Hi,
When you use AWS Shield Standard with Amazon CloudFront, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks. These services are part of the AWS Global Edge Network and can improve the DDoS resiliency of your application when serving any type of application traffic from edge locations distributed around the world.
Some benefits of using CloudFront are:
- Access to internet and DDoS mitigation capacity across the AWS Global Edge Network. This is useful in mitigating larger volumetric attacks, which can reach terabit scale.
- AWS Shield DDoS mitigation systems are integrated with AWS edge services, reducing time-to-mitigate from minutes to sub-second.
- Stateless SYN Flood mitigation techniques proxy and verify incoming connections before passing them to the protected service. This ensures that only valid connections reach your application while protecting your legitimate end users against false-positive drops.
- Automatic traffic engineering systems that disperse or isolate the impact of large volumetric DDoS attacks. These services isolate attacks at the source before they reach your origin, which means less impact on systems protected by these services.
I suggest you read the AWS Best Practices for DDoS Resiliency whitepaper; it is an AWSome source of knowledge regarding this topic.
Additionally, you have some other security benefits with CloudFront:
- Reduced latency for your end users if they access your services from other countries
- Restricting the geographic distribution of your content
- Serving private content with signed URLs and signed cookies
- And others...
Another good benefit is a cheaper DTO using CloudFront, for example (from AWS Pricing Calculator):
- DTO in US East (N. Virginia) - Internet: 1024 GB x 0.09 USD per GB = 92.16 USD
- CloudFront DTO in US East (N. Virginia) - Internet: 1024 GB x 0.085 USD = 87.04 USD
Best Regards,
Ricardo Makino
Currently, AWS Shield Advanced doesn't support enabling protection on API Gateways, but supports CloudFront. Therefore, it's a best practice to place the CloudFront Distribution in front of the API Gateway and then enable protection on that distribution.
Hi Gautam, but Shield Standard protects all AWS resources. The question is: what are the benefits of including Amazon CloudFront within Amazon API Gateway just using AWS Shield Standard?