Best Practices for Content Delivery using Amazon CloudFront Nihar Bihani, Principal Product Manager, Amazon Web Services March 17, 2015

Page 1

Best Practices for Content Delivery using Amazon CloudFront

Nihar Bihani, Principal Product Manager, Amazon Web Services

March 17, 2015

Page 2

Agenda

Amazon CloudFront: Quick Overview

Best Practices for Whole Website Delivery

Q&A

Page 3

Our growing global footprint…

[Map: POPs, cities, countries and continents across North America, South America, EMEA and APAC; legend: AWS Region, CloudFront Edge Location]

Page 4

We have been busy building features…

[Timeline: Dec 2013 to Mar 2015]

• Second Edge Location in Seoul, Korea

• Smooth Streaming Support

• SSL SNI Support

• HTTP to HTTPS Redirect

• CloudFront Usage Charts

• EDNS-Client-Subnet Support

• Free Tier

• AWS CloudTrail Support

• Device Detection, Geo Targeting, Host Header Forwarding, and CORS Support

• Edge Location in Melbourne

• Advanced SSL features: Session Tickets, OCSP Stapling and Perfect Forward Secrecy

• Support for Wildcard cookies

• OPTIONS caching

• 5 Cache Stat Reports

• Popular Objects Report

• More Timely CloudFront Access Logs

• Price Drop

• Directory path as Origin Name

• Locations, Browsers, OS and Top Referrers

• Signed Cookies

• Smart TV Detection

Page 5

Amazon CloudFront: What’s New?

http://aws.amazon.com/cloudfront/whats-new/

Page 6

Amazon CloudFront: Whole Site Delivery

[Diagram: Dynamic, Static, Video, User Input, SSL]

Page 7

A typical web application has…

Static Assets

Dynamic Content

Streaming Media

Page 8

Static Assets

Page 9

What are Static Assets?

Content is static: Images, JS, CSS, Fonts, Software

It can be distributed to more than one user

State of the object doesn't change for: sec, min, hours,..

Caching is a way to serve static content to more than one user

Page 10

#1. Use Amazon S3 for Static Assets

Free data transfer from Amazon S3 to CloudFront

Decrease load on web server

Highly available & scalable

Page 11

#2. Control Access to Content on Amazon S3

Origin Access Identity (OAI)

Content can be accessed ONLY via CloudFront

Why use OAI?

• Ensures content is not leaking

• S3 URLs not being used anywhere

Page 12

#3. Control Access to Content on CloudFront

Amazon CloudFront Private Content (paid subscribers, premium customers, etc.)

Signed URLs or Signed Cookies

When to use?

• Signed URLs: Marketing email

• Signed Cookies: Streaming, whole site authentication

[Diagram: Region; direct requests without a valid signature get Access Denied]
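The mechanics behind signed URLs and signed cookies, as an added example that is not code from the webcast: a custom policy is a compact JSON document naming the resource and an expiry (optionally a source-IP range and a start time), it is signed with RSA-SHA1 using the private key of a CloudFront key pair, and both policy and signature are base64-encoded with CloudFront's URL-safe substitutions before being placed in query parameters or in the three CloudFront-* cookies. KEY_PAIR_ID and the d111111abcdef8.cloudfront.net domain are placeholders; the signer is a callable so the encoding can be checked without a key, and the `rsa_sha1_signer` helper assumes the `cryptography` package.

```python
"""Build and encode CloudFront custom policies for signed URLs and signed cookies.
Added example (not code from the webcast). Signing needs the private key of a
CloudFront key pair (RSA-SHA1); KEY_PAIR_ID and the domain below are placeholders."""
import base64
import json
import time
from typing import Callable, Optional

KEY_PAIR_ID = "APKAEXAMPLEKEYPAIRID"   # placeholder, not a real CloudFront key-pair id


def cloudfront_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'."""
    s = base64.b64encode(data).decode("ascii")
    return s.replace("+", "-").replace("=", "_").replace("/", "~")


def custom_policy(resource: str, expires_at: int,
                  source_ip: Optional[str] = None, not_before: Optional[int] = None) -> str:
    """Return the JSON policy exactly as it must be signed: no whitespace, keys in this order."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires_at}}
    if not_before is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": not_before}
    if source_ip is not None:                       # CIDR, e.g. "203.0.113.0/24"
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    policy = {"Statement": [{"Resource": resource, "Condition": condition}]}
    return json.dumps(policy, separators=(",", ":"))


def signed_cookies(policy: str, signer: Callable[[bytes], bytes]) -> dict:
    """The three cookies a whole-site or streaming login would set on the viewer."""
    return {
        "CloudFront-Policy": cloudfront_b64(policy.encode()),
        "CloudFront-Signature": cloudfront_b64(signer(policy.encode())),
        "CloudFront-Key-Pair-Id": KEY_PAIR_ID,
    }


def signed_url(url: str, policy: str, signer: Callable[[bytes], bytes]) -> str:
    """Append Policy, Signature and Key-Pair-Id query parameters (e.g. for a link in an e-mail)."""
    sep = "&" if "?" in url else "?"
    return (f"{url}{sep}Policy={cloudfront_b64(policy.encode())}"
            f"&Signature={cloudfront_b64(signer(policy.encode()))}"
            f"&Key-Pair-Id={KEY_PAIR_ID}")


def rsa_sha1_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """Real signer: RSA PKCS#1 v1.5 over SHA-1, which is what CloudFront verifies.
    Uses the 'cryptography' package (assumed installed when used for real)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda message: key.sign(message, padding.PKCS1v15(), hashes.SHA1())


if __name__ == "__main__":
    # Demo with a throwaway key; in production load the CloudFront key pair's private key.
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = key.private_bytes(serialization.Encoding.PEM,
                            serialization.PrivateFormat.TraditionalOpenSSL,
                            serialization.NoEncryption())
    signer = rsa_sha1_signer(pem)
    policy = custom_policy("https://d111111abcdef8.cloudfront.net/*", int(time.time()) + 3600)
    print(signed_cookies(policy, signer))
    print(signed_url("https://d111111abcdef8.cloudfront.net/premium/video.mp4", policy, signer))
```

The wildcard resource is what makes one set of cookies cover a whole site or a whole stream's segments, whereas a signed URL covers exactly the object it is attached to; keep expiries short and treat the private key like any other signing key.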

Page 13

#4. Cache at Every Layer: Browser Caching

Set max-age or expiry date in your headers (e.g. Cache-Control: max-age=3600)

HTML5 application cache

Helps eliminate network latency

But… browser cache size is limited (e.g. IE is 8-50 MB, Chrome is < 80 MB, Firefox is 50 MB, etc.)

Page 14

#5. Cache at Every Layer: Edge Caching

Set High TTLs for intermediary caches (e.g. Cache-Control: max-age=3600, s-maxage=86400)

Don’t forward Headers, Query Strings or Cookies. Note: you do need to forward the relevant headers if you’re doing CORS

In other words, use CloudFront defaults

Page 15

#6. Version Your Objects

Versioning allows for easy updates and roll backs

Use file name or query string to version; no additional API calls are needed

Set High TTLs on objects that change infrequently

Each version is treated as a unique object in the browser cache
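Slides #4 to #6 together describe one policy: a short browser TTL with a longer edge TTL for shared objects, and very long TTLs for versioned objects. The following added example (not code from the webcast) chooses a Cache-Control value per asset class and computes the TTL the edge and the browser will each derive from it; the naming convention (content hash in the file name or a `?v=N` query string) and the per-class values are assumptions, and the minimum-TTL clamp is a simplified model of the distribution setting.

```python
"""Assign Cache-Control per asset class and work out the TTL the edge and the browser
will each use. Added example; the naming convention (content hash in the file name,
or ?v=N) and the per-class values are assumptions, not a CloudFront rule."""
import re

# Versioned static asset: "app.3f2a9c1b.js" or "app.js?v=42" (assumed convention)
VERSIONED = re.compile(r"\.[0-9a-f]{8,}\.[a-z0-9]+$|[?&]v=\d+$")
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".gif", ".svg", ".woff", ".woff2", ".ttf")


def cache_control_for(path: str) -> str:
    """Pick a Cache-Control header for a request path (example policy, not CloudFront's)."""
    stem = path.split("?", 1)[0]
    if stem.endswith(".html") or "." not in stem.rsplit("/", 1)[-1]:
        # Pages: the browser always revalidates, the edge may hold them briefly
        return "public, max-age=0, s-maxage=60"
    if VERSIONED.search(path):
        # Each version is a unique object, so it can live a year; ship a new name to update
        return "public, max-age=31536000"
    if stem.endswith(STATIC_EXT):
        # Unversioned static asset: one hour in the browser, a day at the edge
        return "public, max-age=3600, s-maxage=86400"
    return "private, max-age=0"


def parse_cache_control(value: str) -> dict:
    """Split 'public, max-age=3600, s-maxage=86400' into {'public': True, 'max-age': '3600', ...}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def edge_ttl(value: str, default_ttl: int = 86400, min_ttl: int = 0) -> int:
    """Seconds a shared cache such as CloudFront keeps the object: s-maxage beats max-age,
    no-cache/no-store/private mean 0, nothing set means the distribution's default TTL.
    The minimum TTL is applied as a simple lower bound (simplified model)."""
    d = parse_cache_control(value)
    if any(k in d for k in ("no-cache", "no-store", "private")):
        ttl = 0
    elif "s-maxage" in d:
        ttl = int(d["s-maxage"])
    elif "max-age" in d:
        ttl = int(d["max-age"])
    else:
        ttl = default_ttl
    return max(ttl, min_ttl)


def browser_ttl(value: str) -> int:
    """Seconds the browser's private cache may reuse the object without revalidating."""
    d = parse_cache_control(value)
    if "no-cache" in d or "no-store" in d:
        return 0
    return int(d["max-age"]) if "max-age" in d else 0


if __name__ == "__main__":
    for path in ("/index.html", "/static/app.js", "/static/app.3f2a9c1b.js", "/static/app.js?v=42"):
        cc = cache_control_for(path)
        print(f"{path:28} {cc:40} browser={browser_ttl(cc):>9}s edge={edge_ttl(cc):>9}s")
```

The split between max-age and s-maxage is what lets a single header give browsers a short lifetime (their caches are small and per user) while the edge keeps the object much longer.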

Page 16

Dynamic Content

Page 17

What is Dynamic Content?

Content unique to every request (Example: /index.php)

Content changes frequently (seconds, minutes), but NOT unique for every request (Example: weather updates, API, etc.)

Content changes based on end user request (query string, cookies, headers) (Example: mobile vs. desktop users, search keywords in query string, etc.)

Page 18

#7. Cache Everything Possible

CloudFront supports TTLs as low as 0 seconds, no-cache, no-store, etc.

Most content can be cached, even if it is for a few seconds

Benefits of setting a low TTL

• CloudFront supports “If-Modified-Since” and “If-None-Match” when object in the cache has expired

• CloudFront will serve stale content if origin is unavailable and object is in cache

• Helps you offload your origin load
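What the three bullets above mean in practice, as an added example that is not code from the webcast: the origin answers a conditional request (If-None-Match or If-Modified-Since) with a 304 when the object is unchanged, and the edge refreshes the expired copy's TTL instead of re-downloading it, or serves the expired copy when the origin cannot be reached. The `EdgeCache` class is a simplified model of that behaviour, not CloudFront's code; the result names Hit, Miss and RefreshHit mirror CloudFront's log values, while "Stale" is this example's own label. The demo origin and its five-second TTL are constructed.

```python
"""Origin-side conditional GET handling plus a toy edge cache that revalidates
expired objects and serves stale content when the origin is down.
Added example; the edge cache is a simplified model, not CloudFront's code."""
import re
from email.utils import formatdate, parsedate_to_datetime


class OriginDown(Exception):
    """Raised by the origin callable when it cannot be reached (constructed for the demo)."""


def handle_conditional(request_headers, etag, last_modified_epoch, cache_control):
    """Origin logic: answer 304 when the client's validator still matches, else 200.
    Returns (status, response_headers). If-None-Match wins over If-Modified-Since (RFC 7232)."""
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    resp = {"ETag": etag,
            "Last-Modified": formatdate(last_modified_epoch, usegmt=True),
            "Cache-Control": cache_control}
    inm = hdrs.get("if-none-match")
    if inm is not None:
        tags = [t.strip() for t in inm.split(",")]
        return (304 if "*" in tags or etag in tags else 200), resp
    ims = hdrs.get("if-modified-since")
    if ims:
        try:
            since = parsedate_to_datetime(ims).timestamp()
        except (TypeError, ValueError):
            since = None            # unparsable date: treat as unconditional
        if since is not None and last_modified_epoch <= since:
            return 304, resp
    return 200, resp


def max_age(cache_control):
    """Shared-cache lifetime: s-maxage if present, else max-age, else 0."""
    m = (re.search(r"(?:^|,)\s*s-maxage=(\d+)", cache_control)
         or re.search(r"(?:^|,)\s*max-age=(\d+)", cache_control))
    return int(m.group(1)) if m else 0


class EdgeCache:
    """Minimal edge model. origin(path, conditional_headers) -> (status, headers, body)."""

    def __init__(self, origin):
        self.origin = origin
        self.entries = {}

    def get(self, path, now):
        """Return (body, result_type). Hit/Miss/RefreshHit mirror CloudFront's names;
        'Stale' marks an expired copy served because the origin raised OriginDown."""
        entry = self.entries.get(path)
        if entry and now < entry["expires"]:
            return entry["body"], "Hit"
        conditional = {"If-None-Match": entry["etag"]} if entry else {}
        try:
            status, headers, body = self.origin(path, conditional)
        except OriginDown:
            if entry:               # expired copy still in cache: better than an error page
                return entry["body"], "Stale"
            raise
        ttl = max_age(headers.get("Cache-Control", ""))
        if status == 304 and entry:
            entry["expires"] = now + ttl            # cheap refresh: no body transferred
            return entry["body"], "RefreshHit"
        self.entries[path] = {"body": body, "etag": headers["ETag"], "expires": now + ttl}
        return body, "Miss"


def demo_origin():
    """Constructed origin serving one object with a 5-second TTL; state['down'] simulates an outage."""
    state = {"down": False}

    def origin(path, conditional_headers):
        if state["down"]:
            raise OriginDown()
        status, headers = handle_conditional(conditional_headers, '"v1"', 1700000000, "max-age=5")
        return status, headers, (b"" if status == 304 else b"weather: sunny")

    return origin, state


if __name__ == "__main__":
    origin, state = demo_origin()
    cache = EdgeCache(origin)
    for t in (100, 103, 106):
        print(t, cache.get("/weather", now=t))
    state["down"] = True
    print(120, cache.get("/weather", now=120))   # origin down, expired copy served
```

A five-second TTL on an object requested hundreds of times a second means the origin sees one request per five seconds, and most of those are 304s with no body.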

Page 19

Cache Everything Possible …Cont’d

Top 50 objects: CloudFront Popular Objects Report

Find content that can be cached for any period of time: hours, minutes or seconds

Page 20

#8. Use Multiple Cache Behaviors

ONLY forward required headers
• Example: don’t forward cookies for /images

Avoid forwarding the User-Agent header
• Instead use the Is-Mobile-Viewer, Is-Tablet-Viewer, Is-Desktop-Viewer, or Is-SmartTV-Viewer header values

Avoid forwarding ALL cookies
• Instead, forward only the select cookies that you use to vary your content
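Why these rules matter is easiest to see from the cache key. The following added example (not code from the webcast) models how a behavior's forwarding settings extend the key beyond the path, then counts how many distinct copies of one image four constructed viewers force the edge to fetch: forwarding User-Agent or every cookie yields one copy per viewer, while the CloudFront-Is-Mobile-Viewer / CloudFront-Is-Desktop-Viewer headers (the real names behind the slide's shorthand) plus one whitelisted cookie collapse that to a handful. The behaviors and requests are constructed, and the Is-*-Viewer values are filled in by hand where CloudFront would add them.

```python
"""Show how a cache behavior's forwarding settings shape the cache key, and hence how many
variants of one object the edge must fetch. Added example; the CloudFront-Is-*-Viewer
headers are the real header names, but the requests and behaviors are constructed."""
from urllib.parse import parse_qsl, urlencode


def cache_key(behavior: dict, request: dict) -> str:
    """Cache key a request gets under a behavior: the path, plus whatever is forwarded."""
    parts = [request["path"]]
    if behavior.get("query_string"):
        qs = sorted(parse_qsl(request.get("query", ""), keep_blank_values=True))
        parts.append("?" + urlencode(qs))
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    mode = behavior.get("headers", "none")           # "none" | "all" | [whitelisted names]
    if mode == "all":
        names = sorted(headers)
    elif mode == "none":
        names = []
    else:
        names = sorted(n.lower() for n in mode)
    parts += [f"{n}={headers[n]}" for n in names if n in headers]
    cookies = request.get("cookies", {})
    mode = behavior.get("cookies", "none")           # same three modes
    if mode == "all":
        names = sorted(cookies)
    elif mode == "none":
        names = []
    else:
        names = sorted(mode)
    parts += [f"cookie:{n}={cookies[n]}" for n in names if n in cookies]
    return "|".join(parts)


def variants(behavior: dict, requests: list) -> set:
    """Distinct cache keys, i.e. distinct copies of the object the edge must fetch."""
    return {cache_key(behavior, r) for r in requests}


# Behaviors (assumed settings for the demo)
FORWARD_ALL = {"query_string": True, "headers": "all", "cookies": "all"}
FORWARD_USER_AGENT = {"headers": ["User-Agent"]}
DEVICE_AWARE = {"headers": ["CloudFront-Is-Mobile-Viewer", "CloudFront-Is-Desktop-Viewer"],
                "cookies": ["lang"]}
IMAGES_DEFAULT = {}      # forward nothing: one copy of /images/logo.png serves everyone


def sample_requests() -> list:
    """Four constructed viewers fetching the same image. The CloudFront-Is-*-Viewer values
    are what CloudFront would add after device detection; here they are filled in by hand."""
    def req(ua, mobile, session, lang):
        return {"path": "/images/logo.png", "query": "",
                "headers": {"User-Agent": ua,
                            "CloudFront-Is-Mobile-Viewer": "true" if mobile else "false",
                            "CloudFront-Is-Desktop-Viewer": "false" if mobile else "true"},
                "cookies": {"session": session, "lang": lang}}
    return [
        req("Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X)", True, "s1", "en"),
        req("Mozilla/5.0 (Linux; Android 5.0; Nexus 5)", True, "s2", "en"),
        req("Mozilla/5.0 (Windows NT 6.1) Chrome/41.0", False, "s3", "de"),
        req("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10) Firefox/36.0", False, "s4", "en"),
    ]


if __name__ == "__main__":
    reqs = sample_requests()
    for name, b in (("forward all", FORWARD_ALL), ("User-Agent", FORWARD_USER_AGENT),
                    ("device headers + lang", DEVICE_AWARE), ("defaults", IMAGES_DEFAULT)):
        print(f"{name:22} {len(variants(b, reqs))} copies of /images/logo.png")
```

Every extra forwarded value is a multiplier on the number of copies, each of which must miss once and each of which occupies edge storage; a per-user session cookie in the key turns a cacheable object into one that is effectively never shared.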

Page 21

Streaming Media

Page 22

What is Streaming Media?

Live Streaming (e.g. a concert)

On Demand Streaming (e.g. a recent movie)

Audio Streaming (e.g. podcasts or music)

Typically involves delivering the manifest file, media files, and player

Page 23

#9. Set The Right TTLs

Manifest File
• Set Low TTL (e.g. 2 seconds)

Media Files
• High TTLs (e.g. 60 seconds)

Media Player
• Static: Store in Amazon S3 and distribute via CloudFront
• Set High TTL (e.g. 24 hours)

Page 24

#10. Use HTTP Based Streaming Protocols

Use CloudFront Web distributions to deliver multi-bitrate streaming

Use CloudFront with media servers running on Amazon EC2 for live streaming (for high-availability and flexibility)

Use Fragmented streaming formats such as Smooth Streaming (native support in CloudFront), HLS, etc.

Don’t forward any headers, cookies, query strings

Use Signed Cookies instead of Signed URLs

Page 25

Availability Best Practices

Page 26

#11. Use Monitoring, Alarming & Notifications

Near Real-Time Monitoring & Alarming via CloudWatch

Six Metrics Available

• Requests, Bytes Downloaded, Bytes Uploaded, 4xx Error Rate, 5xx Error Rate, Total Error Rate

• No additional cost for Monitoring

• Set Alarms and Notifications

Page 27

#12. Always Configure Custom Error Pages

Custom error pages help improve customer experience

Deliver error pages from Amazon S3

Set low error caching minimum TTL (e.g. 15 seconds)

Page 28

#13. Design for Failure

What happens if the origin fails to respond to CloudFront?

[Diagram: CloudFront in front of an origin in a Region]

Page 29

Design for Failure …Cont’d

With Amazon Route 53 you can health check your origin

[Diagram: Route 53 health checks against origin instances in a Region]

Page 30

Design for Failure …Cont’d

Failures can be detected by Route 53 health checks

[Diagram: Route 53 health checks detect a failed origin instance; CloudFront in front]

Page 31

Design for Failure …Cont’d

The traffic shifts to the healthy instances or load balancers instead

[Diagram: Route 53 health checks route CloudFront traffic to the healthy instances]

Page 32

#14. More Caching = Higher Availability

Cache everything possible!

If your origin server is unavailable and you don’t have a backup origin server, or you don’t configure custom error pages…

CloudFront will automatically serve the stale object (if object is in cache), for the duration of error caching minimum TTL

Page 33

Security Best Practices

Page 34

#15. Use End-to-End HTTPS

CloudFront supports HTTPS between browser and edge, as well as between edge and origin

Set match-viewer for your Origin protocol policy

Configure HTTP to HTTPS redirect for each cache behavior

[Diagram: Browser to Edge to Origin, full-bridge HTTPS]
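The settings behind #2 (Origin Access Identity), #8 (forward only what you need) and #15 (end-to-end HTTPS) are all visible in a distribution's configuration, so they can be checked mechanically. The following added example (not code from the webcast or from AWS) lints a configuration dict shaped like the DistributionConfig structure the CloudFront API returns, and separately flags an S3 bucket policy that still grants read access to everyone, which is what makes an OAI pointless. The sample configuration, bucket policy, origin ids, domain names and the OAI id are constructed placeholders.

```python
"""Lint a distribution configuration for the access-control and HTTPS settings behind
#2 (Origin Access Identity), #8 (forward only what you need) and #15 (end-to-end HTTPS).
Added example; the dict mirrors the DistributionConfig structure returned by the
CloudFront API, and the sample config, bucket policy and OAI id are constructed."""


def lint_distribution(config: dict) -> list:
    """Return human-readable findings; an empty list means the checked settings are sound."""
    findings = []
    for origin in config["Origins"]["Items"]:
        oid = origin["Id"]
        if "S3OriginConfig" in origin and not origin["S3OriginConfig"].get("OriginAccessIdentity"):
            findings.append(f"origin {oid}: S3 origin without Origin Access Identity, bucket URLs stay usable (#2)")
        if "CustomOriginConfig" in origin:
            policy = origin["CustomOriginConfig"].get("OriginProtocolPolicy")
            if policy not in ("match-viewer", "https-only"):
                findings.append(f"origin {oid}: OriginProtocolPolicy {policy!r}, edge-to-origin hop is plaintext (#15)")
    behaviors = [("default", config["DefaultCacheBehavior"])]
    behaviors += [(b["PathPattern"], b) for b in config.get("CacheBehaviors", {}).get("Items", [])]
    for name, b in behaviors:
        if b.get("ViewerProtocolPolicy") not in ("redirect-to-https", "https-only"):
            findings.append(f"behavior {name}: ViewerProtocolPolicy allows plain HTTP, set redirect-to-https (#15)")
        fwd = b.get("ForwardedValues", {})
        if fwd.get("Cookies", {}).get("Forward") == "all":
            findings.append(f"behavior {name}: forwards all cookies, whitelist only those that vary content (#8)")
        hdrs = [h.lower() for h in fwd.get("Headers", {}).get("Items", [])]
        if "*" in hdrs or "user-agent" in hdrs:
            findings.append(f"behavior {name}: forwards User-Agent/all headers, use CloudFront-Is-*-Viewer instead (#8)")
    return findings


def lint_bucket_policy(policy: dict) -> list:
    """Flag Allow statements open to everyone; with an OAI only its principal should read."""
    findings = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if anyone and st.get("Effect") == "Allow":
            findings.append(f"statement {st.get('Sid', '?')}: grants {st.get('Action')} to everyone (#2)")
    return findings


SAMPLE_CONFIG = {   # constructed; ids and domain names are placeholders
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "s3-assets", "DomainName": "example-assets.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
        {"Id": "web-app", "DomainName": "app.example.com",
         "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "http-only"}},
    ]},
    "DefaultCacheBehavior": {
        "TargetOriginId": "web-app", "ViewerProtocolPolicy": "allow-all",
        "ForwardedValues": {"QueryString": True, "Cookies": {"Forward": "all"},
                            "Headers": {"Quantity": 1, "Items": ["User-Agent"]}}},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/images/*", "TargetOriginId": "s3-assets",
         "ViewerProtocolPolicy": "redirect-to-https",
         "ForwardedValues": {"QueryString": False, "Cookies": {"Forward": "none"},
                             "Headers": {"Quantity": 0, "Items": []}}},
    ]},
}

SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [   # constructed
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
    {"Sid": "OAIRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
]}

if __name__ == "__main__":
    for finding in lint_distribution(SAMPLE_CONFIG) + lint_bucket_policy(SAMPLE_BUCKET_POLICY):
        print(finding)
```

Run against the output of the CloudFront GetDistributionConfig call and the bucket's GetBucketPolicy result, this is a cheap pre-deployment gate; the /images/* behavior in the sample shows the shape a clean behavior takes.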

Page 35

#16. Use AWS IAM and AWS CloudTrail

Create IAM users to regulate access to the Amazon CloudFront APIs (or console)

Use AWS CloudTrail to record CloudFront API call history for security analysis, resource change tracking, and compliance auditing

No additional CloudFront cost for using these services

Page 36

Performance & Cost Best Practices

Page 37

#17. Multiple Options to Optimize SSL Costs

Use the *.cloudfront.net SSL certificate

Two options for Custom SSL: SNI vs. Dedicated IP

Use CloudFront Reports to identify Browser/OS Version

Seamlessly switch between SSL Options

Page 38

Optimizing SSL Costs …Cont’d

SSL certificate pricing is per IAM certificate ID

You may associate a single SSL certificate with multiple distributions under the same AWS account

If you have multiple second level domains that you serve over SSL, use a single UCC certificate with all domains listed

For multiple third level domains served over SSL, use a wildcard certificate

Page 39

#18. Use Price Classes to Optimize Delivery Costs

Price Class

• Price Class All – Use All Edge Locations

• Price Class 200 – Use Edge Locations in US, EU, Asia & Japan

• Price Class 100 – Use Edge Locations in US and EU ONLY

Use the more appropriate Price Class where applicable

• If your end users are primarily in the US & EU

• Use the viewer location report to determine viewer geo distribution

• Switching between Price Classes is seamless

Page 40

#19. Domain Sharding

Most browsers open a limited number of parallel connections to the same domain

Shard assets over multiple domains; however it’s a balancing act

Use multiple CNAME aliases to serve content from a CloudFront distribution

Use CloudFront Wildcard CNAMEs & Use Wildcard SSL Certificate

Page 41

#20. Use Route 53 ALIAS Records

Use Amazon Route 53 to route queries to your CloudFront distribution

Why use Route 53 ALIAS records?

• DNS queries to ALIAS records are free of charge

• Unlike CNAMEs, you can create an ALIAS record for your zone apex

• Using an ALIAS record results in fewer DNS lookups when resolving your CNAME to your CloudFront distribution

Page 42

Analytics Best Practices

Page 43

#21. Use Reports to Personalize Your Content

Geo-targeting to personalize content for your end users

How can you do that?

• Viewer reports show top countries

• Use CloudFront to detect & forward end users’ country code

Page 44

#22. Turn-On Amazon CloudFront Access Logs

No additional cost for Amazon CloudFront’s logging functionality

Run additional analytics for deep dive into your usage

Request IDs included in the logs can help when working with AWS to debug an issue

Cookies & query strings may be logged even if you choose not to forward these to the origin
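The access log is where the figures from several earlier slides come from, and the last bullet above is a handling caveat: cookies and query strings land in the log whether or not the behavior forwarded them. The following added example (not code from the webcast) parses the tab-separated web-distribution log using the `#Fields:` header for column names, derives the six CloudWatch metric figures from #11, the popular-objects list from #7, a cache-hit ratio, and a list of request ids whose records carry client data; a small threshold check stands in for the CloudWatch alarm. The log lines are constructed, with a placeholder distribution domain and request ids.

```python
"""Parse CloudFront access-log lines (tab-separated, field order given by the '#Fields:'
header) and derive the figures the webcast points at: the CloudWatch-style request and
error-rate metrics (#11), the popular-objects list (#7) and the records that carry
query strings or cookies (#22). Added example; the log lines are constructed."""
from collections import Counter
from typing import Dict, List

HOST = "d111111abcdef8.cloudfront.net"   # placeholder distribution domain
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status "
    "cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id "
    "x-host-header cs-protocol cs-bytes time-taken",
    "\t".join(["2015-03-17", "10:00:01", "IAD53", "2048", "203.0.113.10", "GET", HOST, "/images/logo.png",
               "200", "-", "Mozilla/5.0", "-", "-", "Hit", "req-0001", "www.example.com", "https", "310", "0.002"]),
    "\t".join(["2015-03-17", "10:00:02", "IAD53", "5120", "203.0.113.11", "GET", HOST, "/index.php",
               "200", "-", "Mozilla/5.0", "q=shoes", "session=abc123", "Miss", "req-0002", HOST, "https", "420", "0.180"]),
    "\t".join(["2015-03-17", "10:00:03", "FRA2", "2048", "198.51.100.7", "GET", HOST, "/images/logo.png",
               "200", "-", "Mozilla/5.0", "-", "-", "RefreshHit", "req-0003", HOST, "https", "300", "0.010"]),
    "\t".join(["2015-03-17", "10:00:04", "FRA2", "512", "198.51.100.8", "GET", HOST, "/api/weather",
               "503", "-", "Mozilla/5.0", "-", "-", "Error", "req-0004", HOST, "https", "280", "0.950"]),
    "\t".join(["2015-03-17", "10:00:05", "NRT12", "400", "192.0.2.5", "GET", HOST, "/missing.css",
               "404", "-", "Mozilla/5.0", "-", "-", "Error", "req-0005", HOST, "http", "250", "0.004"]),
    "\t".join(["2015-03-17", "10:00:06", "NRT12", "900", "192.0.2.6", "GET", HOST, "/video/manifest.m3u8",
               "200", "-", "Mozilla/5.0", "-", "CloudFront-Key-Pair-Id=APKAEXAMPLE", "Miss", "req-0006", HOST, "https", "330", "0.040"]),
])


def parse_log(text: str) -> List[Dict[str, str]]:
    """Map each record to the column names announced by the '#Fields:' line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is not None:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line[:60]}")
            records.append(dict(zip(fields, values)))
    return records


def metrics(records: List[Dict[str, str]]) -> dict:
    """The six CloudWatch metrics for CloudFront, computed from the log (rates in percent)."""
    total = len(records)
    c4 = sum(1 for r in records if r["sc-status"].startswith("4"))
    c5 = sum(1 for r in records if r["sc-status"].startswith("5"))
    pct = (lambda n: 100.0 * n / total) if total else (lambda n: 0.0)
    return {"Requests": total,
            "BytesDownloaded": sum(int(r["sc-bytes"]) for r in records),
            "BytesUploaded": sum(int(r["cs-bytes"]) for r in records),
            "4xxErrorRate": pct(c4), "5xxErrorRate": pct(c5), "TotalErrorRate": pct(c4 + c5)}


def alarm(m: dict, threshold_pct: float = 5.0) -> list:
    """Rates above the threshold; a CloudWatch alarm on these metrics does this server-side."""
    return [k for k in ("4xxErrorRate", "5xxErrorRate", "TotalErrorRate") if m[k] > threshold_pct]


def top_objects(records: List[Dict[str, str]], n: int = 50) -> list:
    """Most requested paths, the same view as the Popular Objects Report."""
    return Counter(r["cs-uri-stem"] for r in records).most_common(n)


def cache_hit_ratio(records: List[Dict[str, str]]) -> float:
    hits = sum(1 for r in records if r["x-edge-result-type"] in ("Hit", "RefreshHit"))
    return hits / len(records) if records else 0.0


def records_with_client_data(records: List[Dict[str, str]]) -> list:
    """Request ids whose records carry a query string or cookies: they are in the log even
    when the behavior never forwarded them, so the log bucket deserves the same access
    controls as the data it may contain."""
    return [r["x-edge-request-id"] for r in records
            if r["cs-uri-query"] != "-" or r["cs(Cookie)"] != "-"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    m = metrics(recs)
    print(m, "alarm:", alarm(m))
    print("top objects:", top_objects(recs, 3), "hit ratio:", round(cache_hit_ratio(recs), 2))
    print("records with cookies/query strings:", records_with_client_data(recs))
```

Driving the parser from the `#Fields:` line rather than hard-coded positions keeps it working when a newer log version appends columns; the request id column is the one to quote when raising a case with AWS.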

Page 45

Join our Monthly Office Hour series

Register Here: http://aws.amazon.com/cloudfront/webinars/

Topic / Date & Time

March CloudFront Office Hours (Streaming) / 3/26/2015 10AM PT

April CloudFront Office Hours (Topic TBD) / 4/15/2015 10AM PT

May CloudFront Office Hours (Topic TBD) / 5/20/2015 10AM PT

June CloudFront Office Hours (Topic TBD) / 6/17/2015 10AM PT

Q & A
