
Using cdk-remote-stack and AWS Edge Networking Services for cross-regional applications

@twingo_b
November 21, 2021

2021/11/21 JAWS PANKRATION 2021 ~Up till Down~

Transcript

  1. © 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
    7:20 am on Nov 21
    Using cdk-remote-stack and AWS Edge Networking
    Services for cross-regional applications

  2. Yoshinori Fujiwara
    Amazon Web Services Japan, Osaka
    Snr. Solutions Architect
    Country: Japan
    UserGroup: JAWS-UG Okayama
    AWS Samurai 2012
    My Favorite AWS Services:
    - Amazon CloudFront
    - AWS CDK
    - AWS Support

  3. AWS Asia Pacific (Osaka) Region,
    opened to all in March 2021, is the
    second AWS Region in Japan.

  4. You can build a cross-regional
    application with Osaka Region
    as the primary region!

  5. Table of Contents
    • AWS Edge Networking Services
    • Cross-regional application use case
    • Cross-regional application considerations
    • Why use cdk-remote-stack?

  6. AWS Edge Networking Services

  7. AWS Edge Networking Services
    AWS edge networking services transmit your user-facing data securely and with
    improved latency worldwide at AWS' global edge locations.
    [Diagram: at the Edge Locations, AWS Shield, Amazon Route 53, Amazon CloudFront, AWS WAF and AWS Global Accelerator; in the AWS Region, Amazon EC2, Amazon VPC, Amazon RDS and Amazon Simple Storage Service (S3)]

  8. Amazon CloudFront
    Fast, highly secure and programmable content delivery network (CDN)
    • Reduce latency by delivering data through 275+ globally dispersed points of presence (PoPs) with
      automated network mapping and intelligent routing. (As of 11/21/2021)
    • Improved origin fetches and dynamic content acceleration.
    • Offers programmable and secure edge CDN computing capabilities through CloudFront Functions
      and AWS Lambda@Edge.
    [Diagram: Client, Amazon CloudFront and Origin Server (AWS Region); steps 1 to 7: request HTTP, get contents from the origin, cache the contents, serve later requests from the cache; labels: client distance from origin (closer/far), improved response, origin load reduction, accelerated]

  9. Cross-regional application use case

  10. Example of cross-regional application
    [Diagram: Users reach the Edge Locations; the CloudFront Origin Group consists of Osaka Region (Primary Origin) and Tokyo Region (Secondary Origin); Amazon CloudWatch Synthetics is shown alongside]

  11. Optimizing high availability with CloudFront origin failover (Origin Group)
    • You create an origin group with two origins: a primary and a secondary.
    • You can choose any combination of the following status codes: 403, 404, 500,
      502, 503, or 504. When CloudFront receives a response with one of the
      status codes that you specify, it fails over to the secondary origin.
    • Origin failover is also possible for Lambda@Edge functions and custom
      error pages.

  12. AWS Cloud Development Kit (CDK)
    • Your language
    • Just classes and methods
    • AutoComplete
    • Inline documentation
    • Sane defaults
    • Reusable classes
    DEV PREVIEW

  13. Paradigm Shift
    [Diagram: AWS CloudFormation: a parameterized Template deployed as Stack 1 and Stack 2, using CloudFormation parameters and intrinsic functions; CDK: CDK App source code synthesizes Template A and Template B, deployed as Stack A and Stack B, using a typed OO language: loops, conditions, inheritance, etc.]

  14. Creating a cross-regional stack using AWS CDK
    [Diagram: the cross-regional application from slide 10, split into five CDK stacks]
    - ParameterStack: ap-northeast-3
    - OsakaOriginStack (Primary Origin): ap-northeast-3
    - TokyoOriginStack (Secondary Origin): ap-northeast-1
    - CloudFrontStack: us-east-1
    - SyntheticsStack: us-west-2

  15. CloudFront related resources must be created in
    US East (N. Virginia) Region, us-east-1
    • AWS WAFv2 WebACL: For CLOUDFRONT, you must create your
      WAFv2 resources in the US East (N. Virginia) Region, us-east-1.
      • https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html#aws-resource-wafv2-webacl-properties
    • Lambda@Edge: The Lambda function must be in the US East
      (N. Virginia) Region, us-east-1.
      • https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/edge-functions-restrictions.html#lambda-at-edge-function-restrictions

  16. Cross-regional application considerations

  17. Add dependencies between stacks
    [Diagram: the five stacks of slide 14 with their deployment order numbered 1 to 4]
    - 1: ParameterStack (ap-northeast-3)
    - 2: OsakaOriginStack (ap-northeast-3, Primary Origin)
    - 2: TokyoOriginStack (ap-northeast-1, Secondary Origin)
    - 3: CloudFrontStack (us-east-1)
    - 4: SyntheticsStack (us-west-2)

  18. stack.addDependency(stack)
    https://docs.aws.amazon.com/cdk/latest/guide/stacks.html#stack_api
    // `cdk` is the CDK core module; ParameterStack and OriginStack are the
    // deck's own stack classes (not shown). The three constants below are
    // assumed configuration values added so the snippet is self-contained.
    const app = new cdk.App();
    const appName = 'cross-regional-app';
    const parameterRegion = 'ap-northeast-3';
    const parameterPath = `/${appName}`;
    // Osaka Parameter resources
    const parameterStack = new ParameterStack(app, 'ParameterStack', {
      env: { region: parameterRegion },
      appName: appName,
      parameterPath: parameterPath,
    });
    // Osaka Origin resources
    const osakaOriginStack = new OriginStack(app, 'OsakaOriginStack', {
      env: { region: 'ap-northeast-3' },
      appName: appName,
      parameterRegion: parameterRegion,
      parameterPath: parameterPath,
      hostedZoneId: process.env.CDK_HOSTED_ZONE_ID ?? '',
      hostedZoneName: process.env.CDK_HOSTED_ZONE_NAME ?? '',
      cpu: 512,
      memory: 1024,
    });
    // Deploy ParameterStack first: the origin stack reads its SSM parameters at deploy time
    osakaOriginStack.addDependency(parameterStack);

