© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 7:20 am on Nov 21 Using cdk-remote-stack and AWS Edge Networking Services for cross-regional applications

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Yoshinori Fujiwara Amazon Web Services Japan, Osaka Snr. Solutions Architect Country: Japan UserGroup: JAWS-UG Okayama AWS Samurai 2012 My Favorite AWS Services: - Amazon CloudFront - AWS CDK - AWS Support

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Asia Pacific (Osaka) Region, Open to all on March 2021, is the second AWS Region in Japan.

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. You can build a cross-regional application with Osaka Region as the primary region!

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Table • AWS Edge Networking Services • Cross-regional application use case • Cross-regional application considerations • Why use cdk-remote-stack?

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Edge Networking Services

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Edge Networking Services AWS edge networking services transmit your user-facing data securely and with improved latency worldwide at AWS’ global edge locations. AWS Shield Amazon Route 53 Amazon CloudFront AWS WAF Amazon EC2 Amazon VPC Amazon RDS Amazon Simple Storage Service (S3) AWS Global Accelerator Edge Locations AWS Region

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon CloudFront Client Amazon CloudFront 1. Request HTTP 2. Request HTTP 3. Getting contents 5. Getting contents 4. Cached contents 6. Request HTTP 7. Getting contents • Reduce latency by delivering data through 275+ globally dispersed points of presence (PoPs) with automated network mapping and intelligent routing. • Improved origin fetches and dynamic content acceleration. • Offers programmable and secure edge CDN computing capabilities through CloudFront Functions and AWS Lambda@Edge. Origin Server (AWS Region) Client Distance from Improved response Closer Far load reduction Accelerated Fast, highly secure and programmable content delivery network (CDN) As of 11/21/2021

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross-regional application use case

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Origin Group Example of cross-regional application Users Tokyo Region (Secondary Origin) Edge Locations Amazon CloudWatch Synthetics Osaka Region (Primary Origin)

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • You create an origin group with two origins: a primary and a secondary. • You can choose any combination of the following status codes: 403, 404, 500, 502, 503, or 504. When CloudFront receives a response with one of the status codes that you specify, it fails over to the secondary origin. • Origin failover is also possible for Lambda@Edge functions and custom error pages. Optimizing high availability with CloudFront origin failover with CloudFront Origin group

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Cloud Development Kit (CDK) Your language Just classes and methods AutoComplete Inline documentation Sane defaults Reusable classes DEV PREVIEW

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Paradigm Shift AWS CloudFormation CDK App Source Code Stack A Template A Template B AWS CloudFormation Stack B Parameterized Template Stack 1 Stack 2 CloudFormation Parameters and intrinsic functions CDK Typed OO language: loops, conditions, inheritence, etc

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Origin Group Creating a cross-regional stack using AWS CDK Users Edge Locations Tokyo Region (Secondary Origin) Amazon CloudWatch Synthetics Osaka Region (Primary Origin) OsakaOriginStack ap-northeast-3 CloudFrontStack us-east-1 SyntheticsStack us-west-2 TokyoOriginStack ap-northeast-1 ParameterStack ap-northeast-3

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CloudFront related resources must be created in US East (N. Virginia) Region, us-east-1 • AWS WAFv2 WebACL: For CLOUDFRONT, you must create your WAFv2 resources in the US East (N. Virginia) Region, us-east-1. • https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws- resource-wafv2-webacl.html#aws-resource-wafv2-webacl-properties • Lambda@Edge: The Lambda function must be in the US East (N. Virginia) Region, us-east-1. • https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/edge- functions-restrictions.html#lambda-at-edge-function-restrictions

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross-regional application considerations

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Origin Group Add dependencies between stacks Users Edge Locations Tokyo Region (Secondary Origin) Amazon CloudWatch Synthetics Osaka Region (Primary Origin) OsakaOriginStack ap-northeast-3 CloudFrontStack us-east-1 SyntheticsStack us-west-2 TokyoOriginStack ap-northeast-1 ParameterStack ap-northeast-3 1 2 2 3 4

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. stack.addDependency(stack) // Osaka Parameter resources const parameterStack = new ParameterStack(app, 'ParameterStack', { env: {region: parameterRegion}, appName: appName, parameterPath: parameterPath, }); // Osaka Origin resources const osakaOriginStack = new OriginStack(app, 'OsakaOriginStack', { env: {region: 'ap-northeast-3'}, appName: appName, parameterRegion: parameterRegion, parameterPath: parameterPath, hostedZoneId: process.env.CDK_HOSTED_ZONE_ID ?? "", hostedZoneName: process.env.CDK_HOSTED_ZONE_NAME ?? "", cpu: 512, memory: 1024 }); osakaOriginStack.addDependency(parameterStack); https://docs.aws.amazon.com/cdk/latest/guide/stacks.html#stack_api

