Amazon AWS Certified Advanced Networking Specialty – Content Delivery Networks

1. Understanding Content Delivery Networks

Hi everyone and welcome to the Knowledge Port video series. Now, today we are going to talk about content delivery networks. So, in the last lecture we spoke about the basics of reverse proxy and how reverse proxy helps in caching. So this is a scenario that we had taken where we take the static files like pictures or JavaScript and we move it to the intent server which is NGINX. Now, whenever a traffic comes from maybe a mobile or a browser, the traffic will reach the NGINX and NGINX can serve all of the static files directly. And this is one of the advantage which helps not only in latency, but also in resource saving. Now, one more advantage over here is that this particular computer is not directly accessible to the back end server. So it helps in security point of view as well. Now, there is one issue over here is that let’s assume that there are lots of visitors.

Let’s say you have a big sale on your website and you get thousands of visitors. Now, the problem here is this is a single point, not all the thousand users will come here. And all the big things like serving the websites, DDoS protection, having a proper security suite comes over here. Now, one of the things that you can do is you can take all of this load offshore. So what will mean is many things like web application firewall, DDoS protection, various caching mechanism termination, proxies, et cetera, can be moved out even from this front end server to a content delivery network. So we put a content delivery network between the users and our front end server and whatever heavy lifting that has to be done, can be done by this content delivery network instead of our servers.

Now, one big advantage of having a CDN in between is that this CDN is actually optimized for doing the heavy lifting. So we don’t really have to spend time designing our own web application, firewall, et cetera, et cetera. So now all of these big things can be handled by the content delivery network. And along with that, if you see the static assets that we are putting on the NGINX server, that static assets can now be at the CDN level. So now a web browser makes requests to the CDN and CDN without need to contact the front end server.

It can directly serve the traffic provided it is for the static assets. So, CDN provides a lot and lot of advantage. And many of the major websites, they have CDN of some kind. Now, if you’re wondering what are the CDN types that are available, there are two major CDN which most of the small medium enterprises they generally use. One is Cloudflare. Cloudflare is an amazing CDN specifically designed for small medium organization. They also have a free plan available. So if you have a small blog, you can actually use the Cloudflare CDN for your own website. It also provides lot of things like DDUs protection, content based, Caching, et cetera. So if you see they have a free plan which is available which is of $0 per month and it offers various things like DDUs protection although it is limited CDN. Also SSL certificate if you go in more advanced plan like the Professional one. The professional one also comes up with the web application firewall.

So this is one of the CDN providers which are available. The second one is the Cloud front. So this is Amazon Cloud Front. And Cloud Front supports a lot of features. Specifically if you are hosting your contents within your AWS network so it supports dynamic content, it supports manual cache invalidation then good things that I would really target is Geotargeting, it supports cross origin resource sharing and obviously it supports Caching, it supports Web application firewall service with integration of Cloud Front. So a lot of things. AWS cloud front supports. The good thing is that this also has free tire. So if you registered yourself under the free tire, you see that Cloud Front supports up to 50 GB of data transfer which you can use in your free tile. So Cloud Front is really nice and what we will do is this is the basic about the content delivery network. In the upcoming lectures we’ll set up our own Cloud Front base CDN and explore the various features which will help us not only in Caching but also the security aspect. So I hope this has been informative for you and I’d like to see you in the next lecture.

2. Deploying CloudFront Distribution – Part 01

Hey everyone and welcome back. In today’s video we will be discussing about deploying a Cloud Front distribution. Now, in order for us to be able to deploy a CloudFront distribution, there are certain steps which are involved. Now the first step is we need to create a server or some kind of a storage location where we can store our website file or our content that CloudFront delivers. Now, one great thing about CloudFront that it can integrate with Sree. So you necessarily need not need to have some kind of an easy to instance. We can make use of a Sri bucket for that. Once you have your files in your SRE bucket, the next thing is you need to create a CloudFront distribution. Once the distribution is created, you can go ahead and load the website from CloudFront to verify if everything is working fine. And once that is done, you can go ahead and explore various features of Cloud friend. So we can understand the steps with the help of below animation here.

