© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Lee Atkinson, Solutions Architect, Amazon Web Services Chris West, DevOps Lead, Travelex Ltd. 28 June 2017 Accelerating Content, APIs and Applications with Amazon CloudFront and Lambda@Edge


Page 1: Accelerating Content with Amazon CloudFront and Lambda@Edgelondon-summit-slides-2017.s3.amazonaws.com/Accelerating Conten… · • Lambda@Edge is an extension of AWS Lambda that

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Lee Atkinson, Solutions Architect, Amazon Web Services
Chris West, DevOps Lead, Travelex Ltd.

28 June 2017

Accelerating Content, APIs and Applications with Amazon CloudFront and Lambda@Edge

Page 2:

What to Expect from the Session

• Amazon CloudFront and AWS Lambda
• Lambda@Edge
• Customer: Travelex DevOps and Lambda@Edge
• Getting started with Lambda@Edge

Page 3:

AWS Core Services

Compute
Storage
Database
Edge

Edge Services: A Core Infrastructure Component

Users Can Access Application Resources Directly

Customer Application

Edge services directly accessed include CloudFront, Route 53, AWS WAF, AWS Shield

Page 4:

AWS Core Services

Edge Services: A Core Infrastructure Component

Users Can Access Application Resources Through The Edge to Secure, Scale, and Optimize Applications

Compute
Storage
Database
Edge

Customer Application

AND/OR

Page 5:

AWS Edge: Global network of Points of Presence (POPs) on the backbone of the Internet

Page 6:

77 Edge Locations + 11 Regional Edge Caches

48 cities, 21 countries, 5 continents

Page 7:

Amazon CloudFront: Global Content Delivery Network

• Accelerate your web applications and APIs
• Cache content (images, video, scripts, CSS)
• Massively scalable
• Highly secure
• Self service
• Priced to minimize cost

Page 8:

CloudFront delivers ALL types of content

[Diagram labels: Dynamic, Static, Video, User Input, SSL/TLS]

Page 9:

Without changing your backend…

[Diagram labels: example.com, Amazon CloudFront, *.jpg, *.php, Static Content, Dynamic Content, Amazon S3, ALB / ELB, Amazon EC2, Custom Origin]

Page 10:

AWS Lambda: Serverless Computing

Page 11:

AWS Lambda: Serverless computing

Run code without servers. Pay only for the compute time you consume. Be happy.

Triggered by events or called from APIs:
• PUT to an Amazon S3 bucket
• Updates to Amazon DynamoDB table
• Call to an Amazon API Gateway endpoint
• Mobile app back-end call
• CloudFront requests
• And many more…

Makes it easy to:
• Perform real-time data processing
• Build scalable back-end services
• Glue and choreograph systems

Page 12:

Benefits of AWS Lambda

No servers to manage

Continuous scaling

Never pay for idle – no cold servers

Page 13:

AWS Lambda@Edge: Serverless Edge Computing

Page 14:

Introducing Lambda@Edge

• Lambda@Edge is an extension of AWS Lambda that allows you to run Node.js code at AWS global edge locations.

• Bring your own code to the edge and customize your content very close to your users, improving end user experience.

No servers to manage

Continuous scaling

Never pay for idle – no cold servers

Globally distributed

Page 15:

Accelerating content with CloudFront

Page 16:

CloudFront Triggers for Lambda@Edge Functions

Page 17:

CloudFront Triggers for Lambda@Edge Functions

Page 18:

Write once, run everywhere

Page 19:

What can Lambda@Edge Do?

Page 20:

Content Customization

• User Properties – Identify a user’s location or what device they are using to select content accordingly (e.g., smaller images for mobile vs desktop, selecting page language based on location)

• Client Device properties – Delete or modify headers to match protocols required by legacy end user devices
  • Legacy TVs, networked printers

Page 21:

Visitor Validation

• Handling bots
  • Detect search engine bots and filter this traffic from origin servers by displaying a Captcha page

• Confirm valid sessions
  • View user-agent to confirm legitimacy of request and add an access-control allow header accordingly
  • Validate access token to confirm authentication status

Page 22:

URL Manipulation

• Ad content – Rewrite URL from request.jpg to request.html to show image with contextual information and relevant ads

• Pretty URLs – Avoid revealing your origin directory structure and introducing “ugly” complexity to URLs

Page 23:

A/B Testing

• “Flip a coin” to select a version of content displayed to each user

• Set cookies to ensure that users continue to see the right versions of content

Page 24:

Demo Time!

Page 25:

Two demo functions

1. URL rewriting (Origin Request)
2. Response generation (Viewer Request)

Page 26:

Travelex DevOps and Lambda@Edge

Page 27:

Travelex at a glance

First opened in London in 1976, Travelex is a world leading foreign exchange expert with presence in 29 countries, a growing online and mobile foreign exchange platform and a network of 1,000 ATMs and 1,500 stores

1976: First store opens in Southampton Row, London
1982: First ferry outlet opens on the P&O ferry serving Rotterdam
1984: First overseas branch opens in the Netherlands, North Sea terminal, Rotterdam
1986: First non-bank FX provider at Heathrow T4
1989: First branches opened in the USA, in JFK airport
1990: First branches opened in Australia, Brisbane (Domestic terminal)
1995: Abbey National buys a 33% stake of Travelex – takeover of their FX
1999: Travelex acquires Barclay’s FX in the UK – start of vault
2001: Travelex acquires Thomas Cook FS
2003: Travelex partners with the National Theatre to launch Travelex ticket season
2003: Travelex opens in India and the Middle East (in Oman)
2004: Travelex opens in China
2014: Travelex embarks on digital transformation strategy
2015: Travelex sold to Dr Shetty and Mr Saeed Bin Butti
2015: First exclusive foreign exchange provider at Heathrow airport
2016: 40th anniversary
2017: Travelex Wire launches

Page 28:

Travelex DevOps + Lambda@Edge

DevOps at Travelex

Things we do
• Wire international payments
• White-label payments services
• FCA e-money licence
• Backend for mobile apps
• Data engineering stuff
• Jenkins (somewhat inevitably)

Things that are important to us
• Security
• Compliance
• Resilience
• Global
• Cheap to Run
• Made with Cool Stuff

Page 29:

Travelex DevOps + Lambda@Edge

Let’s build a simple, secure web-site

Security considerations
🔒 Encryption in-flight using SSL/TLS
🔒 Hosting environment hardening and security controls
🔒 Client-side security (e.g. XSS, click-jacking, CSRF, ...)
🔒 DoS and DDoS

(...and don’t forget compliance considerations)
✅ Logs and audit trail
✅ Access control
✅ + about 300 control points, depending on your regime of choice

Page 30:

Travelex DevOps + Lambda@Edge

A simple, secure web-site; on-prem (or EC2)

• HA firewalls
• HA load balancer + WAF
• HA, hardened web-servers
• PKI for SSL/TLS certificates
• Host monitoring
• ...and a second deployment somewhere because it’s slow in Aus

+ sysadmins; network admins; infosec

Page 31:

Travelex DevOps + Lambda@Edge

Can we do better?

(yep)

Page 32:

Travelex DevOps + Lambda@Edge

A simple, secure web-site; the AWS way

• Amazon CloudFront
• AWS Lambda@Edge
• AWS Shield
• AWS WAF
• Amazon S3
• Amazon Certificate Manager (ACM)
• AWS CloudFormation

+ a DevOps engineer

Page 33:

Travelex DevOps + Lambda@Edge

Why is this better?

• Focus time on building and maintaining the web-site; not the infrastructure under it

• Slash the effort required to support the infrastructure: make it Amazon’s responsibility!

[Chart: VM Build vs S3 + CloudFront, by Web Site, Infrastructure Build, Security Hardening, Maintenance]

Page 34:

Travelex DevOps + Lambda@Edge

Lambda@Edge

• Run before passing the response back to the client

• Add HTTP headers to secure the response

• Provision using CloudFormation (versioned and auditable)

• Note: content security policy and key pins are parameterised in the template, so we can use it again

Full code here: https://github.com/travelex/lambda-edge-demo

Page 35:

Travelex DevOps + Lambda@Edge

Secure HTTP headers, the dirty details

• Strict-Transport-Security: stops SSL downgrade and man-in-the-middle
• Public-Key-Pinning: stops SSL/TLS man-in-the-middle
• Content-Security-Policy: limits XSS (and aggravates your front-end team)
• X-Frame-Options: blocks click-jacking
• X-Xss-Protection: blocks reflective XSS (sometimes)
• X-Content-Type-Options: stops clients second-guessing the type of content returned by the server
• Referrer-Policy: stops the client from leaking web history to third-parties
• Expect-CT: ensures that the SSL/TLS certificate has been obtained legitimately (sort of)
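
A response-trigger function of the kind the two slides above describe, as an added example rather than the code in the Travelex repository. It assumes the generally available Lambda@Edge event layout (event.Records[0].cf.response), current Node.js syntax, and constructed policy values.

```javascript
'use strict';
// Added example (not the Travelex template). Values below are constructed
// defaults; the CSP is a parameter, as in the parameterised template.
const DEFAULT_POLICY = {
  csp: "default-src 'self'",
  hstsMaxAge: 31536000, // seconds (one year)
  frameOptions: 'DENY',
  referrerPolicy: 'same-origin',
};

// Header name -> value for the slide's headers. Public-Key-Pins and Expect-CT
// are left out because they need site-specific pins and report settings.
function securityHeaders(policy) {
  const p = Object.assign({}, DEFAULT_POLICY, policy);
  return {
    'Strict-Transport-Security': `max-age=${p.hstsMaxAge}; includeSubDomains`,
    'Content-Security-Policy': p.csp,
    'X-Frame-Options': p.frameOptions,
    'X-XSS-Protection': '1; mode=block',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': p.referrerPolicy,
  };
}

// CloudFront keys headers by lower-case name; each entry is [{ key, value }].
// Assigning (not appending) overrides whatever the origin sent for that header.
function addSecurityHeaders(response, policy) {
  response.headers = response.headers || {};
  for (const [name, value] of Object.entries(securityHeaders(policy))) {
    response.headers[name.toLowerCase()] = [{ key: name, value }];
  }
  return response;
}

// Handler for a CloudFront response trigger.
function handler(event, context, callback) {
  callback(null, addSecurityHeaders(event.Records[0].cf.response));
}
if (typeof module !== 'undefined' && module.exports) {
  module.exports.handler = handler;
}

// Constructed sample event: an origin reply with a weaker X-Frame-Options.
const SAMPLE_EVENT = { Records: [{ cf: { response: {
  status: '200',
  headers: {
    'content-type': [{ key: 'Content-Type', value: 'text/html' }],
    'x-frame-options': [{ key: 'X-Frame-Options', value: 'SAMEORIGIN' }],
  },
} } }] };
```

Scanning the deployed site with the Mozilla Observatory, which the deck links to, confirms which of these headers actually reach the client.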

Page 36:

Travelex DevOps + Lambda@Edge

Let’s build a simple, secure web-site

Security considerations
🔒 Encryption in-flight using SSL/TLS
🔒 Hosting environment hardening and security controls
🔒 Client-side security (e.g. XSS, click-jacking, CSRF, ...)
🔒 DoS and DDoS

(...and don’t forget compliance considerations)
✅ Logs and audit trail
✅ Access control
✅ + about 300 control points, depending on your regime of choice

See: https://observatory.mozilla.org/ and https://www.ssllabs.com/

Page 37:

Travelex DevOps + Lambda@Edge

Compliance using infrastructure-as-code

✅ CloudFormation => auditable state of all infrastructure components; including firewalls and access controls
✅ git => robust audit trail of who changed what, when and why; can be reconciled with change management processes
✅ CloudFormation + git flow => auditable release management
✅ awspec + CI/CD logs => automated (!) test evidence
✅ CloudTrail => secure audit trail
✅ CloudFormation + IAM => don’t let people change things, only code
✅ CloudFormation + Ansible* => repeatable builds for multiple sites
✅ (see also: AWS Artifact)

*...for us, anyway

Page 38:

Lambda@Edge: Getting Started

Page 39:

Lambda@Edge Service Limits

Items                              Lambda@Edge    Lambda
Timeouts                           50 ms          300 seconds
Function “Power Level”             128 MB         128 MB – 1.5 GB
Function Deployment Package Size   1 MB           50 MB

• Runtime: Node.js 4.3
• Triggered by CloudFront Events
• Access: No network connections, AWS Region access, disk access, or VPC

Page 40:

Lambda@Edge Pricing

Just as with Lambda today, Lambda@Edge is priced on two dimensions
• $0.60 / million function executions
• $0.00000625125 per second of execution duration (128 MB per function)

For example - 10 million executions, 50ms each time
• Total charges = Compute charges (10M * 0.05sec * $0.00000625125 = $3.13) + Request charges (10M * $0.6/M = $6.00) = $3.13 + $6.00 = $9.13 per month

Page 41:

Recap – Using Lambda@Edge

Benefits:

Familiar programming model
• Standard Node.js

Write once, run everywhere
• Automatically deployed to the AWS network of 77 edge locations
• Requests are routed to the locations closest to your end users across the world

Bring your own code
• Self service through the Lambda console

Features:
- Header centric use cases (add, drop or modify headers)
- URL rewrites
- Response generation

Page 42:

Stay Tuned!

Please visit the AWS Lambda website (https://aws.amazon.com/lambda/) for upcoming news about the general availability of Lambda@Edge on our “What’s New” page

Page 43:

Thank you!

Page 44:

Remember to complete your evaluations!