Four reasons to deliver dynamic content with CloudFront - 김일호, Solutions Architect :: AWS Cloud Track 3 Gaming

1,614 views

Published in: Technology

Slides from the talk "Four reasons to deliver dynamic content with CloudFront", presented by Solutions Architect 김일호 at the AWS Cloud event on 7 January 2016.

  1. Four reasons to use CloudFront CDN for dynamic content. 김일호 | Solutions Architect
  2. Do you know CloudFront supports dynamic content acceleration?
  3. No reasons not to use~
  4. 1. Simple configuration 2. DDoS Mitigation + WAF 3. Cost Saving 4. Speed up
  5. Configure multiple origins: example.com is served by Amazon CloudFront; dynamic content comes from Amazon EC2 behind Elastic Load Balancing, static content from Amazon S3. Behaviors: * (default), /error/*, /assets/*.
  6. CloudFront Behaviors: a customer at one location requests www.mysite.com, and path pattern matching (/*.jpg, /*.php etc.) sends each request to an origin.
     • GET http://mysite.com/images/1.jpg to Origin A (S3 bucket), pattern /images/*.jpg
     • GET http://mysite.com/index.php to Origin B (www.mysite.com), pattern /*.php
     • GET http://mysite.com/web/home.css to Origin C (S3 bucket), pattern /web/*.css
     • GET http://mysite.com/* (DEFAULT) to Origin D (www.mysite.com), pattern /*.* (DEFAULT)
  7. CloudFront Behaviors at console
  8. 1. Simple configuration 2. DDoS Mitigation + WAF 3. Cost Saving 4. Speed up
  9. AWS Global Presence and Redundancy: traffic from Country A, Country B and Country C reaches CloudFront over Internet Connection A, B and C via Route A, B and C; CloudFront separates valid object requests from invalid protocols and invalid object requests.
  10. Your VPC only has to deal with layer 7 traffic: DDoS traffic (HTTP, SYN / UDP) hits CloudFront, and only HTTP reaches the customer solution. 80% of DDoS traffic is L3/L4 flood attacks; 20% of DDoS attacks are valid HTTP requests.
  11. WAF (Web Application Firewall): match any part of the web request. Raw request headers as seen by CloudFront / AWS WAF:
     Host: www.example.com
     User-Agent: Mozilla/5.0 (Macintosh; …
     Accept: image/png,image/*;q=0.8,*/*;q=0.5
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referrer: http://www.example.com/
     Connection: keep-alive
     Rule (string match condition) for good users: Check: Header "Referrer"; Match Type: Contains; Match: "example.com"; Action: ALLOW.
  12. WAF (Web Application Firewall): use transforms to stop evasion. Raw request headers of a scraper bot:
     Host: www.example.com
     User-Agent: badbot
     Accept: image/png,image/*;q=0.8,*/*;q=0.5
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referrer: http://www.example.com/
     Connection: keep-alive
     Rule (string match condition): Check: Header "User-Agent"; Match Type: Contains; Match: "badbot"; Action: BLOCK.
  13. WAF (Web Application Firewall): use transforms to stop evasion. The same scraper bot now varies the case of its User-Agent:
     Host: www.example.com
     User-Agent: bAdBoT
     Accept: image/png,image/*;q=0.8,*/*;q=0.5
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referrer: http://www.InTeRnEtkItTiEs.com/
     Connection: keep-alive
     Rule (string match condition): Check: Header "User-Agent"; Transform: To lower; Match Type: Contains; Match: "badbot"; Action: BLOCK.
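To show why the "To lower" transform on slide 13 is needed, here is a small model of a string-match condition run over the request headers from slides 11 to 13. This is an added example, not the slides' or AWS WAF's own code; the rule class, the default ALLOW action and the header dictionaries are assumptions constructed for the example.

```python
# Added example (not from the slides or AWS WAF): a minimal model of a WAF
# string-match condition, with the "to lower" transform from slide 13, run over
# request headers constructed from slides 11-13.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class StringMatchRule:
    header: str                       # request header to inspect
    match: str                        # string the header value must contain
    action: str                       # "ALLOW" or "BLOCK"
    transform: Optional[str] = None   # None, or "lower" for the slide-13 rule


def apply_transform(value: str, transform: Optional[str]) -> str:
    """Normalise the header value before matching (only 'lower' is modelled)."""
    return value.lower() if transform == "lower" else value


def rule_matches(rule: StringMatchRule, headers: Dict[str, str]) -> bool:
    """Match type 'Contains': header names are case-insensitive, values are not."""
    value = headers.get(rule.header.lower(), "")
    return rule.match in apply_transform(value, rule.transform)


def evaluate(rules: List[StringMatchRule], headers: Dict[str, str]) -> str:
    """First matching rule wins; no match falls through to the assumed default."""
    for rule in rules:
        if rule_matches(rule, headers):
            return rule.action
    return "ALLOW"  # web ACL default action assumed for this example


# Constructed requests (header values taken from slides 11-13).
GOOD_USER = {"host": "www.example.com",
             "user-agent": "Mozilla/5.0 (Macintosh; ...)",
             "referrer": "http://www.example.com/"}
SCRAPER = {**GOOD_USER, "user-agent": "badbot"}
EVASIVE = {**GOOD_USER, "user-agent": "bAdBoT",
           "referrer": "http://www.InTeRnEtkItTiEs.com/"}

# Slide 12: block on the literal "badbot".  Slide 13: same rule with "to lower".
LITERAL_RULES = [StringMatchRule("User-Agent", "badbot", "BLOCK")]
TRANSFORM_RULES = [StringMatchRule("User-Agent", "badbot", "BLOCK", transform="lower")]
```

Without the transform the mixed-case User-Agent slips past the literal rule; with it the same request is blocked while the good user is still allowed.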
  14. 1. Simple configuration 2. DDoS Mitigation + WAF 3. Cost Saving 4. Speed up
  15. Lower traffic cost: Amazon CloudFront sits in front of a Region holding an Amazon S3 bucket and a custom origin; the diagram labels the transfer paths $$, $$, $ and Free. Note: cost will vary depending on CFRC (CloudFront Reserved Capacity).
  16. 1. Simple configuration 2. DDoS Mitigation + WAF 3. Cost Saving 4. Speed up
  17. example.com with clients connecting from many locations.
  18. Two users without CloudFront: each user performs SYN, SYN-ACK, ACK and then GET /index.jsp against the Region (the 2nd user repeats the full handshake). Diagram labels: 90ms, 360ms, 360ms.
  19. Without Keep-Alive Connections
     • Load on your web server increases the time to first byte.
     • TTFB (Time to First Byte) is made up of DNS Lookup, Connection and Content Download.
  20. Keep-Alive Connections: SYN, SYN-ACK, ACK, GET /index.jsp; the 2nd request sends only GET /index.jsp over the same connection.
  21. CloudFront Keep Alive: the user performs SYN, SYN-ACK, ACK and GET /index.jsp to the edge; the edge performs SYN, SYN-ACK, ACK and GET /index.jsp to the Region once and sends the 2nd user's GET /index.jsp over the kept-alive connection. Diagram labels: 30ms, 60ms; 2nd User: 360ms, 180ms.
  22. 5. Shield origin contents
  23. Access control: restricting origin access
     §Amazon S3
     §Origin Access Identity (OAI)
     • Prevents direct access to your Amazon S3 bucket
     • Ensures performance benefits to all customers
     §Custom origin
     §Block by IP address
     • Whitelist only the Amazon CloudFront IP range
     • Protects the origin from overload
     • Ensures performance benefits to all customers
  24. Origin Access Identity (OAI)
     • Ensures only Amazon CloudFront can access the Amazon S3 bucket
     • We make it simple for you
     (Diagram: Amazon CloudFront, Region, Amazon S3 bucket, custom origin)
  26. Shield custom origin
     • Shield your custom origin
     • Whitelist the Amazon CloudFront IP range
     (Diagram: Amazon CloudFront, Region, Amazon S3 bucket, custom origin)
  28. Shield custom origin
     • Subscribe to Amazon SNS notifications on changes to IP ranges
     • Automatically update security groups
     (Diagram: AWS IP ranges publish an SNS message; AWS Lambda updates the IP range in the security group of the web app servers behind Amazon CloudFront)
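The SNS-to-Lambda flow on slide 28 reduces to a pure planning step: read the notification, fetch and verify ip-ranges.json, pick out the CLOUDFRONT prefixes and diff them against the security group. This is an added example, not the deck's or AWS's sample code; the SNS message fields (url, md5) follow the published AmazonIpSpaceChanged format as I understand it, the CIDRs are RFC 5737 documentation ranges, and `fetch` and `current_cidrs` are stand-ins for the HTTP download and the EC2 describe call.

```python
# Added example (not from the slides or AWS): the planning logic of a Lambda
# that keeps a security group in sync with the CloudFront IP ranges.
import hashlib
import json
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample shaped like the published ip-ranges.json (only the fields
# used here); the CIDRs are documentation ranges, not real CloudFront prefixes.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1452124800",
    "createDate": "2016-01-07-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
    ],
})
SAMPLE_MD5 = hashlib.md5(SAMPLE_IP_RANGES.encode()).hexdigest()

# Constructed SNS event: the IP-range change topic publishes the file URL and its
# MD5 in the message body (assumed format), so the download is verified first.
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "url": "https://ip-ranges.amazonaws.com/ip-ranges.json", "md5": SAMPLE_MD5})}}]}


def cloudfront_prefixes(ip_ranges_json: str) -> Set[str]:
    """IPv4 prefixes tagged with service CLOUDFRONT (the slide's whitelist)."""
    data = json.loads(ip_ranges_json)
    return {p["ip_prefix"] for p in data["prefixes"] if p["service"] == "CLOUDFRONT"}


def plan_update(current: Set[str], desired: Set[str]) -> Tuple[List[str], List[str]]:
    """CIDRs to authorize and to revoke so the security group equals `desired`."""
    return sorted(desired - current), sorted(current - desired)


def handler(event: Dict, fetch: Callable[[str], str], current_cidrs: Set[str]) -> Dict:
    """Lambda-style entry point; `fetch` and `current_cidrs` are hypothetical
    stand-ins for the HTTP download and the EC2 describe_security_groups call."""
    msg = json.loads(event["Records"][0]["Sns"]["Message"])
    body = fetch(msg["url"])
    if hashlib.md5(body.encode()).hexdigest() != msg["md5"]:
        raise ValueError("ip-ranges.json checksum mismatch; security group left unchanged")
    to_add, to_remove = plan_update(current_cidrs, cloudfront_prefixes(body))
    # A real Lambda would now call ec2 authorize/revoke_security_group_ingress
    # for the web ports with these CIDRs; here the plan is returned instead.
    return {"authorize": to_add, "revoke": to_remove}
```

Revoking stale prefixes matters as much as adding new ones: a rule left behind for a range AWS no longer uses is an opening in the origin's perimeter.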