
ALB instead of Cloudfront in front of single server

0

Hi,

AWS recommends adding CloudFront in front of single-server applications for security and performance; see https://aws.amazon.com/blogs/networking-and-content-delivery/dynamic-whole-site-delivery-with-amazon-cloudfront/

I want to add it for an existing web app, but the maximum timeout of CloudFront is 180 seconds and I have some calls which take longer and will time out. I'm mainly interested in the security upside and less in the performance upside of this setup, since this is for a web panel which does not require high-speed delivery.

My question is: is it a good solution to add an Application Load Balancer instead of dynamic CloudFront in front of the server in order to get the security benefits, such as hiding the end server's IP address and getting WAF and DDoS mitigation, without the 180-second timeout issue?

Are there downsides to doing it?

Thanks

2 Answers
2

The biggest thing you'll be missing here is caching; and specifically caching at the edge. As a secondary thing you'll lose the performance that comes with traffic being transferred over the AWS backbone rather than the Internet - but you can regain that by using Global Accelerator.

I would suggest that the DDoS protection from CloudFront is somewhat better than that from a single ALB only because CloudFront appears as multiple IP addresses in many different geographic regions.

It's not clear from your question but I'm going to assume that the 180 second timeout you're experiencing is an idle timeout. I would definitely test that against ALB; you can increase timeouts to 4,000 seconds (documentation is here) but I would suggest that three minutes is a long time for users/applications to wait for a response.

While it would take some effort to re-architect things it might make sense to decouple the front end and back end so that you can move to a design where the front end can wait indefinitely (using some sort of request identifier and a status page for the user) while the back end provides updates in some way. That would also remove the challenge you're having with CloudFront and give a bunch of flexibility in dealing with long queries.

Definitely worth a conversation with your local AWS Solutions Architect as this is a conversation that can be long and detailed.

EXPERT
answered 2 months ago
  • Thanks for the answer. Caching is not needed since the content is dynamic. Good tip about Global Accelerator as a solution for faster global access; I may use it in front of the ALB. The 180 seconds is not enough for some specific calls in the app where the user expects a long wait, e.g. for report generation. It's not that the app is slow, and it's not a UI problem. And I prefer not to rewrite it with polling or something; not worth the effort. From your answer I gather that, besides a bit less DDoS mitigation capability compared to CloudFront, it does make sense to use ALB for this case, assuming it's the only downside.
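The decoupling the answer describes (hand the user a request identifier straight away, let the back end finish in its own time, and expose a status endpoint the front end can poll) is sketched below as an added example; it is not code from the question, the answer or any AWS sample. The in-memory job registry and the `slow_report` stand-in for report generation are constructed for the example; a real deployment would back the registry with a durable store. The point is that no single HTTP request has to stay open longer than whatever idle timeout sits in front of the server.

```python
"""Decoupled long-running request pattern: submit returns a request id at
once, the work runs in the background, and a status endpoint is polled with
short requests, so no proxy/ALB/CloudFront idle timeout is ever reached."""
import threading
import time
import uuid
from concurrent.futures import ThreadPoolExecutor
from typing import Any, Callable, Dict, Optional

# In-memory job registry (assumption of this example; a real system would use
# a durable store so status survives a process restart).
_jobs: Dict[str, Dict[str, Any]] = {}
_lock = threading.Lock()
_pool = ThreadPoolExecutor(max_workers=4)


def _run(job_id: str, work: Callable[[], Any]) -> None:
    """Execute the long task and record its outcome under the job id."""
    with _lock:
        _jobs[job_id]["state"] = "running"
    try:
        result = work()
    except Exception as exc:  # the client sees a failed state, not a hung request
        with _lock:
            _jobs[job_id].update(state="failed", error=str(exc))
        return
    with _lock:
        _jobs[job_id].update(state="done", result=result)


def submit(work: Callable[[], Any]) -> str:
    """The 'POST /reports' side: enqueue the work, return a request identifier."""
    job_id = uuid.uuid4().hex
    with _lock:
        _jobs[job_id] = {"state": "queued", "submitted_at": time.time()}
    _pool.submit(_run, job_id, work)
    return job_id


def status(job_id: str) -> Optional[Dict[str, Any]]:
    """The 'GET /reports/<id>' side: current state, or None for an unknown id."""
    with _lock:
        job = _jobs.get(job_id)
        return dict(job) if job is not None else None


def wait_for(job_id: str, timeout: float = 10.0, interval: float = 0.05) -> Dict[str, Any]:
    """Client-side polling loop: many short requests instead of one long one."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        job = status(job_id)
        if job is None:
            raise KeyError(job_id)
        if job["state"] in ("done", "failed"):
            return job
        time.sleep(interval)
    raise TimeoutError(job_id)


def slow_report(rows: int) -> Callable[[], int]:
    """Constructed stand-in for a report that takes longer than 180 seconds."""
    def work() -> int:
        time.sleep(0.2)  # stands in for minutes of real work
        return rows * 2
    return work


if __name__ == "__main__":
    jid = submit(slow_report(21))
    print("submitted", jid, status(jid)["state"])
    print("finished", wait_for(jid))
```

The status endpoint is the only thing the front end holds open, and each call returns immediately, so the 180-second (or any other) idle limit stops being a constraint on how long the report itself may take.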

1

Hello

It is advisable to use an ALB with multiple instances in multiple AZs, with CloudFront in front and the ALB as origin. In this case your EC2 instances are in a private subnet, so you have more security for your web servers.

Please look at the sample architecture design https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2020/10/18/Enhance-Amazon-CloudFront-Origin-Figure-1.png

Well-Architected workshop: https://www.wellarchitectedlabs.com/security/200_labs/200_cloudfront_for_web_application/1_config_cloudfront/

answered 2 months ago
  • Thanks for the answer. I know it is advisable to use ALB with multiple instances. However, in this case I need to have one instance for this server. The question is whether I can gain the same security advantage as I get with CloudFront by using ALB instead.

  • When you use a single EC2 instance you must run it in a public subnet, whereas when using an ALB your machines are in a private network.

  • @GK As far as I know it's OK that the subnet is public as long as security groups are used to block it from the outside world (and allow only whitelisted developers to access it).
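Whether the instance sits in a public or a private subnet, the property the thread is relying on is the same: the instance's security group admits application traffic only from the ALB's security group, admin access only from the listed developer addresses, and nothing from `0.0.0.0/0` or `::/0`. The audit below is an added example, not code from the answer or from AWS; it runs over rules in the shape EC2 `DescribeSecurityGroups` returns (`IpPermissions`), but the group ids, CIDRs and ports are constructed for the example, and a real check would feed it the live rules instead.

```python
"""Audit an instance security group for the 'single instance behind an ALB'
layout: app port reachable only from the ALB's security group, admin access
only from listed developer CIDRs, no public ingress at all."""
from typing import Any, Dict, Iterable, List

# Constructed identifiers (not real AWS values).
ALB_SG = "sg-0alb0000example"
APP_PORT = 8080
DEV_CIDRS = {"203.0.113.7/32"}  # documentation range standing in for developer IPs

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed IpPermissions: a group that matches the layout ...
INSTANCE_SG_GOOD: List[Dict[str, Any]] = [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": [],
     "UserIdGroupPairs": []},
]

# ... and one that exposes the instance directly, bypassing the ALB.
INSTANCE_SG_BAD: List[Dict[str, Any]] = [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
    {"IpProtocol": "-1",  # all protocols / all ports
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}],
     "UserIdGroupPairs": []},
]


def _ports(perm: Dict[str, Any]) -> str:
    """Human-readable port range; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return "all ports"
    return f"{perm.get('FromPort')}-{perm.get('ToPort')}"


def audit_instance_sg(perms: Iterable[Dict[str, Any]], app_port: int,
                      alb_sg: str, dev_cidrs: Iterable[str]) -> List[str]:
    """Return findings; an empty list means the group matches the intended layout."""
    allowed = set(dev_cidrs)
    app_range = f"{app_port}-{app_port}"
    findings: List[str] = []
    alb_reaches_app = False

    for perm in perms:
        ports = _ports(perm)
        # CIDR-based ingress: only the listed developer addresses are acceptable.
        for r in perm.get("IpRanges", []):
            cidr = r["CidrIp"]
            if cidr == ANY_V4:
                findings.append(f"public IPv4 ingress on {ports}: instance reachable without the ALB")
            elif cidr not in allowed:
                findings.append(f"ingress on {ports} from unlisted CIDR {cidr}")
        for r in perm.get("Ipv6Ranges", []):
            cidr = r["CidrIpv6"]
            if cidr == ANY_V6:
                findings.append(f"public IPv6 ingress on {ports}: instance reachable without the ALB")
            elif cidr not in allowed:
                findings.append(f"ingress on {ports} from unlisted CIDR {cidr}")
        # Group-based ingress: only the ALB's group, and only on the app port.
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != alb_sg:
                findings.append(f"ingress on {ports} from unexpected group {pair['GroupId']}")
            elif ports != app_range:
                findings.append(f"ALB group allowed on {ports}, expected only {app_port}")
            else:
                alb_reaches_app = True

    if not alb_reaches_app:
        findings.append(f"no rule admits the ALB group {alb_sg} on port {app_port}")
    return findings


if __name__ == "__main__":
    for name, perms in (("good", INSTANCE_SG_GOOD), ("bad", INSTANCE_SG_BAD)):
        print(name, audit_instance_sg(perms, APP_PORT, ALB_SG, DEV_CIDRS) or "OK")
```

Run against the live `IpPermissions` of the instance's group, an empty result is what makes the "public subnet plus security group" argument in the comment above hold; any finding means the ALB (and whatever WAF sits on it) can be bypassed by talking to the instance directly.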
