Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv


Transcript of Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Page 1: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Amazon’s Content Delivery Service

Amazon CloudFront

Tom Witman, Global Business Development Manager, AWS Edge Services, Seattle, WA

Page 2: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

CloudFront: Content Delivery Network

• Highly Scalable Distributed Caching Network
• Global Infrastructure
• Dynamic, Static, and Streaming Object Delivery
• Highly Secure
• Robust Analytics
• Self Service
• Priced to Minimize Cost

Page 3: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Content Delivery Applies to any Use Case

• Media and Entertainment
• Gaming
• eCommerce
• Digital Advertising
• Software Downloads
• Mobile
• Dynamic Websites and Applications

Page 4: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

CloudFront and the AWS Ecosystem

• Integrates with AWS Resources
  – Rt53 DNS
  – Amazon Elastic Transcoder
  – S3 Storage
  – EC2 Compute and Elastic Load Balancing
  – Marketplace SaaS and SI partners
  – Mobile Hub

• Improves Scalability of other Amazon Resources

• Discounts on Data Transfer from Amazon S3 & EC2 to CloudFront

Page 5: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

CloudFront and the Hybrid Ecosystem

• Origins Can be Hosted on Site or in the Cloud
  – Custom origins for static / dynamic content
  – Fine grained control for custom origins, pass through headers
  – SSL/TLS session management between edge and origin

• Improves Scalability

Page 6: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

CloudFront Security and Compliance Features

• Compliance
  – PCI DSS Compliance
  – ISO 9001, 27001, 27017, 27018

• Security Enhancements to your infrastructure
  – Signed URLs
  – Signed Cookies
  – Enforce HTTPS to origin
  – Support for TLSv1.1 and TLSv1.2 between edge and origin
  – Add/Modify Request Headers Forwarded From CloudFront to Origin
  – Integration with AWS Certificate Manager
  – Integration with AWS WAF (web application firewall)
  – Geographic Restriction

Page 7: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

What You Look for in a CDN

• Performance: deliver content with low latency and high availability

• Reach and Functionality: provide global network of edge locations to optimally reach a wide audience

• Cost: ensure financial feasibility for scalable bit delivery

Page 8: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Common Features for Web Applications

Video Streaming
• RTMP (Flash) and HTTP(S) delivery
• Adaptive Bitrate Streaming (HLS, HDS, Smooth, MPEG-DASH)

Security
• Private Content
• SSL, TLS/SNI Support
• Advanced SSL (perfect forward secrecy, OCSP stapling, session tickets)
• Geo Restriction
• AWS WAF
• SSL Enforcement to Origin
• Custom Headers from Edge to Origin

Content Management
• AWS Management Console
• Full control via APIs
• Programmatic Invalidation
• Online Usage Reports and Charts
• Industry-compliant, detailed Access Logs
• GZIP Compression

Dynamic Content Acceleration
• Low Minimum Content Expiration Periods (TTL=0)
• Multiple Cache Behaviors
• Multiple Origin Servers
• CORS Support
• Origin Connection Protocol
• Viewer Connection Protocol
• Zone Apex Support
• Query String & Cookie Support
• PUT/POST HTTP Verb Support
• Full VARY Support
• User Agent Detection (Mobile/Desktop)
• Geo Targeting
• Multi-Site Hosting
• Wildcard Invalidations
• Persistent TCP Connections

Page 9: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

CloudFront Key Infrastructure Features

Video Streaming
• On-demand & Live Streaming
• RTMP (Flash) and HTTP(S)
• Adaptive Bitrate Live Streaming
• Microsoft Smooth Streaming

Whole Site Delivery
• Static & Dynamic Content
• Mobile Detect, CORS Support
• Multiple Cache Behaviors
• Multiple Origin Servers

Security
• Private Content (Signed URLs)
• Custom SSL (Dedicated IP & SNI)
• Geo Restriction
• HTTP to HTTPS Redirect

High Availability
• 99.9% SLA
• Automatic Origin Failover
• Custom Error Pages
• Serve Stale Content when Origin unavailable

High Performance
• Latency Based Routing
• TCP Optimization
• Persistent Connections
• EDNS Client Subnet

Low TCO
• Pay for use
• Commit-Based lower pricing
• Price Classes
• Preferential Pricing for AWS origins

Page 10: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

CloudFront Dynamic Site Performance

[Chart: Dynamic Site Performance (ms)*, y-axis 0 to 1200 ms, comparing two series, "Dynamic Delivery: CloudFront" and "Dynamic Delivery: Origin", at the 10th, 25th, 50th, 75th and 95th percentiles and the mean]

*Data from Cedexis, Last 5 Days, DSA Time Measure of the Ireland region

Page 11: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Performance: Industry Leading Latency and Availability

[Chart: Global Availability* in percent, y-axis 97 to 100, comparing CloudFront with CDN B, CDN C, CDN D and CDN E; plotted values 99.483, 99.373, 99.037, 98.848 and 98.056]

[Chart: Latency (Response Time)** in ms, y-axis 0 to 600, comparing CDN E, CloudFront, CDN B, CDN D and CDN C]

*Data from Cedexis, Last 30 Days, Availability measured over All Cedexis Regions. **Data from Cedexis, Last 30 Days, Response Time Measure of the United States.

Page 12: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

AWS Global Infrastructure – Spring 2016

AWS Regions and Availability Zones: 11 Regions, 30 Availability Zones

AWS Content Delivery Network: 54 CloudFront Edge Locations (PoPs), 38 Cities, 5 Continents

• North America: 15 Cities, 21 PoPs
• South America: 2 Cities, 2 PoPs
• Europe/Middle East/Africa: 10 Cities, 16 PoPs
• Asia Pacific: 11 Cities, 15 PoPs

2016 Amazon Web Services Confidential

Page 13: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Amazon CloudFront, Amazon Route 53, and AWS WAF Locations: 54 CloudFront Edge Locations (PoPs), 38 Cities, 5 Continents

[Map legend: CloudFront, Amazon Route 53, AWS WAF]

Page 14: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Amazon CloudFront, Amazon Route 53, and AWS WAF Locations: 54 CloudFront Edge Locations (PoPs), 38 Cities, 5 Continents

North America (15 Cities, 21 PoPs): Ashburn, VA (3); Atlanta, GA; Chicago, IL; Dallas/Fort Worth, TX (2); Hayward, CA; Jacksonville, FL; Los Angeles, CA (2); Miami, FL; New York, NY (3); Newark, NJ; Palo Alto, CA; San Jose, CA; Seattle, WA; South Bend, IN; St. Louis, MO

South America (2 Cities, 2 PoPs): Rio de Janeiro, Brazil; São Paulo, Brazil

Europe / Middle East / Africa (10 Cities, 16 PoPs): Amsterdam, The Netherlands (2); Dublin, Ireland; Frankfurt, Germany (3); London, England (3); Madrid, Spain; Marseille, France; Milan, Italy; Paris, France (2); Stockholm, Sweden; Warsaw, Poland

Asia Pacific (11 Cities, 15 PoPs): Chennai, India; Hong Kong, China (2); Manila, the Philippines; Melbourne, Australia; Mumbai, India; Osaka, Japan; Seoul, Korea (2); Singapore (2); Sydney, Australia; Taipei, Taiwan; Tokyo, Japan (2)

[Map legend: CloudFront, Amazon Route 53, AWS WAF, Edge location, AWS Region]

Page 15: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Amazon Elastic Transcoder Regional Deployments

Six Regions:
• US East (Virginia)
• US West (N. California)
• US West (Oregon)
• EU (Ireland)
• Asia Pacific (Singapore)
• Asia Pacific (Tokyo)

Page 16: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Manage Your Content Your Way

API:

    POST /2012-07-01/distribution HTTP/1.1
    Host: cloudfront.amazonaws.com
    Authorization: AWS authentication string
    Date: time stamp
    Other required headers

    <?xml version="1.0" encoding="UTF-8"?>
    <DistributionConfig xmlns="http://cloudfront.amazonaws.com/doc/2012-07-01/">

Console: management and reporting

Page 17: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

CloudFront Pricing: Competitive, Flexible Options

• On-demand, pay for use elastic pricing
• Same pricing for Static and Dynamic Content
• Usage Commitment Options
• GB delivery model
• No Platform Fees

Data Transfer Economies of Scale

[Chart: Price per GB (y-axis) against Data Transfer volume (x-axis), Public Rates versus Private Rates; price per GB falls as volume grows]

Page 18: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

CloudFront Pricing: Price Classes (performance / cost optimization on demand)

• All: 54 PoPs, 38 Cities, 19 Countries. Best Coverage
• North America + Europe: 36 PoPs, 25 Cities, 10 Countries. Lowest Cost
• North America + Europe + Asia: 50 PoPs, 34 Cities, 17 Countries. Great Coverage + Optimized Cost

Deliver Content Globally and Control Pricing to Fit Performance and Cost Objectives

Page 19: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Customer Support: Help When You Need It

• Enabled Self Service

• AWS Solution Architects and CloudFront Sales

• 24 Hour AWS Customer Service

• Dedicated Support Engineers

• Fast Response Times (<15 mins)*

* Depends on level of Support (http://aws.amazon.com/premiumsupport/)

Page 20: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

The Nitty Gritty: How It Works

General Use Cases
• Static Content
• Dynamic Content
• Custom Origins
• Behaviors
• Error Pages
• Invalidations

Media and Entertainment
• Asset Download and Progressive Video Playback and Download
• Streaming Media – Adaptive Bitrate Video on Demand (VoD)
• Streaming Media – Live Delivery
• Digital Publishing

Page 21: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Deliver All of Your Content: whole site delivery

[Diagram: Dynamic, Static and Video content, User Input, and SSL all delivered through CloudFront]

Page 22: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Automatic Scalability

CloudFront scales with demand while reducing load on your origin

[Diagram: Users A, B and C request the same content from CloudFront; only Request A is fetched from the Origin]

Page 23: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Reference Architecture: Overview
Static and Dynamic Content Delivery

[Diagram: example.com served by Amazon CloudFront; Static Content (*.jpg) from Amazon S3 or a Custom Origin; Dynamic Content (*.php) from Amazon EC2 behind Elastic Load Balancing or a Custom Origin]

Page 24: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Reference Architecture: HTTP Methods
Requests to the CloudFront edge

GET: Requests for content from the cache (HTTP, HTTPS and RTMP).

HEAD: Identical to GET except that the server MUST NOT return a message-body in the response. Used for obtaining meta-information about the entity implied by the request without transferring the entity-body itself.

POST: Used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line.

PUT: Requests that the enclosed entity be stored under the supplied Request-URI. The fundamental difference between POST and PUT is reflected in the different meaning of the Request-URI: for POST it identifies the resource that will handle the enclosed entity, for PUT it identifies the entity itself.

PATCH: Used to apply partial modifications to a resource.

DELETE: Requests that the origin server delete the resource identified by the Request-URI.

OPTIONS: Request for information about the communication options available on the request/response chain identified by the Request-URI.

Only GET and HEAD responses (and OPTIONS, where enabled) are served from the edge cache; PUT, POST, PATCH and DELETE are passed straight through to the origin and are not cached.

Page 25: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Reference Architecture: Determining Content Source
Overview of Rt53 Intelligent Routing Options

1) Request to www.mysite.com from the customer location.

2) The DNS query is answered by Route 53.

3) Route 53 examines geo source, weights, latency and health checks.

4) Route 53 returns an address based on the preceding criteria:
   Location A: Resolve to xyz.cloudfront.net
   Location B: Resolve to IP address of EC2
   Location C: Resolve to IP address of S3
   Location D: Resolve to IP address of non-AWS end point
   The request then goes to the chosen endpoint: Elastic Compute Cloud, S3, CloudFront or a Non-AWS End Point.

5) If the request is sent to CloudFront, then CloudFront determines the best PoP to send the requestor to based on the CDN rules.

Page 26: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Reference Architecture: Overview – Media/EntertainmentStreaming in Front of Your Origin

• Deliver Static and Dynamic Content

• Offload origin traffic to CloudFront CDN

• Serve LIVE Event Traffic to Large Crowds

• Serve VOD Media to any device

• Alter content based on User Agent

• Secure connections via SSL

• Authenticate via signed URLs

• Supports 3rd Party DRM

Static Content served from S3: *.jpg, *.m3u8, *.ts, *.css

Dynamic or Static Content served from ELB and/or EC2: *.php, *.js, *.m3u8, *.ts

Page 27: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Reference Architecture: CloudFront Origin Selection
Origin Selection Based on Intelligent Behavior Rules

Customer Location: www.mysite.com

Path Pattern Matching (/*.jpg, /*.php etc.):
GET http://mysite.com/images/1.jpg to ORIGIN A
GET http://mysite.com/index.php to ORIGIN B
GET http://mysite.com/web/home.css to ORIGIN C
GET http://mysite.com/* (DEFAULT) to ORIGIN D

Origins and their path patterns:
Origin A: origin.mysite.com, /images/*.jpg
Origin B: origin2.mysite.com, /*.php
Origin C: origin3.mysite.com, /web/*.css
Origin D: origin4.mysite.com, /*.* (DEFAULT)

Page 28: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Reference Architecture: HTTP Headers for Dynamic Content
VARY content served based on HTTP Headers

Content delivered to a request may vary depending on the request headers that were passed in the GET request. Each forwarded header becomes part of the cache key and is passed on to the origin for the appropriate content; every distinct value of a forwarded header therefore produces its own cached copy, which is why only the headers the origin actually varies on should be forwarded (forwarding Authorization, for example, caches one copy per credential value). Common headers supported are listed:

Header: Use of Header
Accept: Determine which content types are acceptable for the response
Accept-Charset: Determine which character sets are acceptable
Accept-Datetime: Determine which version in time is acceptable
Accept-Language: Determine the list of acceptable human languages for the response
Authorization: Used for credentials for HTTP authentication
CloudFront-Forward-Proto: HTTP protocol detected, to vary content based on session security (SSL vs. non-SSL)
CloudFront-Is-Desktop-Viewer: CloudFront user agent (UA) detected and set to desktop based on mapping
CloudFront-Is-Mobile-Viewer: CloudFront user agent (UA) detected and set to mobile based on mapping
CloudFront-Is-Tablet-Viewer: CloudFront user agent (UA) detected and set to tablet based on mapping
CloudFront-Viewer-Country: CloudFront geo-detected country code
Host: Domain name and TCP port of the server
Origin: Used for CORS; sets the allowed domain for the origin to honor and share assets
Referer: Sends the referring URL/URI to the origin to log referrers

*Note: custom headers are also supported, not just those listed here

Page 29: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Reference Architecture: CloudFront HTTP Headers Examples
VARY content served and cached based on Headers in the GET request

1) Vary response based on User Agent. Example: Desktop, Mobile, Tablet (CloudFront-Is-Mobile-Viewer for a mobile user, CloudFront-Is-Desktop-Viewer for a desktop user).

2) Vary response based on Language. Example: user would prefer Danish but will accept British English and other types of English (Accept-Language: da, en-gb;q=0.8, en;q=0.7).

3) Vary response based on Protocol. Example: CloudFront-Forward-Proto detected and customer sent different content based on connection type, SSL or non-SSL (the header value is "https" or "http").
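The behavior and header rules on the last three slides (origin selection by path pattern, and forwarded headers becoming part of the cache key), as an added example that is not code from the deck or from AWS. It models how an edge picks the first matching behavior and builds the cache key only from what that behavior forwards, and parses the Accept-Language example above. The behavior list, origin names, forwarded-header sets and sample requests are constructed, and Python's fnmatch stands in for CloudFront's own pattern matcher.

```python
# Added example, not code from the deck: a model of how a CloudFront-style edge
# picks a cache behavior by path pattern and derives the cache key from the
# headers and query string that behavior forwards. Behaviors, origins and
# sample requests are constructed for illustration.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Behavior:
    path_pattern: str                        # "*" alone is the default behavior
    origin: str                              # origin host that serves cache misses
    forward_headers: Tuple[str, ...] = ()    # whitelisted headers: forwarded AND part of the key
    forward_query: bool = False              # whether the query string joins the key


# Evaluated top to bottom; the first matching pattern wins and the default
# must come last, mirroring the deck's origins A to D.
BEHAVIORS: List[Behavior] = [
    Behavior("/images/*.jpg", "origin.mysite.com"),
    Behavior("/*.php", "origin2.mysite.com",
             forward_headers=("CloudFront-Is-Mobile-Viewer", "Accept-Language",
                              "CloudFront-Forward-Proto"),
             forward_query=True),
    Behavior("/web/*.css", "origin3.mysite.com"),
    Behavior("*", "origin4.mysite.com"),
]


def select_behavior(path: str, behaviors: List[Behavior] = BEHAVIORS) -> Behavior:
    # fnmatchcase's "*" matches "/" as well, which is how CloudFront's "*"
    # behaves ("/*.jpg" covers every .jpg in every directory).
    for b in behaviors:
        if fnmatchcase(path, b.path_pattern):
            return b
    raise LookupError("no default behavior configured")


def parse_accept_language(value: str) -> List[str]:
    # Order language tags by q-value (default 1.0), highest first, stable for ties.
    ranked = []
    for position, item in enumerate(value.split(",")):
        parts = [p.strip() for p in item.split(";")]
        tag, q = parts[0].lower(), 1.0
        for p in parts[1:]:
            if p.startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0
        if tag and q > 0:
            ranked.append((-q, position, tag))
    return [tag for _, _, tag in sorted(ranked)]


def pick_language(accept_language: str, supported: Tuple[str, ...], default: str) -> str:
    # First acceptable language the origin can actually serve, else the default.
    for tag in parse_accept_language(accept_language):
        if tag in supported:
            return tag
    return default


def cache_key(host: str, path: str, query: str, headers: Dict[str, str]) -> Tuple[str, str]:
    # Returns (origin, key). Everything the behavior does not forward is
    # stripped, so one cached object serves every viewer that differs only in
    # dropped headers (User-Agent here). Each whitelisted header multiplies the
    # number of cache entries; whitelisting Authorization would cache one copy
    # per credential value.
    b = select_behavior(path)
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    parts = [host, path]
    if b.forward_query and query:
        parts.append("?" + query)
    for name in b.forward_headers:
        parts.append(f"{name.lower()}={lowered.get(name.lower(), '')}")
    return b.origin, "|".join(parts)


if __name__ == "__main__":
    print(cache_key("mysite.com", "/index.php", "page=2",
                    {"CloudFront-Is-Mobile-Viewer": "true", "Accept-Language": "da, en-gb;q=0.8, en;q=0.7",
                     "CloudFront-Forward-Proto": "https", "User-Agent": "Mozilla/5.0"}))
```

Two requests that differ only in a header the behavior does not forward produce the same key and share one cached copy; flipping a forwarded header produces a new key and a separate cache fill.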

Page 30: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Reference Architecture: CloudFront Signed URL (Authentication)
Protecting Content from Unauthorized Access

Example signed URL:
http://mysite.com/asset.mp4?Expires=1357034400&Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA-j19DzZrvDh6hQ73lDx~-ar3UocvvRQVw6EkC~GdpGQyyOSKQim-TxAnW7d8F5Kkai9HVx0FIu-jcQb0UEmatEXAMPLE3ReXySpLSMj0yCd3ZAB4UcBCAqEijkytL6f3fVYNGQI6&Key-Pair-Id=APKA9ONS7QCOWEXAMPLE

1) The request for content (www.mysite.com/asset.mp4) first goes to an authentication server (EC2 Auth Server) to validate the user and generate a signed URL.

2) The signed URL is sent back to the customer as a 302 redirect from the auth server.

3) The request to CloudFront is made with the signed URL; CloudFront logic authenticates the URL, its policy statement and its expiration (verification of content freshness, i.e. the URL hasn't expired).

4) Once the policy statement for the signed URL is authenticated, CloudFront sets the cache key and sends the content to the requestor via the CloudFront edge cache.
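The signed-URL flow above, as an added example rather than AWS's or the deck's code. It builds the canned policy (Resource plus a DateLessThan AWS:EpochTime condition), signs it with RSA-SHA1 and applies CloudFront's URL-safe base64 substitutions to produce the Expires/Signature/Key-Pair-Id parameters, then performs the check CloudFront does at the edge: resolve Key-Pair-Id to a trusted public key, verify the signature over the reconstructed resource URL, and reject expired URLs. The key pair is generated on the fly and KEY_PAIR_ID is a constructed stand-in for a real CloudFront key pair ID; the block needs the cryptography package.

```python
# Added example, not AWS code: create and verify a CloudFront-style signed URL
# with a canned policy (Expires, Signature, Key-Pair-Id). The key pair and
# KEY_PAIR_ID are generated/constructed for the demo; in production the auth
# server holds the private key and CloudFront, not your origin, performs the
# verification shown in verify_signed_url.
import base64
import json
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

KEY_PAIR_ID = "APKAEXAMPLEKEYPAIRID"              # constructed stand-in for a real key pair ID
SIGNING_PARAMS = ("Expires", "Signature", "Key-Pair-Id")


def canned_policy(resource: str, expires: int) -> bytes:
    # Canned policy: fixed structure, no whitespace. It is never sent on the
    # wire, so the verifier must rebuild byte-identical policy from the URL.
    policy = {"Statement": [{"Resource": resource,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(policy, separators=(",", ":")).encode()


def cf_b64encode(data: bytes) -> str:
    # CloudFront's URL-safe base64: "+" -> "-", "=" -> "_", "/" -> "~"
    return base64.b64encode(data).decode().replace("+", "-").replace("=", "_").replace("/", "~")


def cf_b64decode(text: str) -> bytes:
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))


def make_test_keypair() -> rsa.RSAPrivateKey:
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def sign_url(resource: str, expires: int, private_key: rsa.RSAPrivateKey,
             key_pair_id: str = KEY_PAIR_ID) -> str:
    # RSA with PKCS#1 v1.5 padding over SHA-1 of the policy bytes, the scheme
    # CloudFront signed URLs use.
    signature = private_key.sign(canned_policy(resource, expires), padding.PKCS1v15(), hashes.SHA1())
    sep = "&" if "?" in resource else "?"
    return f"{resource}{sep}Expires={expires}&Signature={cf_b64encode(signature)}&Key-Pair-Id={key_pair_id}"


def verify_signed_url(signed_url: str, public_keys: Dict[str, rsa.RSAPublicKey],
                      now: Optional[int] = None) -> Tuple[bool, str]:
    now = int(time.time()) if now is None else now
    parts = urlsplit(signed_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    params = {k: v for k, v in query if k in SIGNING_PARAMS}
    if set(params) != set(SIGNING_PARAMS):
        return False, "missing signing parameters"
    try:
        expires = int(params["Expires"])
        signature = cf_b64decode(params["Signature"])
    except ValueError:                       # binascii.Error is a ValueError
        return False, "malformed signing parameters"
    public_key = public_keys.get(params["Key-Pair-Id"])
    if public_key is None:
        return False, "unknown Key-Pair-Id"  # untrusted signer, whatever the signature says
    # The signed resource is the URL without the three signing parameters, so
    # any change to the path, the remaining query string or Expires breaks it.
    remaining = [(k, v) for k, v in query if k not in SIGNING_PARAMS]
    resource = urlunsplit(parts._replace(query=urlencode(remaining)))
    try:
        public_key.verify(signature, canned_policy(resource, expires), padding.PKCS1v15(), hashes.SHA1())
    except InvalidSignature:
        return False, "bad signature"
    if now >= expires:                       # DateLessThan: valid only while now < expires
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    key = make_test_keypair()
    url = sign_url("http://mysite.com/asset.mp4", int(time.time()) + 300, key)
    print(url)
    print(verify_signed_url(url, {KEY_PAIR_ID: key.public_key()}))
```

The signature is checked before the expiry so that a tampered Expires fails as "bad signature" rather than being trusted as a timestamp, and an unknown Key-Pair-Id is rejected before any cryptography runs, which is the behaviour you want at the edge: only keys in the distribution's trusted set can mint URLs.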

Page 31: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Reference Architecture: CloudFront Routing Rules
Latency Based PoP Selection, Geo-Restriction, Price Classes

1) Request routed based on latency. Example: Customer in Rio routed to the least latent node, the Rio De Janeiro PoP location; content is sent to the requestor via the Rio De Janeiro CloudFront edge cache.

2) Request denied based on geo restriction. Example: Customer in a restricted country; the CloudFront edge cache denies the request, content is blocked due to geo rules, and a custom error page is sent back for the 403.

3) Request routed based on Price Class. Example: Price Classes set up to restrict content delivery to nodes in N. America and Europe for cost savings; the Rio De Janeiro customer is served from the Miami CloudFront edge cache, a Price Class enabled node.

Page 32: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Reference Architecture: Load Balancing
Load Balance between your CDN providers using Rt53

[Diagram: www.mysite.com resolves through Route 53 (Load Balance) to CNAME = xyz.cloudfront.net (CloudFront) or CNAME = xyz.somecdn.com (Non-AWS End Point: Custom Origin or Alternative CDN)]

Weighted Round Robin Routing
• CNAME = xyz.cloudfront.net, weight = 0-255
• CNAME = xyz.somecdn.com, weight = 0-255

Latency Based Routing
• CNAME = xyz.cloudfront.net, latency metric
• CNAME = xyz.somecdn.com, latency metric

Fail Over Routing
• CNAME = xyz.cloudfront.net, PRIMARY
• CNAME = xyz.somecdn.com, SECONDARY

Geolocation Routing
• CNAME = xyz.cloudfront.net, LOCATION 1…LOCATION X
• CNAME = xyz.somecdn.com, LOCATION 2…LOCATION Y

Page 33: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Reference Architecture: Load Balancing Cache Fills
Load Balance between your ORIGINs to fill the CloudFront Caches

[Diagram: www.mysite.com resolves to CloudFront; on a cache miss CloudFront fetches from origin.mysite.com, which Route 53 (Load Balance) resolves to EC2/S3/ELB origins in us-east or us-west, or to a Non-AWS End Point (Custom Origin or Alternative CDN)]

Weighted Round Robin Routing
• origin.mysite.com (us-east), weight = 0-255
• origin.mysite.com (us-west), weight = 0-255

Latency Based Routing
• origin.mysite.com (us-east), latency metric
• origin.mysite.com (us-west), latency metric

Fail Over Routing
• origin.mysite.com (us-east), PRIMARY
• origin.mysite.com (us-west), SECONDARY

Geolocation Routing
• origin.mysite.com (us-east), LOCATION 1…LOCATION X
• origin.mysite.com (us-west), LOCATION 2…LOCATION Y
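A model of the four Route 53 routing policies used on the two slides above (weighted round robin, latency, failover and geolocation), once in front of the CDNs and once in front of the origins. This is an added example, not Route 53 or AWS code: it reproduces the selection rules (health-checked records only, weight 0 never answers unless every weight is 0, PRIMARY before SECONDARY, exact location before the "*" default) over constructed records; the target names, latency figures and health states are made up for illustration.

```python
# Added example, not Route 53 code: a model of the routing policies the deck
# applies in front of the CDN (CloudFront vs. another CDN) and in front of the
# origins (us-east vs. us-west). Targets, latencies and health are constructed.
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Record:
    target: str                                             # CNAME target
    weight: int = 0                                         # weighted policy, 0-255
    latency_ms: Dict[str, float] = field(default_factory=dict)  # requester region -> ms
    role: str = ""                                          # "PRIMARY" / "SECONDARY" for failover
    locations: List[str] = field(default_factory=list)      # geolocation codes, "*" = default
    healthy: bool = True                                    # current health-check result


def live(records: List[Record]) -> List[Record]:
    # Every policy only ever answers with records whose health check passes.
    return [r for r in records if r.healthy]


def weighted(records: List[Record], rng: random.Random) -> Optional[Record]:
    # A record answers with probability weight / sum(weights). Weight-0 records
    # never answer unless every record has weight 0, then traffic is split equally.
    candidates = live(records)
    if not candidates:
        return None
    weights = [r.weight for r in candidates]
    if sum(weights) == 0:
        return rng.choice(candidates)
    return rng.choices(candidates, weights=weights, k=1)[0]


def latency_based(records: List[Record], requester_region: str) -> Optional[Record]:
    # Lowest measured latency from the requester's region wins.
    measured = [r for r in live(records) if requester_region in r.latency_ms]
    return min(measured, key=lambda r: r.latency_ms[requester_region], default=None)


def failover(records: List[Record]) -> Optional[Record]:
    # PRIMARY while its health check passes, otherwise SECONDARY.
    for role in ("PRIMARY", "SECONDARY"):
        for r in live(records):
            if r.role == role:
                return r
    return None


def geolocation(records: List[Record], viewer_location: str) -> Optional[Record]:
    # Exact location match first, then the "*" default record, else no answer.
    candidates = live(records)
    for r in candidates:
        if viewer_location in r.locations:
            return r
    for r in candidates:
        if "*" in r.locations:
            return r
    return None


# Constructed record sets for the two slides.
CDN_RECORDS = [
    Record("xyz.cloudfront.net", weight=200, latency_ms={"us": 40, "eu": 55},
           role="PRIMARY", locations=["US", "BR", "*"]),
    Record("xyz.somecdn.com", weight=55, latency_ms={"us": 60, "eu": 45},
           role="SECONDARY", locations=["DE"]),
]
ORIGIN_RECORDS = [
    Record("origin.mysite.com (us-east)", weight=128, latency_ms={"us-east": 5, "us-west": 70},
           role="PRIMARY", locations=["*"]),
    Record("origin.mysite.com (us-west)", weight=128, latency_ms={"us-east": 70, "us-west": 5},
           role="SECONDARY", locations=["US-CA"]),
]


def weighted_share(records: List[Record], draws: int, seed: int = 1) -> Dict[str, int]:
    # How many of `draws` answers each target receives; shows the weight split.
    rng = random.Random(seed)
    counts: Dict[str, int] = {}
    for _ in range(draws):
        r = weighted(records, rng)
        if r is not None:
            counts[r.target] = counts.get(r.target, 0) + 1
    return counts


if __name__ == "__main__":
    print(weighted_share(CDN_RECORDS, 1000))
    print(latency_based(CDN_RECORDS, "eu").target, failover(CDN_RECORDS).target)
```

The health gate is the part worth noticing: a record that fails its health check disappears from every policy, which is what turns failover and weighted records into an actual availability control rather than a static split.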

Page 34: Introduction to Amazon CloudFront - Pop-up Loft Tel Aviv

Reference Architecture: Intelligent Routing
Using CloudFront with Rt53: In front of the CDN and the Origins

1) A request is made for content; DNS resolves www.mysite.com to a CloudFront CNAME (CNAME = xyz.cloudfront.net) and the customer request is sent to CloudFront.

2) CloudFront selects the optimal edge location to serve content from based on Latency and Price Class.

3) For cache fills: Rt53 load balances between origins (EC2, S3 and ELB, load balanced via DNS, or a Non-AWS End Point: Custom Origin or Alternative CDN) based on weighted round robin or based on geo determination.

4) The customer requests and receives content from the optimal CloudFront PoP.