
AWS SAA

Section 15 AWS CloudFront

hp0724 2023. 7. 15. 20:33

CloudFront

CDN: Content Delivery Network

Improves read performance: content is cached at edge locations close to the users.

Because content is served from edge locations distributed around the world, the origin is shielded from direct traffic and the distribution benefits from AWS Shield DDoS protection.

To make the website reachable only through CloudFront:

Configure the CloudFront distribution to create an Origin Access Identity (OAI), then update the S3 bucket policy so that the bucket accepts only requests coming from that CloudFront OAI (the bucket itself stays private, with Block Public Access left on). OAI is the legacy mechanism; the current recommendation is Origin Access Control (OAC), which is the form the bucket policy shown below uses: the principal is the CloudFront service and the AWS:SourceArn condition pins it to one distribution.

CloudFront vs S3 Cross Region Replication

CloudFront

  • global edge network
  • files are cached for a TTL
  • great for static content that must be available everywhere

S3 Cross Region Replication

  • must be set up for each region you want replication to happen in
  • files are updated in near real time
  • read only (the replicas)
  • great for dynamic content that needs to be available at low latency in a few regions

CloudFront bucket policy (S3 origin, Origin Access Control form)

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::demo-cloudfront-suhahwang-v4/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::091975970883:distribution/E19HHQUKUBOM8O"
                }
            }
        }
    ]
}
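The two points above (restricting the bucket to CloudFront, and the bucket policy that does it) are easy to get subtly wrong: a leftover public-read statement lets anyone bypass CloudFront and fetch the origin directly, and granting the CloudFront service principal without an AWS:SourceArn condition lets a distribution in any AWS account use your bucket as its origin (a confused-deputy problem). The script below is an added example, not code from the page or from AWS: it builds the OAC-form policy for given identifiers and audits an arbitrary bucket policy for those two mistakes. The account ID, distribution ID and bucket name are constructed placeholders.

```python
"""Build and audit an S3 bucket policy that allows reads only from one CloudFront distribution."""
import json

# Constructed placeholders (not real resources), used only for the sample policies.
ACCOUNT_ID = "111122223333"
DISTRIBUTION_ID = "EXAMPLE123ABC"
BUCKET = "example-cloudfront-origin"
EXPECTED_DISTRIBUTION_ARN = f"arn:aws:cloudfront::{ACCOUNT_ID}:distribution/{DISTRIBUTION_ID}"
LEGACY_OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity"


def cloudfront_only_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """OAC-form policy: the CloudFront service principal may GetObject, but only
    when the request is made on behalf of this one distribution."""
    distribution_arn = f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
    return {
        "Version": "2012-10-17",
        "Id": "PolicyForCloudFrontPrivateContent",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def _as_list(value) -> list:
    """IAM allows a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _source_arns(stmt: dict) -> list:
    """Collect aws:SourceArn values from StringEquals blocks (condition keys are case-insensitive)."""
    arns = []
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.lower() != "stringequals":
            continue
        for key, val in keys.items():
            if key.lower() == "aws:sourcearn":
                arns.extend(_as_list(val))
    return arns


def _grants_read(stmt: dict) -> bool:
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    return any(a in ("*", "s3:*", "s3:get*", "s3:getobject") for a in actions)


def audit_bucket_policy(policy: dict, expected_distribution_arn: str) -> list:
    """Return one finding per Allow statement that lets anyone other than the
    expected distribution read objects. An empty list means 'CloudFront only'."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _grants_read(stmt):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append(f"{sid}: anonymous read (Principal '*') bypasses CloudFront entirely")
            continue
        if any(str(p).startswith(LEGACY_OAI_PREFIX) for p in aws_principals):
            continue  # legacy OAI user principal: still a CloudFront-only grant
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if "cloudfront.amazonaws.com" not in services:
            findings.append(f"{sid}: non-CloudFront principal {principal!r} can read objects")
            continue
        arns = _source_arns(stmt)
        if not arns:
            findings.append(f"{sid}: cloudfront.amazonaws.com without aws:SourceArn; a distribution "
                            f"in any AWS account could use this bucket as an origin (confused deputy)")
        elif arns != [expected_distribution_arn]:
            findings.append(f"{sid}: aws:SourceArn pins {arns}, expected [{expected_distribution_arn}]")
    return findings


# Constructed sample of the obvious mistake: public read, so the origin is fetchable directly.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}

# Constructed sample of the subtler mistake: right principal, but no SourceArn pin.
UNPINNED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowCloudFrontServicePrincipal", "Effect": "Allow",
                   "Principal": {"Service": "cloudfront.amazonaws.com"},
                   "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}

if __name__ == "__main__":
    good = cloudfront_only_policy(BUCKET, ACCOUNT_ID, DISTRIBUTION_ID)
    print(json.dumps(good, indent=2))
    for name, pol in [("good", good), ("public", PUBLIC_READ_POLICY), ("unpinned", UNPINNED_POLICY)]:
        print(name, audit_bucket_policy(pol, EXPECTED_DISTRIBUTION_ARN) or ["OK: CloudFront-only"])
```

The audit only covers the bucket policy; a bucket ACL granting public read, or Block Public Access turned off, would still expose the origin, so check those separately.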

CloudFront Geo Restriction

Access can be restricted by country (the country is derived from the viewer's IP address using a GeoIP database).

  • allowlist: countries allowed to access the content
  • blocklist: countries that are blocked

use cases:

Restrictions required by content copyright and licensing law

CloudFront - Pricing

Data transfer out pricing differs per edge location, so price classes let you trade coverage for cost.

price classes

  1. Price Class All: all edge locations (best performance, highest cost)
  2. Price Class 200: most regions, except the most expensive ones
  3. Price Class 100: only the least expensive regions (North America and Europe)

Global Accelerator

The application runs in Seoul and the users are spread across the world.

Users across the world experience long latency because of the many hops their traffic takes over the public internet.

2 Anycast IPs are created for your application

The Anycast IPs send traffic directly to the nearest Edge Location, and from there it travels over the AWS global network to the application

works with Elastic IP, EC2 instances, ALB, NLB, public or private

  • Consistent Performance
    • intelligent routing to the lowest-latency endpoint and fast regional failover
    • no issue with client cache (the two IPs never change, so nothing cached on the client side goes stale)
    • traffic stays on the internal AWS network
  • Health checks
    • Global Accelerator performs health checks of your applications
    • helps make your application global
    • great for disaster recovery
  • Security
    • only 2 external IPs need to be allowlisted
    • DDoS protection thanks to AWS Shield

Unicast IP vs Anycast IP

  • Unicast IP: one server holds one IP address
  • Anycast IP: all servers hold the same IP address and the client is routed to the nearest one

AWS Global Accelerator vs CloudFront

  • CloudFront
    • improves performance for both cacheable content (such as images and videos) and dynamic content (API acceleration and dynamic site delivery)
    • content is served at the edge
  • Global Accelerator
    • improves performance for a wide range of applications over TCP or UDP
    • proxies packets at the edge to applications running in one or more AWS Regions
    • good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP
    • good for HTTP use cases that require static IP addresses
    • good for HTTP use cases that require deterministic, fast regional failover