Post on 10-Dec-2021


WHITE PAPER

Deploying Amazon CloudFront with the Silverline Managed Services Platform

Learn how our customer built a secure, scalable, and seamless solution that leverages the combined investments in infrastructure and services that F5 and AWS have to offer.

KEY BENEFITS

Full Stack Security: Includes multiple layers of protection to mitigate DDoS/WAF/Fraud/Bot attacks.

Ease of Deployment: Rapidly and easily implement services from F5 and AWS to deliver and protect applications.

Cloud Delivered, Globally Available, Zero Business Impact: Maintain continuous application availability by leveraging the F5 Silverline Platform and Silverline SOC with Amazon CloudFront.

Low Cost of Entry and Ownership: F5 Silverline allows customers to obtain the services they need at a competitive price and improve their total cost of ownership.

Staff Augmentation, Security Experts On-Call, Knowledge Aggregation: Internal customer teams can work collaboratively with F5 Silverline experts, who are available 24x7 and have the latest vulnerability information available from internal F5 Security Incident Response Teams (F5 SIRT).

High Availability, Dedicated Proxies, Traffic Steering, Health Monitoring: The F5 Silverline platform offers a 99.999% uptime SLA, dedicated reverse proxies, traffic shaping to multiple or single origin services and continuous back-end health and availability monitoring.

Bandwidth and Routing/Direct Peering: F5 Silverline and Amazon are direct peers and offer excellent bandwidth and peering connectivity globally that results in superior performance for our customers.

F5 Silverline and Amazon CloudFront

During the evaluation of various service and solution offerings that would potentially meet their requirements, our customer, a global IT solutions company, performed an extensive review of the variables involved in deploying and operating a solution that combines a content delivery network (CDN), Web Application Firewall (WAF), and protections against Fraud/Bots and distributed denial-of-service (DDoS) attacks. After considerable analysis and internal discussions with multiple teams, our customer determined that the best solution would be a combination of F5 Silverline and the Amazon CloudFront content delivery network.

Our customer chose this solution because it offered managed security services, fast deployment, and lower cost to provision, maintain and operate. The internal customer teams defined a plan for the evolution of the website and focused on completing each phase of their plan quickly, without major impact to ongoing operations.

The ease of implementation and combined benefits of the architecture provided continuous performance improvements, additional security controls, and extensive reporting and logging with data-export capabilities to SIEM and other log-analysis platforms. This allowed our customer's team to focus on what they do best: providing a seamless and engaging customer experience.

Scalable Managed Security and Service Performance

Our customer selected F5 and AWS solutions for the implementation of the fourth phase of their plan (Figure 1) primarily because of the flexibility each service offered in their configurations, the low cost of operation, and the ability to grow the system over time through multiple iterations. Another key factor was the ability to work with the F5 Silverline Security Operations Center (SOC) analysts, who continually monitor the Silverline platform. (Silverline is F5’s cloud-based, managed security services platform.) The SOC analysts helped our customer define their security posture and maximize the usability of the system. This allowed our customer to provide a frictionless experience while relentlessly fighting fraud and abuse.


The Web Performance Challenge

Balancing the cost of operations with performance improvements over the evolution of a web application while providing a fast, secure, and frictionless customer experience.

Companies are faced with several challenges and constraints when architecting and designing web applications. A major consideration is balancing the cost of acquiring, deploying and managing the technology and personnel effectively to allow continuous performance improvements over the application lifecycle. The illustration below depicts the analysis our customer performed regarding the balance of cost versus performance that is required to evolve a web application.

Figure 1: F5 Silverline customer web application performance lifecycle

During the initial phase, our customer focused on deploying the application and obtaining customers. The steps they executed to achieve their target involved:

INITIAL APP DEPLOYMENT

TARGET: CUSTOMER ACQUISITION

OPEN SOURCE SOFTWARE DEV FRAMEWORKS

DEPLOY BASIC COMPUTE, STORAGE, AND HTTP SERVERS

MINIMAL VIABLE PRODUCT ROLLOUT

MINIMUM BANDWIDTH COMMIT (NO CARRIER PREFERENCE)

SINGLE HOMED PAAS/IAAS MODEL

In phase two, the customer focused on enhancements and improvements to acquire a customer base and prepare for additional expansion.

APP CONTINUOUS ENHANCEMENTS

TARGET: EXPAND CUSTOMER BASE

EXPAND APPLICATION FUNCTIONALITY AND FEATURES

ENHANCE EXISTING FEATURES FROM SITE USAGE STATS

CONTINUOUS IMPROVEMENT LIFE-CYCLE INTRODUCTION

ANALYZE RESOURCE CONSUMPTION (HUMAN/MACHINE)

PREPARE TO SCALE APPLICATION

COMPLETE APPLICATION SECURITY ANALYSIS

In phase three, our customer worked with our F5 Silverline account team to deploy the managed security components and configure Amazon CloudFront to ensure the application would scale and accommodate all traffic generated.

APP INFRASTRUCTURE ENHANCEMENTS

TARGET: SCALABILITY AND SECURITY

IMPLEMENT APPLICATION AUTO-SCALING

DEPLOY WEB APPLICATION FIREWALL

DEPLOY DDOS PROTECTION

DEPLOY AUTOMATED THREAT AND FRAUD PROTECTION

ANALYZE/DEPLOY MULTI-HOMED NETWORK LINKS

ANALYZE DEPLOY DIRECT PEERING RELATIONSHIPS

For phase four, our customer analyzed customer origin requests and determined that many of their customers were transacting from countries outside the US. This observation, coupled with additional analysis of increased demand in the US, motivated their implementation of Amazon CloudFront to extend their reach and improve global performance.

INFRASTRUCTURE EXTENSIBILITY

TARGET: IMPROVE GLOBAL PERFORMANCE

IMPLEMENT CONTENT DELIVERY STRATEGY

ACCELERATE CONTENT - CONTENT DELIVERY NETWORK

CDN REGIONAL ASSIGNMENT PER USAGE STATISTICS

DEPLOY CONTINUOUS MONITORING FOR AVAILABILITY

DEPLOY CONTINUOUS MONITORING FOR PERFORMANCE

HEADERS AND ACLs IN CDN/SECURITY INFRASTRUCTURE

For the final phase, customer teams focused on deploying a hybrid environment of both mixed colocation services and SaaS/IaaS/PaaS platforms to enhance their operational capabilities and adaptation to fast-changing global market environments.

APP CONTINUOUS IMPROVEMENT

TARGET: ENHANCE CUSTOMER EXPERIENCE/REDUCE FRICTION

MATURE APPLICATION STAGE: UX REDESIGN+FEATURES

DEPLOY HYBRID ENVIRONMENT OF SAAS AND COLOCATION

EXPAND BANDWIDTH COMMITMENTS/MULTI-HOMING

OPTIMIZE CONTENT DISTRIBUTION

OPTIMIZE OBJECT PERFORMANCE

INDUSTRY CERTIFICATIONS FOR SECURITY/COMPLIANCE

This document will focus on the technical steps our customer executed to complete the phase four integration of Amazon CloudFront with the F5 Silverline managed security services platform.

Service Components for Integration

Basic requirements to ensure a successful service deployment and system integration.

To prepare for the integration of Amazon CloudFront into the F5 Silverline Platform, our customer provisioned the following items, with assistance from the Silverline team:

F5 SILVERLINE MANAGED SERVICES

Minimum Requirement: Single proxy (one FQDN)

Includes: IPv4/v6 address space; CNAME assignment; DDoS protection; Multi-homed and route optimized network; Direct peering with AWS/Azure/GCP; 24/7 support; Portal Management; SSL security profile management

Optional: WAF; Additional DDoS commitments; Fraud/Bot protection; Threat Intelligence

Our customer's choice: All items selected by customer

AMAZON WEB SERVICES

Minimum Requirement:

AWS EC2 Compute. Includes: OS, Database...

AWS S3. Includes: Content storage services

HTTP Server. Includes: Content origin management

AWS CloudFront. Includes: Content Delivery Services

Our customer's choice: All items selected by customer

Architecture

Building a secure and scalable network that allows customers to obtain the best performance and engagement experience globally.

Deploying a secure, fast, global network with multi-homed links and multiple services is not easy for any organization. Fortunately, customers can benefit from the combined investments in infrastructure and services that F5 and AWS can offer. This allows customers to construct a solution that can be deployed rapidly to onboard applications with maximum efficacy and realize an immediate return on investments.

The architecture our customer chose to deploy is depicted in the illustration below:

Solution Provisioning

Ease of deployment for rapid integration.

Organizations are being pressed to roll out applications that quickly respond to market challenges to gain a competitive advantage and/or cost savings. Deployments that can be done in a short period of time offer a considerable advantage over deployments that require extensive resources and additional costs. With F5 and AWS, the deployment of these configurations is easy; if customers have all the components and data ready to configure, it can be done in minutes.

With phase three complete, our customer moved to the fourth phase, which entailed integrating Amazon CloudFront with the F5 Silverline Platform and included the following steps.

F5 SILVERLINE - PROXY CONFIGURATION

When our Silverline SOC team deploys the portal account, customers can log in and configure the proxy root object with required settings for the proxy display name, the FQDN (Fully Qualified Domain Name), the origin server IP address or ELB CNAME (canonical name record), Threat Intelligence profiles, WAF policies, SSL certificates, and Fraud/Bot protection endpoints. Customers will review these steps with a Silverline SOC analyst during the onboarding phase. Customers may also engage a SOC analyst to assist with any proxy deployment.

Once the proxy has been saved and deployed to the Silverline platform, customers will receive a unique CNAME that will be used as the origin for the Amazon CloudFront network. Customers may locate this proxy CNAME in the main configuration panel after deployment.

Once the proxy is enabled, it is ready to receive traffic immediately and can be used to route user requests from CloudFront as soon as that service is configured.

AMAZON CLOUDFRONT - SERVICE CONFIGURATION

To ensure a smooth integration, customers should have the following information available before performing the CloudFront integration.

Once these components are in place and provisioned, customers can initiate the CloudFront configuration by navigating to the AWS management console. In the console menu, locate and select the sub-category "Networking & Content Delivery" / CloudFront. Locate and select the "Distributions" link and proceed to create the initial distribution.

To initiate the object configuration, select the "Create Distribution" control. You may be prompted to create a "Specific Deliver Method". Our customer chose the "Web" delivery method.

Select the "Get Started" control. The panels below will render on the browser. Configure the Origin Settings as shown:

Origin Connection Attempts, Origin Timeout, Origin Response Timeout, Origin Keep-Alive Timeout, HTTP and HTTPS Ports should remain as defaults unless a change is required.

Origin Custom Headers: Custom header keys and values will be included in every request to the origin. These settings may also be used at the Silverline proxy to filter out any requests that do not originate from CloudFront.
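The filtering idea above, as an added example (not from the white paper and not Silverline configuration syntax): the decision an origin-side proxy would make on a secret custom header that CloudFront attaches to every origin request. The header name `x-origin-verify`, the secrets, and the sample requests are constructed assumptions.

```python
import hmac

# Assumed header name; the white paper does not name one.
HEADER_NAME = "x-origin-verify"

def from_cloudfront(headers, accepted_secrets):
    """Return True only if the request carries exactly one copy of the
    shared-secret header and its value matches an accepted secret.

    headers: list of (name, value) pairs as received by the proxy.
    accepted_secrets: current secret plus, during a rotation window, the
    previous one, so CloudFront and the proxy can be updated in turn.
    """
    values = [v for n, v in headers if n.lower() == HEADER_NAME]
    # Missing header: the request did not pass through the distribution.
    # Duplicate headers are ambiguous, so fail closed.
    if len(values) != 1:
        return False
    presented = values[0].strip().encode()
    ok = False
    for secret in accepted_secrets:
        # Constant-time comparison; every secret is checked so timing
        # does not reveal which one (if any) matched.
        ok |= hmac.compare_digest(presented, secret.encode())
    return ok

# Constructed secrets and requests, for illustration only.
SECRETS = ["constructed-current-secret", "constructed-previous-secret"]
SAMPLES = {
    "via_cloudfront": [("Host", "app.example.com"),
                       ("X-Origin-Verify", "constructed-current-secret")],
    "during_rotation": [("Host", "app.example.com"),
                        ("x-origin-verify", "constructed-previous-secret")],
    "direct_to_proxy": [("Host", "app.example.com")],
    "wrong_value": [("X-Origin-Verify", "guess")],
    "duplicate": [("X-Origin-Verify", "constructed-current-secret"),
                  ("X-Origin-Verify", "guess")],
}

def classify(samples=SAMPLES, secrets=SECRETS):
    """Map each sample request name to the forward/reject decision."""
    return {name: from_cloudfront(h, secrets) for name, h in samples.items()}

if __name__ == "__main__":
    for name, allowed in classify().items():
        print(f"{name:16} {'forward' if allowed else 'reject'}")
```

The header value acts as a shared secret, so it only holds up if the CloudFront-to-origin connection uses HTTPS and the value is rotated like any other credential.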

Default Cache Behavior Settings can be programmed according to internal policies defined by the application developers, information technology, DevOps, security teams, and other stakeholders. It is critical to emphasize the importance of understanding the degree of impact any changes to the values may have on the overall operation of the application. F5 Silverline recommends an evolutionary approach as each setting may introduce variances in cost, security exposure, performance impact, and interaction with the Silverline WAF or Bot/Fraud protection. AWS provides excellent documentation from the management console to help organizations understand how to apply each control and what impact it may have on existing operations. Our Silverline SOC analysts may also provide information on how these settings will affect the Silverline proxy, WAF or Bot/Fraud protection.

Distribution Settings may also have a considerable impact on operations. The settings that are worth additional consideration are as follows:

The final step will be to create the distribution. This should take a few minutes and, once completed, customers will receive a CNAME.

The CNAME issued by Amazon CloudFront can now be used with AWS Route 53 as the authoritative record of resolution for any traffic bound for the application.

Conclusion

Our customer's internal security, information technology, operations, and development teams spent a lot of time evaluating the best solution for their customer engagement and marketing strategy goals. Once our customer selected the solution, the implementation proceeded without any roadblocks and they had the services and applications up and running globally within minutes, providing their worldwide customers with a much smoother and faster engagement experience.

To learn more about Silverline Managed Security Services, contact your F5 representative, or visit www.f5.com/products/security/silverline.

©2021 F5, Inc. All rights reserved. F5, and the F5 logo are trademarks of F5, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, expressed or implied, claimed by F5, Inc. DC0921 | WP-KIT-8