Slide 1

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Using cdk-remote-stack and AWS Edge Networking Services for cross-regional applications
7:20 am on Nov 21

Slide 2

Yoshinori Fujiwara
Amazon Web Services Japan, Osaka
Snr. Solutions Architect
Country: Japan
UserGroup: JAWS-UG Okayama
AWS Samurai 2012
My Favorite AWS Services:
- Amazon CloudFront
- AWS CDK
- AWS Support

Slide 3

AWS Asia Pacific (Osaka) Region, open to all since March 2021, is the second AWS Region in Japan.

Slide 4

You can build a cross-regional application with Osaka Region as the primary region!

Slide 5

Table of contents
• AWS Edge Networking Services
• Cross-regional application use case
• Cross-regional application considerations
• Why use cdk-remote-stack?

Slide 6

AWS Edge Networking Services

Slide 7

AWS Edge Networking Services

AWS edge networking services transmit your user-facing data securely and with improved latency worldwide at AWS' global edge locations.

[Diagram: Edge Locations (AWS Shield, Amazon Route 53, Amazon CloudFront, AWS WAF, AWS Global Accelerator) in front of an AWS Region (Amazon EC2, Amazon VPC, Amazon RDS, Amazon Simple Storage Service (S3))]

Slide 8

Amazon CloudFront: fast, highly secure and programmable content delivery network (CDN)

• Reduce latency by delivering data through 275+ globally dispersed points of presence (PoPs) with automated network mapping and intelligent routing (as of 11/21/2021).
• Improved origin fetches and dynamic content acceleration.
• Offers programmable and secure edge CDN computing capabilities through CloudFront Functions and AWS Lambda@Edge.

[Diagram: Client -> Amazon CloudFront -> Origin Server (AWS Region). 1. Request HTTP, 2. Request HTTP, 3. Getting contents, 4. Cached contents, 5. Getting contents, 6. Request HTTP, 7. Getting contents. The client is closer to the edge than to the far origin: improved response, accelerated delivery, origin load reduction.]

Slide 9

Cross-regional application use case

Slide 10

Example of cross-regional application

[Diagram: Users -> Edge Locations (Origin Group) -> Osaka Region (Primary Origin) and Tokyo Region (Secondary Origin), monitored by Amazon CloudWatch Synthetics]

Slide 11

Optimizing high availability with CloudFront origin failover with CloudFront Origin group

• You create an origin group with two origins: a primary and a secondary.
• You can choose any combination of the following status codes: 403, 404, 500, 502, 503, or 504. When CloudFront receives a response with one of the status codes that you specify, it fails over to the secondary origin.
• Origin failover is also possible for Lambda@Edge functions and custom error pages.
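The following is an added example (not code from the deck or from AWS) that models the origin group decision described above in TypeScript: the primary origin is tried first and the secondary is used only on a connection failure or on one of the configured status codes. The origins, paths and responses are constructed stand-ins.

```typescript
// Constructed model of a CloudFront origin group's failover decision (added
// example, not AWS code). Origins are stand-ins: functions that return a status
// code or throw on a connection failure; real origin fetches are asynchronous.
type OriginResponse = { status: number; body: string };
type Origin = (path: string) => OriginResponse;
type Served = OriginResponse & { servedBy: 'primary' | 'secondary' };

// Any combination of these codes may be chosen as failover criteria.
const ALLOWED_FAILOVER_CODES = new Set([403, 404, 500, 502, 503, 504]);

function originGroupConfig(codes: number[]): Set<number> {
  const bad = codes.filter((c) => !ALLOWED_FAILOVER_CODES.has(c));
  if (bad.length) throw new Error(`unsupported failover status codes: ${bad.join(', ')}`);
  return new Set(codes);
}

// Route to the primary first; use the secondary only when the primary cannot be
// reached or answers with a configured failover code. Every other response,
// e.g. a 401 from the primary, is passed through so failover never masks an
// access-control decision made by the primary.
function fetchWithFailover(failoverCodes: Set<number>, primary: Origin, secondary: Origin, path: string): Served {
  let res: OriginResponse | undefined;
  try {
    res = primary(path);
  } catch {
    // connection error: fall through to the secondary origin
  }
  if (res !== undefined && !failoverCodes.has(res.status)) {
    return { ...res, servedBy: 'primary' };
  }
  return { ...secondary(path), servedBy: 'secondary' };
}

// Constructed origins: Osaka (primary) is overloaded on /api only; Tokyo (secondary) is healthy.
const osakaOrigin: Origin = (p) =>
  p === '/api' ? { status: 503, body: 'osaka: overloaded' } : { status: 200, body: `osaka: ${p}` };
const tokyoOrigin: Origin = (p) => ({ status: 200, body: `tokyo: ${p}` });
const failoverCodes = originGroupConfig([500, 502, 503, 504]);
```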

Slide 12

AWS Cloud Development Kit (CDK)

• Your language
• Just classes and methods
• AutoComplete
• Inline documentation
• Sane defaults
• Reusable classes

(DEV PREVIEW)

Slide 13

Paradigm Shift

[Diagram]
AWS CloudFormation: Parameterized Template -> Stack 1, Stack 2 (CloudFormation parameters and intrinsic functions)
CDK: CDK App Source Code -> Template A -> Stack A, Template B -> Stack B, via AWS CloudFormation (typed OO language: loops, conditions, inheritance, etc.)

Slide 14

Creating a cross-regional stack using AWS CDK

[Diagram: Users -> Edge Locations (Origin Group) -> Osaka Region (Primary Origin) and Tokyo Region (Secondary Origin), monitored by Amazon CloudWatch Synthetics]

Stacks and their regions:
• ParameterStack: ap-northeast-3
• OsakaOriginStack: ap-northeast-3
• TokyoOriginStack: ap-northeast-1
• CloudFrontStack: us-east-1
• SyntheticsStack: us-west-2

Slide 15

CloudFront related resources must be created in US East (N. Virginia) Region, us-east-1

• AWS WAFv2 WebACL: For CLOUDFRONT, you must create your WAFv2 resources in the US East (N. Virginia) Region, us-east-1.
  https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html#aws-resource-wafv2-webacl-properties
• Lambda@Edge: The Lambda function must be in the US East (N. Virginia) Region, us-east-1.
  https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/edge-functions-restrictions.html#lambda-at-edge-function-restrictions

Slide 16

Cross-regional application considerations

Slide 17

Add dependencies between stacks

[Diagram: Users -> Edge Locations (Origin Group) -> Osaka Region (Primary Origin) and Tokyo Region (Secondary Origin), monitored by Amazon CloudWatch Synthetics. Stacks: ParameterStack (ap-northeast-3), OsakaOriginStack (ap-northeast-3), TokyoOriginStack (ap-northeast-1), CloudFrontStack (us-east-1), SyntheticsStack (us-west-2), with deployment order numbers 1, 2, 2, 3, 4 drawn on the dependency arrows]

Slide 18

stack.addDependency(stack)

    // Osaka Parameter resources
    const parameterStack = new ParameterStack(app, 'ParameterStack', {
      env: { region: parameterRegion },
      appName: appName,
      parameterPath: parameterPath,
    });

    // Osaka Origin resources
    const osakaOriginStack = new OriginStack(app, 'OsakaOriginStack', {
      env: { region: 'ap-northeast-3' },
      appName: appName,
      parameterRegion: parameterRegion,
      parameterPath: parameterPath,
      hostedZoneId: process.env.CDK_HOSTED_ZONE_ID ?? "",
      hostedZoneName: process.env.CDK_HOSTED_ZONE_NAME ?? "",
      cpu: 512,
      memory: 1024
    });

    // Deploy the origin stack only after the parameter stack it reads from
    osakaOriginStack.addDependency(parameterStack);

https://docs.aws.amazon.com/cdk/latest/guide/stacks.html#stack_api

Slide 19

Sharing ALB Domain Name

[Diagram: Users -> Edge Locations (Origin Group) -> Osaka Region (Primary Origin) and Tokyo Region (Secondary Origin), monitored by Amazon CloudWatch Synthetics. Stacks involved: OsakaOriginStack (ap-northeast-3), TokyoOriginStack (ap-northeast-1), CloudFrontStack (us-east-1)]

Slide 20

Sharing CloudFront Distribution Domain Name

[Diagram: Users -> Edge Locations (Origin Group) -> Osaka Region (Primary Origin) and Tokyo Region (Secondary Origin), monitored by Amazon CloudWatch Synthetics. Stacks involved: CloudFrontStack (us-east-1), SyntheticsStack (us-west-2)]

Slide 21

Sharing x-pre-shared-key using AWS Systems Manager Parameter Store

[Diagram: Users -> Edge Locations (Origin Group) -> Osaka Region (Primary Origin) and Tokyo Region (Secondary Origin), monitored by Amazon CloudWatch Synthetics. Stacks involved: ParameterStack (ap-northeast-3), OsakaOriginStack (ap-northeast-3), TokyoOriginStack (ap-northeast-1), CloudFrontStack (us-east-1)]

Slide 22

Controlling access to content: adding custom headers to origin requests

• Configure your origin to accept only requests that contain the custom headers.
• ALB's custom rules also support HTTP header checks.
• Configure CloudFront to add the custom headers that the origin expects.
• Then you will be able to block malicious requests that try to bypass CloudFront and access the origin directly (prevents inappropriate route access).

[Diagram: Client -> CloudFront Edge (adding custom headers) -> Custom origin server (header restriction); a client attempting direct access to the origin receives 403]

Slide 23

Why use cdk-remote-stack?

https://github.com/pahud/cdk-remote-stack

Slide 24

Accessing resources in a different stack using CDK

You can access resources in a different stack, as long as they are in the same account and AWS Region.
https://docs.aws.amazon.com/ja_jp/cdk/latest/guide/resources.html#resource_stack

    const prod = { account: '123456789012', region: 'us-east-1' };
    const stack1 = new StackThatProvidesABucket(app, 'Stack1', { env: prod });

    // stack2 will take a property { bucket: IBucket }
    const stack2 = new StackThatExpectsABucket(app, 'Stack2', {
      bucket: stack1.bucket,
      env: prod
    });

Slide 25

AWS CDK cross-regional cross-stack reference is not easy with the native AWS CDK construct library.

https://github.com/pahud/cdk-remote-stack

Slide 26

cdk-remote-stack

cdk-remote-stack aims to simplify the cross-regional cross-stack reference to help you easily build cross-regional multi-stack AWS CDK apps. This construct library provides two major constructs:
• RemoteOutputs - cross regional stack outputs reference.
• RemoteParameters - cross regional/account SSM parameters reference.

https://github.com/pahud/cdk-remote-stack

Slide 27

RemoteOutputs using cdk-remote-stack

Example of referencing OsakaOriginStack's ALB Domain Name from N. Virginia's CloudFrontStack

OsakaOriginStack in ap-northeast-3:

    // Output ApplicationLoadBalancer DNS Name
    new cdk.CfnOutput(this, "AlbDomainName", { value: domainName });

CloudFrontStack in us-east-1:

    import { RemoteOutputs } from 'cdk-remote-stack';

    // RemoteOutputs: read the other region's stack outputs at deploy time
    const primaryOriginStackOutputs = new RemoteOutputs(this, 'PrimaryOriginStackOutputs', {
      stack: props.primaryOriginStack,
      alwaysUpdate: false
    });
    const primaryAlbDomainName = primaryOriginStackOutputs.get('AlbDomainName');

Slide 28

RemoteParameters using cdk-remote-stack

• Stacks from single account and different regions
• Stacks from different accounts and different regions
• Dedicated account for a centralized parameter store

https://github.com/pahud/cdk-remote-stack

Slide 29

RemoteParameters using cdk-remote-stack

Example of referencing Osaka's ParameterStack from N. Virginia's CloudFrontStack

ParameterStack in ap-northeast-3:

    // set SSM Parameter
    new ssm.StringParameter(this, 'SSMCFSecretKey', {
      parameterName: `${props.parameterPath}/${cFCustomHeaderKeyName}`,
      stringValue: secretManagerCFSecretKey.secretValueFromJson(cFCustomHeaderKeyName).toString(),
    });

CloudFrontStack in us-east-1:

    import { RemoteParameters } from 'cdk-remote-stack';

    // RemoteParameters: read the SSM parameters stored in another region
    const parameters = new RemoteParameters(this, 'Parameters', {
      path: props.parameterPath,
      region: props.parameterRegion
    });
    const cFCustomHeaderKeyName = 'x-pre-shared-key';
    const cFCustomHeaderKeyValue = parameters.get(`${props.parameterPath}/${cFCustomHeaderKeyName}`);
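Slide 22 restricts the origin to requests carrying the CloudFront custom header, and Slide 29 shares the x-pre-shared-key value through SSM Parameter Store. The following is an added example (not from the deck or the cdk-remote-stack project) of the origin-side check in Node/TypeScript; the header name comes from the deck, the expected key is a constructed placeholder that would normally be read from SSM, and the sample requests are constructed.

```typescript
import { timingSafeEqual } from 'crypto';
import { IncomingHttpHeaders } from 'http';

// Name of the custom header CloudFront adds to every origin request (from the deck).
const CF_CUSTOM_HEADER_NAME = 'x-pre-shared-key';

// Returns true only when the request carries exactly one x-pre-shared-key
// header whose value equals the expected secret. The comparison is
// constant-time so a client probing the origin directly learns nothing from
// response timing about how much of the value matched.
function isFromCloudFront(headers: IncomingHttpHeaders, expectedKey: string): boolean {
  const raw = headers[CF_CUSTOM_HEADER_NAME];
  // Node folds repeated headers into an array; treat that as malformed and reject.
  if (typeof raw !== 'string' || raw.length === 0) return false;
  const got = Buffer.from(raw, 'utf8');
  const want = Buffer.from(expectedKey, 'utf8');
  // timingSafeEqual throws on unequal lengths, so compare lengths first;
  // the length of the key is not treated as secret here.
  if (got.length !== want.length) return false;
  return timingSafeEqual(got, want);
}

// Status the origin answers with: 403 for direct access (as on Slide 22), 200 otherwise.
function originStatus(headers: IncomingHttpHeaders, expectedKey: string): number {
  return isFromCloudFront(headers, expectedKey) ? 200 : 403;
}

// Constructed values for illustration; the real key is the SSM parameter
// ${parameterPath}/x-pre-shared-key that the deck's CloudFrontStack reads.
const EXPECTED_KEY = 'example-pre-shared-key-value';
const viaCloudFront: IncomingHttpHeaders = { host: 'origin.example.com', 'x-pre-shared-key': EXPECTED_KEY };
const directAccess: IncomingHttpHeaders = { host: 'origin.example.com' };
const wrongKey: IncomingHttpHeaders = { host: 'origin.example.com', 'x-pre-shared-key': 'guess' };
```

In an ALB-fronted origin the same check can be expressed as a listener rule on the HTTP header, with a fixed 403 response as the default action.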

Slide 30

Key Takeaways

Slide 31

Key Takeaways

• RemoteOutputs and RemoteParameters in cdk-remote-stack make it simple to build cross-regional applications using AWS Edge Networking Services such as CloudFront.
• You can build a cross-regional application with Osaka Region as the primary region!

Slide 32

THANK YOU!