(STG206) Using Amazon CloudFront For Your Websites & Apps

Amazon CloudFront, the AWS Content Delivery Network (CDN), can be used to deliver your entire website, including dynamic, static, streaming, and interactive content, using a global network of edge locations.

In this technical session, learn directly from CloudFront engineers how you can improve the performance, availability, and cacheability of your website or application. Several topics are explored in a series of flash talks: best practices for setting up your origin, how to gain visibility into your distribution using real-time metrics and analytics, how to improve cacheability, and how to test your configuration. This session assumes a working knowledge of CDNs.


  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. STG206: Using Amazon CloudFront to Improve Performance, Availability and Cacheability. Alex Dunlap, GM, Amazon CloudFront; Jarrod Guthrie, Sr. Product Manager, Amazon CloudFront; Calin Nemes, Sr. Support Engineer, Amazon CloudFront; Matthew Baldwin, Sr. Software Development Engineer, Amazon CloudFront. October 2015
  2. What to expect from the session • Best practices for setting up your origin • Gaining visibility into your distribution • How to improve cacheability • How to test your configuration
  3. Best practices for setting up your origin
  4. Following origin best practices can give you: easier debugging, better performance, higher availability
  5. Five best practices 1. Use Amazon Route 53 health checks and DNS failover 2. Configure multiple origins 3. Secure your origin 4. Log request IDs 5. Set origin response headers
  6. Amazon Route 53 health checks and DNS failover. Health checks: automated requests sent over the Internet to your application to verify that it is reachable, available, and functional. Failover: only return answers for resources that are healthy and reachable from the outside world, so that your end users are routed away from a failed or unhealthy part of your application
  7. Use Route 53 to improve availability & performance
  11. Use Route 53 to improve availability & performance (diagram label: eu-west-1)
  12. Configure multiple origins • example.com is served by Amazon CloudFront with three cache behaviors: * (default) → Elastic Load Balancing in front of Amazon EC2 for dynamic content; /error/* and /assets/* → Amazon S3 for static content
  13. Access control: restricting origin access • Amazon S3: Origin Access Identity (OAI) • Prevents direct access to your Amazon S3 bucket • Ensures performance benefits to all customers • Custom origin: block by IP address • Whitelist only the Amazon CloudFront IP range • Protects origin from overload • Ensures performance benefits to all customers
  14. Origin Access Identity (OAI) • Ensure only Amazon CloudFront can access the Amazon S3 bucket • We make it simple for you (diagram: Amazon CloudFront, AWS region, Amazon S3 bucket, custom origin)
  16. Shield custom origin • Shield your custom origin • Whitelist the Amazon CloudFront IP range (diagram: Amazon CloudFront, AWS region, Amazon S3 bucket, custom origin)
  18. Shield custom origin • Subscribe to Amazon SNS notifications on changes to AWS IP ranges • Automatically update security groups (diagram: an AWS IP ranges update publishes an SNS message; AWS Lambda receives it and updates the security group in front of the web app servers)
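Slide 18 describes a Lambda that reacts to AWS IP range change notifications by updating the origin's security group. As an added example that is not part of the deck, the following Python computes the rule changes such a function needs: it reads the CloudFront prefixes out of an ip-ranges.json document (a constructed sample is embedded; the real file lives at https://ip-ranges.amazonaws.com/ip-ranges.json) and diffs them against the CIDRs the security group currently allows. The function names are my own, and applying the plan through the EC2 security group ingress APIs is left out.

```python
import ipaddress
import json

# Constructed sample in the shape of the AWS ip-ranges.json document (only the
# keys read below are present; the prefixes are RFC 5737 documentation ranges).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1444000000",
    "createDate": "2015-10-05-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "AMAZON"},
    ],
})


def cloudfront_prefixes(ip_ranges_json):
    """Return the set of IPv4 CIDRs tagged with service CLOUDFRONT, normalized
    so that textual variants of the same network compare equal."""
    doc = json.loads(ip_ranges_json)
    return {
        str(ipaddress.ip_network(p["ip_prefix"]))
        for p in doc["prefixes"]
        if p["service"] == "CLOUDFRONT"
    }


def security_group_delta(current_cidrs, desired_cidrs):
    """Compare the CIDRs the origin's security group currently allows with the
    desired set and return (to_authorize, to_revoke). Applying both leaves the
    group allowing exactly the CloudFront ranges, so a range AWS has retired
    stops being trusted instead of lingering as a forgotten allow rule."""
    current = set(current_cidrs)
    return sorted(desired_cidrs - current), sorted(current - desired_cidrs)


def plan_update(ip_ranges_json, current_cidrs):
    """The change set the SNS-triggered Lambda would hand to the EC2 security
    group ingress APIs for the origin's HTTP/HTTPS rules."""
    desired = cloudfront_prefixes(ip_ranges_json)
    authorize, revoke = security_group_delta(current_cidrs, desired)
    return {"authorize": authorize, "revoke": revoke}


if __name__ == "__main__":
    # The group trusts one range AWS no longer lists and lacks one new range.
    current_rules = ["203.0.113.0/24", "192.0.2.128/25"]
    print(json.dumps(plan_update(SAMPLE_IP_RANGES, current_rules), indent=2))
```

Revoking the stale range matters as much as authorizing the new one: an allow rule left behind keeps the origin reachable from addresses that are no longer CloudFront's.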
  19. Log Amazon CloudFront request IDs at origin. Nginx: log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" "$http_x_amz_cf_id"'; Apache: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Amz-Cf-Id}i\"" combined
  20. Set origin response headers • Strict-Transport-Security: max-age=15552000 • X-Frame-Options: SAMEORIGIN • X-XSS-Protection: 1; mode=block • Cache-Control: max-age=300, public
  21. Demo
  22. Key takeaways • Use Amazon Route 53's health checks and DNS failover • Improve security by setting headers at your origin • Enable logging • Serve your static assets from Amazon S3 • Serve error pages from Amazon S3
  23. Gaining visibility into your distribution
  24. Visibility into your distribution. Four different ways to get visibility: • AWS CloudTrail: for monitoring distribution config changes • Near real-time metrics: provided by Amazon CloudFront • Amazon CloudFront reports: for analytics • Amazon CloudWatch Logs: for custom monitoring
  25. Monitor distribution config changes • Monitor changes to distribution configuration using AWS CloudTrail • Get alarms when: • Distribution is disabled • Trusted signers are disabled • Custom TLS certificate changes
  26. Amazon CloudFront near real-time metrics • Provided in near real-time • Via Amazon CloudWatch • Alarm on 6 metrics: • Requests • Bytes downloaded • Bytes uploaded • 4XX error rate • 5XX error rate • Total error rate
  27. Amazon CloudFront reports to identify trends • Cache hit/miss • Incomplete downloads • Top countries • Mobile users • Popular objects
  28. Generate custom metrics • Amazon CloudFront access logs • Delivered via Amazon Kinesis to Amazon S3 buckets • Typically within an hour of an event happening (diagram: edge locations delivering logs to Amazon S3)
  29. Generate custom metrics • Upload logs to Amazon CloudWatch using AWS Lambda (pipeline: Amazon CloudFront → Amazon S3 → AWS Lambda → Amazon CloudWatch alarm) • Example custom metrics: keywords (e.g. bots), granular response codes (e.g. 4XX), requests to certain URLs, TLS versions
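Slide 29's custom metrics start with parsing the access log. As an added example that is not from the session, this Python parses lines in the CloudFront access log layout (tab-separated, with a #Fields header) from a constructed sample file and computes the counts the slide lists: response code classes, TLS versions, bot-like user agents and requests to a watched URL prefix, plus the cache hit ratio. BOT_MARKERS and the /admin/ prefix are illustrative choices; publishing the numbers to CloudWatch is not shown.

```python
from collections import Counter
from urllib.parse import unquote

# Field names of a CloudFront access log (tab-separated, W3C-style header).
FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status "
          "cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type "
          "x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for "
          "ssl-protocol ssl-cipher x-edge-response-result-type").split()

def _row(uri, status, user_agent, result_type, ssl_protocol):
    """One constructed log line; fields the metrics ignore are '-'."""
    values = dict.fromkeys(FIELDS, "-")
    values.update({"date": "2015-10-05", "time": "12:00:00", "x-edge-location": "LHR5",
                   "cs-method": "GET", "cs-uri-stem": uri, "sc-status": status,
                   "cs(User-Agent)": user_agent, "x-edge-result-type": result_type,
                   "ssl-protocol": ssl_protocol})
    return "\t".join(values[f] for f in FIELDS)

# Constructed sample log file: five requests with made-up values.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0", "#Fields: " + " ".join(FIELDS),
    _row("/assets/v2/css/app.css", "200", "Mozilla/5.0", "Hit", "TLSv1.2"),
    _row("/index.html", "200", "Mozilla/5.0", "Miss", "TLSv1.2"),
    _row("/admin/login", "403", "Googlebot/2.1", "Error", "TLSv1"),
    _row("/api/items", "502", "curl/7.43.0", "Error", "TLSv1.2"),
    _row("/assets/v1/css/app.css", "404", "python-requests/2.7.0", "Error", "-"),
])
BOT_MARKERS = ("bot", "crawler", "spider", "python-requests", "curl")

def parse_log(text):
    """Parse log lines into dicts keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def custom_metrics(records, watched_prefix="/admin/"):
    """Counts a Lambda would publish to CloudWatch: status classes, cache hits,
    TLS versions, bot-like user agents and requests under a sensitive path."""
    m = Counter()
    for r in records:
        m["status_%sXX" % r["sc-status"][0]] += 1
        m["cache_hits"] += r["x-edge-result-type"] in ("Hit", "RefreshHit")
        if r["ssl-protocol"] != "-":
            m["tls_" + r["ssl-protocol"]] += 1
        m["bot_requests"] += any(k in unquote(r["cs(User-Agent)"]).lower() for k in BOT_MARKERS)
        m["requests_under_" + watched_prefix] += unquote(r["cs-uri-stem"]).startswith(watched_prefix)
    m["cache_hit_ratio_pct"] = round(100.0 * m["cache_hits"] / len(records), 1) if records else 0.0
    return dict(m)
```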
  30. Demo
  31. Key takeaways • Enable AWS CloudTrail • Monitor your Amazon CloudFront reports • Create alarms • Subscribe to Amazon CloudFront access logs • Push logs to Amazon CloudWatch
  32. How to improve cacheability
  33. Improving cacheability of your objects • Versioning website assets • Cache headers • Shared distribution • Forwarded values • Path prefix invalidations
  34. Versioning website assets <link href="//assets.example.com/assets/v1/css/jumbotron-narrow.css" rel="stylesheet"> <link href="//assets.example.com/assets/v2/css/jumbotron-narrow.css" rel="stylesheet"> <link href="//assets.example.com/assets/css/jumbotron-narrow.css?<md5sum>" rel="stylesheet">
  35. Cache-Control & Expires. Example origin response headers: < Cache-Control: max-age=300 < Cache-Control: max-age=30, s-maxage=3000 < Expires: Thu, 18 Sep 2025 21:34:50 GMT. Set min, default and max TTL on Amazon CloudFront
  36. Cache-Control & Expires • *.css, *.js or images: Cache-Control: public, max-age=31536000 • index.html: Cache-Control: no-cache="Set-Cookie", max-age=30 • Live streaming /*.m3u8: Cache-Control: public, max-age=2
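Slides 35 and 36 show origin headers and CloudFront's min/default/max TTL settings without working through how they combine. The added example below (not from the deck) models the precedence as documented for CloudFront: s-maxage over max-age over Expires, the default TTL when no freshness header is present, a bare no-cache/no-store/private honoured only down to the minimum TTL, and clamping into [min, max]. The TTL defaults are CloudFront's own defaults and the header values are the slides' examples; SAMPLE_NOW is a constructed clock.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed "current time", ten minutes before slide 35's Expires value.
SAMPLE_NOW = datetime(2025, 9, 18, 21, 24, 50, tzinfo=timezone.utc)


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: value}. Quoted values are
    unquoted, so no-cache="Set-Cookie" becomes {"no-cache": "Set-Cookie"}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def effective_ttl(headers, now, min_ttl=0, default_ttl=86400, max_ttl=31536000):
    """Seconds CloudFront keeps the object, given the origin's response headers
    and the cache behavior's TTL settings (defaults are CloudFront's defaults).
    s-maxage beats max-age, max-age beats Expires, and no freshness header
    means the default TTL; the result is clamped into [min_ttl, max_ttl]."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    # A bare no-cache, no-store or private asks caches not to store the object;
    # with min_ttl 0 that is honoured, otherwise min_ttl wins. The qualified
    # form no-cache="Set-Cookie" only excludes that header and still caches.
    if cc.get("no-cache") == "" or "no-store" in cc or "private" in cc:
        return min_ttl
    if "s-maxage" in cc:
        ttl = int(cc["s-maxage"])
    elif "max-age" in cc:
        ttl = int(cc["max-age"])
    elif "Expires" in headers:
        ttl = int((parsedate_to_datetime(headers["Expires"]) - now).total_seconds())
    else:
        return default_ttl
    return max(min_ttl, min(max_ttl, ttl))


if __name__ == "__main__":
    for hdrs in ({"Cache-Control": "max-age=300"},
                 {"Cache-Control": "max-age=30, s-maxage=3000"},
                 {"Expires": "Thu, 18 Sep 2025 21:34:50 GMT"},
                 {"Cache-Control": 'no-cache="Set-Cookie", max-age=30'},
                 {}):
        print(hdrs, "->", effective_ttl(hdrs, SAMPLE_NOW))
```

The versioned URLs of slide 34 only buy a long max-age if the query string is part of the cache key, which ties back to the query string forwarding setting on slide 38.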
  37. Shared distributions • Share assets across multiple properties (diagram: static content in Amazon S3, served by Amazon CloudFront as assets.example.com, used by both www.example.com and www.example.org)
  38. Forwarded values • Check forwarded headers • Query string forwarding • Cookie forwarding • Trusted Advisor checks
  39. Invalidations • Last resort • Only applies to the Amazon CloudFront cache, not browsers or intermediary caches
  40. Demo
  41. Key takeaways • Use versioning • Use multiple cache behaviors • Forward only required headers • Use invalidations as a last resort
  42. How to test your configuration
  43. Test your configuration • Test in development mode • Ensure content is cached correctly • Performance testing • Load testing • Test SSL configuration
  44. Turn on development mode • Set maximum TTL to 0 • No need to constantly invalidate! • Forwarding all headers changes behavior • Whitelist your IP using AWS WAF so the distribution is only accessible from your corporate network • Signed cookies
  45. Ensure content is cached correctly • Check the cache hit/miss ratio of the distribution in the reports • Use the developer console in Chrome or Firefox to inspect: • Age header • X-Cache • Cache-Control headers • HSTS headers
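Slide 45 says to read Age, X-Cache and Cache-Control in the browser, and slide 20 lists the security headers the origin should set. As an added example (not from the session), this Python audits one captured response's headers against both slides and also flags a cache hit that carries Set-Cookie, the condition slide 36's no-cache="Set-Cookie" avoids. The sample headers are constructed; HSTS_MIN_AGE reuses slide 20's value as the threshold.

```python
import re

HSTS_MIN_AGE = 15552000  # slide 20's value: 180 days

def _max_age(header_value):
    """Return the max-age directive of a header value, or None if absent."""
    m = re.search(r"\bmax-age=(\d+)", header_value or "")
    return int(m.group(1)) if m else None

def audit_response(headers):
    """Audit the headers of one CloudFront response (as captured in the browser
    developer console). Returns cache status, seconds of freshness left
    (None if unknown) and a list of findings in plain words."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    x_cache = h.get("x-cache", "")
    status = "hit" if "Hit" in x_cache else "miss" if "Miss" in x_cache else "other"
    # Freshness: Age counts up from when the edge fetched the object.
    max_age = _max_age(h.get("cache-control"))
    remaining = max_age - int(h.get("age", "0")) if max_age is not None else None
    if remaining is not None and remaining < 0:
        findings.append("Age exceeds max-age: the edge served a stale copy")
    # Security headers the origin should be setting (slide 20).
    hsts = _max_age(h.get("strict-transport-security"))
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    elif hsts < HSTS_MIN_AGE:
        findings.append("Strict-Transport-Security max-age below %d" % HSTS_MIN_AGE)
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-xss-protection") != "1; mode=block":
        findings.append("X-XSS-Protection is not '1; mode=block'")
    # A cache hit that carries Set-Cookie hands one visitor's cookie to the
    # next; slide 36's no-cache="Set-Cookie" on HTML pages prevents that.
    cc = h.get("cache-control", "").lower()
    if status == "hit" and "set-cookie" in h and 'no-cache="set-cookie"' not in cc:
        findings.append('Set-Cookie served from cache without no-cache="Set-Cookie"')
    return {"cache_status": status, "ttl_remaining": remaining, "findings": findings}

# Constructed response headers, as a tester might capture them from a healthy setup.
SAMPLE_RESPONSE = {
    "Cache-Control": "public, max-age=300",
    "Age": "120",
    "X-Cache": "Hit from cloudfront",
    "Strict-Transport-Security": "max-age=15552000",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}
```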
  46. Performance testing • Backbone testing • Last-mile testing • Real user testing
  47. Load testing • Traditional load testing: • Use one client • From a single region • Hits a single IP • No DNS load balancing • Does not simulate the real user environment • Ideal load testing: • Clients from multiple locations • Independent DNS requests • Distribute across IPs • DNS load balancing • Simulates the real user environment
  48. SSL Labs • Verify your SSL config
  49. Demo
  50. Key takeaways • Switch off caching during development mode • Use RUM for performance testing • If you load test, test from multiple locations
  51. Thank you!
  52. Remember to complete your evaluations!
  53. Related sessions • SEC323: Securing Web Applications with AWS WAF, Friday, Oct 9, 9:00 AM – 10:00 AM, Lando 4301B
