
(STG206) Using Amazon CloudFront For Your Websites & Apps


Page 1: (STG206) Using Amazon CloudFront For Your Websites & Apps

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Alex Dunlap

GM, Amazon CloudFront

Jarrod Guthrie

Sr. Product Manager, Amazon CloudFront

Calin Nemes

Sr. Support Engineer, Amazon CloudFront

Matthew Baldwin

Sr. Software Development Engineer, Amazon CloudFront

October 2015

Using Amazon CloudFront to Improve

Performance, Availability and Cacheability

STG206

Page 2: What to expect from the session

• Best practices for setting up your origin

• Gaining visibility into your distribution

• How to improve cacheability

• How to test your configuration

Page 3: Best practices for setting up your origin

Page 4: Following origin best practices can give you…

Easier debugging

Better performance

Higher availability

Page 5: Five best practices

1. Use Amazon Route 53 health checks and DNS failover

2. Configure multiple origins

3. Secure your origin

4. Log request IDs

5. Set origin response headers

Page 6: Amazon Route 53 health checks and DNS failover

Health checks: automated requests sent over the Internet to your application to verify that it is reachable, available, and functional.

Failover: only return answers for resources that are healthy and reachable from the outside world, so that your end users are routed away from a failed or unhealthy part of your application.

Pages 7-11: Use Route 53 to improve availability & performance

(Diagram, built up over five slides; the only label that survives extraction is the region eu-west-1.)

Page 12: Configure multiple origins

Diagram: viewers request example.com from Amazon CloudFront, which routes each request to an origin by cache behavior (path pattern):

  * (default)  -> Elastic Load Balancing -> Amazon EC2 (dynamic content)
  /error/*     -> Amazon S3 (static content)
  /assets/*    -> Amazon S3 (static content)

Page 13: Access control: Restricting origin access

Amazon S3: Origin Access Identity (OAI)
• Prevents direct access to your Amazon S3 bucket, so requests cannot bypass Amazon CloudFront and whatever you enforce there
• Ensures every customer gets the performance benefit, because every request goes through the cache

Custom origin: block by IP address
• Whitelist only the Amazon CloudFront IP range
• Protects the origin from overload
• Ensures every customer gets the performance benefit

Pages 14-15: Origin Access Identity (OAI)
• Ensure only Amazon CloudFront can access the Amazon S3 bucket
• We make it simple for you

(Diagram: Amazon CloudFront reads from the Amazon S3 bucket in its region through the OAI; a custom origin is shown alongside for contrast.)

Pages 16-17: Shield custom origin
• Shield your custom origin
• Whitelist the Amazon CloudFront IP range

(Diagram: Amazon CloudFront in front of the custom origin, with the Amazon S3 bucket in its region shown alongside.)

Page 18: Shield custom origin
• Subscribe to Amazon SNS notifications on changes to the AWS IP ranges
• Automatically update security groups

(Diagram: a change to the AWS IP ranges -> Amazon SNS message -> AWS Lambda function -> security group update on the web app servers behind Amazon CloudFront.)
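The automation on this slide, written out as an added example (not code from the talk or from AWS): the part of the Lambda function that turns an IP-range change notification into a security-group change. The ip-ranges.json body and the SNS message are constructed samples in the real documents' shape (prefixes with ip_prefix, region and service; a notification carrying the file URL and its MD5); the boto3 calls that would apply the plan are described in a comment because they need credentials, and the 50-rule security-group quota is an assumption to check against your account. The function refuses a download whose MD5 does not match the notification, filters on service == CLOUDFRONT (the same prefixes are repeated under AMAZON), and produces only the delta, so a dedicated security group is never emptied and stale ranges are revoked.

```python
import hashlib
import json
from typing import Dict, List, Set

# Constructed sample with the layout of https://ip-ranges.amazonaws.com/ip-ranges.json
# (each prefix carries ip_prefix, region, service). Addresses are documentation ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1444000000",
    "createDate": "2015-10-05-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
        # CloudFront prefixes are repeated under AMAZON; filter on service, not region.
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "AMAZON"},
    ],
}).encode()

# Constructed body of the SNS notification about an IP-range change: the announced
# md5 of the file is what lets the function refuse a bad download.
SAMPLE_SNS_MESSAGE = {
    "create-time": "2015-10-05-00-00-00",
    "synctoken": "1444000000",
    "md5": hashlib.md5(SAMPLE_IP_RANGES).hexdigest(),
    "url": "https://ip-ranges.amazonaws.com/ip-ranges.json",
}

# Default inbound-rule quota per security group; an assumption, check your account.
MAX_RULES_PER_SG = 50


def verify_ip_ranges(body: bytes, announced_md5: str) -> dict:
    """Parse ip-ranges.json only if its MD5 matches the hash in the notification.

    A truncated, stale or tampered download is refused instead of being turned
    into firewall rules. MD5 is what AWS publishes here; it is an integrity check
    against the announced value, not a standalone security control."""
    actual = hashlib.md5(body).hexdigest()
    if actual != announced_md5:
        raise ValueError(f"ip-ranges.json md5 {actual} != announced {announced_md5}")
    return json.loads(body)


def cloudfront_prefixes(ranges: dict) -> Set[str]:
    """IPv4 CIDRs whose service is CLOUDFRONT (the AMAZON duplicates are dropped)."""
    return {p["ip_prefix"] for p in ranges["prefixes"] if p["service"] == "CLOUDFRONT"}


def plan_security_group_update(current: Set[str], wanted: Set[str]) -> Dict[str, List[str]]:
    """Diff the CIDRs a dedicated CloudFront security group allows against the
    CIDRs it should allow. Applying only the delta means an unchanged list is a
    no-op and the origin never passes through a moment with zero rules; revoking
    stale ranges matters because an address CloudFront gave up could be reused
    by someone else to reach the origin directly."""
    if len(wanted) > MAX_RULES_PER_SG:
        raise ValueError("more CloudFront prefixes than one security group holds; shard them")
    return {"authorize": sorted(wanted - current), "revoke": sorted(current - wanted)}


def handle_notification(message: dict, downloaded: bytes, current: Set[str]) -> Dict[str, List[str]]:
    """Core of the Lambda handler: verify, filter, diff. The boto3 calls that apply
    the plan (ec2 authorize_security_group_ingress / revoke_security_group_ingress,
    TCP 443 from each CIDR) are left out because they need AWS credentials."""
    ranges = verify_ip_ranges(downloaded, message["md5"])
    return plan_security_group_update(current, cloudfront_prefixes(ranges))


if __name__ == "__main__":
    # The group currently allows one CloudFront range and one stale non-CloudFront range.
    plan = handle_notification(SAMPLE_SNS_MESSAGE, SAMPLE_IP_RANGES,
                               {"203.0.113.0/24", "10.0.0.0/8"})
    print(json.dumps(plan, indent=2))
```

Treat the security group as dedicated to CloudFront ingress: any other rule in it is revoked by design, which is also what keeps a forgotten "temporary" allow-from-anywhere rule from surviving the next update.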

Page 19: Log Amazon CloudFront request IDs at origin

CloudFront sends its request ID to the origin in the X-Amz-Cf-Id header; the same value appears as x-edge-request-id in the CloudFront access logs, so logging it at the origin lets you join the two. Note that the client address the origin sees is the CloudFront edge, and the viewer's address arrives in X-Forwarded-For.

Nginx:

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$http_x_amz_cf_id"';

Apache:

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Amz-Cf-Id}i\"" combined

Page 20: Set origin response headers

CloudFront passes these origin response headers through to viewers and caches them with the object, so set them at the origin (Strict-Transport-Security is only honored by browsers when received over HTTPS; Cache-Control directives are comma-separated):

  Strict-Transport-Security: max-age=15552000
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  Cache-Control: public, max-age=300

Page 21: Demo

Page 22: Key takeaways

• Use Amazon Route 53's health checks and DNS failover

• Improve security by setting headers at your origin

• Enable logging

• Serve your static assets on Amazon S3

• Serve error pages from Amazon S3

Page 23: Gaining visibility into your distribution

Page 24: Visibility into your distribution

Four different ways to get visibility:

• AWS CloudTrail – for monitoring distribution config changes

• Near real-time metrics – Provided by Amazon CloudFront

• Amazon CloudFront reports – for analytics

• Amazon CloudWatch Logs – for custom monitoring

Page 25: Monitor distribution config changes

• Monitor changes to distribution configuration using AWS CloudTrail

• Get alarms when:

  • The distribution is disabled

  • Trusted signers are disabled (signed URLs and signed cookies are no longer enforced)

  • The custom TLS certificate changes
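As an added example of the alarms this slide asks for (not code from the talk), the detection logic over CloudTrail records: diff each UpdateDistribution against the last known configuration of that distribution and flag the three changes, plus a denied attempt and a deletion. eventSource and eventName are CloudFront's real CloudTrail values; the records, IAM ARNs and distribution id are constructed, and the lowerCamelCase layout of requestParameters.distributionConfig is an assumption to verify against an event from your own trail before wiring this to a CloudWatch Logs metric filter or a Lambda subscriber.

```python
from typing import Dict, List, Tuple

Alert = Tuple[str, str, str]  # (distribution id, what changed, who did it)

# Last known-good DistributionConfig per distribution. The key names mirror the
# CloudFront DistributionConfig in lowerCamelCase as CloudTrail records
# requestParameters; treat the exact layout as an assumption (see lead-in).
BASELINE: Dict[str, dict] = {
    "E1EXAMPLE": {
        "enabled": True,
        "viewerCertificate": {"iAMCertificateId": "ASCAEXAMPLE", "sSLSupportMethod": "sni-only"},
        "defaultCacheBehavior": {"trustedSigners": {"enabled": True, "quantity": 1, "items": ["self"]}},
    }
}


def _event(name, dist_id, cfg, actor="arn:aws:iam::123456789012:user/alice", when="2015-10-05T10:00:00Z"):
    """Build a constructed CloudTrail record; eventSource and eventName are the real values."""
    return {
        "eventTime": when, "eventSource": "cloudfront.amazonaws.com", "eventName": name,
        "userIdentity": {"arn": actor},
        "requestParameters": {"id": dist_id, "distributionConfig": cfg},
    }


# Constructed sample trail: the changes the slide asks to alarm on, plus noise.
SAMPLE_EVENTS = [
    _event("UpdateDistribution", "E1EXAMPLE", {  # signed URLs no longer enforced
        "enabled": True,
        "viewerCertificate": {"iAMCertificateId": "ASCAEXAMPLE", "sSLSupportMethod": "sni-only"},
        "defaultCacheBehavior": {"trustedSigners": {"enabled": False, "quantity": 0}},
    }, when="2015-10-05T10:01:00Z"),
    _event("UpdateDistribution", "E1EXAMPLE", {  # custom certificate swapped for the default
        "enabled": True,
        "viewerCertificate": {"cloudFrontDefaultCertificate": True},
        "defaultCacheBehavior": {"trustedSigners": {"enabled": False, "quantity": 0}},
    }, when="2015-10-05T10:02:00Z"),
    {"eventTime": "2015-10-05T10:02:30Z", "eventSource": "ec2.amazonaws.com",  # unrelated service
     "eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    dict(_event("UpdateDistribution", "E1EXAMPLE", {"enabled": False},  # refused by IAM
                actor="arn:aws:iam::123456789012:user/mallory", when="2015-10-05T10:03:00Z"),
         errorCode="AccessDenied"),
    _event("UpdateDistribution", "E1EXAMPLE", {  # distribution switched off
        "enabled": False,
        "viewerCertificate": {"cloudFrontDefaultCertificate": True},
        "defaultCacheBehavior": {"trustedSigners": {"enabled": False, "quantity": 0}},
    }, when="2015-10-05T10:04:00Z"),
]


def _signers_enabled(cfg: dict) -> bool:
    return bool(cfg.get("defaultCacheBehavior", {}).get("trustedSigners", {}).get("enabled", False))


def detect_config_changes(events: List[dict], baseline: Dict[str, dict]) -> List[Alert]:
    """Walk CloudTrail records in time order and emit the alarms from the slide.

    Denied calls (errorCode present) changed nothing, so they do not touch the
    baseline, but a refused attempt to disable a distribution is still surfaced.
    The baseline is advanced after each applied change so every alert fires once."""
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "cloudfront.amazonaws.com":
            continue
        params = ev.get("requestParameters") or {}
        dist_id, actor = params.get("id", "?"), ev.get("userIdentity", {}).get("arn", "?")
        if "errorCode" in ev:
            alerts.append((dist_id, f"denied {ev['eventName']} ({ev['errorCode']})", actor))
            continue
        if ev["eventName"] == "DeleteDistribution":
            alerts.append((dist_id, "distribution deleted", actor))
            baseline.pop(dist_id, None)
            continue
        if ev["eventName"] != "UpdateDistribution":
            continue
        new, old = params.get("distributionConfig") or {}, baseline.get(dist_id)
        if old is not None:
            if old.get("enabled", True) and not new.get("enabled", True):
                alerts.append((dist_id, "distribution disabled", actor))
            if _signers_enabled(old) and not _signers_enabled(new):
                alerts.append((dist_id, "trusted signers disabled", actor))
            if old.get("viewerCertificate") != new.get("viewerCertificate"):
                alerts.append((dist_id, "viewer TLS certificate changed", actor))
        baseline[dist_id] = new  # a first sighting only seeds the baseline
    return alerts


if __name__ == "__main__":
    for alert in detect_config_changes(SAMPLE_EVENTS, dict(BASELINE)):
        print(alert)
```

Seed the baseline from GetDistributionConfig when the detector starts, otherwise the first UpdateDistribution after deployment is silently accepted as the norm.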

Page 26: Amazon CloudFront near real-time metrics

• Provided in near real-time

• Via Amazon CloudWatch

• Alarm on 6 metrics:

• Requests

• Bytes downloaded

• Bytes uploaded

• 4XX error rate

• 5XX error rate

• Total error rate

Page 27: Amazon CloudFront reports to identify trends

• Cache hit/miss

• Incomplete downloads

• Top countries

• Mobile users

• Popular objects

Page 28: Generate custom metrics

• Amazon CloudFront access logs

• Delivered via Amazon Kinesis to Amazon S3 buckets

• Typically within an hour of an event happening

(Diagram: the edge locations deliver their access logs to Amazon S3.)

Page 29: Generate custom metrics

• Upload logs to Amazon CloudWatch using AWS Lambda

(Diagram: Amazon CloudFront -> Amazon S3 -> AWS Lambda -> Amazon CloudWatch -> alarm.)

Examples of custom metrics: keywords (e.g. bots), granular response codes (e.g. 4XX), requests to certain URLs, TLS versions
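One script, added here as an example (not from the talk), that covers both the request-id logging on page 19 and the custom metrics on this slide: it parses a CloudFront access log by its #Fields header, derives response-code class, cache result, TLS version and bot user-agent counts, and joins origin log lines written with the nginx log_format from page 19 to their CloudFront counterparts on X-Amz-Cf-Id. Both logs are constructed samples (documentation IP ranges, made-up request ids and a made-up distribution hostname); the field list is the 2015 web-distribution format, and the CloudWatch put_metric_data call that would publish the counters is left out. Origin lines with no matching request id show that the origin is reachable around CloudFront, which is what the shielding slides are meant to prevent.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed CloudFront access log in the 2015 web-distribution format. Real logs
# arrive gzip'd in S3; the parser keys on the #Fields line so it keeps working
# when later format versions append columns.
CF_FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status "
             "cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id "
             "x-host-header cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol ssl-cipher "
             "x-edge-response-result-type")
HOST = "d111111abcdef8.cloudfront.net"  # made-up distribution hostname


def _row(*cols: str) -> str:
    return "\t".join(cols)


SAMPLE_CF_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: " + CF_FIELDS,
    _row("2015-10-05", "10:00:00", "DUB2", "1024", "198.51.100.7", "GET", HOST, "/assets/v2/css/site.css", "200",
         "-", "Mozilla/5.0", "-", "-", "Hit", "REQ-HIT-0001", "www.example.com", "https", "300", "0.002", "-",
         "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "Hit"),
    _row("2015-10-05", "10:00:01", "DUB2", "512", "198.51.100.7", "GET", HOST, "/index.html", "200",
         "-", "Mozilla/5.0", "-", "-", "Miss", "REQ-MISS-0002", "www.example.com", "https", "300", "0.120", "-",
         "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "Miss"),
    _row("2015-10-05", "10:00:02", "DUB2", "400", "192.0.2.9", "GET", HOST, "/admin/", "403",
         "-", "python-requests/2.7", "-", "-", "Miss", "REQ-MISS-0003", "www.example.com", "http", "200", "0.080", "-",
         "-", "-", "Miss"),
    _row("2015-10-05", "10:00:03", "DUB2", "600", "192.0.2.10", "GET", HOST, "/index.html", "200",
         "-", "Googlebot/2.1", "-", "-", "Miss", "REQ-MISS-0004", "www.example.com", "https", "300", "0.090", "-",
         "TLSv1", "AES128-SHA", "Miss"),
])

# Constructed origin (nginx) lines in the log_format from page 19: the last two quoted
# fields are X-Forwarded-For (the viewer) and X-Amz-Cf-Id (the CloudFront request id).
SAMPLE_ORIGIN_LOG = "\n".join([
    '203.0.113.20 - - [05/Oct/2015:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" "198.51.100.7" "REQ-MISS-0002"',
    '203.0.113.20 - - [05/Oct/2015:10:00:02 +0000] "GET /admin/ HTTP/1.1" 403 400 "-" "python-requests/2.7" "192.0.2.9" "REQ-MISS-0003"',
    '203.0.113.21 - - [05/Oct/2015:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 600 "-" "Googlebot/2.1" "192.0.2.10" "REQ-MISS-0004"',
    '192.0.2.99 - - [05/Oct/2015:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 150 "-" "curl/7.43" "-" "-"',
])
ORIGIN_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)" "([^"]*)" "([^"]*)"$')
ORIGIN_KEYS = ("remote_addr", "time", "request", "status", "bytes", "referer", "user_agent", "x_forwarded_for", "x_amz_cf_id")
BOT_KEYWORDS = ("bot", "spider", "crawl", "python-requests", "curl/")


def parse_cloudfront_log(text: str) -> List[Dict[str, str]]:
    """Turn a CloudFront access log into dicts keyed by the names in its #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            if fields is None:
                raise ValueError("log data before #Fields header")
            cols = line.split("\t")
            if len(cols) != len(fields):
                raise ValueError(f"expected {len(fields)} columns, got {len(cols)}")
            rows.append(dict(zip(fields, cols)))
    return rows


def parse_origin_log(text: str) -> List[Dict[str, str]]:
    """Parse nginx lines written with the log_format shown on page 19; unparseable lines are skipped."""
    return [dict(zip(ORIGIN_KEYS, m.groups()))
            for m in (ORIGIN_LINE.match(line) for line in text.splitlines()) if m]


def custom_metrics(rows: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Counters for the metrics the slide lists: response-code class, cache result,
    TLS version (plaintext HTTP counted on its own) and bot-like user agents."""
    m = {"status_class": Counter(), "result_type": Counter(), "tls": Counter(), "bots": Counter()}
    for r in rows:
        m["status_class"][r["sc-status"][0] + "XX"] += 1
        m["result_type"][r["x-edge-result-type"]] += 1
        m["tls"][r["ssl-protocol"] if r["cs-protocol"] == "https" else "plaintext"] += 1
        if any(k in r["cs(User-Agent)"].lower() for k in BOT_KEYWORDS):
            m["bots"][r["cs(User-Agent)"]] += 1
    return m


def correlate(cf_rows: List[Dict[str, str]], origin_rows: List[Dict[str, str]]) -> Tuple[List[dict], List[dict]]:
    """Join origin lines to CloudFront lines on the request id.

    An origin line whose X-Amz-Cf-Id is absent or unknown to CloudFront did not come
    through the distribution (or carries a forged header): the origin is reachable
    directly and the shielding from pages 13-18 is not in place. Access logs can lag
    by about an hour, so only compare windows that fully overlap before treating an
    unmatched id as a bypass."""
    by_id = {r["x-edge-request-id"]: r for r in cf_rows}
    joined, bypass = [], []
    for o in origin_rows:
        cf = by_id.get(o["x_amz_cf_id"])
        if cf is None:
            bypass.append(o)
        else:
            joined.append({"request_id": o["x_amz_cf_id"], "viewer_ip": cf["c-ip"], "edge": cf["x-edge-location"],
                           "edge_status": cf["sc-status"], "origin_status": o["status"],
                           "edge_ip_seen_by_origin": o["remote_addr"]})
    return joined, bypass


if __name__ == "__main__":
    rows = parse_cloudfront_log(SAMPLE_CF_LOG)
    print(custom_metrics(rows))
    joined, bypass = correlate(rows, parse_origin_log(SAMPLE_ORIGIN_LOG))
    print(len(joined), "joined;", [b["remote_addr"] for b in bypass], "reached the origin around CloudFront")
```

The join also answers the support question the request-id slide is really about: for a given viewer complaint, the edge status, the origin status and the edge address the origin saw all come out of one lookup.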

Page 30: Demo

Page 31: Key takeaways

• Enable AWS CloudTrail

• Monitor your Amazon CloudFront reports

• Create alarms

• Subscribe to Amazon CloudFront access logs

• Push logs to Amazon CloudWatch

Page 32: How to improve cacheability

Page 33: Improving cacheability of your objects

• Versioning website assets

• Cache headers

• Shared distribution

• Forwarded values

• Path prefix invalidations

Page 34: Versioning website assets

Put the version in the path or the query string, so a new release is a new cache key and the old objects can keep a long TTL:

  <link href="//assets.example.com/assets/v1/css/jumbotron-narrow.css" rel="stylesheet">
  <link href="//assets.example.com/assets/v2/css/jumbotron-narrow.css" rel="stylesheet">
  <link href="//assets.example.com/assets/css/jumbotron-narrow.css?<md5sum>" rel="stylesheet">

The query-string form only works if the cache behavior forwards query strings to the origin; otherwise CloudFront ignores ?<md5sum> and keeps serving the one cached copy.

Page 35: Cache-Control & Expires

Origin response headers that drive the TTL:

  < Cache-Control: max-age=300
  < Cache-Control: max-age=30, s-maxage=3000
  < Expires: Thu, 18 Sep 2025 21:34:50 GMT

Set Min TTL, Default TTL and Max TTL on Amazon CloudFront: the origin's value is clamped into [Min TTL, Max TTL], and Default TTL applies only when the origin sends none of the headers above.

Page 36: Cache-Control & Expires

*.css, *.js or images (versioned, so they can be cached for a year):

  Cache-Control: public, max-age=31536000

index.html (short TTL; do not cache the Set-Cookie header):

  Cache-Control: no-cache="Set-Cookie", max-age=30

Live streaming:

  /*.m3u8 => Cache-Control: public, max-age=2
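The TTL rule behind these two slides (and behind the development-mode trick on page 44 of setting Max TTL to 0), as an added example rather than code from the talk: a small Cache-Control parser and the documented CloudFront precedence, s-maxage over max-age over Expires over Default TTL, with the result clamped into [Min TTL, Max TTL] and with no-store / private / bare no-cache only suppressing caching while Min TTL is 0. The index.html header above is written no-cache="Set-Cookie", a field-scoped no-cache per RFC 7234; treating it as cacheable with that header excluded follows the RFC, and whether CloudFront honours the field list is an assumption. NOW is a fixed clock for the Expires example, and header names are assumed to be in canonical case.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

YEAR = 31536000
NOW = datetime(2015, 10, 5, 12, 0, tzinfo=timezone.utc)  # fixed clock for the examples


def _split_directives(value: str):
    """Split on commas that are not inside a quoted-string, e.g. no-cache="A, B"."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'public, max-age=300, no-cache="Set-Cookie"' ->
    {'public': None, 'max-age': '300', 'no-cache': 'Set-Cookie'}; names are case-insensitive."""
    out: Dict[str, Optional[str]] = {}
    for directive in _split_directives(value):
        name, has_value, val = directive.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') if has_value else None
    return out


def cloudfront_ttl(headers: Dict[str, str], min_ttl: int, default_ttl: int, max_ttl: int,
                   now: datetime = NOW) -> Optional[int]:
    """Seconds CloudFront keeps an object, or None for 'not cached'.

    s-maxage beats max-age, either beats Expires, and Default TTL applies only when
    the origin sends none of them; the origin value is clamped into [min, max].
    no-store / private / a bare no-cache stop caching only while Min TTL is 0: with
    Min TTL > 0 CloudFront caches for Min TTL anyway, a common surprise. A
    field-scoped no-cache (no-cache="Set-Cookie") is treated as cacheable with that
    header excluded (RFC 7234 5.2.2.2); that CloudFront does the same is an assumption."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc or "private" in cc or ("no-cache" in cc and cc["no-cache"] is None):
        return None if min_ttl == 0 else min_ttl
    origin_ttl = None
    for directive in ("s-maxage", "max-age"):
        if cc.get(directive) and cc[directive].isdigit():
            origin_ttl = int(cc[directive])
            break
    if origin_ttl is None and headers.get("Expires"):
        try:
            origin_ttl = max(0, int((parsedate_to_datetime(headers["Expires"]) - now).total_seconds()))
        except (TypeError, ValueError):
            origin_ttl = 0  # unparseable or zone-less Expires treated as already expired (assumption)
    if origin_ttl is None:
        return max(default_ttl, min_ttl)
    return max(min_ttl, min(origin_ttl, max_ttl))


if __name__ == "__main__":
    prod = dict(min_ttl=0, default_ttl=86400, max_ttl=YEAR)   # CloudFront's default TTL settings
    dev = dict(min_ttl=0, default_ttl=0, max_ttl=0)            # page 44: Max TTL 0, nothing is cached
    for hdrs in ({"Cache-Control": "max-age=300"},
                 {"Cache-Control": "max-age=30, s-maxage=3000"},
                 {"Expires": "Thu, 18 Sep 2025 21:34:50 GMT"},
                 {"Cache-Control": 'no-cache="Set-Cookie", max-age=30'},
                 {"Cache-Control": "private, max-age=600"}):
        print(hdrs, "-> prod", cloudfront_ttl(hdrs, **prod), "dev", cloudfront_ttl(hdrs, **dev))
```

The private/min-TTL case is the one to test before raising Min TTL above 0 on a behavior that fronts personalised pages: it is the difference between "not cached" and "cached for Min TTL and served to the next viewer".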

Page 37: Shared distributions

• Share assets across multiple properties

(Diagram: static content in Amazon S3 served by one Amazon CloudFront distribution, assets.example.com, referenced from both www.example.com and www.example.org.)

Page 38: Forwarded values

• Check forwarded headers

• Query string forwarding

• Cookie forwarding

• Trusted Advisor checks

Page 39: Invalidations

• Last resort

• Only applies to the Amazon CloudFront cache, not to browsers or intermediary caches

Page 40: Demo

Page 41: Key takeaways

• Use versioning

• Use multiple cache behaviors

• Forward only required headers

• Use invalidations as last resort

Page 42: How to test your configuration

Page 43: Test your configuration

• Test in development mode

• Ensure content is cached correctly

• Performance testing

• Load testing

• Test SSL configuration

Page 44: Turn on development mode

• Set Max TTL to 0

• Without the need to constantly invalidate!

• Forwarding all headers would also stop caching, but it changes how requests reach the origin, so use the TTL instead

• Whitelist your IP using AWS WAF so the distribution is only accessible from the corporate network

• Signed cookies

Page 45: Ensure content is cached correctly

Check the cache hit/miss ratio of the distribution in the reports.

In the developer console of Chrome or Firefox, inspect the response headers:

• Age

• X-Cache (Hit from cloudfront / Miss from cloudfront)

• Cache-Control

• HSTS (Strict-Transport-Security)

Page 46: Performance testing

Three vantage points: backbone testing, last-mile testing, real-user testing.

Page 47: Load testing

Traditional load testing:

• Uses one client

• From a single region

• Hits a single IP

Ideal load testing:

• Clients from multiple locations

• Independent DNS requests

• Distributed across IPs

Either way, account for DNS load balancing and simulate the real user environment: CloudFront spreads load across edge IPs through DNS, so one client that resolves once and hammers a single IP does not exercise the distribution the way real users do.

Page 48: SSL Labs

• Verify your SSL config

Page 49: Demo

Page 50: Key takeaways

• Switch off caching during development mode

• Use RUM for performance testing

• If you load test - test from multiple locations

Page 51: Thank you!

Page 52: Remember to complete your evaluations!

Page 53: Related Sessions

SEC323: Securing Web Applications with AWS WAF

Friday, Oct 9 at 9:00 AM – 10:00 AM

Lando 4301B