AWS Webcast - Using Amazon CloudFront to Protect Your Content Delivery

Amazon CloudFront, AWS’s easy-to-use and cost-effective content delivery service, has recently added several features that give you the protection and control that you need to deliver your content securely to your viewers.

In this webinar we will talk about features such as:
• Geo-Restriction for restricting access to your content based on the geographic location of viewers.
• Private Content to allow greater control over who is able to download your files from Amazon CloudFront.
• Custom Error Pages to customize the error responses for your viewer.
• Custom SSL Certificates so you can deliver your content securely end-to-end from your origin servers to your viewers using your own custom domain name.

We will also present several use cases and do a demo to show you how you can easily configure these features using the Amazon CloudFront Management Console.

Published in: Technology, Business

AWS Webcast - Using Amazon CloudFront to Protect Your Content Delivery

  1. Using Amazon CloudFront to Protect Your Content Delivery: Geo Restriction, Private Content, and Custom SSL Certificates
     Nihar Bihani, Sr. Product Manager; Calin Nemes, Support Engineer
     © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  2. About Amazon CloudFront
     • Global availability, performance and scalability
     • Cost-effective and easy to use
     • Deliver all of your content securely
  3. Industry Leading Availability
     [Chart: Global Availability (%) of CloudFront versus CDN A, CDN B, CDN C and CDN D; y-axis from 97 to 100]
     *Data from Cedexis, Last 30 Days, Availability measured over All Cedexis Regions. 12/30/13
  4. CloudFront Top Tier Performance
     [Chart: response time at the 95th, 75th, 25th and 10th percentiles]
     *Data from Cedexis, Last 30 Days, Response Time Measure of the United States. 11/12/13
  5. Competitive, Flexible Pricing
     • Data transfer economies of scale [Chart: price per GB versus data transfer volume, public rates and private rates]
     • On-demand, pay for use pricing
     • Same pricing for static and dynamic content
     • Preferential origin fetch pricing for AWS origins
     • Commitment based private pricing
  6. CloudFront's Global Presence
     Americas: Atlanta, GA; Ashburn, VA (3); Dallas/Fort Worth, TX (2); Hayward, CA; Jacksonville, FL; Los Angeles, CA (2); Miami, FL; New York, NY (3); Newark, NJ; Palo Alto, CA; San Jose, CA; Seattle, WA; South Bend, IN; St. Louis, MO; Rio de Janeiro, Brazil; São Paulo, Brazil
     Europe: Amsterdam, The Netherlands (2); Dublin, Ireland; Frankfurt, Germany (3); London, England (3); Madrid, Spain; Marseille, France; Milan, Italy; Paris, France (2); Stockholm, Sweden; Warsaw, Poland
     Asia: Chennai, India; Hong Kong, China (2); Mumbai, India; Manila, the Philippines; Osaka, Japan; Seoul, Korea; Singapore (2); Taipei, Taiwan; Tokyo, Japan (2)
     Australia: Sydney
  7. CloudFront's Global Customer Reach
     9 Regions, 46 Edge Locations [Map legend: Edge Location, AWS Region]
     http://aws.amazon.com/about-aws/globalinfrastructure/
  8. Popular CloudFront Features
     Live and Video on Demand: RTMP (Flash) and HTTP(S) delivery; Adaptive Bitrate Streaming
     Security: Private Content; Custom SSL Support; Geo Restriction; Identity and Access Management (IAM)
     Content Management: AWS Management Console; Full control via APIs; Programmatic Invalidation; Industry-compliant, detailed Access Logs
     Dynamic Content Acceleration: Low Minimum Content Expiration Periods (TTL=0); Multiple Cache Behaviors; Multiple Origin Servers; Origin Connection Protocol; Viewer Connection Protocol; Zone Apex Support; Query String & Cookie Support; Put/Post HTTP Verb Support
     Price Flexibility: Pay for Use; Price Classes; Reserved Capacity; Private Pricing
  9. Deliver All of Your Content
     SSL, User Input, Dynamic, Static, Video
  10. Simple, Yet Powerful Architecture
     Dynamic content: Amazon CloudFront (example.com) in front of Elastic Load Balancing and Amazon EC2, or a custom origin
     Static content: Amazon S3, or a custom origin
  11. [Section divider, no text on slide]
  12. CloudFront Security Features
     • AWS Identity and Access Management (IAM)
     • HTTPS Delivery
     • Private Content
     • Geo-Restriction
  13. AWS Identity and Access Management (IAM)
  14. AWS Identity and Access Management (IAM)
     • Regulate access to CloudFront APIs
     • Create policies to describe user role or permissions
     • Create an IAM policy using the AWS Management Console
     Example Scenarios:
     • Limit who can submit invalidation requests
     • Just read access to your distribution
  15. AWS Identity and Access Management (IAM)
     Example 1: Allow a group read and write access to all of the resources owned by the account
     Example 2: Allow a group read and write access to all distributions owned by the account
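The two scenarios on slides 14 and 15 (read-only access to a distribution versus permission to submit invalidations) come down to which `cloudfront:*` actions a policy's Allow and Deny statements match. The following is an added example, not code from the deck or from AWS: it embeds two constructed IAM policies and a minimal evaluator for their Action/Effect logic (default deny, wildcard action names, explicit Deny overriding any Allow). It deliberately ignores Resource and Condition matching, so it is a teaching model of IAM semantics rather than a full policy engine. The action names are real CloudFront IAM actions.

```python
"""Minimal evaluator for the Action/Effect part of IAM-style policies.

Added example (not AWS code). Models only Allow/Deny on action names
with '*' wildcards and explicit-deny precedence; Resource and Condition
are not evaluated.
"""
import fnmatch
import json

# Constructed policy: read-only access to CloudFront configuration.
READ_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudfront:Get*", "cloudfront:List*"],
         "Resource": "*"}
    ]
})

# Constructed policy: read-only plus the right to submit invalidations,
# with one explicit Deny to show that Deny beats a matching Allow.
INVALIDATION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudfront:Get*", "cloudfront:List*",
                    "cloudfront:CreateInvalidation"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": "cloudfront:GetDistributionConfig",
         "Resource": "*"}
    ]
})


def _as_list(value):
    """IAM accepts a single string or a list for Action."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy_json: str, action: str) -> bool:
    """IAM semantics: default deny; any matching Deny overrides Allow.
    Action matching is case-insensitive with '*' wildcards."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        patterns = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def compare(policy_json: str, actions) -> dict:
    """Map each action to whether the policy permits it."""
    return {a: is_allowed(policy_json, a) for a in actions}


if __name__ == "__main__":
    probes = ["cloudfront:GetDistribution", "cloudfront:ListDistributions",
              "cloudfront:CreateInvalidation", "cloudfront:UpdateDistribution"]
    print("read-only   :", compare(READ_ONLY_POLICY, probes))
    print("invalidation:", compare(INVALIDATION_POLICY, probes))
```

Run it to see that the read-only policy grants the Get/List probes and nothing else, while the second policy additionally grants `cloudfront:CreateInvalidation` but still refuses `cloudfront:GetDistributionConfig` because of the explicit Deny.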
  16. HTTPS Delivery
  17. HTTPS Delivery
     Configure CloudFront one of two ways:
     • Accept both HTTP and HTTPS connections
     • Accept only HTTPS connections
     HTTPS allows transfer over an encrypted connection. CloudFront forwards HTTPS requests to the origin:
     • Over SSLv3 or TLSv1 protocols
     • Supports AES128-SHA1 or RC4-MD5 ciphers
     • Includes a Server Name Indication (SNI) extension
  18. HTTPS Delivery
     Two ways you can implement SSL with CloudFront:
     • Half Bridge SSL termination (terminated at CloudFront)
     • Full Bridge SSL termination (terminated in the origin region)
  19. HTTPS Delivery
     Half Bridge SSL termination: HTTPS only from Viewer to CloudFront, plain HTTP from CloudFront to the origin region. Use the CloudFront Viewer Protocol Policy.
  20. HTTPS Delivery
     Why use Half Bridge SSL Termination? Better performance by leveraging HTTP connections to the origin.
  21. HTTPS Delivery
     Full Bridge SSL Termination: HTTPS from Viewer to CloudFront and from CloudFront to Origin. Use the CloudFront Origin Protocol Policy.
  22. HTTPS Delivery
     CloudFront provides two options for delivery over SSL:
     • Using the default CloudFront SSL domain name, e.g. d123.cloudfront.net
     • Using a custom SSL domain name, e.g. www.mysite.com
  23. HTTPS Delivery: Using a Custom SSL Domain Name
     • You bring your own custom SSL certificate
     • No restrictions on the type of certificate: EV certificates, wildcard certificates, SAN certificates, etc.
     • You get a dedicated set of IP addresses at each of our edge locations worldwide
     • Use your own domain name in the URLs for objects delivered via CloudFront (https://www.example.com/image.jpg)
     Benefits:
     • High Performance: use of all edge locations
     • High Security: your own certificate (vs. a shared cert)
     • High Availability: full browser support
  24. HTTPS Delivery
     Getting started with using your own SSL certificate on CloudFront:
     1. You upload your own SSL certificate to AWS IAM.
     2. Request access to this feature by submitting this form: http://aws.amazon.com/cloudfront/custom-ssl-domains/
     3. Once approved by AWS, you can associate your SSL certificate with one or more CloudFront distributions.
     4. Start using your own domain name (e.g. mysite.com) in your HTTPS URLs delivered via CloudFront.
  25. Serving Private Content
  26. Private Content
     Deliver your content ONLY to authorized viewers. Two ways to control end user access:
     • Origin Access Identity (OAI) to restrict direct access to objects in Amazon S3.
     • Signed URLs to restrict access to objects at the CloudFront edge.
  27. Private Content: Origin Access Identity (OAI)
     • Ensure customers don't have direct access to your Amazon S3 origin bucket.
     • Ensure performance benefits to all customers.
     • Protects origin from overload.
     [Diagram: a request sent directly to the S3 region is answered "Access Denied"]
  28. Private Content: Signed URLs
     Signed URLs prevent unauthorized access to objects at the CloudFront edge. Programmatically create access control policies to define how your content can be accessed. For example, allow access…
     • only until a certain date or time
     • only to users who have paid a fee
     • only from certain IP addresses
     [Diagram: an unauthorized request at the edge is answered "Access Denied"]
  29. Private Content
     Here is an example of a policy statement for signed URLs. [Policy statement shown on the slide image]
     More Information: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html (Find sample code to create URL signature in Perl, PHP, C# and .NET, Java)
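Slides 28 and 29 describe the signed-URL mechanism without showing the policy or what the edge checks. The block below is an added example, not the deck's or AWS's sample code: it builds a custom policy statement with the `DateLessThan`, `DateGreaterThan` and `IpAddress` conditions named on slide 28, applies the URL-safe base64 that CloudFront uses for the `Policy` and `Signature` query parameters (`+`→`-`, `=`→`_`, `/`→`~`), and then plays the edge's role, returning 200 or 403 for a replayed URL. CloudFront signs policies with RSA-SHA1 under a trusted key pair; so that the example runs offline, the signature primitive is injected, and the demo uses a keyed HMAC-SHA256 under a constructed secret as an assumed stand-in for that RSA step. The hostname `d123.cloudfront.net` comes from slide 22; the object path, key pair ID and the 203.0.113.0/24 client range are constructed.

```python
"""Build and check CloudFront-style signed URLs with a custom policy.

Added example, not AWS's sample code. The signature primitive is
injected; the demo's HMAC-SHA256 is an assumed stand-in for the
RSA-SHA1 key pair CloudFront really uses.
"""
import base64
import hashlib
import hmac
import ipaddress
import json
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlsplit

Signer = Callable[[bytes], bytes]           # policy bytes -> signature
Verifier = Callable[[bytes, bytes], bool]   # (policy bytes, signature) -> ok
_TO_CF = str.maketrans("+=/", "-_~")
_FROM_CF = str.maketrans("-_~", "+=/")


def cf_b64encode(raw: bytes) -> str:
    """CloudFront's query-string-safe base64 variant."""
    return base64.b64encode(raw).decode().translate(_TO_CF)


def cf_b64decode(text: str) -> bytes:
    return base64.b64decode(text.translate(_FROM_CF))


def make_policy(resource: str, expires: int, source_ip: Optional[str] = None,
                not_before: Optional[int] = None) -> str:
    """Custom policy statement (compact JSON is what gets signed)."""
    cond = {"DateLessThan": {"AWS:EpochTime": expires}}
    if source_ip:
        cond["IpAddress"] = {"AWS:SourceIp": source_ip}
    if not_before is not None:
        cond["DateGreaterThan"] = {"AWS:EpochTime": not_before}
    return json.dumps({"Statement": [{"Resource": resource, "Condition": cond}]},
                      separators=(",", ":"))


def sign_url(resource: str, policy: str, key_pair_id: str, signer: Signer) -> str:
    """Append the Policy, Signature and Key-Pair-Id query parameters."""
    sep = "&" if "?" in resource else "?"
    return (f"{resource}{sep}Policy={cf_b64encode(policy.encode())}"
            f"&Signature={cf_b64encode(signer(policy.encode()))}"
            f"&Key-Pair-Id={key_pair_id}")


def edge_check(url: str, now: int, client_ip: str,
               trusted_keys: Dict[str, Verifier]) -> int:
    """Status the edge would send: 200 if the URL is valid for this
    request, otherwise 403 (the slide's "Access Denied")."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        policy_raw = cf_b64decode(qs["Policy"][0])
        signature = cf_b64decode(qs["Signature"][0])
        verify = trusted_keys[qs["Key-Pair-Id"][0]]      # unknown key pair -> 403
    except (KeyError, ValueError):
        return 403
    if not verify(policy_raw, signature):               # forged or tampered policy
        return 403
    stmt = json.loads(policy_raw)["Statement"][0]
    if stmt["Resource"] != f"{parts.scheme}://{parts.netloc}{parts.path}":
        return 403                                      # signed for another object
    cond = stmt["Condition"]
    if now >= cond["DateLessThan"]["AWS:EpochTime"]:
        return 403                                      # expired
    if "DateGreaterThan" in cond and now < cond["DateGreaterThan"]["AWS:EpochTime"]:
        return 403                                      # not yet valid
    if "IpAddress" in cond:
        net = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"], strict=False)
        if ipaddress.ip_address(client_ip) not in net:
            return 403                                  # wrong client address
    return 200


# Assumed stand-in for the RSA key pair: constructed secret and key ID.
# A real edge holds only the public key registered under Key-Pair-Id.
DEMO_SECRET = b"constructed-demo-secret"
DEMO_KEY_PAIR_ID = "APKAEXAMPLEKEYID"


def demo_signer(data: bytes) -> bytes:
    return hmac.new(DEMO_SECRET, data, hashlib.sha256).digest()


def demo_verifier(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(demo_signer(data), sig)


TRUSTED_KEYS = {DEMO_KEY_PAIR_ID: demo_verifier}


def demo() -> Dict[str, int]:
    """Sign one URL and replay it under four conditions."""
    resource = "https://d123.cloudfront.net/videos/lecture.mp4"
    policy = make_policy(resource, expires=1_400_000_000, source_ip="203.0.113.0/24")
    url = sign_url(resource, policy, DEMO_KEY_PAIR_ID, demo_signer)
    ok_ip, bad_ip, before, after = "203.0.113.7", "198.51.100.9", 1_399_999_000, 1_400_000_001
    return {"valid": edge_check(url, before, ok_ip, TRUSTED_KEYS),
            "expired": edge_check(url, after, ok_ip, TRUSTED_KEYS),
            "wrong_ip": edge_check(url, before, bad_ip, TRUSTED_KEYS),
            "other_object": edge_check(url.replace("lecture", "premium"), before, ok_ip, TRUSTED_KEYS)}


if __name__ == "__main__":
    print(demo())
```

The order of checks in `edge_check` is the point worth noticing: the signature is verified before any condition is read, so an expiry or CIDR edited into the `Policy` parameter fails closed, and a URL signed for one object cannot be re-pointed at another because the signed `Resource` is compared against the requested path.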
  30. Geo-Restriction
  31. Geo-Restriction
     • Restrict access to your content based on the location (country) of your users.
     • Configure a whitelist or a blacklist.
     • CloudFront returns an HTTP status code of 403 (Forbidden) to the user.
  32. Geo-Restriction Scenarios
     • Online video publishers can distribute videos only in the country where they have distribution rights, e.g. using a whitelist of geo-locations.
     • Software distributors can prevent download of their software in countries with licensing regulations, e.g. using a blacklist of geo-locations.
  33. Configuring Custom Error Responses
     Show a user friendly message in case of an error. Configure a custom page and a custom response code for each error. An error could be:
     • Object not found
     • Unauthorized user access
     • or any other 4xx or 5xx HTTP error
  34. Custom Error Responses
     Performance considerations:
     • Set "Error Caching Minimum TTL" to cache the error response.
     • CloudFront responds with the error page for the duration of the TTL.
     • Setting the TTL too low would increase origin load.
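Slides 31 to 34 describe two edge-side behaviours that interact: geo-restriction turns a request into a 403, and a custom error response decides what the viewer actually sees for that 403 and how long the edge caches it. The following is an added example, not the deck's or AWS's code. It uses the field names from the CloudFront distribution configuration (`Restrictions.GeoRestriction` with `RestrictionType` of `whitelist`, `blacklist` or `none` and `Locations` as country codes; `CustomErrorResponses` entries with `ErrorCode`, `ResponsePagePath`, `ResponseCode` and `ErrorCachingMinTTL`), but the request/response shapes, the in-memory origin and the assumed 86400-second default TTL for successful responses are constructed for the demo.

```python
"""Model how a CloudFront edge applies geo-restriction and custom error
responses to one request.

Added example, not AWS code. Config field names follow the CloudFront
distribution configuration; everything else is a simplified stand-in.
"""
from dataclasses import dataclass
from typing import Dict

# Constructed distribution config fragment: serve only US and CA, and
# replace the resulting 403 with a friendly page that is cached 5 min.
DIST_CONFIG = {
    "Restrictions": {
        "GeoRestriction": {"RestrictionType": "whitelist",
                           "Locations": ["US", "CA"]}
    },
    "CustomErrorResponses": [
        {"ErrorCode": 403, "ResponsePagePath": "/errors/not-available.html",
         "ResponseCode": 200, "ErrorCachingMinTTL": 300},
        {"ErrorCode": 404, "ResponsePagePath": "/errors/not-found.html",
         "ResponseCode": 404, "ErrorCachingMinTTL": 10},
    ],
}

DEFAULT_TTL = 86400  # assumed default cache TTL for successful responses


@dataclass
class Response:
    status: int      # status code sent to the viewer
    body_path: str   # object the viewer receives
    cache_ttl: int   # seconds the edge may serve this from cache


def geo_allowed(geo: dict, country: str) -> bool:
    """Whitelist: only listed countries pass. Blacklist: listed
    countries are blocked. 'none': no restriction."""
    kind = geo["RestrictionType"]
    listed = country in geo["Locations"]
    if kind == "whitelist":
        return listed
    if kind == "blacklist":
        return not listed
    return True


def customize_error(config: dict, status: int, path: str) -> Response:
    """Apply the CustomErrorResponse configured for this status, if any.
    ErrorCachingMinTTL is what keeps repeated errors off the origin."""
    for rule in config["CustomErrorResponses"]:
        if rule["ErrorCode"] == status:
            return Response(rule["ResponseCode"], rule["ResponsePagePath"],
                            rule["ErrorCachingMinTTL"])
    return Response(status, path, 0)


def serve(config: dict, path: str, country: str, origin: Dict[str, str]) -> Response:
    """Edge decision: geo check first (403), then origin lookup (404),
    then error customisation. `origin` maps existing paths to content."""
    if not geo_allowed(config["Restrictions"]["GeoRestriction"], country):
        return customize_error(config, 403, path)
    if path not in origin:
        return customize_error(config, 404, path)
    return Response(200, path, DEFAULT_TTL)


if __name__ == "__main__":
    origin = {"/video.mp4": "<constructed bytes>"}
    for country, path in [("US", "/video.mp4"), ("DE", "/video.mp4"), ("CA", "/missing.mp4")]:
        print(country, path, "->", serve(DIST_CONFIG, path, country, origin))
```

Two things the run makes visible: the geo-blocked viewer in DE receives the configured page with a 200 status rather than a bare 403, exactly as slide 33 allows, and that response carries a 300-second `ErrorCachingMinTTL`, so the edge answers repeat requests itself for five minutes instead of involving the origin (the load concern on slide 34).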
  35. Demo
  36. Questions
     http://aws.amazon.com/cloudfront
     @cloudfront
