2. CloudFront CDN Overview
▪ Amazon CloudFront is a web service that speeds up distribution of
your static and dynamic web content, such as .html, .css, .js, and
image files, to your users. CloudFront delivers your content through
a worldwide network of data centers called edge locations.
▪ When a user requests content that you're serving with CloudFront,
the user is routed to the edge location that provides the lowest
latency (time delay), so that content is delivered with the best
possible performance.
▪ If the content is already in the edge location with the lowest
latency, CloudFront delivers it immediately.
▪ If the content is not in that edge location, CloudFront retrieves it
from an origin that you've defined—such as an Amazon S3 bucket,
an AWS Elemental MediaPackage channel, or an HTTP server (for
example, a web server) that you have identified as the source for
the definitive version of your content.
3. AWS CloudFront
▪ This concept is best illustrated by an example. Suppose you're serving an
image from a traditional web server, not from CloudFront. For example, you
might serve an image, sunsetphoto.png, using the
URL http://example.com/sunsetphoto.png.
▪ Your users can easily navigate to this URL and see the image. But they
probably don't know that their request was routed from one network to
another—through the complex collection of interconnected networks that
comprise the internet—until the image was found.
▪ CloudFront speeds up the distribution of your content by routing each user request through the AWS backbone network to the edge location that can best serve your content. Typically, this is a CloudFront edge server that provides the fastest delivery to the viewer. Using the AWS network dramatically reduces the number of networks that your users' requests must pass through, which improves performance. Users get lower latency—the time it takes to load the first byte of the file—and higher data transfer rates.
▪ You also get increased reliability and availability because copies of your files
(also known as objects) are now held (or cached) in multiple edge locations
around the world.
4. Create a CloudFront CDN
You create a CloudFront distribution to tell CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery. Then CloudFront uses computers—edge servers—that are close to your viewers to deliver that content quickly when someone wants to see it or use it.
5. Create a CloudFront CDN
▪ Step 1: Upload your content to Amazon S3 and grant object permissions
– This is the same as we learned in the previous session on S3 and IAM.
▪ Step 2: Create a CloudFront distribution
▪ Step 3: Test your links
6. Create a CloudFront distribution
1. To create a CloudFront distribution
2. Open the CloudFront console at https://console.aws.amazon.com/cloudfront/.
3. Choose Create Distribution.
4. On the Select a delivery method for your content page, in the Web section, choose Get Started.
7. Create a CloudFront distribution
5. On the Create Distribution page, under Origin Settings, choose the Amazon S3 bucket that you created earlier. For Origin ID, Origin Path, Restrict Bucket Access, and Origin Custom Headers, accept the default values.
8. Create a CloudFront distribution
6. Under Default Cache Behavior Settings, accept the default values,
and CloudFront will:
– Forward all requests that use the CloudFront URL for your distribution (for example, http://d111111abcdef8.cloudfront.net/image.jpg) to the Amazon S3 bucket that you specified in Step 4.
– Allow end users to use either HTTP or HTTPS to access your objects.
– Respond to requests for your objects.
– Cache your objects at CloudFront edge locations for 24 hours.
– Forward only the default request headers to your origin and not cache your
objects based on the values in the headers.
– Exclude cookies and query string parameters, if any, when forwarding requests
for objects to your origin. (Amazon S3 doesn't process cookies and processes only
a limited set of query string parameters.)
– Not be configured to distribute media files in the Microsoft Smooth Streaming
format.
– Allow everyone to view your content.
– Not automatically compress your content.
10. Create a CloudFront distribution
7. Under Distribution Settings, enter the applicable values:
• Price Class: Select the price class that corresponds with the maximum price that you want to pay for CloudFront service. By default, CloudFront serves your objects from edge locations in all CloudFront regions.
• AWS WAF Web ACL: If you want to use AWS WAF to allow or block HTTP and HTTPS requests based on criteria that you specify, choose the web ACL to associate with this distribution. For more information about AWS WAF
11. Create a CloudFront distribution
7. Under Distribution Settings, enter the applicable values:
• Alternate Domain Names (CNAMEs) (Optional): Specify one or more domain names that you want to use for URLs for your objects instead of the domain name that CloudFront assigns when you create your distribution.
For example, if you want the URL for the object /images/image.jpg to look like this:
http://www.example.com/images/image.jpg
instead of like this:
http://d111111abcdef8.cloudfront.net/images/image.jpg
you would create a CNAME for www.example.com.
12. Create a CloudFront distribution
7. Under Distribution Settings, enter the applicable values:
• SSL Certificate: Accept the default value, Default CloudFront Certificate.
• Cookie Logging: In this example, we're using Amazon S3 as the origin for your objects, and Amazon S3 doesn't process cookies, so we recommend that you select Off for the value of Cookie Logging.
• The remaining settings are optional; you can accept their default values.
13. Create a CloudFront distribution
8. Choose Create Distribution.
– After CloudFront has created your distribution, the value of the Status column for your distribution will change from InProgress to Deployed. If you chose to enable the distribution, it will then be ready to process requests. This typically takes between 20 and 40 minutes.
– The domain name that CloudFront assigns to your distribution appears in the list of distributions. (It also appears on the General tab for a selected distribution.)
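The console steps above map onto one DistributionConfig document. The following is an added example (not from the slides or from AWS) that builds that document with the defaults the steps describe for an S3 origin, ready for aws cloudfront create-distribution --distribution-config file://dist.json. The bucket domain, CNAME and web ACL values are placeholders; the viewer_protocol_policy parameter keeps the page's allow-all default but lets you require HTTPS instead.

```python
import json
import time

def build_distribution_config(bucket_domain, cnames=(), web_acl_id="",
                              price_class="PriceClass_All",
                              viewer_protocol_policy="allow-all"):
    """Build the DistributionConfig with the defaults the slides describe.
    bucket_domain: the S3 bucket's domain name (constructed value in tests).
    viewer_protocol_policy: "allow-all" is the page's default (HTTP or HTTPS);
    pass "redirect-to-https" to force encrypted viewer connections.
    """
    origin_id = "S3-" + bucket_domain.split(".")[0]
    return {
        "CallerReference": str(int(time.time())),   # must be unique per create call
        "Comment": "S3 origin with the slide-deck default settings",
        "Enabled": True,
        "Origins": {"Quantity": 1, "Items": [{
            "Id": origin_id,
            "DomainName": bucket_domain,
            "OriginPath": "",                                 # Origin Path: default
            "S3OriginConfig": {"OriginAccessIdentity": ""},  # Restrict Bucket Access: No
            "CustomHeaders": {"Quantity": 0},                # Origin Custom Headers: none
        }]},
        "DefaultCacheBehavior": {
            "TargetOriginId": origin_id,
            "ViewerProtocolPolicy": viewer_protocol_policy,
            "AllowedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"],
                               "CachedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]}},
            # Forward only default headers; exclude cookies and query strings
            "ForwardedValues": {"QueryString": False, "Cookies": {"Forward": "none"},
                                "Headers": {"Quantity": 0}},
            "TrustedSigners": {"Enabled": False, "Quantity": 0},  # everyone can view
            "MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000,  # cache for 24 hours
            "SmoothStreaming": False,
            "Compress": False,
        },
        "Aliases": {"Quantity": len(cnames), "Items": list(cnames)},
        "PriceClass": price_class,
        "WebACLId": web_acl_id,                              # "" = no AWS WAF web ACL
        "ViewerCertificate": {"CloudFrontDefaultCertificate": True},
        "Logging": {"Enabled": False, "IncludeCookies": False,  # Cookie Logging: Off
                    "Bucket": "", "Prefix": ""},
    }

def write_config(path, cfg):
    """Write cfg for: aws cloudfront create-distribution --distribution-config file://PATH"""
    with open(path, "w") as f:
        json.dump(cfg, f, indent=2)
    return path
```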
14. Create a CloudFront distribution
Step 3: Test your links:
1. After you've created your distribution, CloudFront knows where your Amazon S3 origin server is, and you know the domain name associated with the distribution. You can create a link to your Amazon S3 bucket content with that domain name, and have CloudFront serve it.
▪ Note: You must wait until the status of your distribution changes to Deployed before testing your links.
15. Create a CloudFront distribution
1. Copy the following HTML into a new file:
– Replace <domain name> with the domain name that CloudFront assigned to your distribution.
– Replace <object name> with the name of a file in your Amazon S3 bucket.
    <html>
      <head><title>My CloudFront Test</title></head>
      <body>
        <p>My text content goes here.</p>
        <p><img src="http://<domain name>/<object name>" alt="my test image"/></p>
      </body>
    </html>
▪ For example, if your domain name was d111111abcdef8.cloudfront.net and your object was image.jpg, the URL for the link would be:
– http://d111111abcdef8.cloudfront.net/image.jpg
▪ If your object is in a folder within your bucket, include the folder in the URL. For example, if image.jpg is located in an images folder, then the URL would be:
– http://d111111abcdef8.cloudfront.net/images/image.jpg
16. Create a CloudFront distribution
2. Save the text in a file that has a .html filename extension.
3. Open your web page in a browser to ensure that you can see your content. If you cannot see the content, confirm that you have performed all of the steps correctly.
17. S3: Security and encryption
▪ Amazon S3 security considerations fall under the following points.
▪ Protecting data while:
– in transit (as it travels to and from Amazon S3), 2 ways:
▪ by using SSL
▪ client-side encryption
– at rest (while it is stored on disks in Amazon S3 data centers), 2 ways:
▪ server-side encryption (SSE)
▪ client-side encryption
18. S3: Security and encryption
▪ Encryption Types
– Server Side
▪ Amazon S3 encrypts your object before saving it on S3 disks and decrypts it when you download the object from S3.
– Client Side
▪ Client-side encryption refers to encrypting data before sending it to Amazon S3, using either:
– an AWS KMS-managed customer master key, or
– a client-side master key
– Disadvantage: less integrated with the AWS ecosystem; you need to manage the keys yourself.
19. S3: Security and encryption
▪ Client-side master key
– Your client-side master keys and your unencrypted data are never sent to AWS.
– You manage your own encryption keys.
– If you lose them, you won't be able to decrypt your data.
– When uploading an object:
▪ You provide a client-side master key to the Amazon S3 encryption client.
▪ For each object, the encryption client locally generates a one-time-use symmetric data key.
▪ The client uploads the encrypted data key and its material description as part of the object metadata.
▪ The material description helps the client later determine which client-side master key to use for decryption.
▪ The client then uploads the encrypted data to Amazon S3 and also saves the encrypted data key as object metadata.
– When downloading an object:
▪ The client first downloads the encrypted object from Amazon S3 along with the metadata.
▪ Using the material description in the metadata, the client first determines which master key to use to decrypt the encrypted data key.
20. S3: Security and encryption
▪ Client-side KMS-managed customer master key (CMK)
– You provide only an AWS KMS customer master key ID (CMK ID).
– You don't have to worry about providing any encryption keys to the Amazon S3 encryption client (for example, the AmazonS3EncryptionClient in the AWS SDK for Java).
– The client receives a unique data encryption key for each object it uploads, in 2 forms:
▪ a plain text version
▪ a cipher blob
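The upload and download flows on the previous two slides (client-side master key, and the KMS-managed variant where the data key comes back as a plaintext version plus a cipher blob) are worked through below in an added example that is not from the slides or the AWS SDK. It assumes AES-GCM from the cryptography package; the master-key store and the x-amz-* metadata names are constructed for the illustration and only loosely mirror what the encryption client stores. generate_data_key performs locally what AWS KMS GenerateDataKey performs on the KMS side.

```python
import base64
import json
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed master-key store: with a client-side master key these bytes stay on
# the client; with a KMS CMK they never leave KMS and you hold only the key ID.
MASTER_KEYS = {"master-key-1": AESGCM.generate_key(bit_length=256)}

def generate_data_key(master_key_id, master_keys=MASTER_KEYS):
    """Return (plaintext data key, cipher blob): the two forms the slides describe."""
    data_key = AESGCM.generate_key(bit_length=256)          # one-time use, per object
    nonce = os.urandom(12)
    wrapped = AESGCM(master_keys[master_key_id]).encrypt(nonce, data_key, None)
    return data_key, nonce + wrapped

def decrypt_data_key(master_key_id, cipher_blob, master_keys=MASTER_KEYS):
    """Unwrap the data key; KeyError if the master key is lost (data unrecoverable)."""
    nonce, wrapped = cipher_blob[:12], cipher_blob[12:]
    return AESGCM(master_keys[master_key_id]).decrypt(nonce, wrapped, None)

def encrypt_object(plaintext, master_key_id, master_keys=MASTER_KEYS):
    """Upload side: returns (ciphertext, metadata) to store as the S3 object + metadata."""
    data_key, cipher_blob = generate_data_key(master_key_id, master_keys)
    iv = os.urandom(12)
    ciphertext = AESGCM(data_key).encrypt(iv, plaintext, None)
    metadata = {  # constructed names; the encrypted data key and material description
        "x-amz-key": base64.b64encode(cipher_blob).decode(),
        "x-amz-iv": base64.b64encode(iv).decode(),
        "x-amz-matdesc": json.dumps({"master_key_id": master_key_id}),
    }
    return ciphertext, metadata

def decrypt_object(ciphertext, metadata, master_keys=MASTER_KEYS):
    """Download side: material description -> master key -> data key -> plaintext."""
    master_key_id = json.loads(metadata["x-amz-matdesc"])["master_key_id"]
    cipher_blob = base64.b64decode(metadata["x-amz-key"])
    data_key = decrypt_data_key(master_key_id, cipher_blob, master_keys)
    iv = base64.b64decode(metadata["x-amz-iv"])
    return AESGCM(data_key).decrypt(iv, ciphertext, None)
```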
21. S3: Security and encryption
▪ Server Side Encryption (SSE)
– Server-side encryption is about data encryption at rest
– 3 methods
▪ Server-Side Encryption with Customer-Provided Keys (SSE-C)
▪ S3-Managed Keys (SSE-S3)
▪ AWS KMS-Managed Keys (SSE-KMS)
22. S3: Security and encryption
▪ New Amazon S3 Encryption & Security Features
24. AWS Storage Gateway
▪ AWS Storage Gateway connects an on-premises software appliance with cloud-based storage to provide seamless integration with data security features between your on-premises IT environment and the AWS storage infrastructure. You can use the service to store data in the AWS Cloud for scalable and cost-effective storage that helps maintain data security.
▪ AWS Storage Gateway offers file-based, volume-based, and tape-based storage solutions:
– File Gateway:
▪ A file gateway supports a file interface into Amazon Simple Storage Service (Amazon S3) and combines a service and a virtual software appliance.
25. AWS Storage Gateway
▪ Volume Gateway:
– A volume gateway provides cloud-backed storage volumes that you can mount as Internet Small Computer System Interface (iSCSI) devices from your on-premises application servers.
▪ Tape Gateway:
– With a tape gateway, you can cost-effectively and durably archive backup data in Amazon Glacier.
– A tape gateway provides a virtual tape infrastructure that scales seamlessly with your business needs and eliminates the operational burden of provisioning, scaling, and maintaining a physical tape infrastructure.
26. Snowball
• Snowball is a petabyte-scale data transport solution that uses devices designed to be secure to transfer large amounts of data into and out of the AWS Cloud.
• Using Snowball addresses common challenges with large-scale data transfers, including high network costs, long transfer times, and security concerns.
• Customers today use Snowball to migrate analytics data, genomics data, video libraries, image repositories, and backups, and as part of data center shutdowns, tape replacement, or application migration projects.
• Transferring data with Snowball is simple, fast, and more secure, and can be as little as one-fifth the cost of transferring data via high-speed Internet.
• https://youtu.be/9uc2DSZ1wL8