  19. Sharing ALB Domain Name
    [Diagram: OsakaOriginStack (ap-northeast-3, Primary Origin) and TokyoOriginStack (ap-northeast-1, Secondary Origin) each expose an ALB domain name; CloudFrontStack (us-east-1) consumes both as the origins of the Origin Group]

  20. Sharing CloudFront Distribution Domain Name
    [Diagram: CloudFrontStack (us-east-1) shares the distribution domain name with SyntheticsStack (us-west-2), which hosts the Amazon CloudWatch Synthetics canary]

  21. Sharing x-pre-shared-key using AWS Systems Manager Parameter Store
    [Diagram: ParameterStack (ap-northeast-3) holds the x-pre-shared-key parameter; it is read by OsakaOriginStack (ap-northeast-3), TokyoOriginStack (ap-northeast-1) and CloudFrontStack (us-east-1)]

  22. Adding custom headers to origin requests
    Controlling access to content
    • Configure your origin to accept only requests that contain the custom headers.
    • ALB listener rules also support HTTP header conditions, so the check can be
      enforced at the load balancer.
    • Configure CloudFront to add the custom headers the origin expects.
    • Then you can block malicious requests that try to bypass CloudFront and
      access the origin directly (prevents access over an inappropriate route).
    [Diagram: CloudFront Edge adds the custom headers to requests it forwards to the Custom origin server, which applies the header restriction; a Client attempting direct access to the origin receives 403]

  23. Why use cdk-remote-stack?
    https://github.com/pahud/cdk-remote-stack

  24. Accessing resources in a different stack using CDK
    You can access resources in a different stack, as long as they are in the
    same account and AWS Region.
    https://docs.aws.amazon.com/ja_jp/cdk/latest/guide/resources.html#resource_stack
    const prod = { account: '123456789012', region: 'us-east-1' };
    const stack1 = new StackThatProvidesABucket(app, 'Stack1', { env: prod });
    // stack2 will take a property { bucket: IBucket }
    const stack2 = new StackThatExpectsABucket(app, 'Stack2', {
      bucket: stack1.bucket,
      env: prod,
    });

  25. AWS CDK cross-regional cross-stack reference is not easy with
    the native AWS CDK construct library.
    https://github.com/pahud/cdk-remote-stack

  26. cdk-remote-stack
    cdk-remote-stack aims to simplify the cross-regional cross-stack
    reference to help you easily build cross-regional multi-stack AWS CDK
    apps.
    This construct library provides two major constructs:
    • RemoteOutputs - cross regional stack outputs reference.
    • RemoteParameters - cross regional/account SSM parameters reference.
    https://github.com/pahud/cdk-remote-stack

  27. RemoteOutputs using cdk-remote-stack
    Example of referencing OsakaOriginStack's ALB Domain Name from
    N.Virginia's CloudFrontStack
    // OsakaOriginStack in ap-northeast-3
    // Output ApplicationLoadBalancer DNS Name
    new cdk.CfnOutput(this, 'AlbDomainName', {
      value: domainName,
    });
    // CloudFrontStack in us-east-1
    import { RemoteOutputs } from 'cdk-remote-stack';
    // RemoteOutputs: read the other stack's outputs across regions
    const primaryOriginStackOutputs = new RemoteOutputs(this, 'PrimaryOriginStackOutputs', {
      stack: props.primaryOriginStack,
      alwaysUpdate: false,
    });
    const primaryAlbDomainName = primaryOriginStackOutputs.get('AlbDomainName');

  28. RemoteParameters using cdk-remote-stack
    • Stacks from single account and different regions
    • Stacks from different accounts and different regions
    • Dedicated account for a centralized parameter store
    https://github.com/pahud/cdk-remote-stack

  29. RemoteParameters using cdk-remote-stack
    Example of referencing Osaka's ParameterStack from N.Virginia's CloudFrontStack
    // ParameterStack in ap-northeast-3
    // set SSM Parameter (secretManagerCFSecretKey is a Secrets Manager secret
    // created earlier in the same stack)
    const cFCustomHeaderKeyName = 'x-pre-shared-key';
    new ssm.StringParameter(this, 'SSMCFSecretKey', {
      parameterName: `${props.parameterPath}/${cFCustomHeaderKeyName}`,
      stringValue:
        secretManagerCFSecretKey.secretValueFromJson(cFCustomHeaderKeyName).toString(),
    });
    // CloudFrontStack in us-east-1
    import { RemoteParameters } from 'cdk-remote-stack';
    // RemoteParameters: read the parameters under `path` from another region
    const parameters = new RemoteParameters(this, 'Parameters', {
      path: props.parameterPath,
      region: props.parameterRegion,
    });
    const cFCustomHeaderKeyName = 'x-pre-shared-key';
    const cFCustomHeaderKeyValue =
      parameters.get(`${props.parameterPath}/${cFCustomHeaderKeyName}`);

  30. Key Takeaways

  31. Key Takeaways
    • RemoteOutputs and RemoteParameters in cdk-remote-stack make
      it simple to build cross-regional applications using AWS Edge
      Networking Services such as CloudFront.
    • You can build a cross-regional application with Osaka Region as the
      primary region!

  32. THANK YOU!