Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

Do we lose any DDoS protections from CloudFront by turning caching off and forwarding all headers to origin?

0

We are trying to best protect our backend service from DDoS attacks and have setup WAF in front of CloudFront in front of our service.

A few AWS white papers (such a this) mention using CloudFront as a way to improve DDoS resiliency:

 Benefits of using CloudFront, AWS Global Accelerator, and Amazon Route 53 include:

• Access to internet and DDoS mitigation capacity across the AWS Global Edge
Network. This is useful in mitigating larger volumetric attacks, which can reach
terabit scale.

 • AWS Shield DDoS mitigation systems are integrated with AWS edge services,
reducing time-to-mitigate from minutes to sub second.

 • Stateless SYN Flood mitigation techniques proxy and verify incoming
connections before passing them to the protected service. This ensures that only
valid connections reach your application while protecting your legitimate end
users against false positives drops.

We want to disable caching and forward all headers from the original request that hits CloudFront to our backend service, basically using CloudFront as a reverse proxy. Do we still maintain the AWS Global Edge Network DDoS mitigation and protections of CloudFront by doing this?

Tópicos
Rede e entrega de conteúdo
Tags
Amazon CloudFront
Idioma
English
rePost-User-2581820
feita há um ano326 visualizações
1 Resposta
1
Resposta aceita

In short: If you disable caching you lose very little protection. Perhaps a tiny bit but not that much.

Regardless of whether caching is enabled or not, CloudFront terminates the request from the browser and then performs a new request towards the origin - assuming all things go well: WAF; Lambda@Edge; CloudFront Functions; etc. So if there is some sort of mailicious activity or DDoS event happening CloudFront will see that traffic first and you can choose to (say) block it using WAF or have the other mechanisms in CloudFront (such as SYN flood mitigation) protect you.

Caching helps here because it means that requests that are cached don't hit your origin. In a "high load" event this can reduce the amount of traffic that is sent to your application which is (in general) always a good thing. With caching disabled, all valid requests will be handled by the origin - increasing load, cost and delays to the original requester. Of course, that's up to you but if you can cache things in CloudFront it is well worth it.

profile pictureAWS
ESPECIALISTA
Brettski-AWS
respondido há um ano
profile picture
ESPECIALISTA
Sedat Salman
avaliado há um ano
profile pictureAWS
ESPECIALISTA
Tushar_J
avaliado há um ano

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante