CDN and WAF on AWS 101
An introduction to Amazon CloudFront (Content Delivery Network), AWS WAF (Web Application Firewall), and related services.
Content delivery networks (CDN) and web application firewalls (WAF) are excellent for improving performance and security of your web-based applications. There are great offerings such as Imperva FlexProtect and Cloudflare. Alternatively, choosing AWS services including Amazon CloudFront and AWS WAF can be considerably cheaper, simpler to manage, and better integrated with your applications running on AWS. For example, ASP decreased costs by around 90% by switching to these AWS services.
Having helped multiple customers adopt these AWS services, it was time to write an introduction for people looking at CDN and WAF on AWS.
Serving all your traffic directly from web-servers means you’d have to handle all the spikes in load, deal with denial of service attacks, and defend against all security vulnerabilities such as SQL injection.
You can buy a CDN and WAF offering, directing user traffic to this service which then forwards requests to your application endpoint. This will cache results and will block a lot of malicious traffic. There are excellent offerings such as Imperva FlexProtect, Cloudflare, Akamai and Fortinet to name but a few. However, these are expensive.
AWS Services Overview
A common solution is to use Amazon CloudFront as the CDN for HTTP caching, AWS WAF for the web application firewall, AWS Shield for DDoS protection, S3 for storing the static web content, an Application Load Balancer in front of an auto-scaling group of web-servers for dynamic content, AWS Certificate Manager for SSL/TLS certificates, and Route 53 for DNS.
This blog looks at the main services. That’s a lot to cover, so please pick and choose the sections most relevant for you!
Amazon CloudFront is a content delivery network (CDN). It provides HTTP caching at edge locations close to your users, improving performance for users and reducing the load on your web-servers.
Even if the response is not cached, performance is often improved (particularly for distant users) because requests are sent over the AWS global network backbone. This allows efficient transmission between edge locations and other AWS regions.
To use CloudFront, you create a CloudFront distribution that points at your “origin” (i.e. the authoritative source of your website, be that on web-servers or in S3). You configure your caching rules (e.g. time-to-live, and which query parameters and headers to consider when caching), and then configure DNS for your website to point at your CloudFront distribution.
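As an added example (not code from the original post), here is that setup in Terraform: a distribution whose origin is an Application Load Balancer, a cache policy that keys the cache on two query strings with a one-hour default TTL, and a Route 53 alias record pointing the site at the distribution. The ALB (`aws_lb.web`), the hosted zone (`aws_route53_zone.site`), the ACM certificate (`aws_acm_certificate.site`, which must be issued in us-east-1 for CloudFront) and the hostname `www.example.com` are assumed placeholders.

```hcl
# Added example (not from the original post): a CloudFront distribution whose
# origin is an Application Load Balancer, a cache policy keyed on two query
# strings with a one-hour default TTL, and a Route 53 alias record for the
# site. Assumed to exist elsewhere: aws_lb.web, aws_route53_zone.site and
# aws_acm_certificate.site (which must be in us-east-1 for CloudFront);
# "www.example.com" is a placeholder hostname.

resource "aws_cloudfront_cache_policy" "web" {
  name        = "web-cache-policy"
  min_ttl     = 0
  default_ttl = 3600  # used when the origin sends no Cache-Control/Expires
  max_ttl     = 86400

  parameters_in_cache_key_and_forwarded_to_origin {
    # Only these query strings vary the cached object; cookies and extra
    # headers are neither part of the cache key nor forwarded.
    query_strings_config {
      query_string_behavior = "whitelist"
      query_strings {
        items = ["page", "lang"]
      }
    }
    cookies_config {
      cookie_behavior = "none"
    }
    headers_config {
      header_behavior = "none"
    }
    enable_accept_encoding_gzip   = true
    enable_accept_encoding_brotli = true
  }
}

resource "aws_cloudfront_distribution" "web" {
  enabled     = true
  aliases     = ["www.example.com"]
  price_class = "PriceClass_100"

  origin {
    origin_id   = "alb-origin"
    domain_name = aws_lb.web.dns_name

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "alb-origin"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = aws_cloudfront_cache_policy.web.id
    compress               = true
  }

  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate.site.arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }
}

# DNS for the site points at the distribution via an alias record.
resource "aws_route53_record" "www" {
  zone_id = aws_route53_zone.site.zone_id
  name    = "www.example.com"
  type    = "A"

  alias {
    name                   = aws_cloudfront_distribution.web.domain_name
    zone_id                = aws_cloudfront_distribution.web.hosted_zone_id
    evaluate_target_health = false
  }
}
```

Two things worth checking on a real deployment: the `headers_config` of `"none"` means the origin never sees the viewer's `Authorization` or custom headers unless you list them, so authenticated paths usually need a second cache behaviour with a different policy; and `origin_protocol_policy = "https-only"` requires the ALB to present a certificate valid for its own DNS name or for the hostname CloudFront sends in the Host header.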
As well as accelerating static and dynamic web-content, CloudFront can be used for other use-cases including:
- Streaming video traffic: for broadcasting a live stream or for video on demand (VOD).
- Customising the site’s behaviour at the edge by using Lambda@Edge to execute code, transforming the HTTP request and response. For example, resizing images could be done at the edge, or personalising the content based on the user’s country.
- Improving security with field-level encryption: specific sensitive fields (e.g. a card number) are encrypted at the edge with a public key before the request is forwarded, and only the part of your application holding the private key decrypts them when needed - so intermediate components and logs never see the plaintext.
Pricing is a pay-per-use model. Pricing depends on the region and some other nuances, but the basics are:
- $0.085 per GB of data transferred out to the users
- $0.02 per GB of data sent to the origin
- $0.01 per 10,000 HTTPS requests processed by CloudFront.
If you commit to a minimum usage, AWS discounted pricing can massively reduce those list prices.
AWS Global Accelerator
AWS Global Accelerator is an alternative to CloudFront - it improves performance and availability of your applications, but without the caching!
The Global Accelerator provides two static anycast IPv4 addresses, which route traffic to your application. It supports any TCP or UDP traffic, and routes this efficiently over the AWS global network backbone.
The endpoints behind it can be any of Application Load Balancers (ALB), Network Load Balancers (NLB), EC2 instances, and Elastic IP addresses.
Use cases include:
- TCP/UDP traffic.
By supporting more than just HTTP(S), it can be used for a wide range of applications including in finance, media and gaming.
- Routing to the closest region.
Route traffic to your application running in the region closest to the user, or based on compliance rules (e.g. keeping a country's traffic in-region).
- Resilience and disaster recovery.
Route traffic based on automatic health checks: if one of your application endpoints is affected by an outage, Global Accelerator automatically routes traffic to an alternative endpoint.
- Static IPs.
Some use-cases need stable IP addresses. For example, IoT devices that do not support DNS lookups, an enterprise customer who must allow-list access to your service's IPs, or a DNS domain apex hosted outside of AWS (where you cannot use an alias record).
- Reduced end-user latency.
Traffic enters the AWS network at the nearest edge and is routed efficiently over the AWS global network backbone rather than the public internet.
- Single internet-facing access point.
By routing all user traffic through the Global Accelerator, the endpoints behind it can be more locked down, reducing the attack surface and the risk from DDoS attacks.
Pricing is a combination of fixed-cost-per-hour and a pay-per-use model (again pricing varies slightly between regions):
- $0.025 per hour per Global Accelerator.
- Data transfer costs of $0.015 per GB transferred over the AWS network. This is described as the “DT-Premium fee” where you are charged only for the “dominant data transfer direction” (i.e. for the larger of the egress or ingress going through that Global Accelerator).
- Normal data transfer costs for your endpoints still apply (e.g. normal egress and data processing costs when using an Application Load Balancer).
AWS WAF (Web Application Firewall)
AWS WAF (web application firewall) lets you define rules that allow, block or count HTTP(S) requests to your application. This helps to block threats such as SQL injection and cross-site scripting attacks.
AWS Managed Rules are a great starting point for blocking common threats. You can also configure your own rules, for example rate limiting per source IP, or blocking requests that match a regex pattern.
You can attach a WAF web ACL (access control list) to either CloudFront or an Application Load Balancer. We recommend attaching it to your load balancer, in case someone manages to bypass CloudFront and communicate directly with your load balancer. (Aside: if you do want to prevent direct communication with your load balancer, combine two techniques: a security group that only admits CloudFront's origin-facing IP ranges, which on its own still admits traffic from anyone's CloudFront distribution, not just yours; and a custom secret header that your distribution adds to every request it forwards to the origin and that the WAF requires to be present with the right value.)
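As an added example (not code from the original post), the aside above and the WAF rules described before it, in Terraform: a security group that admits only CloudFront's origin-facing prefix list, and a web ACL on the ALB whose first rule blocks any request lacking the shared secret header, followed by the AWS managed common rule set. Assumed to exist elsewhere: `var.vpc_id`, `var.origin_secret` (a `sensitive` string variable) and `aws_lb.web`, whose `security_groups` include the `aws_security_group.alb` defined here; the header name `X-Origin-Verify` is our own choice, not an AWS convention.

```hcl
# Added example (not from the original post): the two lockdown techniques
# from the aside above, plus a WAF web ACL with a managed rule group, all
# attached to the ALB. Assumed to exist elsewhere: var.vpc_id, var.origin_secret
# (a sensitive string) and aws_lb.web (whose security_groups include
# aws_security_group.alb); "X-Origin-Verify" is our own header name.

# 1) Only CloudFront's origin-facing IP ranges may reach the ALB. AWS keeps
#    this managed prefix list current, but it admits traffic from ANY
#    CloudFront distribution, not just ours; hence the secret header below.
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

resource "aws_security_group" "alb" {
  name   = "alb-from-cloudfront-only"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "alb_from_cloudfront" {
  security_group_id = aws_security_group.alb.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_id    = data.aws_ec2_managed_prefix_list.cloudfront.id
}

# 2) The distribution sends the secret on every origin request via a
#    custom_header block (name "X-Origin-Verify", value var.origin_secret)
#    in its origin; the WAF on the ALB blocks requests lacking that value.
resource "aws_wafv2_web_acl" "alb" {
  name  = "web-acl"
  scope = "REGIONAL" # "CLOUDFRONT" (created in us-east-1) for a distribution

  default_action {
    allow {}
  }

  rule {
    name     = "require-origin-verify-header"
    priority = 0
    action {
      block {}
    }
    statement {
      not_statement {
        statement {
          byte_match_statement {
            positional_constraint = "EXACTLY"
            search_string         = var.origin_secret
            field_to_match {
              single_header {
                name = "x-origin-verify" # WAFv2 wants header names lowercase
              }
            }
            text_transformation {
              priority = 0
              type     = "NONE"
            }
          }
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "require-origin-verify-header"
      sampled_requests_enabled   = true
    }
  }

  # AWS managed rule group (SQLi, XSS, ...): counts as one rule for pricing.
  rule {
    name     = "aws-managed-common"
    priority = 10
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-managed-common"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "web-acl"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.web.arn
  web_acl_arn  = aws_wafv2_web_acl.alb.arn
}
```

Caveats a practitioner should know: the secret ends up in the WAF rule and in Terraform state, so protect state as you would any credential and rotate the value by changing it in the distribution and the rule together; the CloudFront prefix list counts its full entry weight against the security group's rule quota, so keep that group dedicated to the ALB; and a custom rate limit is just another `rule` using a `rate_based_statement` (with `limit` and `aggregate_key_type = "IP"`) in place of the managed rule group statement. Start managed rule groups in count mode (`override_action { count {} }`) and review the sampled requests before switching them to block, or legitimate traffic may be dropped.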
AWS WAF pricing is a combination of fixed-cost-per-hour and a pay-per-use model:
- $5.00 per month (pro-rated hourly) per WAF ACL (Access Control List)
- $1.00 per month (pro-rated hourly) per rule (a managed rule group luckily counts as just one rule for pricing purposes)
- $0.60 per 1 million requests
For a further comparison of AWS WAF and alternatives, see this Gartner comparison. The overall scores (out of 5, as at the time of writing) are summarised in the table below:
AWS offers astonishingly good distributed denial of service (DDoS) protection. For example, AWS thwarted one of the largest ever DDoS attacks in February 2020 when it handled an attack rate of 2.3 Tbps.
AWS Shield Standard offers basic DDoS protection. For no additional costs, it defends against the most common network and transport layer DDoS attacks when you use services like Application Load Balancer (ALB), CloudFront, and Route 53 (for DNS).
AWS Shield Advanced gives even more protection, but it's not cheap, costing more than $3,000 per month. Benefits include:
- Handle much larger attacks (e.g. by promoting your network ACL to the AWS border, to block multiple terabytes of traffic).
- 24x7 support from the AWS DDoS Response Team (DRT), including proactive help.
- Define custom health-checks to improve responsiveness and accuracy in attack detection and mitigation.
- Improved visibility to attacks with access to real-time metrics and reports.
- Some cost protection against spikes caused by DDoS attacks.
AWS Shield Standard is free. The pricing for AWS Shield Advanced is:
- $3,000 per month (minimum commit of 1 year) to cover your entire AWS Organization.
- A data transfer out fee per GB, depending on the service being protected - e.g. $0.025 per GB for CloudFront, or $0.05 per GB from an Application Load Balancer.
AWS Certificate Manager
To manage SSL/TLS certificates on the load balancer, you can use the AWS Certificate Manager service. Advantages include:
- Simplified operations:
- Certificate is fully managed, including auto-renewal.
- Improved reliability:
- Certificate auto-renewal removes a surprisingly common cause of outages: expired certificates!
- Decreased load on the web-servers:
- Terminating TLS at the load balancer (with the ACM certificate) removes the cost of the TLS handshake from the web-server, though this benefit is usually negligible: the handshake is not that expensive.
AWS Certificate Manager is a free service for public certificates. It also has an option for a private certificate authority to create and deploy private certificates programmatically, which is a chargeable service.
Application Load Balancer
Using a load balancer is an important prerequisite for some of the services we’ve just talked about. For thoroughness, let’s cover the advantages of putting an AWS Application Load Balancer in front of your web-servers:
- Security improvements:
- Application Load Balancer forwards only valid HTTP requests. This protects you against attacks such as TCP SYN Flood.
- The VM can be much more locked down as it only needs to be reachable from load balancers (no direct access); we can combine this with the use of Systems Manager Session Manager to entirely remove the public IP address from the VM.
- Highly available cluster:
- The load balancer can forward requests to multiple web servers, which can be provisioned across multiple AZs. This removes the single point of failure.
- The load balancer can handle health checks to forward requests only to healthy web servers.
- This enables lots of benefits, including better upgrade processes where we provision new VMs rather than reconfiguring the existing production VMs (part of the “pets vs cattle” argument).
- Simplified operations:
- The Application Load Balancer is highly-available, auto-scaling, fault-tolerant and fully managed by AWS.
- Putting the site into maintenance mode is simpler: it can be done at the load-balancer level, allowing the VM to be taken entirely offline.
- SSL Termination can be done at the load balancer, and http (port 80) from the ALB to the web servers (if infosec don’t require end-to-end encryption). This reduces the responsibilities (and thus the configuration) of web-servers.
- Decreased load on the web-servers:
- By using HTTP keep alive, the same connection can be reused from the load balancer to the web-servers.
If your web-servers run on VMs, you can use an auto-scaling group. This allows you to replace failed servers and to automatically scale up and down based on load or based on time of day. The load balancer will be automatically updated as VMs are added/removed.
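As an added example (not code from the original post), the ALB and auto-scaling group above in Terraform, showing the points listed: TLS termination with the ACM certificate, port 80 redirecting to HTTPS, ELB health checks driving both routing and instance replacement, and web-servers with no public IP that accept traffic only from the load balancer's security group. Everything under `var.*`, plus `aws_security_group.alb` and `aws_acm_certificate.site` (issued in the ALB's region), is assumed to be defined elsewhere.

```hcl
# Added example (not from the original post): an internet-facing ALB that
# terminates TLS with an ACM certificate, redirects port 80 to 443 and
# forwards only to healthy web-servers in an auto-scaling group that have
# no public IPs. Assumed to exist elsewhere: var.vpc_id, var.public_subnet_ids,
# var.private_subnet_ids, var.ami_id, var.ssm_instance_profile (for Session
# Manager), aws_security_group.alb and aws_acm_certificate.site (same region).

resource "aws_lb" "web" {
  name                       = "web-alb"
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.alb.id]
  subnets                    = var.public_subnet_ids
  drop_invalid_header_fields = true # reject malformed headers at the edge
}

resource "aws_lb_target_group" "web" {
  name     = "web-tg"
  port     = 80
  protocol = "HTTP"
  vpc_id   = var.vpc_id

  health_check {
    path                = "/healthz"
    healthy_threshold   = 2
    unhealthy_threshold = 3
  }
}

resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.web.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# TLS ends here; the hop to the web-servers is plain HTTP inside the VPC.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.site.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# Web-servers accept port 80 from the ALB's security group only.
resource "aws_security_group" "web" {
  name   = "web-from-alb-only"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "web_from_alb" {
  security_group_id            = aws_security_group.web.id
  ip_protocol                  = "tcp"
  from_port                    = 80
  to_port                      = 80
  referenced_security_group_id = aws_security_group.alb.id
}

resource "aws_launch_template" "web" {
  name_prefix   = "web-"
  image_id      = var.ami_id
  instance_type = "t3.small"

  iam_instance_profile {
    name = var.ssm_instance_profile # Session Manager instead of SSH
  }

  network_interfaces {
    associate_public_ip_address = false
    security_groups             = [aws_security_group.web.id]
  }
}

resource "aws_autoscaling_group" "web" {
  name                      = "web-asg"
  min_size                  = 2
  max_size                  = 6
  vpc_zone_identifier       = var.private_subnet_ids
  target_group_arns         = [aws_lb_target_group.web.arn]
  health_check_type         = "ELB"
  health_check_grace_period = 120

  launch_template {
    id      = aws_launch_template.web.id
    version = "$Latest"
  }
}
```

Two design points: `health_check_type = "ELB"` means the group replaces an instance the load balancer marks unhealthy, not only one whose EC2 status checks fail, which is what makes the "cattle" upgrade model work; and the maintenance mode mentioned above is a change to the HTTPS listener's `default_action` (for example a `fixed-response` returning 503), so the instances can be taken offline without touching them.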
AWS Pricing Summary
The services described above have a mixture of pricing models based on load and pricing per hour of using that service.
Importantly, the pricing model lets the costs flex with load. This is a big differentiator compared to some 3rd party services where you have to pay based on your maximum predicted load (e.g. paying a five-figure sum per month to handle an expected peak load of 200 Mbps).
AWS pricing is often nuanced and complicated to explain or predict, with the price depending on your specific use-case. However, the pay-as-you-go model means you can monitor costs over time and adjust your configuration accordingly.
AWS also offers big discounts for large-scale users. For example, if your CloudFront usage is consistently near or over 10TB per month then it’s worth considering AWS discounted pricing. With this model, you commit to a certain minimum usage per month and get very large cost reductions in exchange.
These AWS services offer a powerful combination to deliver a cost-effective, secure, highly scalable and managed solution. If you’re using a 3rd party CDN or WAF, it’s worth thinking about moving to these AWS services. If these are not part of your architecture, it may be worth adding them.
An AWS Advanced Consulting Partner like Cloudsoft would be happy to help you better understand, evaluate and adopt the services described here. Ask Cloudsoft for a free consultation to get started or to discuss your existing AWS usage.
About the Author
Aled Sage is VP Engineering at Cloudsoft, helping customers migrate to and improve their usage of cloud. For migrations, we help customers to prepare for and execute the migration - both the organisational change and the technical work required to make cloud adoption a success. For those already in the cloud, we offer a range of services: Well-Architected reviews to help with continual improvement, assistance with cloud cost optimisation and controls through FinOps and cost analysis, 24/7 support for your applications, and modernisation (including Windows-based applications).