So let’s assume that this is the server or this can be an S three bucket and this S three bucket or a server has some kind of a static file. So this can be an image, this can be HTML file, etc. Now what you do is you create a Cloud Front distribution, all right? Now this CloudFront distribution can communicate with the server or the SRE bucket which has the static files, or it can even have dynamic contents. Now the CloudFront distribution has edge locations which are present over here and these edge locations are something which basically caches a lot of information. Now, the first time a user visits your website and there is a cloud print distribution, then what happens is that the cloud print distribution will request from the server and it will serve the content. Now, once it serves the content, it will also save the content in the edge location. So let’s say that this user has requested for the image. So first time Cloud Front will serve the image directly and along with that it will store the image in all the edge locations all around the world.

So now next time, let’s say there is a next user who also loads the website. Now this time what happens is that the image will be served from the edge location. So again, Cloud Front will not send a request to the server for the image. Image will be sent from the edge locations itself. So this is the high level overview about the CDN. Let’s go ahead and do the first step for this video post which will go ahead and deploy the cloud run distribution. So I’m in my AWS management console. Now the first thing that we need to do is we need to have a location where we can store our images and the HTML file. Now again, you can create an easy to instance, but this is something that will avoid. For the demo, we’ll create a simple s three bucket. So I’ll go to services and I’ll select S Three. Now within here I’ll create a new bucket. I’ll call it as my demo Hyphen Cloud friend and I’ll click on create. Great.

So this is our S three bucket which is available. Next thing is we need to upload certain contents over here. So what I have done, basically I have two contents which is available. One is a simple index HTML and second is the image which I’m really fond of. So this is the image.

So we’ll be uploading both of these within our S three bucket. So from my s three I’ll click on Upload, and from here I’ll upload both of these contents. Great, so you have the index HTML and you have shift jpg. Again, you can have your own custom contents as well. So basically, if I can show you what the index HTML file is all about, I’ll just open up with a notepad. So this index HTML file is a simple file which basically contains welcome to the website and that’s about it. All right? And the image is something that we already explored. You can have your own custom contents for your demo that you can use. Great. So once your content have been uploaded, let’s quickly go to the permissions. In fact, I wanted to show you a few things. So currently AWS had released a feature so that you cannot really make things public. And this is quite a new feature. So I’ll just deselect all of them and I’ll click on Save. So this is just for our testing purpose. Let me do a confirm here. Great.

So the public access settings has been updated. So now let’s go to the properties and within the static website hosting, I’ll select the first option which basically states that use this bucket to host a website. The index document would be index HTML and I’ll click on Save. Great. So now the last thing that you need to do is you have to change the permissions. We’ll go to access control here and for public access we’ll select everyone to be able to read the objects. All right, let’s click on Save. Perfect. So everyone will be able to read the objects. And now if you see let me go to S three. Now, you see this bucket is now named as public. So this is really great feature because if I go to S three console, I’ll be able to see which buckets are public in a simple to understand way. So now within the bucket, I’ll quickly select both of these objects and I’ll make them as public.

All right, so that’s about it. In order to verify if everything is working correctly, let’s click on one of them. I’ll copy the object URL, and if you post it in the browser, you should be able to see welcome to the website over here in a similar case, we’ll take the URL for the image that we have present. Let me put it within the browser and you should be able to see the image. Great. So since we have the static website hosting available for the S Three bucket, let’s take the URL. So this is basically the URL of the S Three bucket. Now, if you paste the URL over here, you should be able to see the index HTML website. All right, so this is the S Three, which is hosting both of our website as well as our image. Now, coming back to our animation diagram, so we have our server.

In our case, it is S Three, which is hosting the image, which is hosting the index HTML file. So now, instead of user directly accessing our server, what we want is we want to create a CloudFront distribution which will handle all the request over here. So this is something that we’ll create in the upcoming video. So this is the high level overview video. I hope this video has been informative for you and I look forward to seeing you in the next video.

3. Deploying CloudFront Distribution – Part 02

Hey everyone, and welcome to the second part of our video series on deploying Cloud Front. In today’s video, we will be creating the second step, which is creating the Cloud Front distribution. Now, I’m in my AWS management console. Let’s go to the Cloud Front service. Now, I already have a Cloud Front distribution which is available. So this was basically used for a different demo that we had. So let’s go ahead and create a new distribution over here. So there are two types of distribution. One is Web, and second is RTMP. For our demo, we’ll be using the web distribution.

So here we have to specify the origin domain name. So the origin domain name is basically from where will Cloud Front get the data from? So in our case, the origin is basically a s three bucket. So if you just click over here, it will basically show you the list of s three buckets which are available within your account. If you remember, our bucket name was my demo hyphen Cloud Front. So once you have selected the origin domain name, let’s go a bit down. Now, within the price classes, if you see it says use all the edge location. Now, this is important because let’s say that you have customers coming from all across the world. In that case, you can basically make use of all the edge location.

So what that basically means is that CloudFront will go ahead and start to store the cash in all the edge locations across the world. Now, in that case, if a customer is coming from, say, US region, he might be served from the nearest edge location all the files. So in case if your customers are not from the US, you know that your customers are only from Asia and maybe from Africa, then there is no need to store your data in all the edge locations. So for such case, you can select one of them. So you have used only US, Canada and Europe. You have used US, Canada, Europe, Asia and Africa. So depending upon the customers location that your website gets, you can select one of them. All right? So let me just select the second option here. Now, the next thing is basically you can specify the default route object over here. So let’s specify index HTML. So anytime a user visits the website, the index HTML should be returned. So once you have done that, you can go ahead and create a distribution. All right? So this is the distribution here.

So if you just let me just sort it out. So the distribution origin here, you see it is my demo Hype and CloudFront SC Amazonas. com. So currently, the status is in progress. It takes a little amount of time for that CloudFront distribution to get created. I’ll pause the video for some time, and once the status is deployed, we’ll resume the video. All right? So it has been close to around ten to 15 minutes. And our CloudFront distributions status is now deployed. So what you need to do is you have to take this domain name over here. All right, we’ll copy the domain name which is associated with the Cloud Front distribution, and we’ll put it within the browser.

And here you see it returned us with the welcome to the Website page. So this is how you can create the Cloud Front distribution and associate it with the s three bucket. So before we conclude this video, I wanted to show you a few more things. So within this diagram, we were discussing that first time a user, when he visits the Cloud Front distribution, the request would be sent to the origin and the image or whatever file which is present. It would be served back. Now, along with that, Cloud Front distribution will also store the static contents within the edge locations over here. Now, the second time, whenever the user visits the same website, the content will be served from the edge location. All right? So let’s quickly look into how exactly that might look like.

Now, let me do one thing. I’ll copy the Cloud Front domain and let’s do a curl. And this time we’ll do a shift jpg. So this is an image file. So now what we can do in an easier way is we can make use of I. So I basically will print the headers. Now, if you look into the X cache header, it basically states Hit from Cloud Front. That basically means that this specific image file has been served from the Cloud Front edge location. So this is the basics on how we can go ahead and deploy deploy the Cloud Front distribution. We also look into how when multiple requests are being made, the contents are served from the edge location instead of sending the request to the origin and fetching the same content multiple amount of time. So with this, we’ll conclude this video. I hope this video has been informative for you and I look forward to see you in the next video.

4. Understanding Origin Access Identity in CloudFront

Hey everyone and welcome back. In today’s video, we will be discussing about the origin access identity. Now generally, whenever you have a Cloud Front distribution, so let’s assume that this is the Cloud Front distribution here and here you have the origin. So this origin has certain contents, it can be certain files, images, songs, videos, etc. Now, once you have designed the Cloud CloudFront distribution, what happens is that user will visit the Cloud Front distribution and from here the contents will be served. Along with that, Cloud Front will also ensure that all the contents that can be cached is pushed towards the edge location so that the load over the server does not increase. Now this is the cachability part. Second important part is that you can have various security mechanisms in the Cloud Front level. So you can have a web application firewall at the Cloud Front level. So it blocks all the malicious web application attacks, et cetera.

