Using cdk-remote-stack and AWS Edge Networking Services for cross-regional applications

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
7:20 am on Nov 21
Using cdk-remote-stack and AWS Edge Networking
Services for cross-regional applications

View Slide

Yoshinori Fujiwara
Amazon Web Services Japan, Osaka
Snr. Solutions Architect
Country: Japan
UserGroup: JAWS-UG Okayama
AWS Samurai 2012
My Favorite AWS Services:
- Amazon CloudFront
- AWS CDK
- AWS Support

View Slide

AWS Asia Pacific (Osaka) Region,
Open to all on March 2021, is the
second AWS Region in Japan.

View Slide

You can build a cross-regional
application with Osaka Region
as the primary region!

View Slide

Table
• AWS Edge Networking Services
• Cross-regional application use case
• Cross-regional application considerations
• Why use cdk-remote-stack?

View Slide

AWS Edge Networking Services

View Slide

AWS Edge Networking Services
AWS edge networking services transmit your user-facing data securely and with
improved latency worldwide at AWS’ global edge locations.
AWS Shield
Amazon
Route 53
Amazon
CloudFront
AWS WAF
Amazon
EC2
Amazon
VPC
Amazon
RDS
Amazon Simple
Storage Service
(S3)
AWS
Global
Accelerator
Edge Locations AWS Region

View Slide

Amazon CloudFront
Client Amazon
CloudFront
1. Request HTTP
2. Request HTTP
3. Getting contents
5. Getting contents
4. Cached contents
6. Request HTTP
7. Getting contents
• Reduce latency by delivering data through 275+ globally dispersed points of presence (PoPs) with
automated network mapping and intelligent routing.
• Improved origin fetches and dynamic content acceleration.
• Offers programmable and secure edge CDN computing capabilities through CloudFront Functions
and AWS Lambda@Edge.
Origin Server
(AWS Region)
Client Distance
from
Improved response
Closer Far
load reduction
Accelerated
Fast, highly secure and programmable content delivery network (CDN)
As of 11/21/2021

View Slide

Cross-regional application
use case

View Slide

Origin Group
Example of cross-regional application
Users
Tokyo Region (Secondary Origin)
Edge Locations
Amazon
CloudWatch
Synthetics
Osaka Region (Primary Origin)

View Slide

• You create an origin group with two
origins: a primary and a secondary.
• You can choose any combination of the
following status codes: 403, 404, 500,
502, 503, or 504. When CloudFront
receives a response with one of the
status codes that you specify, it fails
over to the secondary origin.
• Origin failover is also possible for
Lambda@Edge functions and custom
error pages.
Optimizing high availability with CloudFront origin
failover with CloudFront Origin group

View Slide

AWS Cloud Development Kit (CDK)
Your language
Just classes and methods
AutoComplete
Inline documentation
Sane defaults
Reusable classes
DEV PREVIEW

View Slide

Paradigm Shift
AWS
CloudFormation
CDK App
Source Code
Stack
A
Template A
Template B
AWS
CloudFormation
Stack
B
Parameterized
Template
Stack
1
Stack
2
CloudFormation
Parameters and
intrinsic functions
CDK
Typed OO language:
loops, conditions,
inheritence, etc

View Slide

Origin Group
Creating a cross-regional stack using AWS CDK
Users
Edge Locations
Amazon
CloudWatch
Synthetics
OsakaOriginStack
ap-northeast-3
CloudFrontStack
us-east-1
SyntheticsStack
us-west-2
TokyoOriginStack
ap-northeast-1
ParameterStack
ap-northeast-3

View Slide

CloudFront related resources must be created in
US East (N. Virginia) Region, us-east-1
• AWS WAFv2 WebACL: For CLOUDFRONT, you must create your
WAFv2 resources in the US East (N. Virginia) Region, us-east-1.
• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-
resource-wafv2-webacl.html#aws-resource-wafv2-webacl-properties
• Lambda@Edge: The Lambda function must be in the US East
(N. Virginia) Region, us-east-1.
• https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/edge-
functions-restrictions.html#lambda-at-edge-function-restrictions

View Slide

Cross-regional application
considerations

View Slide

Origin Group
Add dependencies between stacks
Users
Edge Locations
Amazon
CloudWatch
Synthetics
OsakaOriginStack
ap-northeast-3
CloudFrontStack
us-east-1
SyntheticsStack
us-west-2
TokyoOriginStack
ap-northeast-1
ParameterStack
ap-northeast-3 1
2
2
3
4

View Slide

stack.addDependency(stack)
// Osaka Parameter resources
const parameterStack = new ParameterStack(app, 'ParameterStack', {
env: {region: parameterRegion},
appName: appName,
parameterPath: parameterPath,
});
// Osaka Origin resources
const osakaOriginStack = new OriginStack(app, 'OsakaOriginStack', {
env: {region: 'ap-northeast-3'},
appName: appName,
parameterRegion: parameterRegion,
parameterPath: parameterPath,
hostedZoneId: process.env.CDK_HOSTED_ZONE_ID ?? "",
hostedZoneName: process.env.CDK_HOSTED_ZONE_NAME ?? "",
cpu: 512,
memory: 1024
});
osakaOriginStack.addDependency(parameterStack);
https://docs.aws.amazon.com/cdk/latest/guide/stacks.html#stack_api

