
A Few Milliseconds in the Life of an HTTP Request (CTD416) - AWS re:Invent 2018


In Amazon CloudFront, a lot happens in just a few milliseconds. Join us for a deep dive into the infrastructure and architecture of the AWS edge services, including Amazon CloudFront, Amazon Route 53, AWS Shield, and AWS WAF. We break down the life of an HTTP request (and of any request in general) and walk you through how the AWS edge services work together in just a few milliseconds to consistently deliver your application's content with high availability, security, and performance. Learn how edge services intelligently route requests to the most suitable edge location, secure your content behind the scenes, and leverage the AWS private network for improved performance.


  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. A Few Milliseconds in the Life of an HTTP Request (CTD416). Jorge Vasquez, Software Engineer, Amazon CloudFront; Hongmin Liu, Software Engineer, Amazon CloudFront
  2. Agenda • Overview • DNS lookup • TCP/TLS • Request flow inside Amazon CloudFront • CloudFront layers
  3. What is Amazon CloudFront?
  4. Lake Crescent, Olympic Peninsula, WA
  5. HTTP request lifecycle: d1886tp5fhflpy.cloudfront.net? → CloudFront DNS → CloudFront POP
  6. Request lifecycle: DNS → TCP/TLS → Request flow (Layer 1) → Cache layers → Layer 3
  7. DNS lookup: Resolver → DNS → POP. Inputs to the routing decision: POP performance, server capacity, POP health, network capacity • See AWS re:Invent 2017: Measuring the Internet in Real Time (CTD406, https://www.youtube.com/watch?v=54kPAADonqA)
  8. DNS → TCP/TLS → Request flow (Layer 1) → Cache layers → Layer 3
  9. TCP connection: 2 RTT vs. 1 RTT (TCP/TLS)
  10. TLS security • Security • Secrecy • Identity • Non-replayability (TCP/TLS). CloudFront • On top of security issues • Best practices • Compliance
  11. TLS performance: 2 RTT (server) vs. 1 RTT (server) (TCP/TLS)
  12. DNS → TCP/TLS → Request flow (Layer 1) → Cache layers → Layer 3
  13. (image only)
  14. POP architecture (Request flow)
  15. POP architecture (Request flow): → Infrequent → Dynamic → Dynamic & frequent
  16. Regional Edge Caches architecture (Request flow): → Dynamic
  17. DNS → TCP/TLS → Request flow (Layer 1) → Cache layers → Layer 3
  18. → Dynamic
  19. Security - Content protection • Signed URLs • Field-Level Encryption (FLE) • AWS WAF • Lambda@Edge (Layer 1)
  20. Security - Content protection: Signed URLs, FLE, AWS WAF, Lambda@Edge (Layer 1)
  21. Signed URLs: Signature → 403 ✕ / Signature → ✓ (Layer 1)
  22. Signed URL: Policy (Layer 1)
  23. Signed URLs. Example signed URL for a web distribution: http://d111111abcdef8.cloudfront.net/image.jpg ? color=red&size=medium &Policy=eyANCiAgICEXAMPLEW1lbnQiOiBbeyANCiAgICAgICJSZXNvdXJjZSI6Imh0dHA 6Ly9kemJlc3FtN3VuMW0wLmNsb3VkZnJvbnQubmV0L2RlbW8ucGhwIiwgDQogICAgI CAiQ 29uZGl0aW9uIjp7IA0KICAgICAgICAgIklwQWRkcmVzcyI6eyJBV1M6U291cmNlSXAiOiI yMDcuMTcxLjE4MC4xMDEvMzIifSwNCiAgICAgICAgICJEYXRlR3JlYXRlclRoYW4iOnsi Q VdTOkVwb2NoVGltZSI6MTI5Njg2MDE3Nn0sDQogICAgICAgICAiRGF0ZUxlc3NUaGFuIjp 7IkFXUzpFcG9jaFRpbWUiOjEyOTY4NjAyMjZ9DQogICAgICB9IA0KICAgfV0gDQp9DQo &Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA-j19DzZrvDh6hQ73lDx~ - ar3UocvvRQVw6EkC~GdpGQyyOSKQim-TxAnW7d8F5Kkai9HVx0FIu-5jcQb0UEmat EXAMPLE3Re XySpLSMj0yCd3ZAB4UcBCAqEijkytL6f3fVYNGQI6&Key-Pair-Id=APKA9ONS7QCOWEXAMPLE (Layer 1)
  24. Security - Content protection: Signed URLs, FLE, AWS WAF, Lambda@Edge (Layer 1)
  25. FLE (Field-Level Encryption) over TLS (Layer 1)
  26. Intercept sensitive fields at the edge. Request forwarded to the origin: POST / HTTP/1.1 Host: origin.example.com Content-Type: application/x-www-form-urlencoded Content-Length: 56 UserId=1234&CreditCardNum=<encrypted>ejYx52fx...</encrypted> Request received from the client: POST / HTTP/1.1 Host: www.example.com Content-Type: application/x-www-form-urlencoded Content-Length: 32 UserId=1234&CreditCardNum=12345678 (Layer 1)
  27. Security - Content protection: Signed URLs, FLE, AWS WAF, Lambda@Edge (Layer 1)
  28. AWS WAF (Web Application Firewall) ✕ (Layer 1)
  29. Security - Content protection: Signed URLs, FLE, AWS WAF, Lambda@Edge (Layer 1)
  30. Lambda@Edge: Session-Id valid? Signed-in users (Layer 1)
  31. Lambda@Edge (Layer 1)
  32. (image only)
  33. DNS → TCP/TLS → Architecture (Layer 1) → Cache layers → Layer 3
  34. Performance - Collapse forwarding, live content caching: POP → REC → Origin → POP (Cache layers)
  35. (image only)
  36. Performance - Collapse forwarding: Collapse (Cache layers)
  37. Performance - Collapse forwarding, live content caching: POP → REC → Origin → POP (Cache layers)
  38. Availability - When things go wrong… (Cache layers)
  39. Availability - When things go wrong… Configuring custom error pages • CloudFront returns and caches the custom error page • Error caching minimum TTL (five minutes by default) • Allows changing the HTTP status code (Cache layers)
  40. Availability - When things go wrong… Origin failover (Cache layers)
  41. DNS → TCP/TLS → Architecture (Layer 1) → Cache layers → Layer 3
  42. → Dynamic
  43. Origin-facing optimizations • Regional Edge Cache (REC) • Compression • Lambda@Edge • Persistent connections (Layer 3)
  44. Persistent connections (Layer 3)
  45. Finish line: HTTP request
  46. Additional resources • AWS re:Invent 2017: Measuring the Internet in Real Time (CTD406, https://www.youtube.com/watch?v=54kPAADonqA) • Serving Private Content with Signed URLs and Signed Cookies (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html) • Using Field-Level Encryption to Help Protect Sensitive Data (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html) • How CloudFront Processes and Caches HTTP 4xx and 5xx Status Codes from Your Origin (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/HTTPStatusCodes.html)
  47. Related breakouts. Thursday, Nov 29: SEC402-R1 - [REPEAT 1] AWS, I Choose You: Pokemon's Battle against the Bots, 3:15 PM - 4:15 PM | Venetian, Level 4, Marcello 4505. Thursday, Nov 29: CTD415-R1 - [REPEAT 1] Rendering Websites at the Edge with AWS Lambda@Edge, 2:30 PM - 4:45 PM | Bellagio, Level 1, Grand Ballroom 6. Wednesday, Nov 28: CTD416 – Meet & Greet, 1:30 – 2:00 PM | Aria East, Level 1, Willow Lounge
  48. Thank you! Jorge Vasquez jorgevas@amazon.com, Hongmin Liu hongmliu@amazon.com
  49. (image only)
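The signed-URL mechanism of slides 21-23 (the Policy, Signature and Key-Pair-Id query parameters), as an added Python example that is not code from the talk or from AWS: it builds the custom policy JSON, applies CloudFront's URL-safe base64 substitutions, and then evaluates the IpAddress and date conditions the way the edge does before answering 200 or 403. The function names are my own; the resource URL, the 207.171.180.101/32 range and the two epoch times are the values shown in slide 23's example, and the RSA signature that CloudFront verifies with the public key behind Key-Pair-Id is deliberately not computed here.

```python
import base64
import fnmatch
import ipaddress
import json

# Added example (not the talk's code): the custom policy carried in the Policy
# parameter of a CloudFront signed URL (slides 22-23). The RSA signature CloudFront
# verifies with the key registered under Key-Pair-Id is not computed here.
_TO_URL = str.maketrans("+=/", "-_~")   # CloudFront's URL-safe base64 substitutions
_FROM_URL = str.maketrans("-_~", "+=/")


def build_policy(resource, source_ip_cidr, not_before, expires):
    """Compact custom-policy JSON: one resource, an IP range and a time window."""
    return json.dumps({"Statement": [{"Resource": resource, "Condition": {
        "IpAddress": {"AWS:SourceIp": source_ip_cidr},
        "DateGreaterThan": {"AWS:EpochTime": not_before},
        "DateLessThan": {"AWS:EpochTime": expires}}}]}, separators=(",", ":"))


def encode_policy(policy_json):
    return base64.b64encode(policy_json.encode()).decode().translate(_TO_URL)


def decode_policy(policy_param):
    return json.loads(base64.b64decode(policy_param.translate(_FROM_URL)))


def evaluate_policy(policy_param, requested_url, client_ip, now_epoch):
    """Edge-side condition check: 200 if a statement admits the request, else 403."""
    try:
        statements = decode_policy(policy_param)["Statement"]
    except (ValueError, KeyError, TypeError):
        return 403                                # undecodable policy -> slide 21's 403
    for stmt in statements:
        if not isinstance(stmt, dict):
            continue
        cond = stmt.get("Condition", {})
        expires = cond.get("DateLessThan", {}).get("AWS:EpochTime")
        not_before = cond.get("DateGreaterThan", {}).get("AWS:EpochTime", 0)
        cidr = cond.get("IpAddress", {}).get("AWS:SourceIp")
        if expires is None:                       # DateLessThan is mandatory
            continue
        if not fnmatch.fnmatchcase(requested_url, stmt.get("Resource", "")):
            continue                              # Resource may use * wildcards
        if cidr and ipaddress.ip_address(client_ip) not in ipaddress.ip_network(cidr, False):
            continue
        if not_before < now_epoch < expires:      # strict, as the condition names say
            return 200
    return 403
```

A request that passes these checks is still rejected by CloudFront if the Signature over the policy bytes does not verify against the trusted key, so the policy alone never grants access.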
