In this session, we talk about how customers running their websites or APIs on AWS can improve security while increasing performance of their applications by using Amazon CloudFront’s globally distributed edge locations. We go through architectural patterns such as TLS termination at the edge, inherent DDoS Protection, and AWS Web Application Firewall (WAF). Then Slack, makers of cloud-based team collaboration software, discuss how they are using ELB and CloudFront to accelerate their APIs.
Challenges with Delivering APIs
API Response Time
APIs are often not
Improving performance is
Security & DDoS Target
Protect from DDoS attacks
Block malicious activity
Scaling & Availability
How can Amazon CloudFront help APIs
Global Content Delivery Network
Accelerate Web Applications and APIs
Also, Accelerate images, video etc.
CloudFront for API Delivery: Benefits
Inherent DDoS Protection
Designed for High
Global Edge Network
DDoS Protection for AWS Infrastructure
You don’t have to
Layer 3/4 attacks like SYN and UDP floods.
Layer 7 attacks like
Inline Detection &
Targeted and heuristic
virtual private cloud
AWS global infrastructure
DDoS Mitigation Techniques
e.g., block any UDP destined to CloudFront
Prioritize good vs bad traffic based on several
- DNS Request validation
- Source IP
- Source ASN
- Traffic Levels
- Validated Sources
Capacity Network Paths
Viewers always have a path to reach CloudFront
No Impact to Availability even during DDoS Attack
Sample Attack on CloudFront Customer
API Delivery: Availability
Designed for High
Global Edge Network
Designed for High Availability
Ensures DDoS attacks don't cause outages
Scale for Traffic Surge
Load based dynamic routing
Multiple transit providers
Fault tolerant deployment
Mitigate the Top 3 Risks for Availability
Built to handle large scale events
Slack uses CloudFront for API Acceleration
● POSTs and GETs to an HTTPS endpoint
  Responses will come back as JSON objects
● All Slack clients are API consumers
  Mobile, Desktop and Web clients use our API
● Accelerated Globally using CloudFront
  Requests to slack.com and the HTTPS API are powered by
Web API Examples
● Search for all files or messages containing the string “Hello”
● List all channels along with their members
● Create a new channel called “#test”
Web API Stats
3 Million Daily Active Users
  Each user is making API calls all day.
1.5 Billion Total Requests Per Day
  Over 10 Billion per week!
52% of those are API requests
  Over 5 Billion API requests per week!
Benefits with Amazon CloudFront
DDoS Protection & Security Benefits
  Amazon has some tricks up their sleeve.
AWS Global Network Backbone
Performance and Reliability
  CloudFront is designed for high volumes of traffic.
Why We Chose Amazon CloudFront
● Flexibility and ability to customize
  No magic switches, everything can be configured.
● Outperformed all other DDoS and CDN providers
  CloudFront stability was better than the other providers we tested.
● Pairs nicely with existing AWS technology
  CloudFront is easy to configure with ELB and S3.
Amazon CloudFront Configuration
All API responses are dynamic so nothing is cached.
  Forward all headers, cookies and query strings to origin
  Forward all the things!
S3 bucket with static HTML error pages
  If the origin is not responding we will still serve an error page from
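The two configuration properties described on this slide (forward everything and cache nothing for the dynamic API, and serve static error pages from S3 when the API origin fails) can be checked mechanically before a distribution is deployed. The following is an added example, not Slack's or AWS's own code: it holds a `DistributionConfig` in the shape the CloudFront API uses and lints it for those properties, then shows the same linter rejecting a weakened copy that caches responses, drops cookies and has no S3 behaviour for the error pages. The origin IDs, ELB and bucket host names and the `/errors/*` path are constructed placeholders.

```python
"""Lint a CloudFront DistributionConfig for the all-dynamic API pattern.

Added example (not Slack's or AWS's own code). Field names follow the
CloudFront DistributionConfig API shape; origin IDs, host names and the
error-page path are constructed placeholders.
"""
import copy
import fnmatch
from typing import Any

# Constructed placeholder config: the API origin is an ELB, error pages live in S3.
API_DISTRIBUTION_CONFIG: dict[str, Any] = {
    "Origins": {
        "Quantity": 2,
        "Items": [
            {"Id": "api-elb",
             "DomainName": "api-elb-placeholder.us-east-1.elb.amazonaws.com",
             "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                    "OriginProtocolPolicy": "https-only"}},
            {"Id": "error-pages-s3",
             "DomainName": "error-pages-placeholder.s3.amazonaws.com",
             "S3OriginConfig": {"OriginAccessIdentity": ""}},
        ],
    },
    "DefaultCacheBehavior": {
        "TargetOriginId": "api-elb",
        "ViewerProtocolPolicy": "https-only",          # TLS terminates at the edge
        "AllowedMethods": {"Quantity": 7, "Items": ["GET", "HEAD", "OPTIONS",
                                                    "PUT", "POST", "PATCH", "DELETE"]},
        "ForwardedValues": {                           # "forward all the things"
            "QueryString": True,
            "Cookies": {"Forward": "all"},
            "Headers": {"Quantity": 1, "Items": ["*"]},
        },
        "MinTTL": 0, "DefaultTTL": 0, "MaxTTL": 0,     # nothing is cached
    },
    "CacheBehaviors": {
        "Quantity": 1,
        "Items": [{"PathPattern": "/errors/*", "TargetOriginId": "error-pages-s3",
                   "ViewerProtocolPolicy": "https-only",
                   "ForwardedValues": {"QueryString": False, "Cookies": {"Forward": "none"}},
                   "MinTTL": 0, "DefaultTTL": 300, "MaxTTL": 3600}],
    },
    "CustomErrorResponses": {
        "Quantity": 2,
        "Items": [
            {"ErrorCode": 502, "ResponsePagePath": "/errors/503.html",
             "ResponseCode": "503", "ErrorCachingMinTTL": 10},
            {"ErrorCode": 504, "ResponsePagePath": "/errors/503.html",
             "ResponseCode": "503", "ErrorCachingMinTTL": 10},
        ],
    },
}


def lint_api_distribution(config: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means the config matches the pattern."""
    findings: list[str] = []
    dcb = config["DefaultCacheBehavior"]
    fv = dcb.get("ForwardedValues", {})
    if not fv.get("QueryString"):
        findings.append("default behavior does not forward the query string")
    if fv.get("Cookies", {}).get("Forward") != "all":
        findings.append("default behavior does not forward all cookies")
    if "*" not in fv.get("Headers", {}).get("Items", []):
        findings.append("default behavior does not forward all headers")
    if dcb.get("DefaultTTL", 1) != 0 or dcb.get("MaxTTL", 1) != 0:
        findings.append("default behavior would cache dynamic API responses (TTL > 0)")
    if dcb.get("ViewerProtocolPolicy") not in ("https-only", "redirect-to-https"):
        findings.append("viewers may reach the API over plain HTTP")

    # Every custom error page must resolve to a behavior whose origin is S3, otherwise
    # CloudFront would fetch the error page from the very origin that is failing.
    origins = {o["Id"]: o for o in config["Origins"]["Items"]}
    behaviors = config.get("CacheBehaviors", {}).get("Items", [])
    for resp in config.get("CustomErrorResponses", {}).get("Items", []):
        path = resp["ResponsePagePath"]
        served_from_s3 = any(
            fnmatch.fnmatchcase(path, b["PathPattern"])
            and "S3OriginConfig" in origins.get(b["TargetOriginId"], {})
            for b in behaviors)
        if not served_from_s3:
            findings.append(f"error page {path} for {resp['ErrorCode']} is not served from S3")
    return findings


def weakened_config() -> dict[str, Any]:
    """A copy with the weak settings: cookies dropped, responses cached, no S3 error behavior."""
    weak = copy.deepcopy(API_DISTRIBUTION_CONFIG)
    weak["DefaultCacheBehavior"]["ForwardedValues"]["Cookies"]["Forward"] = "none"
    weak["DefaultCacheBehavior"]["DefaultTTL"] = 86400
    weak["CacheBehaviors"] = {"Quantity": 0, "Items": []}
    return weak


if __name__ == "__main__":
    print("good config:", lint_api_distribution(API_DISTRIBUTION_CONFIG) or "no findings")
    for finding in lint_api_distribution(weakened_config()):
        print("weak config:", finding)
```

The linter deliberately treats a caching TTL on the default behaviour as a defect, because for an authenticated API a cached response is a cross-user data leak, not just a staleness problem; the error-page check uses the same glob matching CloudFront applies to `PathPattern`.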
Direct Benefits for Slack
● Less affected by internet outages and route leaks.
  Traffic enters the AWS backbone closer to the client.
● Slack loads more quickly all around the world.
  The client spends less time waiting for API calls.
● Automatic DDoS protection
  We let AWS deal with DDoS attacks without waking up the ops team.
Blocking Malicious Traffic
● Pushing Rate Limits to the edge.
  Less infrastructure to maintain means less time and money.
● Limiting unauthenticated requests at the edge.
  Stop high layer DDoS attacks early by setting per IP request limits.
● Alerting or posting to Slack when rate limits are tripped.
  We want to know about this, it might be an attack or misconfiguration.
● Manually adding rules to mitigate an attack
  If our infrastructure is overwhelmed we can block at the edge.
● Blocking known bad IPs
  Block known botnets using IP Blacklists.
● Using Lambda and WAF to block based on rule sets
  Determine safe limits and temporarily block offenders.
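The per-IP limit, the alert when it trips, and the temporary block of offenders described in this list are one detection loop, and it is worth seeing it run end to end. The following is an added example and not Slack's production code or the AWS WAF API: it parses constructed CloudFront access log lines (trimmed to the first nine fields of the standard log format), counts requests per client IP in fixed one-minute windows, flags IPs over a limit, builds a block list whose entries expire after a cooldown, and produces the alert text that would be posted to a channel. Writing the block list into a WAF IP set and posting the alert are left as the caller's job; the limit, cooldown and sample IPs are constructed for the example.

```python
"""Per-IP rate limiting over CloudFront access logs with temporary blocks.

Added example, not Slack's code. Log lines are constructed and trimmed to the
first nine fields of the CloudFront standard log format.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: 203.0.113.7 sends 12 requests in one second-by-second burst,
# 198.51.100.4 sends 3 requests spread over the same minute.
def _line(time: str, ip: str, uri: str, status: int) -> str:
    return "\t".join(["2017-01-01", time, "IAD2", "512", ip, "POST",
                      "d111.cloudfront.net", uri, str(status)])

SAMPLE_LOG = "\n".join(
    ["#Version: 1.0",
     "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status"]
    + [_line(f"12:00:{s:02d}", "203.0.113.7", "/api/auth.test", 401) for s in range(12)]
    + [_line(t, "198.51.100.4", "/api/chat.postMessage", 200)
       for t in ("12:00:05", "12:00:20", "12:00:40")]
)

WINDOW = timedelta(minutes=1)
LIMIT = 10                      # constructed limit: requests per IP per window
COOLDOWN = timedelta(minutes=10)  # constructed: how long an offender stays blocked


@dataclass(frozen=True)
class Request:
    ts: datetime
    ip: str
    uri: str
    status: int


@dataclass(frozen=True)
class BlockEntry:
    cidr: str
    expires: datetime


def parse_cloudfront_log(text: str) -> list[Request]:
    """Parse tab-separated log lines, skipping the '#' directive lines."""
    requests = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        requests.append(Request(ts, f[4], f[7], int(f[8])))
    return requests


def find_offenders(requests: list[Request], limit: int = LIMIT,
                   window: timedelta = WINDOW) -> dict[str, int]:
    """Count requests per IP in each fixed window; return IPs over the limit with their peak count."""
    buckets: dict[datetime, Counter] = defaultdict(Counter)
    for r in requests:
        offset = r.ts.timestamp() % window.total_seconds()
        buckets[r.ts - timedelta(seconds=offset)][r.ip] += 1
    peaks: dict[str, int] = {}
    for counter in buckets.values():
        for ip, n in counter.items():
            if n > limit:
                peaks[ip] = max(n, peaks.get(ip, 0))
    return peaks


def build_block_list(offenders: dict[str, int], now: datetime,
                     cooldown: timedelta = COOLDOWN) -> list[BlockEntry]:
    """Temporary /32 entries; the caller would write these into a WAF IP set."""
    return [BlockEntry(f"{ip}/32", now + cooldown) for ip in sorted(offenders)]


def active_blocks(blocks: list[BlockEntry], at: datetime) -> list[str]:
    """Entries still in force at time 'at'; expired ones are dropped automatically."""
    return [b.cidr for b in blocks if b.expires > at]


def alert_messages(offenders: dict[str, int], limit: int = LIMIT,
                   window: timedelta = WINDOW) -> list[str]:
    """Text for the alert that is posted when a limit trips (attack or misconfiguration)."""
    secs = int(window.total_seconds())
    return [f"rate limit tripped: {ip} made {n} requests in {secs}s (limit {limit})"
            for ip, n in sorted(offenders.items())]


if __name__ == "__main__":
    reqs = parse_cloudfront_log(SAMPLE_LOG)
    now = max(r.ts for r in reqs)
    offenders = find_offenders(reqs)
    blocks = build_block_list(offenders, now)
    for msg in alert_messages(offenders):
        print(msg)
    print("blocked now:", active_blocks(blocks, now))
    print("blocked after cooldown:", active_blocks(blocks, now + COOLDOWN + timedelta(seconds=1)))
```

Fixed windows are the simplest scheme and the one shown here; a burst that straddles a window boundary can exceed the limit without being caught, which is the usual argument for a sliding window in production. The expiry on each block entry is what makes the block temporary, so a misconfigured client is not cut off for good.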