View Slide

Origin Group
Sharing ALB Domain Name
Users
Edge Locations
Amazon
CloudWatch
Synthetics
OsakaOriginStack
ap-northeast-3
CloudFrontStack
us-east-1
TokyoOriginStack
ap-northeast-1

View Slide

Origin Group
Sharing CloudFront Distribution Domain Name
Users
Edge Locations
Amazon
CloudWatch
Synthetics
CloudFrontStack
us-east-1
SyntheticsStack
us-west-2

View Slide

Origin Group
Sharing x-pre-shared-key using AWS Systems Manager
Parameter Store
Users
Edge Locations
Amazon
CloudWatch
Synthetics
OsakaOriginStack
ap-northeast-3
CloudFrontStack
us-east-1
TokyoOriginStack
ap-northeast-1
ParameterStack
ap-northeast-3

View Slide

Adding custom headers to origin requests
• Configure your origin to accept requests which contains custom
headers only.
• ALB's custom rules also supports HTTP headers check capabilities.
• Configure CloudFront to add custom headers which origin expects.
• Then, you will be able to block malicious requests which try to bypass
CloudFront to access origin directly (prevents inappropriate route
access).
Controlling access to content
CloudFront Edge
Custom origin server
Client
Header
restriction
Client
Direct
access
Adding custom headers
403

View Slide

Why use cdk-remote-stack?
https://github.com/pahud/cdk-remote-stack

View Slide

Accessing resources in a different stack using CDK
You can access resources in a different stack, as long as they are in the
same account and AWS Region.
https://docs.aws.amazon.com/ja_jp/cdk/latest/guide/resources.html#resource_stack
const prod = { account: '123456789012', region: 'us-east-1' };
const stack1 = new StackThatProvidesABucket(app, 'Stack1' , { env: prod });
// stack2 will take a property { bucket: IBucket }
const stack2 = new StackThatExpectsABucket(app, 'Stack2', {
bucket: stack1.bucket,
env: prod
});

View Slide

AWS CDK cross-regional cross-
stack reference is not easy with
the native AWS CDK construct
library.

View Slide

cdk-remote-stack
cdk-remote-stack aims to simplify the cross-regional cross-stack
reference to help you easily build cross-regional multi-stack AWS CDK
apps.
This construct library provides two major constructs:
• RemoteOutputs - cross regional stack outputs reference.
• RemoteParameters - cross regional/account SSM parameters
reference.

View Slide

RemoteOutputs uging cdk-remote-stack
OsakaOriginStack in ap-northeast-3
CloudFrontStack in us-east-1
// Output ApplicationLoadBalancer DNS Name
new cdk.CfnOutput(this, "AlbDomainName", {
value: domainName
});
// RemoteOutputs
const primaryOriginStackOutputs = new RemoteOutputs(this, 'PrimaryOriginStackOutputs', {
stack: props.primaryOriginStack,
alwaysUpdate: false
});
const primaryAlbDomainName = primaryOriginStackOutputs.get('AlbDomainName');
Example of referencing OsakaOriginStack's ALB Domain Name from
N.Virginia's CloudFrontStack

View Slide

RemoteParameters using cdk-remote-stack
• Stacks from single
account and different
regions
• Stacks from different
accounts and different
regions
• dedicated account for a
centralized parameter
store

View Slide

RemoteParameters using cdk-remote-stack
ParameterStack in ap-northeast-3
CloudFrontStack in us-east-1
// set SSM Parameter
new ssm.StringParameter(this, 'SSMCFSecretKey', {
parameterName: `${props.parameterPath}/${cFCustomHeaderKeyName}`,
stringValue:
secretManagerCFSecretKey.secretValueFromJson(cFCustomHeaderKeyName).toString(),
});
Example of referencing Osaka’s ParameterStack from N.Virginia's CloudFrontStack
// RemoteParameters
const parameters = new RemoteParameters(this, 'Parameters', {
path: props.parameterPath,
region: props.parameterRegion
});
const cFCustomHeaderKeyName = 'x-pre-shared-key';
const cFCustomHeaderKeyValue =
parameters.get(`${props.parameterPath}/${cFCustomHeaderKeyName}`);

View Slide

Key Takeaways

View Slide

Key Takeaways
• RemoteOutputs and RemoteParameter in cdk-remote-stack make
it simple to build cross-regional applications using AWS Edge
Networking Services such as CloudFront.
• You can build a cross-regional application with Osaka Region as the
primary region!

View Slide

THANK YOU!

View Slide

Using cdk-remote-stack and AWS Edge Networking Services for cross-regional applications

Using cdk-remote-stack and AWS Edge Networking Services for cross-regional applications

@twingo_b

More Decks by @twingo_b

Other Decks in Technology

Featured

Transcript