Web Application Delivery at the Edge (BP1) - AWS Best Practices for DDoS Resiliency

Web Application Delivery at the Edge (BP1)

Amazon CloudFront is a service that can be used to deliver your entire website, including static, dynamic, streaming, and interactive content. Persistent connections and variable time-to-live (TTL) settings can be used to offload traffic from your origin, even if you are not serving cacheable content. These features mean that using Amazon CloudFront reduces the number of requests and TCP connections back to your origin which helps protect your web application from HTTP floods. Amazon CloudFront only accepts well-formed connections, which helps prevent many common DDoS attacks, like SYN floods and UDP reflection attacks, from reaching your origin. DDoS attacks are also geographically isolated close to the source which prevents the traffic from impacting other locations. These capabilities can greatly improve your ability to continue serving traffic to users during large DDoS attacks. You can use Amazon CloudFront to protect an origin on AWS or elsewhere on the internet.

If you’re using Amazon S3 to serve static content on the internet, you should use Amazon CloudFront to protect your bucket. You can use Origin Access Identify (OAI) to ensure that users only access your objects by using CloudFront URLs. To learn more about OAI, see Restricting Access to Amazon S3 Content by Using an Origin Access Identity.

To learn more about protecting and optimizing the performance of web applications using Amazon CloudFront, see Getting Started with CloudFront.