How does fronting API Gateway with CloudFront help with DDoS mitigation and protection?

0

Hi,

We have an API Gateway with regional endpoints. We have attached WAF to the API Gateway for L7 protection.

Researching how we can further protect our system, this AWS whitepaper suggests we use CloudFront in front of the API Gateway:

Amazon CloudFront distributes traffic across multiple edge locations, and filters requests to help ensure that only valid requests will be forwarded to your API Gateway deployments.

I suspect my understanding of the edge network is limited and the answer may be obvious, but can someone expand on this quote or provide further information on why CloudFront helps with DDoS mitigation?

Also as far as I know, CloudFront uses Shield for DDoS mitigation and detection at L3/L4. But Shield Standard is also used in all AWS services, including API Gateway. Are there benefits to using CloudFront for DDoS mitigation and protection beyond Shield?

2 Answers
1
Accepted Answer

Hi,

When you use AWS Shield Standard with Amazon CloudFront, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks. These services are part of the AWS Global Edge Network and can improve the DDoS resiliency of your application when serving any type of application traffic from edge locations distributed around the world.

Some benefits of using CloudFront are:

  • Access to internet and DDoS mitigation capacity across the AWS Global Edge Network. This is useful in mitigating larger volumetric attacks, which can reach terabit scale.
  • AWS Shield DDoS mitigation systems are integrated with AWS edge services, reducing time-to-mitigate from minutes to sub-second.
  • Stateless SYN Flood mitigation techniques proxy and verify incoming connections before passing them to the protected service. This ensures that only valid connections reach your application while protecting your legitimate end users against false-positive drops.
  • Automatic traffic engineering systems that disperse or isolate the impact of large volumetric DDoS attacks. These services isolate attacks at the source before they reach your origin, which means less impact on systems protected by these services.

I suggest you read the AWS Best Practices for DDoS Resiliency Whitepaper, which is an AWSome source of knowledge regarding this topic.

Additionally, you have some other security benefits with CloudFront:

  • Reduced latency for your end users if they access your services from other countries
  • Restricting the geographic distribution of your content
  • Serving private content with signed URLs and signed cookies
  • And others...

Another good benefit is a cheaper DTO using CloudFront, example (from AWS Pricing Calculator):

  • DTO in US East (N. Virginia) - Internet: 1024 GB x 0.09 USD per GB = 92.16 USD
  • CloudFront DTO in US East (N. Virginia) - Internet: 1024 GB x 0.085 USD = 87.04 USD

Best Regards,

Ricardo Makino

answered a year ago
0

Currently, AWS Shield Advanced doesn't support enabling protection on API Gateways, but supports CloudFront. Therefore, it's a best practice to place the CloudFront Distribution in front of the API Gateway and then enable protection on that distribution.

https://repost.aws/questions/QUGMi_eNmkTB-nVwLdze9eKA/what-are-the-benefits-of-using-amazon-cloud-front-together-with-amazon-api-gateway

answered a year ago
  • Hi Gautam, but Shield Standard protects all AWS resources; the question is what the benefits are of including Amazon CloudFront with Amazon API Gateway when just using AWS Shield Standard?
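As an added example that is not part of this thread or of AWS's own documentation, the Terraform below wires up the pattern both answers describe: a CloudFront distribution in front of a regional API Gateway stage, with Shield Advanced enabled on the distribution (the point of the second answer). It also covers the detail behind "only valid requests will be forwarded": the regional execute-api hostname stays publicly reachable, so the distribution adds a secret origin header and a regional web ACL on the stage blocks any request that lacks it; otherwise traffic can reach the origin directly and bypass everything attached to the distribution. Assumed names: aws_api_gateway_rest_api.api, aws_api_gateway_stage.prod, var.region, and var.origin_secret (a long random value declared as a sensitive variable).

```hcl
# Added example (not from the re:Post thread). Assumes an existing REST API
# aws_api_gateway_rest_api.api deployed to aws_api_gateway_stage.prod, plus
# variables var.region and var.origin_secret (long random string, sensitive).

# Managed policies: never cache API responses, and forward every viewer header
# except Host (API Gateway needs its own execute-api Host header).
data "aws_cloudfront_cache_policy" "no_cache" {
  name = "Managed-CachingDisabled"
}
data "aws_cloudfront_origin_request_policy" "all_but_host" {
  name = "Managed-AllViewerExceptHostHeader"
}

resource "aws_cloudfront_distribution" "api" {
  enabled = true

  origin {
    origin_id   = "apigw"
    domain_name = "${aws_api_gateway_rest_api.api.id}.execute-api.${var.region}.amazonaws.com"
    origin_path = "/${aws_api_gateway_stage.prod.stage_name}"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }

    # Secret header only CloudFront adds; the regional web ACL below requires it.
    custom_header {
      name  = "x-origin-verify"
      value = var.origin_secret
    }
  }

  default_cache_behavior {
    target_origin_id         = "apigw"
    viewer_protocol_policy   = "redirect-to-https"
    allowed_methods          = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods           = ["GET", "HEAD"]
    cache_policy_id          = data.aws_cloudfront_cache_policy.no_cache.id
    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_but_host.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

# Regional web ACL on the API stage: block everything that did not come through
# the distribution, i.e. anything without the exact secret header value.
resource "aws_wafv2_web_acl" "origin_only" {
  name  = "apigw-origin-only"
  scope = "REGIONAL"

  default_action {
    block {}
  }

  rule {
    name     = "allow-cloudfront-origin-header"
    priority = 0
    action {
      allow {}
    }
    statement {
      byte_match_statement {
        search_string         = var.origin_secret
        positional_constraint = "EXACTLY"
        field_to_match {
          single_header {
            name = "x-origin-verify" # WAFv2 requires lowercase header names
          }
        }
        text_transformation {
          priority = 0
          type     = "NONE"
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AllowCloudFrontOriginHeader"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "ApigwOriginOnly"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "apigw" {
  resource_arn = aws_api_gateway_stage.prod.arn
  web_acl_arn  = aws_wafv2_web_acl.origin_only.arn
}

# Shield Advanced (requires the paid subscription) attaches to the distribution;
# it cannot be attached to the API Gateway stage itself.
resource "aws_shield_protection" "api_edge" {
  name         = "api-edge-distribution"
  resource_arn = aws_cloudfront_distribution.api.arn
}
```

The L7 rules currently on the regional WAF can be moved to a web ACL with scope CLOUDFRONT (which must be created in us-east-1) and attached to the distribution via its web_acl_id, so malicious requests are dropped at the edge rather than at the origin. The Managed-AllViewerExceptHostHeader policy matters because a regional API Gateway endpoint rejects requests whose Host header is not its own execute-api hostname. To rotate the secret without downtime, add a second byte_match_statement for the new value first, switch the custom_header, then remove the old rule.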
