Deploying Amazon CloudFront With The - Cyberlockeserv


WHITE PAPER

Deploying Amazon CloudFront with the Silverline Managed Services Platform

Learn how our customer built a secure, scalable, and seamless solution that leverages the combined investments in infrastructure and services that F5 and AWS have to offer.

KEY BENEFITS

Full Stack Security
Includes multiple layers of protection to mitigate DDoS/WAF/Fraud/Bot attacks.

Ease of Deployment
Rapidly and easily implement services from F5 and AWS to deliver and protect applications.

Cloud Delivered, Globally Available, Zero Business Impact
Maintain continuous application availability by leveraging the F5 Silverline Platform and Silverline SOC with Amazon CloudFront.

Low Cost of Entry and Ownership
F5 Silverline allows customers to obtain the services they need at a competitive price and improve their total cost of ownership.

Staff Augmentation, Security Experts On-Call, Knowledge Aggregation
Internal customer teams can work collaboratively with F5 Silverline experts, who are available 24x7 and have the latest vulnerability information available from internal F5 Security Incident Response Teams (F5 SIRT).

High Availability, Dedicated Proxies, Traffic Steering, Health Monitoring
The F5 Silverline platform offers a 99.999% uptime SLA, dedicated reverse proxies, traffic shaping to multiple or single origin services and continuous back-end health and availability monitoring.

Bandwidth and Routing/Direct Peering
F5 Silverline and Amazon are direct peers and offer excellent bandwidth and peering connectivity globally that results in superior performance for our customers.

F5 Silverline and Amazon CloudFront

During the evaluation of various service and solution offerings that would potentially meet their requirements, our customer, a global IT solutions company, performed an extensive review of the variables involved in deploying and operating a solution that combines a content delivery network (CDN), Web Application Firewall (WAF), and protections against Fraud/Bots and distributed denial-of-service (DDoS) attacks.
After considerable analysis and internal discussions with multiple teams, our customer determined that the best solution would be a combination of F5 Silverline and the Amazon CloudFront content delivery network.

Our customer chose this solution because it offered managed security services, fast deployment, and lower cost to provision, maintain and operate. The internal customer teams defined a plan for the evolution of the website and focused on completing each phase of their plan quickly, without major impact to ongoing operations.

The ease of implementation and combined benefits of the architecture provided continuous performance improvements, additional security controls, and extensive reporting and logging with data-export capabilities to SIEM and other log-analysis platforms. This allowed our customer's team to focus on what they do best: providing a seamless and engaging customer experience.

Scalable Managed Security and Service Performance

Our customer selected F5 and AWS solutions for the implementation of the fourth phase of their plan (Figure 1) primarily because of the flexibility each service offered in their configurations, the low cost of operation, and the ability to grow the system over time through multiple iterations. Another key factor was the ability to work with the F5 Silverline Security Operations Center (SOC) analysts, who continually monitor the Silverline platform. (Silverline is F5’s cloud-based, managed security services platform.) The SOC analysts helped our customer define their security posture and maximize the usability of the system. This allowed our customer to provide a frictionless experience while relentlessly fighting fraud and abuse.

The Web Performance Challenge

Balancing the cost of operations with performance improvements over the evolution of a web application while providing a fast, secure, and frictionless customer experience.

Companies are faced with several challenges and constraints when architecting and designing web applications. A major consideration is balancing the cost of acquiring, deploying and managing the technology and personnel effectively to allow continuous performance improvements over the application lifecycle. The illustration below depicts the analysis our customer performed regarding the balance of cost versus performance that is required to evolve a web application.

Figure 1: F5 Silverline customer web application performance lifecycle

During the initial phase, our customer focused on deploying the application and obtaining customers. The steps they executed to achieve their target involved:

INITIAL APP DEPLOYMENT
TARGET: CUSTOMER ACQUISITION
OPEN SOURCE SOFTWARE DEV FRAMEWORKS
DEPLOY BASIC COMPUTE, STORAGE, AND HTTP SERVERS
MINIMAL VIABLE PRODUCT ROLLOUT
MINIMUM BANDWIDTH COMMIT (NO CARRIER PREFERENCE)
SINGLE HOMED
PAAS/IAAS MODEL

In phase two, the customer focused on enhancements and improvements to acquire a customer base and prepare for additional expansion.

APP CONTINUOUS ENHANCEMENTS
TARGET: EXPAND CUSTOMER BASE
EXPAND APPLICATION FUNCTIONALITY AND FEATURES
ENHANCE EXISTING FEATURES FROM SITE USAGE STATS
CONTINUOUS IMPROVEMENT LIFE-CYCLE INTRODUCTION
ANALYZE RESOURCE CONSUMPTION (HUMAN/MACHINE)
PREPARE TO SCALE APPLICATION
COMPLETE APPLICATION SECURITY ANALYSIS

In phase three, our customer worked with our F5 Silverline account team to deploy the managed security components and configure Amazon CloudFront to ensure the application would scale and accommodate all traffic generated.

APP INFRASTRUCTURE ENHANCEMENTS
TARGET: SCALABILITY AND SECURITY
IMPLEMENT APPLICATION AUTO-SCALING
DEPLOY WEB APPLICATION FIREWALL
DEPLOY DDOS PROTECTION
DEPLOY AUTOMATED THREAT AND FRAUD PROTECTION
ANALYZE/DEPLOY MULTIHOMED NETWORK LINKS
ANALYZE/DEPLOY DIRECT PEERING RELATIONSHIPS

For phase four, our customer analyzed customer origin requests and determined that many of their customers were transacting from countries outside the US. This observation, coupled with additional analysis of increased demand in the US, motivated their implementation of Amazon CloudFront to extend their reach and improve global performance.

INFRASTRUCTURE EXTENSIBILITY
TARGET: IMPROVE GLOBAL PERFORMANCE
IMPLEMENT CONTENT DELIVERY STRATEGY
ACCELERATE CONTENT - CONTENT DELIVERY NETWORK
CDN REGIONAL ASSIGNMENT PER USAGE STATISTICS
DEPLOY CONTINUOUS MONITORING FOR AVAILABILITY
DEPLOY CONTINUOUS MONITORING FOR PERFORMANCE
HEADERS AND ACLs IN CDN/SECURITY INFRASTRUCTURE

For the final phase, customer teams focused on deploying a hybrid environment of both mixed colocation services and SaaS/IaaS/PaaS platforms to enhance their operational capabilities and adaptation to fast-changing global market environments.

APP CONTINUOUS IMPROVEMENT
TARGET: ENHANCE CUSTOMER EXPERIENCE/REDUCE FRICTION
MATURE APPLICATION STAGE: UX REDESIGN FEATURES
DEPLOY HYBRID ENVIRONMENT OF SAAS AND COLOCATION
EXPAND BANDWIDTH COMMITMENTS/MULTI-HOMING
OPTIMIZE CONTENT DISTRIBUTION
OPTIMIZE OBJECT PERFORMANCE
INDUSTRY CERTIFICATIONS FOR SECURITY/COMPLIANCE

This document will focus on the technical steps our customer executed to complete the phase four integration of Amazon CloudFront with the F5 Silverline managed security services platform.

Service Components for Integration

Basic requirements to ensure a successful service deployment and system integration.

To prepare for the integration of Amazon CloudFront into the F5 Silverline Platform, our customer provisioned the following items, with assistance from the Silverline team:

F5 SILVERLINE MANAGED SERVICES

Minimum Requirement:
Single proxy (one FQDN)

Includes:
IPv4/v6 address space
CNAME assignment
DDoS protection
Multi-homed and route optimized network
Direct peering with AWS/Azure/GCP
24/7 support
Portal Management
SSL security profile management

Optional:
WAF
Additional DDoS commitments
Fraud/Bot protection
Threat Intelligence

Our customer's choice:
All items selected by customer

AMAZON WEB SERVICES

Minimum Requirement: AWS EC2 Compute
Includes: OS, Database.

AWS S3
Includes: Content storage services

HTTP Server
Includes: Content origin management

AWS CloudFront
Includes: Content Delivery Services

Our customer's choice:
All items selected by customer

Architecture

Building a secure and scalable network that allows customers to obtain the best performance and engagement experience globally.

Deploying a secure, fast, global network with multi-homed links and multiple services is not easy for any organization. Fortunately, customers can benefit from the combined investments in infrastructure and services that F5 and AWS can offer. This allows customers to construct a solution that can be deployed rapidly to onboard applications with maximum efficacy and realize an immediate return on investments.

The architecture our customer chose to deploy is depicted in the illustration below:

Solution Provisioning

Ease of deployment for rapid integration.

Organizations are being pressed to roll out applications that quickly respond to market challenges to gain a competitive advantage and/or cost savings. Deployments that can be done in a short period of time offer a considerable advantage over deployments that require extensive resources and additional costs. With F5 and AWS, the deployment of these configurations is easy; if customers have all the components and data ready to configure, it can be done in minutes.

With phase three complete, our customer moved to the fourth phase, which entailed integrating Amazon CloudFront with the F5 Silverline Platform and included the following steps.

F5 SILVERLINE - PROXY CONFIGURATION

When our Silverline SOC team deploys the portal account, customers can log in and configure the proxy root object with required settings for the proxy display name, the FQDN (Fully Qualified Domain Name), the origin server IP address or ELB CNAME (Canonical Record), Threat Intelligence profiles, WAF policies, SSL certificates, and Fraud/Bot protection endpoints. Customers will review these steps with a Silverline SOC analyst during the onboarding phase. Customers may also engage a SOC analyst to assist with any proxy deployment.

Once the proxy has been saved and deployed to the Silverline platform, customers will receive a unique CNAME that will be used as the origin for the Amazon CloudFront network. Customers may locate this proxy CNAME in the main configuration panel after deployment.

Once the proxy is enabled, it is ready to receive traffic immediately and can be used to route user requests from CloudFront as soon as that service is configured.

AMAZON CLOUDFRONT - SERVICE CONFIGURATION

To ensure a smooth integration, customers should have the following information available before performing the CloudFront integration.

Once these components are in place and provisioned, customers can initiate the CloudFront configuration by navigating to the AWS management console. In the console menu, locate and select the sub-category "Networking & Content Delivery" / CloudFront. Locate and select the "Distributions" link and proceed to create the initial distribution.

To initiate the object configuration, select the "Create Distribution" control. You may be prompted to create a "Specific Deliver Method". Our customer chose the "Web" delivery method.

Select the "Get Started" control. The panels below will render on the browser. Configure the Origin Settings as shown:

Origin Connection Attempts, Origin Timeout, Origin Response Timeout, Origin Keep-Alive Timeout, HTTP and HTTPS Ports should remain as defaults unless a change is required.

Origin Custom Headers: Custom header keys and values will be in every request to origin. These settings may also be used to filter out any requests at the Silverline proxy that are not originating from CloudFront.

Default Cache Behavior Settings can be programmed according to internal policies defined by the application developers, information technology, DevOps, security teams, and other stakeholders. It is critical to emphasize the importance of understanding the degree of impact any changes to the values may have on the overall operation of the application. F5 Silverline recommends an evolutionary approach as each setting may introduce variances in cost, security exposure, performance impact, and interaction with the Silverline WAF or Bot/Fraud protection. AWS provides excellent documentation from the management console to help organizations understand how to apply each control and what impact it may have on existing operations. Our Silverline SOC analysts may also provide information on how these settings will affect the Silverline proxy, WAF or Bot/Fraud protection.

Distribution Settings may also have a considerable impact on operations. The settings that are worth additional consideration are as follows:

The final step will be to create the distribution. This should take a few minutes and, once completed, customers will receive a CNAME.

The CNAME issued by Amazon CloudFront can now be used with AWS Route 53 as the authoritative record of resolution for any traffic bound for the application.
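An added example (not part of the white paper, and not F5 or AWS code) that audits the Origin Settings discussed above and shows a weak configuration beside its corrected form. It runs over a constructed DistributionConfig in the shape returned by CloudFront's GetDistributionConfig API; the proxy CNAME, the header name X-Origin-Verify and the 32-character minimum are assumptions.

```python
import copy
import secrets

# Constructed sample in the shape of CloudFront's DistributionConfig
# (GetDistributionConfig API). Domain, header name and value are placeholders.
WEAK_CONFIG = {
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "silverline-proxy",
        "DomainName": "proxy-cname.example.net",
        "CustomHeaders": {"Quantity": 1, "Items": [
            {"HeaderName": "X-Origin-Verify", "HeaderValue": "changeme"}]},
        "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                               "OriginProtocolPolicy": "match-viewer"},
    }]},
    "DefaultCacheBehavior": {"TargetOriginId": "silverline-proxy",
                             "ViewerProtocolPolicy": "allow-all"},
}

def audit(cfg, proxy_cname, header_name, min_len=32):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for origin in cfg["Origins"]["Items"]:
        oid = origin["Id"]
        if origin["DomainName"].rstrip(".").lower() != proxy_cname.rstrip(".").lower():
            findings.append(f"{oid}: origin is not the proxy CNAME")
        policy = origin.get("CustomOriginConfig", {}).get("OriginProtocolPolicy")
        if policy != "https-only":
            findings.append(f"{oid}: OriginProtocolPolicy={policy}, header may travel in cleartext")
        items = origin.get("CustomHeaders", {}).get("Items") or []
        values = {h["HeaderName"].lower(): h["HeaderValue"] for h in items}
        value = values.get(header_name.lower())
        if value is None:
            findings.append(f"{oid}: custom header {header_name} is missing")
        elif len(value) < min_len:
            findings.append(f"{oid}: custom header value is too short to act as a secret")
    if cfg["DefaultCacheBehavior"]["ViewerProtocolPolicy"] == "allow-all":
        findings.append("default behavior: viewers may use plain HTTP")
    return findings

def harden(cfg, header_name):
    """Return a corrected copy: HTTPS on both legs and a random header value.
    Assumes every origin is a custom origin, as the proxy CNAME is."""
    fixed = copy.deepcopy(cfg)
    for origin in fixed["Origins"]["Items"]:
        origin["CustomOriginConfig"]["OriginProtocolPolicy"] = "https-only"
        origin["CustomHeaders"] = {"Quantity": 1, "Items": [
            {"HeaderName": header_name, "HeaderValue": secrets.token_urlsafe(32)}]}
    fixed["DefaultCacheBehavior"]["ViewerProtocolPolicy"] = "redirect-to-https"
    return fixed
```

The header only works as a filter if the proxy rejects requests that lack the exact value, and if the value is rotated on both sides together.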


Conclusion

Our customer's internal security, information technology, operations, and development teams spent a lot of time evaluating the best solution for their customer engagement and marketing strategy goals. Once our customer selected the solution, the implementation proceeded without any roadblocks and they had the services and applications up and running globally within minutes, providing their worldwide customers with a much smoother and faster engagement experience.

To learn more about Silverline Managed Security Services, contact your F5 representative, or visit www.f5.com/products/security/silverline.

©2021 F5, Inc. All rights reserved. F5, and the F5 logo are trademarks of F5, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, expressed or implied, claimed by F5, Inc.
DC0921 WP-KIT-8
