© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Lee Atkinson, Solutions Architect, Amazon Web Services
Chris West, DevOps Lead, Travelex Ltd.
28 June 2017
Accelerating Content, APIs and Applications with Amazon CloudFront and Lambda@Edge
What to Expect from the Session
• Amazon CloudFront and AWS Lambda
• Lambda@Edge
• Customer: Travelex DevOps and Lambda@Edge
• Getting started with Lambda@Edge
AWS Core Services
Compute
Storage
Database
Edge
Edge Services: A Core Infrastructure Component
Users Can Access Application Resources Directly
Customer Application
Edge services directly accessed include CloudFront, Route 53, AWS WAF, AWS Shield
AWS Core Services
Edge Services: A Core Infrastructure Component
Users Can Access Application Resources Through The Edge to Secure, Scale, and Optimize Applications
Compute
Storage
Database
Edge
Customer Application
AND/OR
AWS Edge: Global network of Points of Presence (POPs) on the backbone of the Internet
77 Edge Locations + 11 Regional Edge Caches, in 48 cities, 21 countries, 5 continents
Amazon CloudFront: Global Content Delivery Network
• Accelerate your web applications and APIs
• Cache content (images, video, scripts, CSS)
• Massively scalable
• Highly secure
• Self service
• Priced to minimize cost
Dynamic
Static
Video
User Input
SSL/TLS
CloudFront delivers ALL types of content
Without changing your backend…
ALB / ELB
Dynamic Content
Amazon EC2
Static Content
Amazon S3 Custom Origin
OR
OR
Custom Origin
Amazon CloudFront
example.com
*.jpg
*.php
AWS Lambda: Serverless Computing
Run code without servers. Pay only for the compute time you consume. Be happy.
Triggered by events or called from APIs:
• PUT to an Amazon S3 bucket
• Updates to Amazon DynamoDB table
• Call to an Amazon API Gateway endpoint
• Mobile app back-end call
• CloudFront requests
• And many more…
Makes it easy to:
• Perform real-time data processing
• Build scalable back-end services
• Glue and choreograph systems
Benefits of AWS Lambda
No servers to manage
Continuous scaling
Never pay for idle – no cold servers
AWS Lambda@Edge: Serverless Edge Computing
Introducing Lambda@Edge
• Lambda@Edge is an extension of AWS Lambda that allows you to run Node.js code at AWS global edge locations.
• Bring your own code to the edge and customize your content very close to your users, improving end user experience.
No servers to manage
Continuous scaling
Never pay for idle – no cold servers
Globally distributed
Accelerating content with CloudFront
CloudFront Triggers for Lambda@Edge Functions
Write once, run everywhere
What can Lambda@Edge Do?
• User Properties – Identify a user’s location or what device they are using to select content accordingly (e.g., smaller images for mobile vs desktop, selecting page language based on location)
• Client Device properties - Delete or modify headers to match protocols required by legacy end user devices
• Legacy TVs, networked printers
Content Customization
Visitor Validation
• Handling bots
• Detect search engine bots and filter this traffic from origin servers by displaying a Captcha page
• Confirm valid sessions
• View user-agent to confirm legitimacy of request and add an access-control allow header accordingly
• Validate access token to confirm authentication status
URL Manipulation
• Ad content - Rewrite URL from request.jpg to request.html to show image with contextual information and relevant ads
• Pretty URLs – Avoid revealing your origin directory structure and introducing “ugly” complexity to URLs
A/B Testing
• “Flip a coin” to select a version of content displayed to each user
• Set cookies to ensure that users continue to see the right versions of content
Demo Time!
Two demo functions
1. URL rewriting (Origin Request)
2. Response generation (Viewer Request)
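An added example (not the demo code shown in the session) of the two trigger types just listed, written in the Node.js callback style Lambda@Edge used at the time: an origin-request function that rewrites pretty URLs to the object path on the origin, and a viewer-request function that generates a response at the edge for crawler-like User-Agents. The BOT_PATTERN regex and the placeholder challenge page are constructed assumptions.

```javascript
'use strict';

// Origin-request trigger: map a "pretty" URL onto the object that really
// exists on the origin, so the origin directory layout stays hidden.
//   "/"        -> "/index.html"
//   "/about/"  -> "/about/index.html"
//   "/about"   -> "/about/index.html"   (no extension => treat as directory)
//   "/a.css"   -> "/a.css"              (already a file)
function rewriteUri(uri) {
  if (uri.endsWith('/')) return uri + 'index.html';
  const lastSegment = uri.substring(uri.lastIndexOf('/') + 1);
  return lastSegment.indexOf('.') === -1 ? uri + '/index.html' : uri;
}

function originRequestHandler(event, context, callback) {
  const request = event.Records[0].cf.request; // CloudFront event shape
  request.uri = rewriteUri(request.uri);
  callback(null, request); // returning the request forwards it to the origin
}

// Viewer-request trigger: answer some requests at the edge without ever
// contacting the origin. Returning a response object instead of the request
// makes CloudFront send that response straight back to the viewer.
const BOT_PATTERN = /bot|crawler|spider/i; // constructed, illustrative pattern

function buildEdgeResponse(request) {
  // CloudFront keys headers by lower-cased name, each an array of {key, value}
  const uaHeader = request.headers['user-agent'];
  const userAgent = uaHeader && uaHeader.length ? uaHeader[0].value : '';
  if (!BOT_PATTERN.test(userAgent)) return null; // null => pass through
  return {
    status: '200',
    statusDescription: 'OK',
    headers: { 'content-type': [{ key: 'Content-Type', value: 'text/html' }] },
    body: '<html><body>Please complete the challenge to continue.</body></html>',
  };
}

function viewerRequestHandler(event, context, callback) {
  const request = event.Records[0].cf.request;
  callback(null, buildEdgeResponse(request) || request);
}
```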
Travelex DevOps and Lambda@Edge
Travelex at a glance
First opened in London in 1976, Travelex is a world leading foreign exchange expert with presence in 29 countries, a growing online and mobile foreign exchange platform and a network of 1,000 ATMs and 1,500 stores.
Timeline:
• 1976: First store opens in Southampton Row, London
• 1982: First ferry outlet opens on the P&O ferry serving Rotterdam
• 1984: First overseas branch opens in the Netherlands, North Sea terminal, Rotterdam
• 1986: First non-bank FX provider at Heathrow T4
• 1989: First branches opened in the USA, in JFK airport
• 1990: First branches opened in Australia, Brisbane (Domestic terminal)
• 1995: Abbey National buys a 33% stake of Travelex – takeover of their FX
• 1999: Travelex acquires Barclay’s FX in the UK – start of vault
• 2001: Travelex acquires Thomas Cook FS
• 2003: Travelex opens in India and the Middle East (in Oman)
• 2003: Travelex partners with the National Theatre to launch Travelex ticket season
• 2004: Travelex opens in China
• 2014: Travelex embarks on digital transformation strategy
• 2015: First exclusive foreign exchange provider at Heathrow airport
• 2015: Travelex sold to Dr Shetty and Mr Saeed Bin Butti
• 2016: 40th anniversary
• 2017: Travelex Wire launches
Travelex DevOps + Lambda@Edge
Things we do
• Wire international payments
• White-label payments services
• FCA e-money licence
• Backend for mobile apps
• Data engineering stuff
• Jenkins (somewhat inevitably)
DevOps at Travelex
Things that are important to us
• Security
• Compliance
• Resilience
• Global
• Cheap to Run
• Made with Cool Stuff
Travelex DevOps + Lambda@Edge
Security considerations
🔒 Encryption in-flight using SSL/TLS
🔒 Hosting environment hardening and security controls
🔒 Client-side security (e.g. XSS, click-jacking, CSRF, ...)
🔒 DoS and DDoS
(...and don’t forget compliance considerations)
✅ Logs and audit trail
✅ Access control
✅ + about 300 control points, depending on your regime of choice
Let’s build a simple, secure web-site
Travelex DevOps + Lambda@Edge
A simple, secure web-site; on-prem (or EC2)
• HA firewalls
• HA load balancer + WAF
• HA, hardened web-servers
• PKI for SSL/TLS certificates
• Host monitoring
• ...and a second deployment somewhere because it’s slow in Aus
+ sysadmins; network admins; infosec
Travelex DevOps + Lambda@Edge
Can we do better?
(yep)
Travelex DevOps + Lambda@Edge
• Amazon CloudFront
• AWS Lambda@Edge
• AWS Shield
• AWS WAF
• Amazon S3
• Amazon Certificate Manager (ACM)
• AWS CloudFormation
+ a DevOps engineer
A simple, secure web-site; the AWS way
Travelex DevOps + Lambda@Edge
• Focus time on building and maintaining the web-site; not the infrastructure under it
• Slash the effort required to support the infrastructure: make it Amazon’s responsibility!
Why is this better?
[Chart: effort for a VM build vs. S3 + CloudFront, compared across Web Site, Infrastructure Build, Security Hardening and Maintenance]
Travelex DevOps + Lambda@Edge
• Run before passing the response back to the client
• Add HTTP headers to secure the response
• Provision using CloudFormation (versioned and auditable)
• Note: content security policy and key pins are parameterised in the template, so we can use it again
Lambda@Edge
Full code here: https://github.com/travelex/lambda-edge-demo
Travelex DevOps + Lambda@Edge
• Strict-Transport-Security: stops SSL downgrade and man-in-the-middle
• Public-Key-Pinning: stops SSL/TLS man-in-the-middle
• Content-Security-Policy: limits XSS (and aggravates your front-end team)
• X-Frame-Options: blocks click-jacking
• X-Xss-Protection: blocks reflective XSS (sometimes)
• X-Content-Type-Options: stops clients second-guessing the type of content returned by the server
• Referrer-Policy: stops the client from leaking web history to third-parties
• Expect-CT: ensures that the SSL/TLS certificate has been obtained legitimately (sort of)
Secure HTTP headers, the dirty details
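As an added example (not the code in the Travelex repository linked above), a response-trigger function in the same Node.js callback style that sets the headers discussed here. The header values are constructed assumptions to be tuned per site; Public-Key-Pinning and Expect-CT are left out because they need site-specific pins and report endpoints, and browsers have since dropped HPKP support.

```javascript
'use strict';

// Headers added to every response leaving the edge. Values are constructed
// example policies (assumptions); tune them to the site before deploying.
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'X-Xss-Protection': '1; mode=block',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'same-origin',
};

// CloudFront hands headers to Lambda@Edge keyed by lower-cased name, each
// mapping to an array of {key, value} pairs, and expects them back in the
// same shape. Existing headers (e.g. content-type) are left untouched.
function addSecurityHeaders(response) {
  const headers = response.headers || (response.headers = {});
  Object.keys(SECURITY_HEADERS).forEach((name) => {
    headers[name.toLowerCase()] = [{ key: name, value: SECURITY_HEADERS[name] }];
  });
  return response;
}

// Lambda@Edge entry point for a viewer-response (or origin-response) trigger:
// runs before the response is passed back to the client, as the slide says.
function handler(event, context, callback) {
  const response = event.Records[0].cf.response;
  callback(null, addSecurityHeaders(response));
}

// Expose the handler when loaded as a CommonJS module (Node.js 4.3 style).
if (typeof module !== 'undefined' && module.exports) {
  module.exports.handler = handler;
}
```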
Travelex DevOps + Lambda@Edge
Security considerations (revisited)
🔒 Encryption in-flight using SSL/TLS
🔒 Hosting environment hardening and security controls
🔒 Client-side security (e.g. XSS, click-jacking, CSRF, ...)
🔒 DoS and DDoS
(...and don’t forget compliance considerations)
✅ Logs and audit trail
✅ Access control
✅ + about 300 control points, depending on your regime of choice
Let’s build a simple, secure web-site
See: https://observatory.mozilla.org/ and https://www.ssllabs.com/
Travelex DevOps + Lambda@Edge
✅ CloudFormation => auditable state of all infrastructure components; including firewalls and access controls
✅ git => robust audit trail of who changed what, when and why; can be reconciled with change management processes
✅ CloudFormation + git flow => auditable release management
✅ awspec + CI/CD logs => automated (!) test evidence
✅ CloudTrail => secure audit trail
✅ CloudFormation + IAM => don’t let people change things, only code
✅ CloudFormation + Ansible* => repeatable builds for multiple sites
✅ (see also: AWS Artifact)
Compliance using infrastructure-as-code
* ...for us, anyway
Lambda@Edge: Getting Started
Lambda@Edge Service Limits
Item                               Lambda@Edge   Lambda
Timeouts                           50 ms         300 seconds
Function “Power Level”             128 MB        128 MB – 1.5 GB
Function Deployment Package Size   1 MB          50 MB
• Runtime: Node.js 4.3
• Triggered by CloudFront Events
• Access: No network connections, AWS Region access, disk access, or VPC
Lambda@Edge Pricing
Just as with Lambda today, Lambda@Edge is priced on two dimensions:
• $0.60 / million function executions
• $0.00000625125 per second of execution duration (128 MB per function)
For example - 10 million executions, 50 ms each time:
• Total charges = Compute charges (10M * 0.05 sec * $0.00000625125 = $3.13) + Request charges (10M * $0.6/M = $6.00) = $3.13 + $6.00 = $9.13 per month
Recap – Using Lambda@Edge
Benefits:
Familiar programming model
• Standard Node.js
Write once, run everywhere
• Automatically deployed to the AWS network of 77 edge locations
• Requests are routed to the locations closest to your end users across the world
Bring your own code
• Self service through the Lambda console
Features:
- Header centric use cases (add, drop or modify headers)
- URL rewrites
- Response generation
Stay Tuned!
Please visit the AWS Lambda website (https://aws.amazon.com/lambda/) for upcoming news about the general availability of Lambda@Edge on our “What’s New” page
Thank you!
Remember to complete your evaluations!