I've attached my architecture as shown above. For HA, I've put an ELB in front of my three API ECS instances. For security purposes (such as geo restriction and so on), I want to add CloudFront in front of the ELB, but I don't want caching (the TTL could be set to 0). Please advise. Many thanks.

PPShein
- Can you explain why you are planning to add CloudFront and how it will help? Also, what kind of security features do you need? – Ankit Deshpande May 16 '19 at 08:06
- @AnkitDeshpande I want to restrict geo-location, custom header-type and so on. – PPShein May 16 '19 at 08:50
- Cool. As suggested by Aniket then, you can use WAF and CloudFront. – Ankit Deshpande May 16 '19 at 09:10
- @AnkitDeshpande WAF ***or*** CloudFront, right? – PPShein May 16 '19 at 09:38
- I think you can start with WAF and then if you run into any cases which cannot be solved using WAF, then add CloudFront. – Ankit Deshpande May 16 '19 at 10:05
1 Answer
I would add WAF or CloudFront if the ELB is internet-facing. Please refer to the DDoS whitepaper from AWS, which lists best practices.
CloudFront can be leveraged to protect against all known infrastructure layer attacks.

Aniket Chopade
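A CloudFormation sketch of the setup the question describes (CloudFront in front of the ELB, geo restriction, all TTLs at 0), added here as an example and not part of the original question or answer. The parameter names, the `X-Origin-Verify` header name and the country codes are assumptions made for illustration.

```yaml
# Added example, not from the original thread.
# Assumed/hypothetical: AlbDnsName, OriginSecret, the X-Origin-Verify header
# name and the sample country codes.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AlbDnsName:
    Type: String          # DNS name of the existing internet-facing load balancer
  OriginSecret:
    Type: String
    NoEcho: true          # shared value the load balancer can check for
Resources:
  ApiDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          - Id: api-elb
            DomainName: !Ref AlbDnsName
            CustomOriginConfig:
              # The load balancer certificate must match the Host header
              # or the origin domain name for https-only to work.
              OriginProtocolPolicy: https-only
              OriginSSLProtocols: [TLSv1.2]
            OriginCustomHeaders:
              # Added by CloudFront on every request to the origin
              - HeaderName: X-Origin-Verify
                HeaderValue: !Ref OriginSecret
        DefaultCacheBehavior:
          TargetOriginId: api-elb
          ViewerProtocolPolicy: https-only
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          # Caching off: every TTL is 0 and all headers, cookies and
          # query strings are forwarded to the API unchanged.
          MinTTL: 0
          DefaultTTL: 0
          MaxTTL: 0
          ForwardedValues:
            QueryString: true
            Headers: ["*"]
            Cookies:
              Forward: all
        Restrictions:
          GeoRestriction:
            RestrictionType: whitelist   # only the listed countries are served
            Locations: [US, CA]          # constructed sample ISO 3166-1 codes
```

Geo restriction applies only to traffic that goes through the distribution, so the load balancer should reject requests that lack the origin header (for example with a listener rule on an Application Load Balancer) or be restricted to CloudFront addresses.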