Content delivery networks (CDN) and web application firewalls (WAF) are excellent for improving performance and security of your web-based applications. There are great offerings such as Imperva FlexProtect and Cloudflare. Alternatively, choosing AWS services including Amazon CloudFront and AWS WAF can be considerably cheaper, simpler to manage, and better integrated with your applications running on AWS. For example, ASP decreased costs by around 90% by switching to these AWS services.
Having helped multiple customers adopt these AWS services, I thought it was time to write an introduction for people evaluating CDN and WAF options on AWS.
Serving all your traffic directly from web-servers means you’d have to handle all the spikes in load, deal with denial of service attacks, and defend against all security vulnerabilities such as SQL injection.
You can buy a CDN and WAF offering, directing user traffic to this service which then forwards requests to your application endpoint. This will cache results and will block a lot of malicious traffic. There are excellent offerings such as Imperva FlexProtect, Cloudflare, Akamai and Fortinet to name but a few. However, these are expensive.
A common solution is to use Amazon CloudFront as the CDN for HTTP caching, AWS WAF for the web application firewall, AWS Shield for DDoS protection, S3 for storing the static web content, an Application Load Balancer in front of an auto-scaling group of web-servers for dynamic content, AWS Certificate Manager for SSL/TLS certificates, and Route 53 for DNS.
This blog looks at the main services. That’s a lot to cover, so please pick and choose the sections most relevant for you!
Amazon CloudFront is a content delivery network (CDN). It provides HTTP caching at edge locations close to your users, improving performance for users and reducing the load on your web-servers.
Even if the response is not cached, performance is often improved (particularly for distant users) because requests are sent over the AWS global network backbone. This allows efficient transmission between edge locations and other AWS regions.
To use CloudFront, you create a CloudFront distribution that points at your “origin” (i.e. the authoritative source of your website, be that on web-servers or in S3). You configure your caching rules (e.g. time-to-live, and which query parameters and headers to consider when caching), and then configure DNS for your website to point at your CloudFront distribution.
As well as accelerating static and dynamic web-content, CloudFront can be used for other use-cases including:
Pricing is a pay-per-use model. Pricing depends on the region and some other nuances, but the basics are:
If you commit to a minimum usage, AWS discounted pricing can massively reduce those list prices.
AWS Global Accelerator is an alternative to CloudFront – it improves performance and availability of your applications, but without the caching!
The Global Accelerator provides two static anycast IPv4 addresses, which route traffic to your application. It supports any TCP or UDP traffic, and routes this efficiently over the AWS global network backbone.
The endpoints behind it can be any of Application Load Balancers (ALB), Network Load Balancers (NLB), EC2 instances, and Elastic IP addresses.
Use cases include:
Pricing is a combination of fixed-cost-per-hour and a pay-per-use model (again pricing varies slightly between regions):
AWS WAF (web application firewall) lets you define rules to allow or deny HTTP traffic to your application. This helps to block threats like SQL injection or cross-site scripting attacks.
The AWS managed rules are a great starting point for blocking common threats. You can also configure your own rules, such as rate limiting or blocking traffic based on a regex pattern.
You can attach a WAF access control list (ACL) to either CloudFront or to an application load balancer. We recommend attaching it to your load balancer, in case someone manages to bypass CloudFront and communicate directly with your load balancer. (Aside: if you do want to prevent direct communication with your load balancer, you may want to combine a couple of techniques: security groups that restrict access to the CloudFront IP ranges only (which still admits anyone’s CloudFront distribution, not just yours), plus a custom secret header that CloudFront adds on the way to the origin and that the WAF checks for.)
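The two techniques in the aside, as an added example (not code from the original post): a helper that turns the `CLOUDFRONT` entries of an `ip-ranges.json`-shaped document into security-group ingress permissions for the load balancer, split across groups because the real list exceeds one group’s default rule quota, and a builder for the AWS WAFv2 rule that blocks any request missing the secret origin header. The IP prefixes, header name `X-Origin-Verify` and placeholder secret are constructed for the example.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# Only documentation prefixes; the real CLOUDFRONT list is long and changes over time.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2020-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.128/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "EC2"},
    ],
})

def cloudfront_ingress_permissions(ip_ranges_json: str, port: int = 443,
                                   max_rules_per_group: int = 60) -> List[List[Dict]]:
    """Return EC2 IpPermissions (one list per security group) that admit only
    CloudFront prefixes on the given port. Chunked because the full list
    does not fit the default per-group inbound rule quota."""
    prefixes = sorted(p["ip_prefix"] for p in json.loads(ip_ranges_json)["prefixes"]
                      if p["service"] == "CLOUDFRONT")
    chunks = [prefixes[i:i + max_rules_per_group]
              for i in range(0, len(prefixes), max_rules_per_group)]
    return [[{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
              "IpRanges": [{"CidrIp": c, "Description": "CloudFront edge"} for c in chunk]}]
            for chunk in chunks]

def origin_verify_rule(header_name: str, secret: str, priority: int = 0) -> Dict:
    """WAFv2 rule (console/CLI JSON shape) that blocks every request whose custom
    header is not exactly the secret that CloudFront adds as an origin header."""
    return {
        "Name": "RequireCloudFrontOriginHeader",
        "Priority": priority,
        "Action": {"Block": {}},
        "Statement": {"NotStatement": {"Statement": {"ByteMatchStatement": {
            "SearchString": secret,
            "FieldToMatch": {"SingleHeader": {"Name": header_name.lower()}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            "PositionalConstraint": "EXACTLY",
        }}}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "RequireCloudFrontOriginHeader"},
    }

if __name__ == "__main__":
    groups = cloudfront_ingress_permissions(SAMPLE_IP_RANGES, max_rules_per_group=2)
    print(f"{len(groups)} security group(s) needed for the sample prefixes")
    print(json.dumps(origin_verify_rule("X-Origin-Verify", "REPLACE-WITH-RANDOM-SECRET"), indent=2))
```

Rotate the secret periodically (update the CloudFront origin custom header and the WAF rule together), and note that newer accounts can reference the AWS-managed prefix list for CloudFront origin-facing addresses instead of maintaining the CIDR chunks by hand.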
AWS WAF pricing is a combination of fixed-cost-per-hour and a pay-per-use model:
For a further comparison of AWS WAF and alternatives, see this Gartner comparison. The overall scores (out of 5, as at the time of writing) are summarised in the table below:
AWS offers astonishingly good distributed denial of service (DDoS) protection. For example, AWS thwarted one of the largest ever DDoS attacks in February 2020, when it handled an attack rate of 2.3Tbps.
AWS Shield Standard offers basic DDoS protection. For no additional costs, it defends against the most common network and transport layer DDoS attacks when you use services like Application Load Balancer (ALB), CloudFront, and Route 53 (for DNS).
AWS Shield Advanced gives even more protection, but it’s not cheap, costing more than $3000 per month. Benefits include:
AWS Shield Standard is free. The pricing for AWS Shield Advanced is:
To manage SSL/TLS certificates on the load balancer, you can use the AWS Certificate Manager service. Advantages include:
AWS Certificate Manager is a free service for public certificates. It also has an option for a private certificate authority to create and deploy private certificates programmatically, which is a chargeable service.
Using a load balancer is an important prerequisite for some of the services we’ve just talked about. For thoroughness, let’s cover the advantages of putting an AWS Application Load Balancer in front of your web-servers:
If your web-servers run on VMs, you can use an auto-scaling group. This allows you to replace failed servers and to automatically scale up and down based on load or based on time of day. The load balancer will be automatically updated as VMs are added/removed.
The services described above have a mixture of pricing models based on load and pricing per hour of using that service.
Importantly, the pricing model lets the costs flex based on load. This is a big differentiator compared to some 3rd party services where you have to pay based on your maximum predicted load (e.g. paying a five-figure sum per month to handle the expected peak load of 200mbps).
AWS pricing is often nuanced and complicated to explain or predict, with the price depending on your specific use-case. However, the pay-as-you-go model means you can monitor costs over time and adjust your configuration accordingly.
AWS also offers big discounts for large-scale users. For example, if your CloudFront usage is consistently near or over 10TB per month then it’s worth considering AWS discounted pricing. With this model, you commit to a certain minimum usage per month and get very large cost reductions in exchange.
These AWS services offer a powerful combination to deliver a cost-effective, secure, highly scalable and managed solution. If you’re using a 3rd party CDN or WAF, it’s worth thinking about moving to these AWS services. If these are not part of your architecture, it may be worth adding them.
An AWS Advanced Consulting Partner like Cloudsoft would be happy to help you better understand, evaluate and adopt the services described here. Ask Cloudsoft for a free consultation to get started or to discuss your existing AWS usage.
Aled Sage is VP Engineering at Cloudsoft, helping customers migrate to and improve their usage of cloud. For migrations, we help customers to prepare for and execute the migration – both the organisational change and the technical work required to make cloud adoption a success. For those already in the cloud, we offer a range of services: Well-Architected reviews to help with continual improvement, assistance with cloud cost optimisation and controls through FinOps and cost analysis, 24/7 support for your applications, and modernisation (including Windows-based applications).