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Origin Group Sharing ALB Domain Name Users Edge Locations Tokyo Region (Secondary Origin) Amazon CloudWatch Synthetics Osaka Region (Primary Origin) OsakaOriginStack ap-northeast-3 CloudFrontStack us-east-1 TokyoOriginStack ap-northeast-1

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Origin Group Sharing CloudFront Distribution Domain Name Users Edge Locations Tokyo Region (Secondary Origin) Amazon CloudWatch Synthetics Osaka Region (Primary Origin) CloudFrontStack us-east-1 SyntheticsStack us-west-2

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Origin Group Sharing x-pre-shared-key using AWS Systems Manager Parameter Store Users Edge Locations Tokyo Region (Secondary Origin) Amazon CloudWatch Synthetics Osaka Region (Primary Origin) OsakaOriginStack ap-northeast-3 CloudFrontStack us-east-1 TokyoOriginStack ap-northeast-1 ParameterStack ap-northeast-3

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Adding custom headers to origin requests • Configure your origin to accept requests which contains custom headers only. • ALB's custom rules also supports HTTP headers check capabilities. • Configure CloudFront to add custom headers which origin expects. • Then, you will be able to block malicious requests which try to bypass CloudFront to access origin directly (prevents inappropriate route access). Controlling access to content CloudFront Edge Custom origin server Client Header restriction Client Direct access Adding custom headers 403

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why use cdk-remote-stack? https://github.com/pahud/cdk-remote-stack

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Accessing resources in a different stack using CDK You can access resources in a different stack, as long as they are in the same account and AWS Region. https://docs.aws.amazon.com/ja_jp/cdk/latest/guide/resources.html#resource_stack const prod = { account: '123456789012', region: 'us-east-1' }; const stack1 = new StackThatProvidesABucket(app, 'Stack1' , { env: prod }); // stack2 will take a property { bucket: IBucket } const stack2 = new StackThatExpectsABucket(app, 'Stack2', { bucket: stack1.bucket, env: prod });

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS CDK cross-regional cross- stack reference is not easy with the native AWS CDK construct library. https://github.com/pahud/cdk-remote-stack

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. cdk-remote-stack cdk-remote-stack aims to simplify the cross-regional cross-stack reference to help you easily build cross-regional multi-stack AWS CDK apps. This construct library provides two major constructs: • RemoteOutputs - cross regional stack outputs reference. • RemoteParameters - cross regional/account SSM parameters reference. https://github.com/pahud/cdk-remote-stack

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. RemoteOutputs uging cdk-remote-stack OsakaOriginStack in ap-northeast-3 CloudFrontStack in us-east-1 // Output ApplicationLoadBalancer DNS Name new cdk.CfnOutput(this, "AlbDomainName", { value: domainName }); // RemoteOutputs const primaryOriginStackOutputs = new RemoteOutputs(this, 'PrimaryOriginStackOutputs', { stack: props.primaryOriginStack, alwaysUpdate: false }); const primaryAlbDomainName = primaryOriginStackOutputs.get('AlbDomainName'); Example of referencing OsakaOriginStack's ALB Domain Name from N.Virginia's CloudFrontStack

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. RemoteParameters using cdk-remote-stack • Stacks from single account and different regions • Stacks from different accounts and different regions • dedicated account for a centralized parameter store https://github.com/pahud/cdk-remote-stack

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. RemoteParameters using cdk-remote-stack ParameterStack in ap-northeast-3 CloudFrontStack in us-east-1 // set SSM Parameter new ssm.StringParameter(this, 'SSMCFSecretKey', { parameterName: `${props.parameterPath}/${cFCustomHeaderKeyName}`, stringValue: secretManagerCFSecretKey.secretValueFromJson(cFCustomHeaderKeyName).toString(), }); Example of referencing Osaka’s ParameterStack from N.Virginia's CloudFrontStack // RemoteParameters const parameters = new RemoteParameters(this, 'Parameters', { path: props.parameterPath, region: props.parameterRegion }); const cFCustomHeaderKeyName = 'x-pre-shared-key'; const cFCustomHeaderKeyValue = parameters.get(`${props.parameterPath}/${cFCustomHeaderKeyName}`);

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Key Takeaways

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Key Takeaways • RemoteOutputs and RemoteParameter in cdk-remote-stack make it simple to build cross-regional applications using AWS Edge Networking Services such as CloudFront. • You can build a cross-regional application with Osaka Region as the primary region!

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. THANK YOU!