2021/11/21 JAWS PANKRATION 2021 ~Up till Down~
© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
7:20 am on Nov 21
Using cdk-remote-stack and AWS Edge Networking Services for cross-regional applications

Yoshinori Fujiwara
Amazon Web Services Japan, Osaka
Snr. Solutions Architect
Country: Japan
User Group: JAWS-UG Okayama
AWS Samurai 2012
My Favorite AWS Services:
- Amazon CloudFront
- AWS CDK
- AWS Support

The AWS Asia Pacific (Osaka) Region, opened to all customers in March 2021, is the second AWS Region in Japan.

You can build a cross-regional application with the Osaka Region as the primary region!

Table of contents
• AWS Edge Networking Services
• Cross-regional application use case
• Cross-regional application considerations
• Why use cdk-remote-stack?

AWS Edge Networking Services

AWS Edge Networking Services
AWS edge networking services transmit your user-facing data securely and with improved latency worldwide at AWS' global edge locations.
[Diagram: at the edge locations, AWS Shield, Amazon Route 53, Amazon CloudFront, AWS WAF and AWS Global Accelerator sit in front of Amazon EC2, Amazon VPC, Amazon RDS and Amazon Simple Storage Service (S3) running in an AWS Region]

Amazon CloudFront
Fast, highly secure and programmable content delivery network (CDN)
• Reduce latency by delivering data through 275+ globally dispersed points of presence (PoPs) with automated network mapping and intelligent routing (as of 11/21/2021).
• Improved origin fetches and dynamic content acceleration.
• Offers programmable and secure edge CDN computing capabilities through CloudFront Functions and AWS Lambda@Edge.
[Diagram: the client sends an HTTP request to CloudFront; on a cache miss CloudFront fetches the contents from the origin server in the AWS Region and caches them, so later requests for the same contents are served from the edge without contacting the origin. The farther the client is from the origin, the greater the response-time improvement and the origin load reduction]

Cross-regional application use case

Example of cross-regional application
[Diagram: users reach the application through the edge locations; a CloudFront origin group has the Osaka Region as the primary origin and the Tokyo Region as the secondary origin; Amazon CloudWatch Synthetics monitors the application]

Optimizing high availability with CloudFront origin failover (CloudFront origin groups)
• You create an origin group with two origins: a primary and a secondary.
• You can choose any combination of the status codes 403, 404, 500, 502, 503 and 504. When CloudFront receives a response from the primary origin with one of the status codes you specify, or when the connection to the primary origin fails or times out, it fails over to the secondary origin.
• CloudFront fails over only for viewer requests that use GET, HEAD or OPTIONS; requests with other methods (POST, PUT, and so on) are not re-sent to the secondary origin.
• Origin failover is also possible for Lambda@Edge functions and custom error pages.

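As an added example, not taken from the deck or from any AWS library, the failover rules above can be modelled in a few lines of TypeScript so they can be exercised offline: which primary results send a request on to the secondary origin, and which do not. The origin functions, request paths, status codes and the helper names (shouldFailover, fetchViaOriginGroup) are this example's own constructions; CloudFront itself, not this code, is the reference behaviour.

```typescript
// Added example (not from the slides): a model of CloudFront origin-group
// failover. The origin functions and request paths below are constructed
// for illustration only.

export type OriginResult =
  | { kind: "response"; status: number; body: string }
  | { kind: "error"; reason: "connect" | "timeout" }; // origin unreachable

export type Origin = (method: string, path: string) => Promise<OriginResult>;

export interface OriginGroup {
  primary: Origin;
  secondary: Origin;
  // Any subset of 403, 404, 500, 502, 503, 504.
  failoverStatusCodes: number[];
}

// CloudFront only fails over for these viewer methods; POST, PUT, DELETE
// and the rest are never replayed against the secondary origin.
const FAILOVER_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

/** True when the request would be sent on to the secondary origin. */
export function shouldFailover(method: string, primary: OriginResult, codes: number[]): boolean {
  if (!FAILOVER_METHODS.has(method.toUpperCase())) return false;
  if (primary.kind === "error") return true; // connection failure or timeout
  return codes.includes(primary.status);
}

export type GroupResult = OriginResult & { servedBy: "primary" | "secondary" };

/** Fetch through the group: try the primary, fail over once if the rules say so. */
export async function fetchViaOriginGroup(group: OriginGroup, method: string, path: string): Promise<GroupResult> {
  const first = await group.primary(method, path);
  if (!shouldFailover(method, first, group.failoverStatusCodes)) {
    return { ...first, servedBy: "primary" };
  }
  // There is no third origin: whatever the secondary returns is final,
  // even if it is another error.
  const second = await group.secondary(method, path);
  return { ...second, servedBy: "secondary" };
}

// Constructed origins: a primary that times out on /down and has no /missing,
// and a secondary that serves everything.
export const osakaPrimary: Origin = async (_method, path) => {
  if (path === "/down") return { kind: "error", reason: "timeout" };
  if (path === "/missing") return { kind: "response", status: 404, body: "" };
  return { kind: "response", status: 200, body: "from osaka" };
};

export const tokyoSecondary: Origin = async () => ({ kind: "response", status: 200, body: "from tokyo" });

export const exampleGroup: OriginGroup = {
  primary: osakaPrimary,
  secondary: tokyoSecondary,
  failoverStatusCodes: [500, 502, 503, 504], // 404 deliberately left out
};
```

Leaving 404 out of the list is a deliberate choice: if 404 were included, every request for an object that genuinely does not exist would be sent to both origins, which doubles origin traffic for exactly the paths a scanner tends to probe. The model also shows that the secondary's answer is final, so a failing secondary surfaces its own error to the viewer.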
AWS Cloud Development Kit (CDK)
• Your language
• Just classes and methods
• AutoComplete
• Inline documentation
• Sane defaults
• Reusable classes
(DEV PREVIEW)

Paradigm Shift
• AWS CloudFormation: one parameterized template, deployed as Stack 1 and Stack 2 by varying CloudFormation parameters and intrinsic functions.
• AWS CDK: a CDK app written in a typed OO language (loops, conditions, inheritance, etc.); its source code synthesizes Template A and Template B, which CloudFormation deploys as Stack A and Stack B.

Creating a cross-regional stack using AWS CDK
The example application is split into five stacks, placed in the region each one needs:
• ParameterStack, ap-northeast-3 (Osaka)
• OsakaOriginStack, ap-northeast-3 (Osaka Region, primary origin)
• TokyoOriginStack, ap-northeast-1 (Tokyo Region, secondary origin)
• CloudFrontStack, us-east-1 (N. Virginia), holding the distribution and its origin group
• SyntheticsStack, us-west-2, holding the Amazon CloudWatch Synthetics canary
[Diagram: users reach the edge locations; the origin group points at the Osaka primary origin and the Tokyo secondary origin]

CloudFront related resources must be created in the US East (N. Virginia) Region, us-east-1
• AWS WAFv2 WebACL: for scope CLOUDFRONT, you must create your WAFv2 resources in the US East (N. Virginia) Region, us-east-1.
  https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html#aws-resource-wafv2-webacl-properties
• Lambda@Edge: the Lambda function must be in the US East (N. Virginia) Region, us-east-1.
  https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/edge-functions-restrictions.html#lambda-at-edge-function-restrictions

Cross-regional application considerations

Add dependencies between stacks
[Diagram: the same five stacks, numbered in deployment order 1 to 4: ParameterStack (1); OsakaOriginStack and TokyoOriginStack (2); CloudFrontStack (3); SyntheticsStack (4)]

stack.addDependency(stack)
https://docs.aws.amazon.com/cdk/latest/guide/stacks.html#stack_api

// app, appName, parameterRegion and parameterPath are defined earlier in the
// CDK app; ParameterStack and OriginStack are the app's own stack classes (not shown)

// Osaka Parameter resources
const parameterStack = new ParameterStack(app, 'ParameterStack', {
  env: { region: parameterRegion },
  appName: appName,
  parameterPath: parameterPath,
});

// Osaka Origin resources
const osakaOriginStack = new OriginStack(app, 'OsakaOriginStack', {
  env: { region: 'ap-northeast-3' },
  appName: appName,
  parameterRegion: parameterRegion,
  parameterPath: parameterPath,
  // Route 53 zone comes from the environment; an empty string here fails later
  // in the stack rather than silently creating records in the wrong zone
  hostedZoneId: process.env.CDK_HOSTED_ZONE_ID ?? "",
  hostedZoneName: process.env.CDK_HOSTED_ZONE_NAME ?? "",
  cpu: 512,
  memory: 1024
});

// The origin stack reads the shared parameters, so deploy the parameter stack first
osakaOriginStack.addDependency(parameterStack);

Sharing ALB Domain Name
[Diagram: OsakaOriginStack (ap-northeast-3) and TokyoOriginStack (ap-northeast-1) each expose their ALB domain name to CloudFrontStack (us-east-1), which uses them as the primary and secondary origins of the origin group]

Sharing CloudFront Distribution Domain Name
[Diagram: CloudFrontStack (us-east-1) exposes the distribution domain name to SyntheticsStack (us-west-2), whose Amazon CloudWatch Synthetics canary probes the application through CloudFront]

Sharing x-pre-shared-key using AWS Systems Manager Parameter Store
[Diagram: ParameterStack (ap-northeast-3) stores the x-pre-shared-key value; OsakaOriginStack (ap-northeast-3), TokyoOriginStack (ap-northeast-1) and CloudFrontStack (us-east-1) all read it, so both origins expect the same header value that CloudFront adds]

Controlling access to content: adding custom headers to origin requests
• Configure your origin to accept only requests that contain the custom header with the expected value. ALB listener rules can also match on HTTP headers, so the check can sit at the load balancer instead of in application code.
• Configure CloudFront to add the custom header (here x-pre-shared-key) that the origin expects on every origin request.
• Requests that try to bypass CloudFront and reach the origin directly do not carry the header and are rejected with 403, which blocks inappropriate route access. Treat the header value as a secret: use a long random value, compare it in constant time, keep it out of logs, and rotate it.
[Diagram: client → CloudFront edge adds the custom header → custom origin server enforces the header restriction; a client accessing the origin directly receives 403]

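An origin-side enforcement of that header, written here as an added example and not taken from the deck or from any AWS library. It assumes a Node.js origin; the header name x-pre-shared-key is the deck's, while the key value, the sample requests, the environment variable CF_PRE_SHARED_KEY and the helper names (checkPreSharedKey, withPreSharedKey, buildOrigin) are this example's own.

```typescript
// Added example (not from the slides): origin-side enforcement of the
// CloudFront custom header. Helper names, the environment variable and the
// sample key are this example's own assumptions.
import { timingSafeEqual } from "node:crypto";
import { createServer, IncomingMessage, Server, ServerResponse } from "node:http";

export const PRE_SHARED_KEY_HEADER = "x-pre-shared-key";

// Node lower-cases header names; values are strings (only set-cookie is an array).
type Headers = Record<string, string | string[] | undefined>;

/**
 * Return 200 if the request carries the pre-shared key CloudFront adds,
 * 403 otherwise (header missing, not a single string, wrong length or wrong
 * value). The byte comparison is constant-time so a client probing the
 * origin directly cannot recover the key from response timing.
 */
export function checkPreSharedKey(headers: Headers, expectedKey: string): 200 | 403 {
  const presented = headers[PRE_SHARED_KEY_HEADER];
  if (typeof presented !== "string") return 403;
  const got = Buffer.from(presented, "utf8");
  const want = Buffer.from(expectedKey, "utf8");
  // timingSafeEqual requires equal lengths; a length mismatch is just a failure.
  if (got.length !== want.length) return 403;
  return timingSafeEqual(got, want) ? 200 : 403;
}

type Handler = (req: IncomingMessage, res: ServerResponse) => void;

/** Wrap any origin handler so that only requests with the right key reach it. */
export function withPreSharedKey(expectedKey: string, handler: Handler): Handler {
  return (req, res) => {
    if (checkPreSharedKey(req.headers, expectedKey) !== 200) {
      // One identical answer for every failure mode: a direct caller learns
      // nothing about why it was refused.
      res.writeHead(403, { "content-type": "text/plain" });
      res.end("Forbidden\n");
      return;
    }
    handler(req, res);
  };
}

/**
 * Build the origin server. The key is passed in from the environment, never
 * written in source; in the deck's design it is the same value CloudFront
 * reads from the SSM parameter.
 */
export function buildOrigin(expectedKey: string): Server {
  return createServer(withPreSharedKey(expectedKey, (_req, res) => {
    res.writeHead(200, { "content-type": "text/plain" });
    res.end("hello from the origin\n");
  }));
}

// Stand-alone run: CF_PRE_SHARED_KEY=<key> CF_ORIGIN_LISTEN=1 node origin.js,
// then curl http://localhost:8080/ with and without the header to see 200 vs 403.
const keyFromEnv = process.env.CF_PRE_SHARED_KEY;
if (keyFromEnv && process.env.CF_ORIGIN_LISTEN === "1") {
  buildOrigin(keyFromEnv).listen(8080);
}
```

If the check is moved into an ALB listener rule (an http-header condition forwarding to the target group), keep the listener's default action as a fixed 403 response so a request without the header is refused before any target sees it. The header only proves the request passed through CloudFront; anyone who obtains the value can bypass the protection, so keep it out of access logs and rotate it, for example by accepting both the old and the new value during a rotation window.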
Why use cdk-remote-stack?
https://github.com/pahud/cdk-remote-stack

Accessing resources in a different stack using CDK
You can access resources in a different stack, as long as they are in the same account and AWS Region.
https://docs.aws.amazon.com/ja_jp/cdk/latest/guide/resources.html#resource_stack

const prod = { account: '123456789012', region: 'us-east-1' };
const stack1 = new StackThatProvidesABucket(app, 'Stack1', { env: prod });

// stack2 will take a property { bucket: IBucket }
const stack2 = new StackThatExpectsABucket(app, 'Stack2', {
  bucket: stack1.bucket,
  env: prod
});

AWS CDK cross-regional cross-stack references are not easy with the native AWS CDK construct library.
https://github.com/pahud/cdk-remote-stack

cdk-remote-stack
cdk-remote-stack aims to simplify cross-regional cross-stack references to help you easily build cross-regional multi-stack AWS CDK apps.
This construct library provides two major constructs:
• RemoteOutputs: cross-regional stack outputs reference.
• RemoteParameters: cross-regional/cross-account SSM parameters reference.
https://github.com/pahud/cdk-remote-stack

RemoteOutputs using cdk-remote-stack
Example of referencing OsakaOriginStack's ALB Domain Name from N. Virginia's CloudFrontStack

OsakaOriginStack in ap-northeast-3:
// Output ApplicationLoadBalancer DNS Name
new cdk.CfnOutput(this, "AlbDomainName", { value: domainName });

CloudFrontStack in us-east-1:
import { RemoteOutputs } from 'cdk-remote-stack';

// RemoteOutputs: read the Osaka stack's outputs from us-east-1 at deploy time
const primaryOriginStackOutputs = new RemoteOutputs(this, 'PrimaryOriginStackOutputs', {
  stack: props.primaryOriginStack, // the OsakaOriginStack instance, passed in through props
  alwaysUpdate: false
});
const primaryAlbDomainName = primaryOriginStackOutputs.get('AlbDomainName');

With alwaysUpdate: false the outputs are not re-read on every deployment of CloudFrontStack. If the ALB in the origin stack is ever replaced, make sure the CloudFront stack re-fetches the output (set alwaysUpdate: true, or otherwise trigger an update of the construct) so the distribution does not keep pointing at a stale origin domain name.

RemoteParameters using cdk-remote-stack
• Stacks from a single account and different regions
• Stacks from different accounts and different regions
• A dedicated account for a centralized parameter store
https://github.com/pahud/cdk-remote-stack

RemoteParameters using cdk-remote-stack
Example of referencing Osaka's ParameterStack from N. Virginia's CloudFrontStack

ParameterStack in ap-northeast-3:
// cFCustomHeaderKeyName ('x-pre-shared-key') and secretManagerCFSecretKey, the
// Secrets Manager secret holding the key under that JSON field, are defined
// earlier in the stack (not shown on the slide)

// set SSM Parameter
new ssm.StringParameter(this, 'SSMCFSecretKey', {
  parameterName: `${props.parameterPath}/${cFCustomHeaderKeyName}`,
  stringValue: secretManagerCFSecretKey.secretValueFromJson(cFCustomHeaderKeyName).toString(),
});

CloudFrontStack in us-east-1:
import { RemoteParameters } from 'cdk-remote-stack';

// RemoteParameters: read every parameter under the path from the Osaka region at deploy time
const parameters = new RemoteParameters(this, 'Parameters', {
  path: props.parameterPath,
  region: props.parameterRegion
});
const cFCustomHeaderKeyName = 'x-pre-shared-key';
// value CloudFront adds as the custom origin header
const cFCustomHeaderKeyValue = parameters.get(`${props.parameterPath}/${cFCustomHeaderKeyName}`);

Note that AWS::SSM::Parameter, and therefore ssm.StringParameter, can only create String and StringList parameters, not SecureString, so the pre-shared key sits in Parameter Store in plaintext and is readable by any principal allowed ssm:GetParameter* on that path. Limit that permission to the deployment roles, and keep in mind that the same value also ends up in the distribution's origin custom header configuration.

Key Takeaways

Key Takeaways
• RemoteOutputs and RemoteParameters in cdk-remote-stack make it simple to build cross-regional applications using AWS Edge Networking Services such as CloudFront.
• You can build a cross-regional application with the Osaka Region as the primary region!

THANK YOU!