Accelerating Content, APIs and Applications with Amazon CloudFront and Lambda@Edge Lee Atkinson, Solutions Architect, Amazon Web Services Chris West, DevOps Lead, Travelex Ltd. 28 June 2017 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What to Expect from the Session Amazon CloudFront and AWS Lambda Lambda@Edge Customer: Travelex DevOps and Lambda@Edge Getting started with Lambda@Edge
Edge Services: A Core Infrastructure Component
AWS core services (compute, database, storage) sit behind the customer application. Users can access application resources directly, and/or through the edge, where the edge services secure, scale, and optimize the application. Edge services accessed directly by users include CloudFront, Route 53, AWS WAF, and AWS Shield.
AWS Edge: Global network of Points of Presence (POPs) on the backbone of the Internet
77 Edge Locations + 11 Regional Edge Caches, across 48 cities, 21 countries and 5 continents
Amazon CloudFront: Global Content Delivery Network Accelerate your web applications and APIs Cache content (images, video, scripts, CSS) Massively scalable Highly secure Self service Priced to minimize cost
CloudFront delivers ALL types of content: SSL/TLS, user input, dynamic, static, video
Without changing your backend: for example.com, dynamic content (*.php) can be served from an ALB/ELB in front of Amazon EC2 or from a custom origin, and static content (*.jpg) from Amazon S3 or from a custom origin, all behind the same CloudFront distribution.
AWS Lambda: Serverless Computing
AWS Lambda: Serverless computing Run code without servers. Pay only for the compute time you consume. Be happy. Triggered by events or called from APIs: PUT to an Amazon S3 bucket Updates to Amazon DynamoDB table Call to an Amazon API Gateway endpoint Mobile app back-end call CloudFront requests And many more Makes it easy to: Perform real-time data processing Build scalable back-end services Glue and choreograph systems
Benefits of AWS Lambda: No servers to manage. Continuous scaling. Never pay for idle (no cold servers).
AWS Lambda@Edge: Serverless Edge Computing
Introducing Lambda@Edge: Lambda@Edge is an extension of AWS Lambda that allows you to run Node.js code at AWS global edge locations. Bring your own code to the edge and customize your content very close to your users, improving the end user experience. No servers to manage. Continuous scaling. Never pay for idle (no cold servers). Globally distributed.
Accelerating content with CloudFront
CloudFront Triggers for Lambda@Edge Functions: a function can be attached to any of four CloudFront events: viewer request (after CloudFront receives a request from the viewer), origin request (before CloudFront forwards a cache miss to the origin), origin response (after the origin replies, before CloudFront caches the response), and viewer response (before CloudFront returns the response to the viewer).
Write once, run everywhere
What can Lambda@Edge Do?
Content Customization. User properties: identify a user's location or what device they are using to select content accordingly (e.g., smaller images for mobile vs desktop, selecting page language based on location). Client device properties: delete or modify headers to match protocols required by legacy end user devices (legacy TVs, networked printers).
Visitor Validation. Handling bots: detect search engine bots and filter this traffic from origin servers by displaying a Captcha page. Confirm valid sessions: inspect the User-Agent to judge the legitimacy of a request and add an access-control allow header accordingly (the User-Agent is client-controlled, so treat it as a hint rather than proof); validate the access token to confirm authentication status before the request reaches the origin.
URL Manipulation. Ad content: rewrite the URL from request.jpg to request.html to show the image with contextual information and relevant ads. Pretty URLs: avoid revealing your origin directory structure and introducing ugly complexity to URLs.
A/B Testing Flip a coin to select a version of content displayed to each user Set cookies to ensure that users continue to see the right versions of content
Demo Time!
Two demo functions:
1. URL rewriting (Origin Request trigger)
2. Response generation (Viewer Request trigger)
Travelex DevOps and Lambda@Edge
Travelex at a glance: First opened in London in 1976, Travelex is a world leading foreign exchange expert with presence in 29 countries, a growing online and mobile foreign exchange platform and a network of 1,000 ATMs and 1,500 stores.
1976: First store opens in Southampton Row, London
1982: First ferry outlet opens on the P&O ferry serving Rotterdam
1984: First overseas branch opens in the Netherlands, North Sea terminal, Rotterdam
1986: First non-bank FX provider at Heathrow T4
1989: First branches opened in the USA, in JFK airport
1990: First branches opened in Australia, Brisbane (Domestic terminal)
1995: Abbey National buys a 33% stake in Travelex; takeover of their FX
1999: Travelex acquires Barclays' FX in the UK; start of vault
2001: Travelex acquires Thomas Cook FS
2003: Travelex partners with the National Theatre to launch the Travelex ticket season
2003: Travelex opens in India and the Middle East (in Oman)
2004: Travelex opens in China
2014: Travelex embarks on digital transformation strategy
2015: Travelex sold to Dr Shetty and Mr Saeed Bin Butti
2015: First exclusive foreign exchange provider at Heathrow airport
2016: 40th anniversary
2017: Travelex Wire launches
Travelex DevOps + Lambda@Edge: DevOps at Travelex
Things we do: Wire international payments; white-label payments services; FCA e-money licence; backend for mobile apps; data engineering stuff; Jenkins (somewhat inevitably).
