
Mod 12 Edge Services

Uploaded by

Idris Yusuf

Architecting on AWS

Module 12: Edge Services

Lab 6

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Poll question

What percentage of your workloads requires ultra-low latency to devices and users?

A. 0%

B. 1-25%

C. 26-50%

D. 51-75%

E. 76-100%

Module overview
• Business requests
• Edge fundamentals
• Amazon Route 53
• Amazon CloudFront
• DDoS protection
• AWS Outposts
• Present solutions
• Knowledge check
• Lab 6: Configure an Amazon CloudFront distribution with an Amazon S3 origin

Business requests

The network engineer needs to know:
• Is there a DNS solution for AWS that is both highly available and scalable?
• What service can provide the content delivery network that we need?
• How can we protect public-facing applications?
• Does AWS support any services running on premises to meet our latency and residency requirements?

Edge fundamentals

AWS Cloud at the edge
Delivering the cloud anywhere customers need it:

• AWS Regions
• Edge locations
• AWS Local Zones
• AWS Outposts
• AWS Snow Family

Edge services architecture
In this module, you learn about each AWS service involved in this example:

[Architecture diagram: Amazon Route 53, AWS WAF, Amazon CloudFront, and AWS Outposts; protected with AWS Shield]

Amazon Route 53

“Is there a DNS solution for AWS that is both highly available and
scalable?”

Route 53

• Resolves domain names to IP addresses
• Registers or transfers a domain name
• Routes requests based on latency, health checks, and other criteria

Route 53 public and private DNS

Public hosted zone
• Route to internet-facing resources
• Resolve from the internet
• Global routing policies

Private hosted zone
• Route to VPC resources
• Resolve from inside the VPC
• Integrate with on-premises private zones using forwarding rules and endpoints

Routing policies

Routing policies:
• Simple
• Failover
• Geolocation
• Geoproximity
• Latency-based
• Multivalue answer
• Weighted

Failover routing

Geolocation routing

[Diagram: Europe user, US user, Route 53]

Geoproximity routing

Latency-based routing

[Diagram: Route 53 with two paths, one at 137 millisecond latency and one at 76 millisecond latency]

Multivalue answer routing

example.com 10.1.1.2
example.com 10.1.1.3 (Unhealthy)
example.com 10.1.1.4
example.com 10.1.1.1

Weighted routing

[Diagram: Route 53 sends 90% weighted traffic to the existing production environment and 10% weighted traffic to the new production environment]

Amazon CloudFront

“What service can provide the content delivery network that we need?”

Content delivery networks

AWS uses a global network of 310+ points of presence.

Amazon CloudFront

• Global content delivery network
• Integrated with AWS WAF and AWS Shield
• Static or dynamic content
• Built-in security features

Edge caching

• Decrease latency by caching data at edge locations
• Increase security

[Diagram labels: Origin; Custom origin, Elastic Load Balancing, Amazon S3]

CloudFront caching steps

1. The request is routed to the optimal edge location.
2. Non-cached content is retrieved from the origin.
3. Origin content is transferred to a CloudFront edge location for caching.
4. Data is transferred to the user.

Configuring CloudFront

1. Choose your origin
• S3 bucket
• ELB load balancer
• Custom origin
• EC2 instance
• On-premises server

2. Create distribution
Define cache behavior:
• Path pattern
• Protocol policy
• HTTP methods
• Signed URL
• Cache policy
• Time to live (TTL)
• Cache key settings

(Optional)
• Associate function
• Associate AWS WAF web access control list (ACL)
• Add custom domain name

Improving performance

What AWS does:
• TCP optimization
• TLS 1.3 support
• Dynamic content placement

What you can do:
• Choose your caching strategy
• Improve your cache hit ratio
• Use Origin Shield

DDoS protection

“How can we protect public-facing applications?”

DDoS attacks

Each of the compromised hosts participates in the attack, generating a flood of requests to overwhelm the intended target.

OSI layer attacks
DDoS attacks can be categorized by the
Open Systems Interconnection (OSI) layer they attack.

Application layer attacks

Presentation layer attacks


Host Layer

Infrastructure layer attacks

Media Layer

AWS Shield

Managed DDoS protection service that protects your applications on AWS

Two types of protection:
• AWS Shield Standard
• AWS Shield Advanced

AWS WAF

Components of access control

Control traffic with ACL rule statements

Attack prevention
• SQL injection and cross-site scripting detection
• AWS Managed Rules for AWS WAF
• AWS Marketplace managed rule groups

Traffic filtering
• Rate limiting
• IP filtering with full Classless Inter-Domain Routing (CIDR) range support
• Geo-fencing by country

Pattern matching
• Regex match
• String match
• Size constraint match

Logical operation
• AND statement
• OR statement
• NOT statement

AWS Firewall Manager

• Centrally set up baseline security.
• Consistently enforce the protections.
• Seamlessly manage multiple accounts.

[Diagram: AWS Firewall Manager with AWS WAF, Amazon VPC security groups, AWS Shield Advanced, and AWS Network Firewall]

AWS Firewall Manager use cases

• Large number of accounts and resources
• New applications created all the time
• Central organization-wide visibility into threats

DDoS-resilient reference architecture

AWS Outposts

“Does AWS support any services running on premises to meet our latency
and residency requirements?”

AWS Outposts family

• Host AWS services on premises in your office or data center.
• Meet data residency requirements or create resources that provide low latency.
• Choose from a full AWS Outposts rack or a 1U or 2U-sized Outposts server.

(U = rack unit)

Outposts rack and Outposts servers

Outposts rack*
• Scale up to 96 42U–standard racks
• Pool compute and storage capacity between multiple Outposts racks
• Get more service options

Outposts servers
• Place in your own rack
• Choose from:
  • 1U Graviton-based processor
  • 2U Intel Xeon Scalable processor

*Outposts rack requires an AWS Enterprise Support plan

Outposts extend your VPC

AWS resources on Outposts

AWS service availability differs between Outposts racks and Outposts 1U and 2U servers. For more information about service availability, review the AWS Outposts User Guide.

Compute and storage
• Amazon EC2
• Amazon EBS
• Amazon S3

Networking
• Amazon VPC
• Application Load Balancer

Database
• Amazon Relational Database Service (Amazon RDS)
• Amazon ElastiCache

Containers
• Amazon Elastic Container Service (Amazon ECS)
• Amazon Elastic Kubernetes Service (Amazon EKS)

Review

Present solutions

Consider how you would answer the following:
• Is there a DNS solution for AWS that is both highly available and scalable?
• What service can provide the content delivery network that we need?
• How can we protect public-facing applications?
• Does AWS support any services running on premises to meet our latency and residency requirements?
Module review

In this module you learned about:
• Edge fundamentals
• Route 53
• Amazon CloudFront
• DDoS protection
• AWS Outposts

Next, you will review:
• Knowledge check
• Lab introduction

Knowledge check

Knowledge check question 1

What are the potential benefits of implementing a CloudFront distribution? (Select TWO.)

A Increased application security

B Two global static IP addresses

C Automatic redundancy for all application content

D Reduced latency for access to application content

E On-premises data caching

Knowledge check question 1 and answer

What are the potential benefits of implementing a CloudFront distribution? (Select TWO.)

A Increased application security (correct)

B Two global static IP addresses

C Automatic redundancy for all application content

D Reduced latency for access to application content (correct)

E On-premises data caching

Knowledge check question 2

Which of the following services offer DDoS protection? (Select TWO.)

A AWS Outposts

B Amazon EC2

C Network Load Balancer

D AWS Shield

E AWS WAF

Knowledge check question 2 and answer

Which of the following services offer DDoS protection? (Select TWO.)

A AWS Outposts

B Amazon EC2

C Network Load Balancer

D AWS Shield (correct)

E AWS WAF (correct)

Knowledge check question 3
A network engineer wants to route 80 percent of web traffic to the ap-southeast-2 Region. The remaining 20
percent of traffic will be directed to the eu-west-1 Region. Which Route 53 routing policy is the best choice for this
use case?

A Simple routing

B Weighted routing

C Geoproximity routing

D Geolocation routing

E Multivalue answer routing

Knowledge check question 3 and answer
A network engineer wants to route 80 percent of web traffic to the ap-southeast-2 Region. The remaining 20
percent of traffic will be directed to the eu-west-1 Region. Which Route 53 routing policy is the best choice for this
use case?

A Simple routing

B Weighted routing (correct)

C Geoproximity routing

D Geolocation routing

E Multivalue answer routing

Knowledge check question 4

What is a benefit of choosing Outposts servers when compared to an Outposts rack?

A More AWS services are available on Outposts servers

B Pool compute and storage capacity between multiple Outposts servers

C A smaller-sized device can be placed in your own rack

D You don’t need to host your Outposts servers in a data center

Knowledge check question 4 and answer

What is a benefit of choosing Outposts servers when compared to an Outposts rack?

A More AWS services are available on Outposts servers

B Pool compute and storage capacity between multiple Outposts servers

C A smaller-sized device can be placed in your own rack (correct)

D You don’t need to host your Outposts servers in a data center

Lab 6:
Configure an Amazon CloudFront distribution
with an Amazon S3 origin

Lab 6 diagram

Lab tasks

Task 1: Explore an existing CloudFront distribution.

Task 2: Create an Amazon S3 bucket.

Task 3: Configure the Amazon S3 LabBucket for public access.

Task 4: Upload an object into the bucket and test the public access.

Task 5: Add the bucket as an additional origin to the distribution.

Task 6: Secure the bucket with a CloudFront origin access identity.

Task 7: Test direct access to the file in the bucket using the S3 URL.

Task 8: Test access to the object in the bucket using the CloudFront distribution.
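
An added example, not part of the original lab material: the change made in Task 6 expressed as a bucket policy that only a CloudFront origin access identity (OAI) can use, with a check that flags any statement still open to anonymous principals. The bucket name, the OAI ID and the public-read policy standing in for Tasks 3-4 are constructed placeholders.

```python
import json

# Assumed placeholders (constructed, not from the lab): bucket name and OAI ID.
BUCKET = "example-lab-bucket"
OAI_ID = "EXAMPLEOAIID"

def oai_only_policy(bucket, oai_id):
    """Bucket policy that lets only the CloudFront OAI read objects (Task 6)."""
    principal = ("arn:aws:iam::cloudfront:user/"
                 f"CloudFront Origin Access Identity {oai_id}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }

def anonymous_allows(policy):
    """Return the Sids of Allow statements open to any principal ("*").

    Conditions are not evaluated, so a wildcard principal is always flagged.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    flagged = []
    for stmt in statements:
        principal = stmt.get("Principal")
        if isinstance(principal, dict):   # {"AWS": "..."} or {"AWS": [...]}
            principal = principal.get("AWS")
        values = principal if isinstance(principal, list) else [principal]
        if stmt.get("Effect") == "Allow" and "*" in values:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged

# Constructed stand-in for the public-read policy of Tasks 3-4.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}

if __name__ == "__main__":
    print("public policy flags:", anonymous_allows(PUBLIC_POLICY))
    print(json.dumps(oai_only_policy(BUCKET, OAI_ID), indent=2))
```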

End of Module 12

Corrections, feedback, or other questions?


Contact us at https://support.aws.amazon.com/#/contacts/aws-training.
All trademarks are the property of their owners.
