
Cloud 5 AEM CDN Part 1

This is a deep dive into the CDN provided as part of AEM as a Cloud Service, including what it is capable of and whether to bring your own CDN. This is part 1 of 2.


Transcript
AEM as a cloud service is shipped with a built-in CDN. Its main purpose is to reduce latency by delivering cacheable content from the CDN nodes at the edge near the browser. It is fully managed and configured for optimal performance of AEM applications. The AEM managed CDN will satisfy most customers’ performance and security requirements. For the published tier, however, customers can optimally point to it from their own CDN, which, of course, they’ll need to manage. This will be allowed on a case-by-case basis based on meeting certain prerequisites, including but not limited to the customer having a legacy integration with their CDN vendor that is difficult to abandon. This leads to many questions that the customer has of Adobe. So in this video, Darren and I are going to attempt to tackle some of those most common questions. So I’m going to play the customer, and Darren is going to play the AEM architect.

So, Darren, I have a question. We currently use a web application firewall. As far as I understand, AEM as a cloud service doesn’t offer that web application firewall. So how is this handled?

So you’re right. We don’t offer what’s commonly referred to as the web application firewall that you traditionally see in a security appliance or CDN. But AEM as a cloud service defends against the same things that the web application firewall would, like DDOS attacks at multiple levels. Even at the edge, out of the box, our CDN has L3, L4, and L7 protection against threats, including disruptive L3 and L4 attacks, ping floods, ICMP, reflection amplification attacks, transactional floods, resource exhaustion, and all the types of attacks that you typically see on a commerce site or marketing level type sites. So plenty of protection there. Closer to the origin, our load balancer that we use also rejects nefarious traffic that makes it through that CDN and was not, you know, and it’s made it through that CDN, and we can toss out that traffic. And it makes it past even that level. We have the Apache HTTP layer using our mod dispatcher that can be configured to reject requests based on application-specific requirements. Even in the near-term roadmap, there’s some items in here to make it be able to configure the cloud services DDOS defense with additional rules to block suspicious traffic at the L7 level, both by the security, you know, the typical security community at large that suspect different patterns and stuff like that, so you can add those in there. And it basically brings cloud service to a parity with, you know, the typical web application firewall rules used in a typical, like, managed services offering.

Great. That’s good to know. Another issue that we have is we need to provide access to selected IP addresses and programs that our network server policy typically blocks. How can we do that in AEM as a cloud service? I’ve had a hard time kind of figuring that out.

So this one’s quite easy. So using Cloud Manager, there’s an IP allow list that can be configured in a self-service fashion, so you can just go in there, click a few boxes, type in the IP addresses or blocks that you need to allow or disallow. In addition to that, our AEM CDN denial of service that we just previously talked about is always on. So if there’s specific things that, you know, dynamic attacks and stuff like that that come from IPs that you wouldn’t typically think of, the denial of service protection is always on.

Oh, great. Thank you.

Content covered in part one of this series

  • AEM CDN Overview
  • Web Application Firewall (WAF) capabilities
  • IP Restrictions
  • DDOS Protections

View Part Two

Additional Resources

Watch related videos on the Cloud 5 season 1 page.
