All Slack clients are API consumers: mobile, desktop and web clients use our API
     - Accelerated globally using CloudFront: requests to slack.com and the HTTPS API are powered by CloudFront
  27. Web API Examples
     - Search for all files or messages containing the string "Hello": GET https://slack.com/api/search.all?token=xoxp-...&query=Hello
     - List all channels along with their members: GET https://slack.com/api/channels.list?token=xoxp-...
     - Create a new channel called "#test": GET https://slack.com/api/channels.create?token=xoxp-...&name=test
  28. Web API Stats
     - 3 million daily active users: each user is making API calls all day
     - 1.5 billion total requests per day: over 10 billion per week!
     - 52% of those are API requests: over 5 billion API requests per week!
  29. Why Amazon CloudFront?
  30. Benefits with Amazon CloudFront
     - DDoS protection & security benefits: Amazon has some tricks up their sleeve
     - Network infrastructure: AWS global network backbone
     - Performance and reliability: CloudFront is designed for high volumes of traffic
  31. Why We Chose Amazon CloudFront
     - Flexibility and ability to customize: no magic switches, everything can be configured
     - Outperformed all other DDoS and CDN providers: CloudFront stability was better than the other providers we tested
     - Pairs nicely with existing AWS technology: CloudFront is easy to configure with ELB and S3
  32. Migration from ELB
  33. Amazon CloudFront Configuration
     - Caching disabled: all API responses are dynamic, so nothing is cached
     - Forward all headers, cookies and query strings to origin: forward all the things!
     - S3 bucket with static HTML error pages: if the origin is not responding we will still serve an error page from S3
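One way to verify that a distribution actually matches the configuration on the slide above, as an added example that is not Slack's or AWS's code: a check over the JSON that `aws cloudfront get-distribution-config` returns (forward everything, zero TTLs, HTTPS only, error pages routed to an S3 origin), run here on a constructed sample whose origin IDs, domain names and /errors/ path are assumptions.

```python
import fnmatch

# Constructed sample in the shape `aws cloudfront get-distribution-config` returns,
# trimmed to the keys the check reads; origin names and paths are made up.
SAMPLE_CONFIG = {"DistributionConfig": {
    "Origins": {"Items": [
        {"Id": "api-elb", "DomainName": "api-elb.us-east-1.elb.amazonaws.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
        {"Id": "error-pages", "DomainName": "error-pages.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}}]},
    "DefaultCacheBehavior": {
        "TargetOriginId": "api-elb", "ViewerProtocolPolicy": "https-only",
        "ForwardedValues": {"QueryString": True, "Cookies": {"Forward": "all"},
                            "Headers": {"Items": ["*"]}},
        "MinTTL": 0, "DefaultTTL": 0, "MaxTTL": 0},
    "CacheBehaviors": {"Items": [{"PathPattern": "/errors/*", "TargetOriginId": "error-pages"}]},
    "CustomErrorResponses": {"Items": [
        {"ErrorCode": 503, "ResponsePagePath": "/errors/503.html", "ResponseCode": "503"}]}}}


def _is_s3_origin(cfg, origin_id):
    return any(o["Id"] == origin_id and "S3OriginConfig" in o for o in cfg["Origins"]["Items"])


def check_api_passthrough(doc):
    """Return a list of findings; an empty list means the distribution matches the pattern."""
    cfg = doc["DistributionConfig"]
    beh = cfg["DefaultCacheBehavior"]
    fv = beh.get("ForwardedValues", {})
    findings = []
    if not fv.get("QueryString"):
        findings.append("query string not forwarded: token=... and other API parameters are dropped")
    if fv.get("Cookies", {}).get("Forward") != "all":
        findings.append("cookies not forwarded to origin")
    if "*" not in fv.get("Headers", {}).get("Items", []):
        findings.append("headers not all forwarded: origin does not see every request header")
    if any(beh.get(ttl, 1) != 0 for ttl in ("MinTTL", "DefaultTTL", "MaxTTL")):
        findings.append("non-zero TTL: dynamic API responses could be cached at the edge")
    if beh.get("ViewerProtocolPolicy") != "https-only":
        findings.append("viewers may call the API over plain HTTP")
    # Each custom error page must route to a cache behavior that targets an S3 origin;
    # otherwise the error page depends on the very origin that just failed.
    s3_patterns = [b["PathPattern"] for b in cfg.get("CacheBehaviors", {}).get("Items", [])
                   if _is_s3_origin(cfg, b["TargetOriginId"])]
    for err in cfg.get("CustomErrorResponses", {}).get("Items", []):
        path = err.get("ResponsePagePath", "")
        if not any(fnmatch.fnmatchcase(path, pat) for pat in s3_patterns):
            findings.append(f"error page {path} for HTTP {err['ErrorCode']} is not served from S3")
    return findings
```

Feed it the output of `aws cloudfront get-distribution-config --id <distribution id>` to audit a real distribution; every finding names the setting that deviates from the pattern.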
  34. Slack API Before Amazon CloudFront
  35. Slack API During Migration to Amazon CloudFront
  36. Slack API Today
  37. Performance Metrics
  38. Network Latency: average latency around the world to slack.com dropped from 90ms to 15ms.
  39. Response Time: average response time around the world to slack.com dropped from 480ms to 200ms.
  40. Connection Breakdown. [Diagram: Amazon CloudFront in front of the us-east-1 ELB]
  41. Direct Benefits for Slack
     - Less affected by internet outages and route leaks: traffic enters the AWS backbone closer to the client
     - Slack loads more quickly all around the world: the client spends less time waiting for API calls
     - Automatic DDoS protection: we let AWS deal with DDoS attacks without waking up the ops team
  42. Future Plans
  43. Rate Limiting
     - Pushing rate limits to the edge: less infrastructure to maintain means less time and money
     - Limiting unauthenticated requests at the edge: stop high-layer DDoS attacks early by setting per-IP request limits
     - Alerting or posting to Slack when rate limits are tripped: we want to know about this, it might be an attack or a misconfiguration
  44. Blocking Malicious Traffic
     - Manually adding rules to mitigate an attack: if our infrastructure is overwhelmed we can block at the edge
     - Blocking known bad IPs: block known botnets using IP blacklists
     - Using Lambda and WAF to block based on rule sets: determine safe limits and temporarily block offenders
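The per-IP limit on unauthenticated requests and the "determine safe limits and temporarily block offenders" step from the last two slides, as an added example that is not Slack's code: a sliding-window count of token-less /api/ calls per client IP over CloudFront access log records, parsed by the #Fields header so column positions are not hard-coded. The log sample is constructed, the threshold, window and IP addresses are assumptions, and pushing the resulting IPs into a WAF IP set is left to the caller.

```python
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, unquote

FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) "
          "cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken")

def _record(time, ip, stem, query):
    # Constructed line in the 19-column CloudFront standard log layout; query is "-" when empty.
    return "\t".join(["2016-06-23", time, "IAD53", "512", ip, "GET", "d111111abcdef8.cloudfront.net",
                      stem, "200", "-", "Slack%2FDesktop", query, "-", "Miss", "REQID",
                      "slack.com", "https", "300", "0.120"])

# Constructed sample: one client hammering the API without a token, one legitimate client.
SAMPLE_LOG = "\n".join(["#Version: 1.0", "#Fields: " + FIELDS] +
    [_record("10:00:%02d" % s, "203.0.113.10", "/api/channels.list", "-") for s in range(6)] +
    [_record("10:00:30", "203.0.113.10", "/api/channels.list", "-"),
     _record("10:00:01", "198.51.100.7", "/api/search.all", "token=xoxp-EXAMPLE&query=Hello"),
     _record("10:00:02", "198.51.100.7", "/api/channels.list", "token=xoxp-EXAMPLE"),
     _record("10:00:03", "198.51.100.7", "/", "-")])

def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    names = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            names = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(names, line.split("\t")))

def is_authenticated(rec):
    """True when the request carried a non-empty token= query parameter (the Slack Web API form)."""
    query = rec.get("cs-uri-query", "-")
    params = parse_qs(unquote(query)) if query != "-" else {}
    return bool(params.get("token", [""])[0])

def unauthenticated_offenders(text, limit, window_s):
    """Sliding window per client IP over token-less /api/ calls; returns {ip: peak count} where peak > limit."""
    recent, peaks = defaultdict(deque), {}
    for rec in sorted(parse_log(text), key=lambda r: (r["date"], r["time"])):
        if not rec["cs-uri-stem"].startswith("/api/") or is_authenticated(rec):
            continue
        t = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        window = recent[rec["c-ip"]]
        window.append(t)
        while (t - window[0]).total_seconds() > window_s:
            window.popleft()  # drop requests that fell out of the window
        if len(window) > limit:
            peaks[rec["c-ip"]] = max(peaks.get(rec["c-ip"], 0), len(window))
    return peaks
```

With `limit=5` and `window_s=10` the constructed sample flags only 203.0.113.10 (peak of 6 token-less calls in 10 seconds); the legitimate client's authenticated calls and its non-API request never count.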
  45. Thanks!
  46. We are Hiring! slack.com/jobs