The biggest thing you'll be missing here is caching; and specifically caching at the edge. As a secondary thing you'll lose the performance that comes with traffic being transferred over the AWS backbone rather than the Internet - but you can regain that by using Global Accelerator.
I would suggest that the DDoS protection from CloudFront is somewhat better than that from a single ALB only because CloudFront appears as multiple IP addresses in many different geographic regions.
It's not clear from your question but I'm going to assume that the 180 second timeout you're experiencing is an idle timeout. I would definitely test that against ALB; you can increase timeouts to 4,000 seconds (documentation is here) but I would suggest that three minutes is a long time for users/applications to wait for a response.
While it would take some effort to re-architect things it might make sense to decouple the front end and back end so that you can move to a design where the front end can wait indefinitely (using some sort of request identifier and a status page for the user) while the back end provides updates in some way. That would also remove the challenge you're having with CloudFront and give a bunch of flexibility in dealing with long queries.
Definitely worth a conversation with your local AWS Solutions Architect as this is a conversation that can be long and detailed.
Hello
It is advisable to use an ALB with multiple instances in multiple AZs, with CloudFront using the ALB as origin. In this case your EC2 instances are in a private subnet, so you have more security for your web servers.
Please look at the sample architecture design: https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2020/10/18/Enhance-Amazon-CloudFront-Origin-Figure-1.png
Well-Architected workshop: https://www.wellarchitectedlabs.com/security/200_labs/200_cloudfront_for_web_application/1_config_cloudfront/
Thanks for the answer. I know it is advisable to use an ALB with multiple instances. However, in this case I need to have one instance for this server. The question is whether I can gain the same security advantage as I get with CloudFront by using an ALB instead.
When you use a single EC2 instance you must run it in a public subnet, whereas when using an ALB your machines are in a private network.
@GK As far as I know it's OK that the subnet is public as long as security groups are used to block it from the outside world (and allow only whitelisted developers access).
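As an added illustration (not code from any of the posts above), the Terraform sketch below shows the arrangement this exchange and the first answer are discussing: a single instance fronted by an ALB whose security group admits only whitelisted source ranges, an instance security group that accepts traffic solely from the ALB's security group (so the instance is unreachable from the Internet whether its subnet is public or private), and the ALB idle timeout raised to the 4,000-second maximum mentioned in the first answer. Every ID, the certificate ARN and the 203.0.113.0/24 range are placeholders or constructed values.

```hcl
# Added example, not from the thread. All IDs/ARNs below are placeholders;
# 203.0.113.0/24 is the RFC 5737 documentation range, used as a constructed
# stand-in for the developers' whitelisted addresses.

variable "allowed_cidrs" {
  description = "Whitelisted source ranges permitted to reach the ALB"
  type        = list(string)
  default     = ["203.0.113.0/24"] # constructed example range
}

# Security group on the ALB: HTTPS only, and only from whitelisted ranges.
resource "aws_security_group" "alb" {
  name   = "alb-allowlist"
  vpc_id = "vpc-PLACEHOLDER"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.allowed_cidrs
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Security group on the instance: no CIDR-based ingress at all. The only
# permitted source is the ALB's security group, which is what makes the
# "public subnet is fine with security groups" argument hold.
resource "aws_security_group" "web" {
  name   = "web-from-alb-only"
  vpc_id = "vpc-PLACEHOLDER"

  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# An ALB needs subnets in at least two AZs even when it fronts one instance.
resource "aws_lb" "app" {
  name               = "single-instance-alb"
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"]

  # Raised from the 60 s default to the 4000 s ALB maximum so the long
  # report-generation calls discussed in the thread are not cut off.
  idle_timeout = 4000
}

resource "aws_lb_target_group" "web" {
  name        = "web-tg"
  port        = 8080
  protocol    = "HTTP"
  target_type = "instance"
  vpc_id      = "vpc-PLACEHOLDER"
}

resource "aws_lb_target_group_attachment" "web" {
  target_group_arn = aws_lb_target_group.web.arn
  target_id        = "i-PLACEHOLDER" # the single EC2 instance
  port             = 8080
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}
```

The check worth running after applying this is that the instance's security group carries no `cidr_blocks` ingress rule at all: the moment a `0.0.0.0/0` rule is added for convenience, the instance is directly reachable and the ALB (and any idle-timeout or DDoS benefit it provides) is bypassed.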
Thanks for the answer. Caching is not needed since the content is dynamic. Good tip about Global Accelerator as a solution for faster global access; I may use it in front of the ALB. The 180 seconds is not enough for some specific calls in the app where the user expects a long wait, e.g. for report generation. It's not that the app is slow, and it's not a UI problem. And I prefer not to rewrite it with polling or something; not worth the effort. From your answer I gather that, besides a bit less DDoS protection capability compared to CloudFront, it does make sense to use an ALB for this case, assuming that's the only downside.