Now what an attacker can do over here is that instead of visiting the Cloud Front because let’s say you have a valve, now AWS can integrate with Cloud Front. It cannot integrate with the server or cannot integrate it directly with the S three bucket. So now, attacker first tries to send certain malicious packets. Now he realizes that something is blocking that malicious packet. There might be some kind of a firewall. So now what he does is instead of going to the root of Cloud Front, he directly accesses the server or he directly accesses the S three bucket. So in this way, he can completely bypass all the mechanisms which is there within the Cloud Front distribution. So with the help of origin access identity, what we do is we tell the S three bucket to only accept the connections which are coming from the Cloud Front distribution.

It should not accept any direct connections which are being established. So let’s do one thing. Let’s look into how exactly we can achieve this. Now. I went by s three console. So this is the S three bucket where there are two files. And along with that, we also have the Cloud Front distributions which are present over here. Now, if I directly open up this specific file from SRE bucket, let’s try it out. So if I do a curl on index HTML so this time we are directly loading it from the SA bucket. You see, it basically gets us the content of welcome to the website.

Now this is similar to what we were discussing where attacker is directly loading the page over here. Even though there is a Cloud Friend distribution, he’s bypassing that. So in order for us to ensure that the origin only accepts the connection from Cloud Friend, we need to have the origin access identity to be enabled. So let’s go back to the Cloud Front distribution. I’ll open up the distribution here. Let’s click on Origin and origin groups. So this is our origin over here, let’s click on Edit here. Now here, this is the origin domain. Now, if you see, there is an option of Restrict Bucket Access.

Now, when you do a Restrict Bucket Access, let’s actually open this Help menu. It basically says that if you want to require that a user always access your S Three content using the Cloud front URL and not the S Three URL, click yes. And this is very important. So let’s click on Restrict the Bucket Access and within the Origin Access identity over here, you can go ahead and create a new identity. Now, there also one more option. Call as grant read permission on the bucket. So you need to select yes, update the bucket policy. We’ll look into what exactly this does.

I’ll go ahead and I’ll edit this. All right, so now let’s go back to the CloudFront distribution. So currently the status is in progress. So let’s quickly wait for a moment for the progress to be deployed. So it has been close to around five minutes, and our CloudFront distribution status is now deployed. So now, if you go to the S Three bucket, let me go to the S Three console. So this is our bucket currently. Now, if you look into the Bucket Policy, let’s go to the Permission. And if you look into the Bucket Policy, CloudFront has added a new Bucket policy. So what this Bucket policy does is that it basically tells that there is this principle. So this is the CloudFront distribution, and this CloudFront distribution will be able to perform a Get object operation on all the files within this specific bucket. So this is the policy that it has added. Now, since this bucket is currently public from the CLI, even if you directly make a request to the SV bucket, you see, it will still load.

So what we need to do is we need to change the permission and we have to make this bucket as private. So from the public access, I’ll remove the Read bucket permission and I’ll click on save. Once done, we’ll do one more thing. Let’s go to the Public access settings. I’ll click on Edit and we’ll just restore things to the default settings, which was there when a bucket is created. All right? So once you have done this, you can go ahead and click on Save. I’ll click on confirm. Now, once you have done that, basically this permission will block the public ACLs over the bucket and its associated objects. So now, within the CLI, if you try to load the index HTML from the S Three bucket directly, you see it is basically giving you the access denied.

Now, the only way in which external person will be able to access the contents in the S Three bucket would be through the Cloud front distribution. So let’s try it out. I’ll copy the distribution domain name. Let’s do a curl. And now you see, you are able to see the welcome to the website page. So I hope with this demo you understood on what the origin access identity is all about. So now what we have done is we restricted the SD bucket in such a way that only CloudFront distribution will be able to access it and no external user will be able to directly connect to the data within the bucket. So this is the highlevel overview about the origin access identity. I hope this video has been informative for you and I look forward to seeing you in the next video.

• Category: Uncategorized