Module 12 - Edge Services Flashcards

1
Q

What are the AWS edge services?

A
• AWS Wavelength – 5G providers would use AWS Wavelength as their edge location.
• AWS edge locations – CloudFront, AWS WAF, and AWS Shield are services used here.
• Outposts – Outposts can be on premises or on a VPN.
• AWS Local Zones – Local Zones are an extension of a VPC.

2
Q

What is an edge location?

A

The nearest point to the user who is consuming the AWS service.
Your origin server is not present in these locations; they cache copies of your content for faster delivery.

Works with AWS services like Route 53 and CloudFront.

3
Q

What does CloudFront do?

A

It’s a CDN: Content delivery network. Provides a globally-distributed network of Point-of-Presence locations (edge locations & edge cache servers) that CACHE content, such as web videos or other bulky media, more locally to consumers, thus improving access SPEED for downloading the content.

For dynamic data, many CDNs can be configured to retrieve data from the origin servers.

DDoS protection, integrates with Shield, WAF

Good for: static content that needs to be available everywhere.

4
Q

What connection does CloudFront support other than HTTP/S?

A

CloudFront supports real-time, bidirectional communication over the WebSocket protocol. This persistent connection permits clients and servers to send real-time data to one another without the overhead of repeatedly opening connections. This is especially useful for communications applications such as chat, collaboration, gaming, and financial trading.

5
Q

How do you configure CloudFront?

A

Specify an origin server for your files (an S3 bucket, or an HTTP server, a.k.a. a custom origin). If it is S3, the bucket name must be all lowercase with no spaces.

Create a CloudFront streaming distribution. This tells CF which origin to use and holds your configuration.

CF assigns a domain name to the new distribution.

CF sends your distribution's configuration, but not the content, to all of its edge locations.

6
Q

How can you set up CloudFront to restrict access to paid users, for example?

A

Require that your users access your private content using special CloudFront signed URLs or signed cookies.
• signed URL: access to individual files
• signed cookies: one cookie for many files

Require that your users access your content by using CloudFront URLs, not URLs that access content directly on the origin server.

7
Q

How do I set up CloudFront for high availability?

A

Set up origin failover. Create an origin GROUP with a primary and a secondary origin. If the primary origin is offline, CloudFront fails over to the secondary.

8
Q

What are the ways you can control when content expires in CloudFront?

A

TTL (Time To Live)
• Default TTL
• Max TTL
(The TTL can be fixed, set to a custom value by you, or CloudFront can send a GET request to the origin using the If-Modified-Since header.)

Change the object name (Header-v1.jpg becomes Header-v2.jpg).

Invalidate the object. Invalidating the object is inefficient and very expensive.

9
Q

How do you off-load static content in CloudFront?

A
• Create absolute, instead of relative, URL references to your static assets.
• Store static assets in Amazon S3.
• Optimize for WORM (write once, read many).

10
Q

What is geoblocking/geo-restriction?

A

Prevents users in specific countries from accessing content that you are distributing through a CloudFront web distribution. You can whitelist or blacklist countries.

11
Q

What kinds of geoblocking/geo-restriction are there?

A
• Use the CloudFront geo-restriction feature to restrict access to ALL the files on an edge location and to restrict access at the country level.
• Use a third-party geolocation service to restrict access to a subset of the files that are associated with a distribution, or to restrict access at a finer granularity than the country level.

12
Q

It can take many network hops to access your application over the public internet, and that introduces risk and possible performance problems. What can help avoid this?

A

Global Accelerator: a networking service that improves the availability and performance of the applications you offer to your global users. Uses the AWS network. Like an HOV lane.

Provides 2 static Anycast IP addresses that act as a fixed entry point to your AWS-hosted application so you don’t have to manage IP addresses across AZs or Regions.

Also performs health checks with auto-failover.

13
Q

How does traffic go from the user to the endpoint in Global Accelerator?

A

Traffic is routed to the optimal AWS endpoint based on:
• the user's location
• the health of the endpoint
• endpoint weights that you configure

Traffic travels over the well-monitored, congestion-free, redundant AWS global network to the endpoint. By maximizing the time that traffic is on the AWS network, Global Accelerator ensures traffic is always routed over the optimum network path.

Supports TCP and UDP.

14
Q

What are 2 caveats for using Global Accelerator?

A
• Direct Connect does not advertise IP address prefixes for Global Accelerator over a public virtual interface.
• Global Accelerator does not support processing IP packet fragments or reassembly.

15
Q

CloudFront vs. Global Accelerator

A

CloudFront vs. Global Accelerator
• Layer 7 HTTP or HTTPS vs. Layer 4 TCP or UDP proxy
• HTTP or HTTPS vs. any protocol running over TCP or UDP
• Content caching vs. no caching
• DNS-based routing vs. Anycast routing
• Dynamic IP addresses vs. two global static IP addresses, with the ability to BYOIP address ranges
• Native origin failover based on HTTP error codes or timeouts, or Route 53 DNS vs. built-in origin failover with no dependency on DNS TTLs
• Hosting: S3 buckets, HTTP servers, AWS Elemental MediaStore, or other servers vs. Network Load Balancers, Application Load Balancers, EC2 instances, and Elastic IPs

16
Q

What are some Infrastructure layer attacks (at layer 3 or 4)?

A

• SYN (synchronize) floods
• User Datagram Protocol (UDP) packet floods

Both are types of DDoS attack.

17
Q

What is an application layer attack?

A

Layer 7: attacks the application itself, e.g. HTTP floods and DNS query floods.

18
Q

What service protects against infrastructure layer attacks?

