Amazon EC2 with Auto Scaling (BP7) - AWS Best Practices for DDoS Resiliency

Amazon EC2 with Auto Scaling (BP7)

Another way to mitigate both infrastructure and application layer attacks is to operate at scale. If you have web applications, you can use load balancers to distribute traffic to a number of Amazon EC2 instances that are overprovisioned or configured to automatically scale. These instances can handle sudden traffic surges that occur for any reason, including a flash crowd or an application layer DDoS attack. You can set Amazon CloudWatch alarms to initiate Auto Scaling, which automatically scales the size of your Amazon EC2 fleet in response to events that you define, such as CPU, RAM, network I/O, and even custom metrics. This approach protects application availability when there’s an unexpected increase in request volume. If you use Amazon CloudFront, Application Load Balancer, Classic Load Balancer, or Network Load Balancer with your application, TLS negotiation is handled by the distribution (Amazon CloudFront) or by the load balancer. Because these services scale to handle legitimate requests as well as TLS abuse attacks, they help protect your instances from being impacted by TLS-based attacks.

To learn more about using Amazon CloudWatch to invoke Auto Scaling, see Monitoring Your Auto Scaling Groups and Instances Using Amazon CloudWatch.
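The alarm-driven scaling described above can be expressed as a CloudFormation fragment; this is an added example, not taken from the AWS whitepaper, and it shows the scale-out side only. The logical names (`WebAsg`, `WebLaunchTemplate`, `WebTargetGroup`, `PrivateSubnetIds`) and all thresholds and capacities are constructed assumptions to be replaced with values from your own load testing.

```yaml
# Added example (constructed values). Fragment of a CloudFormation template.
# WebLaunchTemplate, WebTargetGroup and PrivateSubnetIds are hypothetical and assumed defined elsewhere.
Resources:
  WebAsg:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      MinSize: "4"                    # overprovisioned baseline absorbs the first surge
      MaxSize: "40"                   # ceiling bounds cost during a sustained flood
      VPCZoneIdentifier: !Ref PrivateSubnetIds
      TargetGroupARNs: [!Ref WebTargetGroup]   # instances sit behind the load balancer
      HealthCheckType: ELB            # replace instances the load balancer marks unhealthy
      HealthCheckGracePeriod: 120
      LaunchTemplate:
        LaunchTemplateId: !Ref WebLaunchTemplate
        Version: !GetAtt WebLaunchTemplate.LatestVersionNumber

  ScaleOutOnCpu:
    Type: AWS::AutoScaling::ScalingPolicy
    Properties:
      AutoScalingGroupName: !Ref WebAsg
      PolicyType: StepScaling
      AdjustmentType: PercentChangeInCapacity
      MinAdjustmentMagnitude: 2       # always add at least two instances
      EstimatedInstanceWarmup: 120    # seconds before new instances count toward the metric
      StepAdjustments:                # bounds are offsets from the alarm threshold (60)
        - MetricIntervalLowerBound: 0     # 60 <= CPU < 80: grow fleet by 25%
          MetricIntervalUpperBound: 20
          ScalingAdjustment: 25
        - MetricIntervalLowerBound: 20    # CPU >= 80: grow fleet by 50%
          ScalingAdjustment: 50

  CpuHighAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Fleet average CPU above 60 percent for two minutes
      Namespace: AWS/EC2
      MetricName: CPUUtilization
      Dimensions:
        - Name: AutoScalingGroupName
          Value: !Ref WebAsg
      Statistic: Average
      Period: 60                      # assumes detailed (1-minute) monitoring is enabled
      EvaluationPeriods: 2
      Threshold: 60
      ComparisonOperator: GreaterThanThreshold
      AlarmActions: [!Ref ScaleOutOnCpu]   # alarm state invokes the scaling policy
```

A matching scale-in policy with a longer evaluation window is normally paired with this so the fleet does not shrink while a surge is still in progress.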

Amazon EC2 provides resizable compute capacity so that you can quickly scale up or down as your requirements change. You can scale horizontally by automatically adding instances to your application using Amazon EC2 Auto Scaling Groups, and you can scale vertically by using larger EC2 instance types.