Let's explore some advanced options for CloudFront that can come up in the exam. So let's talk about pricing and price classes. So we know that CloudFront edge locations are all around the world, but because they're all around the world, the cost of data out per edge location will vary. And so here is a table. So as you can see, based on the continent or geographic region that the edge location is in, you will have different pricing. So if you look at this table, (mumbles) numbers. But if you look at Mexico, United States and Canada, the first 10 terabytes is going to cost $0.08 per gigabyte. But if you have the same edge location in India, it is going to be about twice the cost, at $0.17 per gigabyte of data transferred, and so on. And the more data is transferred out of CloudFront, the lower the cost. So if you transfer over five petabytes of data out of CloudFront, you're only going to pay $0.02 out of the United States. So the idea is that from the left side to the right-hand side you have a higher cost, which brings us to the price classes.
So you have a choice you can make, and you can reduce the number of edge locations around the world that is going to be used for your CloudFront distribution in order to do cost reduction. And there are three price classes available. There is the price class All, which is giving you all regions and obviously the best performance. But it's going to cost you a little bit more money because, as you can see, for example, an edge location in India will cost more than an edge location in the United States. You can do the price class 200, which gives you most regions but excludes the most expensive regions, and the price class 100 to only get the least expensive regions. And this is summarized in this table. Now the table is not really fun to look at, so I made a little diagram: here is the world, and we have a lot of edge locations around the world. Now the price class 100 is going to give us North America and Europe.
Then price class 200 is going to add some of these regions, and price class All is going to have the entire world available for the edge locations.

So now let's talk about multiple origins in CloudFront and then origin groups. So for example, you may want to redirect and route to different kinds of origins based on the content type or the path being passed to CloudFront. For example, you have a path for images, a path for the API and a path for everything else. In which case, in CloudFront you can set different cache behaviors with a path being determined. And for example, if you have this /API/* path, okay, you can say that you need to have a response from the origin being your Application Load Balancer. But in case anything else is requested, maybe everything else is static content, then you should get that content out of your S3 buckets. And so, as we can see, we have defined multiple origins based on the path in Amazon CloudFront. Now you can also set up origin groups, and this is a different use case.
This is to increase high availability and do failover in case one origin has failed. So an origin group consists of one primary and one secondary origin. And if the primary origin fails, then CloudFront will try to fail over to the secondary origin. So let's take an example: say we have CloudFront and we have an origin group made of two EC2 instances. The first one is going to be our primary origin and the second one is going to be our secondary origin. So Amazon CloudFront will send a request to the first EC2 instance. And in case there is an error coming back from the EC2 instance, then Amazon CloudFront will retry the same request on the origin B, and hopefully this one will respond with an OK status code. So there is a failover happening. You can also use this with Amazon S3. So in this example, if we use S3 and CloudFront with origin groups, we can get to region-level high availability and disaster recovery. So let's have a look. We have an origin group made of two S3 buckets.
The first one is going to be our primary origin and the second one is going to be our secondary origin. And if these S3 buckets are in different regions, then we can set up replication between these buckets. So all the content of origin A will be replicated into origin B. Now, if Amazon CloudFront sends a request and we get an error from the first S3 bucket, because maybe there is a region-level outage, then CloudFront will try the same request on the other S3 bucket in another region, which will have all the data of the first one thanks to the replication. And therefore this one should hopefully reply with an OK status. So it just gives you a great architecture to get to regional-level disaster recovery for Amazon CloudFront and your S3 buckets.

Finally, let's talk about field-level encryption. So this is to protect sensitive information through the application stack. And this adds an additional level of security alongside using encryption in flight using HTTPS.
So the idea is that any time sensitive information is sent by the user, the edge location is going to encrypt it, and it will only be able to be decrypted if someone has access to the private key. And therefore, this will be using asymmetric encryption. So how does it work? Well, in the POST requests being made to Amazon CloudFront, there will be a set of fields that we want to be encrypted, up to 10 fields, for example a credit card. And we will specify the public key to encrypt them with. So let's go through an example. We have a client talking over HTTPS to an edge location, which will be forwarding it to the CloudFront service using HTTPS again. And then it will go all the way to the origin using HTTPS, through an Application Load Balancer, which will forward all the data using HTTPS to your web server. So everything is encrypted in flight, but we want to specify field-level encryption. So say, for example, that our user is sending us some credit card information, and this is the one in orange right now.
We specify that we want to have field-level encryption for the credit card information. And therefore the edge location will encrypt that field using a public key. So now the data being passed from the edge location to Amazon CloudFront to the origin will have the credit card information being encrypted thanks to the public key. And so the information will be passed all along until the web server. And then the web server will have access to the private key and will be able to decrypt that encrypted field, using the private key to decrypt and get the credit card number. As we can see, all along the stack, none of the CloudFront locations and the Application Load Balancer will have the opportunity to decrypt that field. Only the web server will, and you need to have some custom application logic to decrypt that field.

So that's it for this lecture. I hope you liked it. And I will see you in the next lecture.
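The multiple-origin routing and origin-group failover described in the lecture, as an added worked example that is not part of the lecture and not AWS's own code. The dictionary follows the shape that boto3's `cloudfront.create_distribution(DistributionConfig=...)` accepts, trimmed to the fields the lecture talks about (price class, origins, an origin group, path-based cache behaviors); the origin IDs and domain names are made-up placeholders, and the `fetch` callable is a constructed stand-in for real origins so the script runs offline. The two helper functions model how CloudFront picks a target for a request path (first matching cache behavior, in order, case-sensitive, otherwise the default behavior) and how an origin group retries on the secondary; one caveat worth knowing, which the lecture does not mention, is that origin failover is only attempted for GET, HEAD and OPTIONS requests.

```python
"""Added example: CloudFront multiple origins + origin group, modelled offline."""
from fnmatch import fnmatchcase

# CloudFront only fails over for these methods; an erroring POST is returned as-is.
FAILOVER_METHODS = {"GET", "HEAD", "OPTIONS"}

# Placeholder IDs and domain names (assumption: boto3 DistributionConfig shape).
DISTRIBUTION_CONFIG = {
    "CallerReference": "lecture-example-1",
    "Comment": "API via ALB, static content via S3 with cross-region failover",
    "Enabled": True,
    "PriceClass": "PriceClass_100",  # least expensive edge locations only
    "Origins": {"Quantity": 3, "Items": [
        {"Id": "alb-api", "DomainName": "api-alb.example.com",
         "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                "OriginProtocolPolicy": "https-only"}},
        {"Id": "s3-primary", "DomainName": "static-use1.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
        {"Id": "s3-secondary", "DomainName": "static-euw1.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
    # Origin group: primary bucket, replicated secondary bucket in another region.
    "OriginGroups": {"Quantity": 1, "Items": [{
        "Id": "s3-group",
        "FailoverCriteria": {"StatusCodes": {"Quantity": 4,
                                             "Items": [500, 502, 503, 504]}},
        "Members": {"Quantity": 2, "Items": [{"OriginId": "s3-primary"},
                                             {"OriginId": "s3-secondary"}]},
    }]},
    # Cache behaviors are evaluated in order; the first matching path wins.
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/api/*", "TargetOriginId": "alb-api",
         "ViewerProtocolPolicy": "https-only"},
    ]},
    # Everything else goes to the origin group.
    "DefaultCacheBehavior": {"TargetOriginId": "s3-group",
                             "ViewerProtocolPolicy": "redirect-to-https"},
}


def select_target(config, path):
    """TargetOriginId CloudFront would use for `path`. Patterns are case-sensitive;
    '*' matches any run of characters (including '/'), '?' one character."""
    for behavior in config["CacheBehaviors"]["Items"]:
        if fnmatchcase(path, behavior["PathPattern"]):
            return behavior["TargetOriginId"]
    return config["DefaultCacheBehavior"]["TargetOriginId"]


def origin_group(config, target_id):
    """The origin group with this id, or None when the id is a plain origin."""
    for group in config.get("OriginGroups", {"Items": []})["Items"]:
        if group["Id"] == target_id:
            return group
    return None


def members_for(config, target_id):
    """[primary, secondary] for an origin group; a plain origin as a 1-item list."""
    group = origin_group(config, target_id)
    if group is None:
        return [target_id]
    return [m["OriginId"] for m in group["Members"]["Items"]]


def fetch_with_failover(config, method, path, fetch):
    """Model origin-group behavior. `fetch(origin_id, method, path)` returns
    (status, body) or raises ConnectionError. Every request starts at the
    primary; the secondary is tried only for FAILOVER_METHODS and only on a
    connection failure or a status listed in FailoverCriteria.
    Returns (origin_id that served the response or None, (status, body))."""
    target = select_target(config, path)
    members = members_for(config, target)
    group = origin_group(config, target)
    failover_codes = set(group["FailoverCriteria"]["StatusCodes"]["Items"]) if group else set()
    for index, origin_id in enumerate(members):
        can_failover = method in FAILOVER_METHODS and index < len(members) - 1
        try:
            status, body = fetch(origin_id, method, path)
        except ConnectionError:
            if can_failover:
                continue
            return None, (502, "")  # nothing reachable: CloudFront returns an error
        if can_failover and status in failover_codes:
            continue
        return origin_id, (status, body)


def make_fake_origins(primary_status):
    """Constructed stand-in for real origins. primary_status=None simulates a
    region outage (connection failure) on the primary bucket."""
    def fetch(origin_id, method, path):
        if origin_id == "s3-primary":
            if primary_status is None:
                raise ConnectionError("simulated region outage")
            return primary_status, f"{origin_id}:{path}"
        return 200, f"{origin_id}:{path}"
    return fetch


if __name__ == "__main__":
    print(select_target(DISTRIBUTION_CONFIG, "/api/v1/users"))          # alb-api
    print(fetch_with_failover(DISTRIBUTION_CONFIG, "GET", "/index.html",
                              make_fake_origins(503)))                  # served by s3-secondary
    print(fetch_with_failover(DISTRIBUTION_CONFIG, "POST", "/upload",
                              make_fake_origins(503)))                  # no failover for POST
```

To actually create the distribution you would pass a fuller version of this dictionary to `boto3.client("cloudfront").create_distribution(DistributionConfig=...)`; the real API also requires cache-policy and TTL settings on each behavior that are left out here because they are not what the lecture is about.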