AWS Webcast - Using Amazon CloudFront to Protect Your Content Delivery

© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.

Using Amazon CloudFront to Protect Your Content Delivery: Geo Restriction, Private Content, and Custom SSL Certificates

Nihar Bihani, Sr. Product Manager
Calin Nemes, Support Engineer

Description

Amazon CloudFront, AWS’s easy-to-use and cost-effective content delivery service, has recently added several features that give you the protection and control that you need to deliver your content securely to your viewers. In this webinar we will talk about features such as:

• Geo-Restriction for restricting access to your content based on the geographic location of viewers

• Private Content to allow greater control over who is able to download your files from Amazon CloudFront

• Custom Error Pages to customize the error responses for your viewer

• Custom SSL Certificates so you can deliver your content securely end-to-end from your origin servers to your viewers using your own custom domain name

We will also present several use cases and do a demo to show you how you can easily configure these features using the Amazon CloudFront Management Console.

Transcript of AWS Webcast - Using Amazon CloudFront to Protect Your Content Delivery

Page 1: AWS Webcast - Using Amazon CloudFront to Protect Your Content Delivery

Using Amazon CloudFront to Protect Your Content Delivery

Geo Restriction, Private Content, and Custom SSL Certificates

Nihar Bihani, Sr. Product Manager

Calin Nemes, Support Engineer

Page 2

About Amazon CloudFront

Global availability, performance and scalability

Cost-effective and easy to use

Deliver all of your content securely

Page 3

Industry Leading Availability

[Chart: Global Availability* in percent (y-axis from 97 to 100), comparing CloudFront with CDN A, CDN B, CDN C and CDN D]

*Data from Cedexis, Last 30 Days, Availability measured over All Cedexis Regions. 12/30/13

Page 4

CloudFront Top Tier Performance

[Chart: response time at the 10th, 25th, 75th and 95th percentiles]

*Data from Cedexis, Last 30 Days, Response Time Measure of the United States. 11/12/13

Page 5

Competitive, Flexible Pricing

• On-demand, pay for use pricing

• Same pricing for Static and Dynamic Content

• Preferential Origin Fetch Pricing for AWS Origins

• Commitment based private pricing

[Chart: Data Transfer Economies of Scale; Price per GB plotted against Data Transfer Volume, Public Rates vs. Private Rates]

Page 6

CloudFront’s Global Presence

Americas: Atlanta, GA; Ashburn, VA (3); Dallas/Fort Worth, TX (2); Hayward, CA; Jacksonville, FL; Los Angeles, CA (2); Miami, FL; New York, NY (3); Newark, NJ; Palo Alto, CA; San Jose, CA; Seattle, WA; South Bend, IN; St. Louis, MO; Rio de Janeiro, Brazil; São Paulo, Brazil

Europe: Amsterdam, The Netherlands (2); Dublin, Ireland; Frankfurt, Germany (3); London, England (3); Madrid, Spain; Marseille, France; Milan, Italy; Paris, France (2); Stockholm, Sweden; Warsaw, Poland

Asia: Chennai, India; Hong Kong, China (2); Mumbai, India; Manila, the Philippines; Osaka, Japan; Seoul, Korea; Singapore (2); Taipei, Taiwan; Tokyo, Japan (2)

Australia: Sydney

Page 7

CloudFront’s Global Customer Reach

9 Regions, 46 Edge Locations

http://aws.amazon.com/about-aws/globalinfrastructure/

[Map: AWS Regions and Edge Locations]

Page 8

Popular CloudFront Features

Live and Video on Demand

• RTMP (Flash) and HTTP(S) delivery

• Adaptive Bitrate Streaming

Security

• Private Content

• Custom SSL Support

• Geo Restriction

• Identity and Access Management (IAM)

Content Management

• AWS Management Console

• Full control via APIs

• Programmatic Invalidation

• Industry-compliant, detailed Access Logs

Dynamic Content Acceleration

• Low Minimum Content Expiration Periods (TTL=0)

• Multiple Cache Behaviors

• Multiple Origin Servers

• Origin Connection Protocol

• Viewer Connection Protocol

• Zone Apex Support

• Query String & Cookie Support

• Put/Post HTTP Verb Support

Price Flexibility

• Pay for Use

• Price Classes

• Reserved Capacity Private Pricing

Page 9

Deliver All of Your Content

[Diagram with labels: Dynamic, Static, Video, User Input, SSL]

Page 10

Simple, Yet Powerful Architecture

[Diagram: viewers reach example.com through Amazon CloudFront; Dynamic Content comes from Elastic Load Balancing / Amazon EC2 or a Custom Origin, Static Content from Amazon S3 or a Custom Origin]

Page 11

[Image-only slide]

Page 12

CloudFront Security Features

AWS Identity and Access Management (IAM)

HTTPS Delivery

Private Content

Geo-Restriction

Page 13

AWS Identity and Access Management (IAM)

Page 14

AWS Identity and Access Management (IAM)

Regulate access to CloudFront APIs

Create policies to describe user role or permissions

Create an IAM policy using the AWS Management Console

Example Scenarios:

• Limit who can submit invalidation requests

• Just read access to your distribution

Page 15

AWS Identity and Access Management (IAM)

Example 1: Allow a group read and write access to all resources owned by the account

Example 2: Allow a group read and write access to all distributions owned by the account
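The slides name the IAM scenarios (limit who can submit invalidation requests, read-only access to a distribution, read/write access to everything) but the policy documents themselves are images that did not survive in this transcript. The following Python is an added example, not the webcast's material or AWS's sample policies: it writes out three constructed policy documents for those scenarios and includes a small evaluator that models IAM's decision rule (default deny, any matching Allow grants access, a matching explicit Deny overrides every Allow, with `*` and `?` wildcards), so the effect of a policy on a given CloudFront API call can be checked offline before it is attached to a group. The `cloudfront:` action names are the real IAM action names for the corresponding API calls; `"Resource": "*"` is used because, as on the slide, these are account-wide grants.

```python
import json
import re

# Constructed example policies for the scenarios on the slide (not AWS's own
# samples). The cloudfront:* action names are the real IAM action names for the
# corresponding CloudFront API calls; "Resource": "*" makes them account-wide.
INVALIDATION_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudfront:CreateInvalidation",
                   "cloudfront:GetInvalidation",
                   "cloudfront:ListInvalidations"],
        "Resource": "*",
    }],
}

READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudfront:Get*", "cloudfront:List*"],
        "Resource": "*",
    }],
}

# Full access except configuration changes: the explicit Deny wins over the Allow.
NO_CONFIG_CHANGES = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudfront:*", "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["cloudfront:UpdateDistribution", "cloudfront:DeleteDistribution"],
         "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob_match(pattern, value, ignore_case):
    """IAM-style matching: '*' matches any run of characters, '?' one character.
    Action names are matched case-insensitively, resource names case-sensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def evaluate(policies, action, resource="*"):
    """Decide the way IAM does: default Deny; any matching Allow grants access;
    a matching explicit Deny in any policy overrides every Allow."""
    decision = "Deny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not any(_glob_match(p, action, True) for p in _as_list(statement.get("Action", []))):
                continue
            if not any(_glob_match(p, resource, False) for p in _as_list(statement.get("Resource", []))):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def policy_document(policy):
    """The JSON text you would paste into the IAM console policy editor."""
    return json.dumps(policy, indent=2)

if __name__ == "__main__":
    for name, policy in [("invalidation-only", INVALIDATION_ONLY),
                         ("read-only", READ_ONLY), ("no-config-changes", NO_CONFIG_CHANGES)]:
        for action in ("cloudfront:GetDistribution", "cloudfront:CreateInvalidation",
                       "cloudfront:UpdateDistribution"):
            print(f"{name:18} {action:32} -> {evaluate([policy], action)}")
```

`evaluate` takes a list of policies because a user's effective permissions come from every policy attached to them and their groups; the third document shows why an explicit Deny is the safer way to carve out the configuration-changing calls from a broad grant.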

Page 16

HTTPS Delivery

Page 17

HTTPS Delivery

Configure CloudFront one of two ways:

• Accept both HTTP and HTTPS connections

• Accept only HTTPS connections

HTTPS allows transfer over an encrypted connection.

CloudFront forwards HTTPS requests to the origin:

• Over SSLv3 or TLSv1 protocols

• Supports AES128-SHA1 or RC4-MD5 ciphers

• Includes a Server Name Indication (SNI) extension

Page 18

HTTPS Delivery

Two ways you can implement SSL with CloudFront:

• Half Bridge SSL termination

• Full Bridge SSL termination

[Diagram: viewer, CloudFront, AWS Region]

Page 19

HTTPS Delivery

Half Bridge SSL termination - HTTPS only from Viewer to CloudFront

Use CloudFront Viewer Protocol Policy

[Diagram: HTTPS from the viewer to CloudFront, HTTP from CloudFront to the origin in the AWS Region]

Page 20

HTTPS Delivery

Why use Half Bridge SSL Termination?

Better Performance By Leveraging HTTP Connections To Origin

[Diagram: CloudFront to origin over HTTP]

Page 21

HTTPS Delivery

Full Bridge SSL Termination - HTTPS from Viewer to CloudFront and from CloudFront to Origin.

Use CloudFront Origin Protocol Policy

[Diagram: HTTPS from the viewer to CloudFront and from CloudFront to the origin in the AWS Region]

Page 22

HTTPS Delivery

CloudFront provides two options for delivery over SSL

Using Default CloudFront SSL Domain Name

• e.g. d123.cloudfront.net

Using a Custom SSL Domain Name

• e.g. www.mysite.com

Page 23

HTTPS Delivery

Using a Custom SSL Domain Name

You bring your own custom SSL certificate

No restrictions on the type of certificate: EV certificates, Wildcard certificates, SAN certificate, etc.

You get a dedicated set of IP addresses at each of our edge locations worldwide

Use your own domain name in the URLs for objects delivered via CloudFront (https://www.example.com/image.jpg)

Benefits:

High Performance – use of all edge locations

High Security – your own certificate (vs. shared cert)

High Availability – full browser support

Page 24

HTTPS Delivery

Getting started with using your own SSL certificate on CloudFront:

1. You upload your own SSL certificate to AWS IAM.

2. Request access to this feature by submitting this form: http://aws.amazon.com/cloudfront/custom-ssl-domains/

3. Once approved by AWS, you can associate your SSL certificate to one or more CloudFront distributions.

4. Start using your own domain name (e.g. mysite.com) in your HTTPS URLs delivered via CloudFront.

Page 25

Serving Private Content

Page 26

Private Content

Deliver your content ONLY to authorized viewers

Two ways to control end user access:

• Origin Access Identity (OAI) to restrict direct access to objects in Amazon S3.

• Signed URLs to restrict access to objects at the CloudFront edge.

Page 27

Private Content

Origin Access Identity (OAI)

• Ensure customers don’t have direct access to your Amazon S3 origin bucket.

• Ensure performance benefits to all customers.

• Protects origin from overload.

[Diagram: a request that bypasses CloudFront and goes straight to the S3 bucket in the AWS Region gets "Access Denied"]

Page 28

Private Content

Signed URLs prevent unauthorized access to objects at the CloudFront edge.

Programmatically create access control policies to define how your content can be accessed.

For example, allow access…

• only until a certain date or time

• only to users who have paid a fee

• only from certain IP addresses

[Diagram: a request without a valid signed URL gets "Access Denied" at the edge]

Page 29

Private Content

Here is an example of a policy statement for signed URLs

More Information: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html

(Find sample code to create URL signature in Perl, PHP, C# and .NET, Java)

Page 30

Geo-Restriction

Page 31

Geo-Restriction

Restrict access to your content based on the location (country) of your users.

Configure a whitelist or a blacklist.

CloudFront returns an HTTP status code of 403 (forbidden) to the user.

Page 32

Geo-Restriction

Scenarios:

Online video publishers can distribute videos only in the country where they have distribution rights.

• e.g. use a whitelist of geo-locations

Software distributors can prevent download of their software in countries with licensing regulations.

• e.g. use a blacklist of geo-locations

Page 33

Configuring Custom Error Responses

Show a user-friendly message in case of an error.

Configure a custom page and a custom response code for each error.

An error could be:

• Object not found

• Unauthorized user access

• …or any other 4xx or 5xx HTTP error

Page 34

Custom Error Responses

Performance considerations:

• Set “Error Caching Minimum TTL” to cache the error response.

• CloudFront responds with error page for the duration of the TTL.

• Setting the TTL too low would increase origin load.

Page 35

Demo

Page 36

Questions

http://aws.amazon.com/cloudfront

@cloudfront