Things that are important to us: Security; Compliance; Resilience; Global; Cheap to run; Made with cool stuff.
Travelex DevOps + Lambda@Edge: Let's build a simple, secure web-site
Security considerations: Encryption in flight using SSL/TLS. Hosting environment hardening and security controls. Client-side security (e.g. XSS, click-jacking, CSRF, ...). DoS and DDoS (... and don't forget compliance considerations). Logs and audit trail. Access control. Plus about 300 control points, depending on your regime of choice.
Travelex DevOps + Lambda@Edge: A simple, secure web-site; on-prem (or EC2)
HA firewalls. HA load balancer + WAF. HA, hardened web-servers. PKI for SSL/TLS certificates. Host monitoring. ... and a second deployment somewhere because it's slow in Aus. Plus sysadmins, network admins and infosec.
Travelex DevOps + Lambda@Edge: Can we do better? (yep)
Travelex DevOps + Lambda@Edge: A simple, secure web-site; the AWS way
Amazon CloudFront. AWS Lambda@Edge. AWS Shield. AWS WAF. Amazon S3. Amazon Certificate Manager (ACM). AWS CloudFormation. Plus a DevOps engineer.
Travelex DevOps + Lambda@Edge: Why is this better?
Focus time on building and maintaining the web-site, not the infrastructure under it. Slash the effort required to support the infrastructure: make it Amazon's responsibility!
(Chart: effort for a VM build versus S3 + CloudFront, across web site build, infrastructure build, security hardening and maintenance.)
Travelex DevOps + Lambda@Edge: Lambda@Edge
Run before passing the response back to the client. Add HTTP headers to secure the response. Provision using CloudFormation (versioned and auditable). Note: the content security policy and key pins are parameterised in the template, so we can use it again.
Full code here: https://github.com/travelex/lambda-edge-demo
Travelex DevOps + Lambda@Edge: Secure HTTP headers, the dirty details
Strict-Transport-Security: stops SSL/TLS downgrade and man-in-the-middle (only after the first HTTPS visit, or via the preload list)
Public-Key-Pinning: stops SSL/TLS man-in-the-middle (a wrong pin set locks out every visitor for max-age; browsers have since deprecated HPKP in favour of Certificate Transparency)
Content-Security-Policy: limits XSS (and aggravates your front-end team)
X-Frame-Options: blocks click-jacking
X-XSS-Protection: blocks reflected XSS (sometimes; it depends on a browser filter that is no longer maintained)
X-Content-Type-Options: stops clients second-guessing the type of content returned by the server
Referrer-Policy: stops the client from leaking web history to third parties
Expect-CT: ensures that the SSL/TLS certificate has been obtained legitimately (sort of: it requires the certificate to be logged in Certificate Transparency)
Travelex DevOps + Lambda@Edge: Let's build a simple, secure web-site (revisited)
Security considerations: Encryption in flight using SSL/TLS. Hosting environment hardening and security controls. Client-side security (e.g. XSS, click-jacking, CSRF, ...). DoS and DDoS (... and don't forget compliance considerations). Logs and audit trail. Access control. Plus about 300 control points, depending on your regime of choice.
See: https://observatory.mozilla.org/ and https://www.ssllabs.com/
Travelex DevOps + Lambda@Edge: Compliance using infrastructure-as-code
CloudFormation => auditable state of all infrastructure components, including firewalls and access controls
git => robust audit trail of who changed what, when and why; can be reconciled with change management processes
CloudFormation + git flow => auditable release management
awspec + CI/CD logs => automated (!) test evidence
CloudTrail => secure audit trail
CloudFormation + IAM => don't let people change things, only code
CloudFormation + Ansible* => repeatable builds for multiple sites (see also: AWS Artifact)
* ... for us, anyway
Lambda@Edge: Getting Started
Lambda@Edge Service Limits
Runtime: Node.js 4.3
Triggered by CloudFront events
Access: no network connections, no AWS Region access, no disk access, no VPC

Item                              Lambda@Edge    Lambda
Timeout                           50 ms          300 seconds
Function power level (memory)     128 MB         128 MB to 1.5 GB
Function deployment package size  1 MB           50 MB
Lambda@Edge Pricing
Just as with Lambda today, Lambda@Edge is priced on two dimensions:
$0.60 per million function executions
$0.00000625125 per second of execution duration (128 MB per function)
For example, 10 million executions at 50 ms each:
Compute charges: 10M * 0.05 s * $0.00000625125 = $3.13
Request charges: 10M * $0.60/M = $6.00
Total: $3.13 + $6.00 = $9.13 per month
Recap: Using Lambda@Edge
Features: header-centric use cases (add, drop or modify headers); URL rewrites; response generation.
Benefits: bring your own code; self service through the Lambda console; familiar programming model (standard Node.js); write once, run everywhere: automatically deployed to the AWS network of 77 edge locations, with requests routed to the locations closest to your end users across the world.
Stay Tuned! Please visit the AWS Lambda website (https://aws.amazon.com/lambda/) and our What's New page for upcoming news about the general availability of Lambda@Edge.
Thank you!
Remember to complete your evaluations!