Accelerating Content, APIs and Applications with Amazon CloudFront and Lambda@Edge


Accelerating Content, APIs and Applications with Amazon CloudFront and Lambda@Edge
Lee Atkinson, Solutions Architect, Amazon Web Services
Chris West, DevOps Lead, Travelex Ltd.
28 June 2017
2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

What to Expect from the Session
- Amazon CloudFront and AWS Lambda
- Lambda@Edge
- Customer: Travelex, DevOps and Lambda@Edge
- Getting started with Lambda@Edge

AWS Core Services: Edge Services as a Core Infrastructure Component
(Diagram: compute, database and storage behind a customer application, with the edge in front of it.)
- Users can access application resources directly. Edge services that are directly accessed include CloudFront, Route 53, AWS WAF and AWS Shield.
- And/or users can access application resources through the edge, to secure, scale and optimize applications.

AWS Edge: Global network of Points of Presence (POPs) on the backbone of the Internet

77 Edge Locations + 11 Regional Edge Caches
- 77 Edge Locations
- 11 Regional Edge Caches
- 48 cities, 21 countries, 5 continents

Amazon CloudFront: Global Content Delivery Network
- Accelerate your web applications and APIs
- Cache content (images, video, scripts, CSS)
- Massively scalable
- Highly secure
- Self service
- Priced to minimize cost

CloudFront delivers ALL types of content: SSL/TLS, user input, dynamic, static, video

Without changing your backend
(Diagram: Amazon CloudFront in front of example.com)
- Dynamic content (*.php): ALB / ELB with Amazon EC2, or a custom origin
- Static content (*.jpg): Amazon S3, or a custom origin

AWS Lambda: Serverless Computing

AWS Lambda: Serverless computing
Run code without servers. Pay only for the compute time you consume. Be happy.
Triggered by events or called from APIs:
- PUT to an Amazon S3 bucket
- Updates to an Amazon DynamoDB table
- Call to an Amazon API Gateway endpoint
- Mobile app back-end call
- CloudFront requests
- And many more
Makes it easy to:
- Perform real-time data processing
- Build scalable back-end services
- Glue and choreograph systems

Benefits of AWS Lambda
- No servers to manage
- Continuous scaling
- Never pay for idle: no cold servers

AWS Lambda@Edge: Serverless Edge Computing

Introducing Lambda@Edge
Lambda@Edge is an extension of AWS Lambda that allows you to run Node.js code at AWS global edge locations. Bring your own code to the edge and customize your content very close to your users, improving end user experience.
- No servers to manage
- Continuous scaling
- Never pay for idle: no cold servers
- Globally distributed

Accelerating content with CloudFront

CloudFront Triggers for Lambda@Edge Functions

Write once, run everywhere

What can Lambda@Edge Do?

Content Customization
- User properties: identify a user's location or what device they are using to select content accordingly (e.g., smaller images for mobile vs desktop, selecting page language based on location)
- Client device properties: delete or modify headers to match protocols required by legacy end user devices (legacy TVs, networked printers)

Visitor Validation
- Handling bots: detect search engine bots and filter this traffic from origin servers by displaying a Captcha page
- Confirm valid sessions: view the user-agent to confirm the legitimacy of the request and add an access-control allow header accordingly
- Validate the access token to confirm authentication status

URL Manipulation
- Ad content: rewrite the URL from request.jpg to request.html to show the image with contextual information and relevant ads
- Pretty URLs: avoid revealing your origin directory structure and introducing ugly complexity to URLs

A/B Testing
- Flip a coin to select a version of content displayed to each user
- Set cookies to ensure that users continue to see the right versions of content

Demo Time!

Two demo functions
1. URL rewriting (Origin Request)
2. Response generation (Viewer Request)
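The two demo functions, written here as an added example (not the session's demo code) in the callback style of the Node.js 4.3 runtime the deck describes. The S3 directory-index layout and the rule that hidden dot-paths are never served are my assumptions, not the speakers'.

```javascript
'use strict';
// Added example: an Origin Request rewrite and a Viewer Request that generates a
// response at the edge. CloudFront event shape: event.Records[0].cf.request.
// Assumption: the S3 origin stores each directory's page as index.html.

// Origin Request: map "pretty" URLs onto origin files so the directory layout
// (and the .html suffix) is never exposed to the client.
//   /about      -> /about/index.html
//   /about/     -> /about/index.html
//   /img/a.jpg  -> unchanged (already names a file)
function rewriteUri(uri) {
  if (uri.endsWith('/')) {
    return uri + 'index.html';
  }
  var lastSegment = uri.substring(uri.lastIndexOf('/') + 1);
  return lastSegment.indexOf('.') === -1 ? uri + '/index.html' : uri;
}

// Viewer Request: return a response object when the edge should answer itself,
// or null to let the request continue to the cache/origin.
function generateResponse(request) {
  var uri = request.uri;
  // Assumed policy: hidden dot-paths (/.env, /foo/.secret) get an edge-generated
  // 404 and never reach the origin. Relax this if /.well-known must be served.
  if (uri.indexOf('/.') !== -1) {
    return { status: '404', statusDescription: 'Not Found',
             headers: { 'content-type': [{ key: 'Content-Type', value: 'text/plain' }] },
             body: 'Not Found' };
  }
  // Canonicalise a direct /about/index.html back to /about/ with a generated redirect.
  if (uri.endsWith('/index.html')) {
    var canonical = uri.substring(0, uri.length - 'index.html'.length);
    return { status: '301', statusDescription: 'Moved Permanently',
             headers: { location: [{ key: 'Location', value: canonical }] } };
  }
  return null;
}

function originRequestHandler(event, context, callback) {
  var request = event.Records[0].cf.request;
  request.uri = rewriteUri(request.uri);
  callback(null, request);
}

function viewerRequestHandler(event, context, callback) {
  var request = event.Records[0].cf.request;
  callback(null, generateResponse(request) || request);
}

if (typeof exports !== 'undefined') {   // Lambda entry points: index.originRequest / index.viewerRequest
  exports.originRequest = originRequestHandler;
  exports.viewerRequest = viewerRequestHandler;
}
```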

Travelex DevOps and Lambda@Edge

Travelex at a glance
First opened in London in 1976, Travelex is a world leading foreign exchange expert with presence in 29 countries, a growing online and mobile foreign exchange platform and a network of 1,000 ATMs and 1,500 stores.
- 1976: First store opens in Southampton Row, London
- 1982: First ferry outlet opens on the P&O ferry serving Rotterdam
- 1984: First overseas branch opens in the Netherlands, North Sea terminal, Rotterdam
- 1986: First non-bank FX provider at Heathrow T4
- 1989: First branches opened in the USA, in JFK airport
- 1990: First branches opened in Australia, Brisbane (Domestic terminal)
- 1995: Abbey National buys a 33% stake of Travelex; takeover of their FX
- 1999: Travelex acquires Barclay's FX in the UK; start of vault
- 2001: Travelex acquires Thomas Cook FS
- 2003: Travelex partners with the National Theatre to launch Travelex ticket season
- 2003: Travelex opens in India and the Middle East (in Oman)
- 2004: Travelex opens in China
- 2014: Travelex embarks on digital transformation strategy
- 2015: Travelex sold to Dr Shetty and Mr Saeed Bin Butti
- 2015: First exclusive foreign exchange provider at Heathrow airport
- 2016: 40th anniversary
- 2017: Travelex Wire launches

Travelex DevOps + Lambda@Edge: DevOps at Travelex
Things we do:
- Wire international payments
- White-label payments services
- FCA e-money licence
- Backend for mobile apps
- Data engineering stuff
- Jenkins (somewhat inevitably)
Things that are important to us:
- Security
- Compliance
- Resilience
- Global
- Cheap to run
- Made with cool stuff

Travelex DevOps + Lambda@Edge: Let's build a simple, secure web-site
Security considerations:
- Encryption in-flight using SSL/TLS
- Hosting environment hardening and security controls
- Client-side security (e.g. XSS, click-jacking, CSRF, ...)
- DoS and DDoS
- (... and don't forget compliance considerations)
- Logs and audit trail
- Access control
- + about 300 control points, depending on your regime of choice

Travelex DevOps + Lambda@Edge: A simple, secure web-site; on-prem (or EC2)
- HA firewalls
- HA load balancer + WAF
- HA, hardened web-servers
- PKI for SSL/TLS certificates
- Host monitoring
- ... and a second deployment somewhere because it's slow in Aus
- + sysadmins; network admins; infosec

Travelex DevOps + Lambda@Edge: Can we do better? (yep)

Travelex DevOps + Lambda@Edge: A simple, secure web-site; the AWS way
- Amazon CloudFront
- AWS Lambda@Edge
- AWS Shield
- AWS WAF
- Amazon S3
- Amazon Certificate Manager (ACM)
- AWS CloudFormation
- + a DevOps engineer

Travelex DevOps + Lambda@Edge: Why is this better?
- Focus time on building and maintaining the web-site, not the infrastructure under it
- Slash the effort required to support the infrastructure: make it Amazon's responsibility!
(Chart: effort for a VM build vs S3+CloudFront across web site, infrastructure build, security hardening and maintenance)

Travelex DevOps + Lambda@Edge: Lambda@Edge
- Run before passing the response back to the client
- Add HTTP headers to secure the response
- Provision using CloudFormation (versioned and auditable)
- Note: content security policy and key pins are parameterised in the template, so we can use it again
Full code here: https://github.com/travelex/lambda-edge-demo

Travelex DevOps + Lambda@Edge: Secure HTTP headers, the dirty details
- Strict-Transport-Security: stops SSL downgrade and man-in-the-middle
- Public-Key-Pinning: stops SSL/TLS man-in-the-middle
- Content-Security-Policy: limits XSS (and aggravates your front-end team)
- X-Frame-Options: blocks click-jacking
- X-Xss-Protection: blocks reflective XSS (sometimes)
- X-Content-Type-Options: stops clients second-guessing the type of content returned by the server
- Referrer-Policy: stops the client from leaking web history to third-parties
- Expect-CT: ensures that the SSL/TLS certificate has been obtained legitimately (sort of)
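An Origin Response handler that sets the headers this slide lists, as an added example and not the code in the Travelex repository linked above. The CSP and the pins sit in variables so a template can parameterise them as the deck describes; the policy value and the pin hashes are placeholders I assume, not real values.

```javascript
'use strict';
// Added example: Lambda@Edge Origin Response handler that stamps security
// headers on every response before CloudFront caches and returns it.
// EXAMPLE values below are assumptions to be parameterised per site.
var CSP = "default-src 'self'; object-src 'none'; frame-ancestors 'none'";           // EXAMPLE policy
var PINS = 'pin-sha256="PLACEHOLDER_PRIMARY="; pin-sha256="PLACEHOLDER_BACKUP="';  // EXAMPLE pins (placeholders)

// [header name, value] pairs in the order the slide discusses them.
var SECURITY_HEADERS = [
  ['Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload'],
  ['Public-Key-Pins', PINS + '; max-age=5184000; includeSubDomains'],
  ['Content-Security-Policy', CSP],
  ['X-Frame-Options', 'DENY'],
  ['X-XSS-Protection', '1; mode=block'],
  ['X-Content-Type-Options', 'nosniff'],
  ['Referrer-Policy', 'strict-origin-when-cross-origin'],
  ['Expect-CT', 'max-age=86400, enforce']
];

// CloudFront keys headers by lower-case name, each holding an array of
// {key, value} objects. Any value the origin already sent for one of these
// names is replaced, so the edge policy always wins over origin configuration.
function addSecurityHeaders(response) {
  var headers = response.headers || {};
  SECURITY_HEADERS.forEach(function (pair) {
    headers[pair[0].toLowerCase()] = [{ key: pair[0], value: pair[1] }];
  });
  response.headers = headers;
  return response;
}

// Lambda@Edge entry point for the origin-response trigger:
// event.Records[0].cf.response is the response coming back from the origin.
function originResponseHandler(event, context, callback) {
  var response = event.Records[0].cf.response;
  callback(null, addSecurityHeaders(response));
}

if (typeof exports !== 'undefined') {
  exports.handler = originResponseHandler;
}
```

Public-Key-Pins has since been removed from the major browsers, and a wrong pin locks every visitor out until max-age expires, so trial it with Public-Key-Pins-Report-Only before enforcing it.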

Travelex DevOps + Lambda@Edge: Let's build a simple, secure web-site
Security considerations:
- Encryption in-flight using SSL/TLS
- Hosting environment hardening and security controls
- Client-side security (e.g. XSS, click-jacking, CSRF, ...)
- DoS and DDoS
- (... and don't forget compliance considerations)
- Logs and audit trail
- Access control
- + about 300 control points, depending on your regime of choice
See: https://observatory.mozilla.org/ and https://www.ssllabs.com/

Travelex DevOps + Lambda@Edge: Compliance using infrastructure-as-code
- CloudFormation => auditable state of all infrastructure components, including firewalls and access controls
- git => robust audit trail of who changed what, when and why; can be reconciled with change management processes
- CloudFormation + git flow => auditable release management
- awspec + CI/CD logs => automated (!) test evidence
- CloudTrail => secure audit trail
- CloudFormation + IAM => don't let people change things, only code
- CloudFormation + Ansible* => repeatable builds for multiple sites
(see also: AWS Artifact)
* ... for us, anyway

Lambda@Edge: Getting Started

Lambda@Edge Service Limits
- Runtime: Node.js 4.3
- Triggered by CloudFront events
- Access: no network connections, AWS Region access, disk access, or VPC

Items                              Lambda@Edge   Lambda
Timeouts                           50 ms         300 seconds
Function Power Level               128 MB        128 MB - 1.5 GB
Function Deployment Package Size   1 MB          50 MB

Lambda@Edge Pricing
Just as with Lambda today, Lambda@Edge is priced on two dimensions:
- $0.60 / million function executions
- $0.00000625125 per second of execution duration (128 MB per function)
For example, 10 million executions at 50 ms each:
Total charges = Compute charges (10M * 0.05 sec * $0.00000625125 = $3.13) + Request charges (10M * $0.6/M = $6.00) = $3.13 + $6.00 = $9.13 per month

Recap: Using Lambda@Edge
Features:
- Header-centric use cases (add, drop or modify headers)
- URL rewrites
- Response generation
Benefits:
- Bring your own code: self service through the Lambda console
- Familiar programming model: standard Node.js
- Write once, run everywhere: automatically deployed to the AWS network of 77 edge locations; requests are routed to the locations closest to your end users across the world

Stay Tuned! Please visit the AWS Lambda website (https://aws.amazon.com/lambda/) for upcoming news about the general availability of Lambda@Edge on our What's New page.

Thank you!

Remember to complete your evaluations!