A

Shield Standard: always-on network flow monitoring. Detects malicious traffic.

19
Q

How does CloudWatch integrate with WAF?

A

CloudWatch collects and processes raw data from AWS WAF and AWS Shield Advanced into readable, near real-time metrics. These statistics are recorded for a period of two weeks.

You can activate logging to get detailed information about traffic that is analyzed by your web ACL. AWS WAF delivers logs to your storage destination through the HTTPS endpoint of Kinesis Data Firehose. (Do NOT choose Kinesis Data Streams as your source.)

21
Q

What is an IP set in AWS WAF?

A

A collection of IP addresses and IP address ranges that you want to use together in a rule statement. IP sets are AWS resources.

22
Q

How do ACL rule statements work?

A

Rule statements are the part of a rule that tells WAF HOW to look at a request.

• Pattern matching (regex, size, string)
• Logical operation (AND/OR/NOT)
• Traffic filtering (geofencing, IP filter, rate limiting)
• Attack prevention (SQLi or XSS detection)

23
Q

What kind of complexity can ACL rule statements handle?

A

They can reference rule groups. You won't see them on the console, but you can manage them by editing the JSON.

Rules can be nested, e.g. to control the rate of requests from a specific country.

24
Q

What can I use to manage WAF, VPC security groups, and shield protections all at once?

A

AWS Firewall Manager. This service automatically applies the rules and protections across your accounts and resources, even as you add new resources.

25
Q

What do you need to use AWS Firewall Manager?

A

1) Activate AWS Organizations with all features enabled.
2) Use AWS Config.
3) Have an assigned user as the Firewall Manager administrator.

26
Q

When is AWS Firewall Manager a good idea?

A

1) You have a lot of resources and/or accounts to manage.
2) You create a lot of new applications.
3) You want a single place to monitor and respond to threats across the organization.

27
Q

How can I handle latency issues when some applications have to be on-prem? (E.g. workloads on factory floors, patient diagnosis)

A

Use Outposts, a way to extend the AWS Cloud to an on-premises data center. Basically your own rack.

28
Q

What can you run on outposts?

A

• EC2, S3, EBS
• VPC
• RDS
• ECS/EKS
• EMR (Elastic MapReduce, a.k.a. big data)

29
Q

What are 2 benefits of implementing a CloudFront distribution?

A

• Increased security
• Reduced latency

30
Q

What can CloudFront sit in front of?

A

S3:
• ❗️Enhanced security with Origin Access Identity (OAI), which is an IAM role for the CloudFront origin
• CloudFront as ingress, i.e. upload to S3 from the edge

HTTP endpoint:
• e.g. ALB, EC2, S3 website, anything with an endpoint

31
Q

How does security work with CloudFront in front of an ALB or EC2?

A

The endpoint must be public.

The edge location IPs must be allowed in the security group of the ALB or EC2 instance.

32
Q

How can I modify CloudFront to make it cheaper?

A

Costs vary depending on the edge location.

You can reduce the number of edge locations to save money.
• Price Class All: all regions, best performance, $$$
• Price Class 200: most regions except the most expensive ones, $$
• Price Class 100: only the cheapest regions, $

33
Q

What other security can I add to user data using CloudFront besides HTTPS?

A

Field-Level Encryption

Data is encrypted at the edge location close to the user. You can specify a field, e.g. a credit card number. It is encrypted with a public key and decrypted at the application with the private key.

34
Q

What are Unicast and Anycast IPs?

A

Unicast: one server holds one IP.

Anycast: all servers have the same IP; the client is routed to the closest one. This is how Global Accelerator works.

35
Q

Compare CloudFront and Global Accelerator.

A

Both use the AWS network and edge locations.
Both integrate with Shield for DDoS protection.

CF:
• improves performance for cacheable content
• content is served from the edge locations

GA:
• improves performance for a wide range of apps over TCP/UDP
• all requests still go to the app
• good for HTTP when you need a static IP
• good for when you need fast regional failover
• good for non-HTTP protocols like VoIP, gaming (UDP), IoT (MQTT)

36
Q

You have paid content that is stored in an S3 bucket. You want to distribute that content globally, so you have set up a CloudFront Distribution and configured the S3 bucket to only exchange data with your CloudFront Distribution. Which CloudFront feature allows you to securely distribute this paid content?

A

CloudFront Signed URLs are commonly used to distribute paid content through dynamically generated signed URLs.

37
Q

A website is hosted on a set of EC2 instances fronted by an Application Load Balancer. You have created a CloudFront Distribution and set up its origin to point to your ALB. What should you use to provide access to hundreds of private files served by your CloudFront distribution?

A

Signed Cookies are useful when you want to access multiple files.

38
Q

You are creating an application that is going to expose an HTTP REST API. There is a need to provide request routing rules at the HTTP level. Due to security requirements, your application can only be exposed through the use of two static IP addresses. How can you create a solution that validates these requirements?

A

AWS Global Accelerator will provide us with the two static IP addresses and the ALB will provide us with the HTTP routing rules.

39
Q

What is edge computing? What can you use to accomplish this?

A

Process data while it is being collected at an edge location, i.e. without an internet connection.

Snowball Edge (compute optimized or storage optimized)
Snowcone: 2 CPUs, 4 GB memory, wired or Wi-Fi

• All can run EC2 and Lambda (using IoT Greengrass).

You can preprocess the data, do machine learning on site, and transcode media streams.

40
Q

What is OpsHub?

A

A GUI for your Snow devices so you don't have to use the CLI. It's software you install on your laptop.