Cloud 5 AEM CDN Part 1

This is a deep dive into the CDN provided as part of AEM as a Cloud Service, including what it is capable of and whether to bring your own CDN. This is part 1 of 2.

Transcript
AEM as a cloud service is shipped with a built-in CDN. Its main purpose is to reduce latency by delivering cacheable content from the CDN nodes at the edge near the browser. It is fully managed and configured for optimal performance of AEM applications. The AEM managed CDN will satisfy most customers' performance and security requirements for the published tier; however, customers can optimally point to it from their own CDN, which of course they'll need to manage. This will be allowed on a case-by-case basis based on meeting certain prerequisites, including, but not limited to, the customer having a legacy integration with their CDN vendor that is difficult to abandon. This leads to many questions that the customer has of Adobe. So in this video, Darin and I are going to attempt to tackle some of those most common questions. So I'm going to play the customer and Darin is going to play the AEM architect.
So Darin, I have a question. We currently use a web application firewall. As I understand, AEM as a cloud service doesn't offer that web application firewall. So how is this handled?

So you're right, we don't offer what's commonly referred to as the web application firewall that you traditionally see in, you know, security appliance or CDN, but AEM as a cloud service defends against the same things that the web application firewall would, like DDoS attacks at multiple levels. Even at the edge, out of the box, our CDN has L3, L4 and L7 action against threats including disruptive L3 and L4 text, ping floods, ICMP, reflection and amplification attacks, transactional floods, resource exhaustion, and all the types of attacks that you typically see on a commerce site or marketing level type site. So plenty of protection there. Closer to the origin, our load balancer that we use also rejects nefarious traffic that makes it through that CDN and was not, you know, and it made it through that CDN and we can toss out that traffic, and if it makes it past even that level we have the Apache HTTP layer using our mod dispatcher that can be configured to reject requests based on application specific requirements. Even in the near term roadmap, there's some items in here to make you, make it be able to configure the cloud service's DDoS defense with additional rules to block suspicious traffic at the L7 level, both by the security, you know, the typical security community at large that suspect different patterns and stuff like that. So you can add those in there. And it basically brings cloud service to a parity with the typical web application firewall rules used in a typical like managed services offering.
Great, that's good to know. Another issue that we have is we need to provide access to selected IP addresses and programs that our network server policy typically blocks. How can we do that in AEM as a cloud service? I've had a hard time kind of figuring that out.

So this one's quite easy. So using Cloud Manager there's an IP allow list that can be configured in a self-service fashion. So you can just go in there and click a few boxes, type in the IP addresses, or blocks that you need to allow or disallow. In addition to that, our AEM CDN denial of service that we just previously talked about is always on. So if there's specific things that, you know, dynamic attacks and stuff like that, that come from IPs that you wouldn't typically think of, the denial of service protection is always on.

Oh, great, thank you.

Content covered in part one of this series

  • AEM CDN Overview
  • Web Application Firewall (WAF) capabilities
  • IP Restrictions
  • DDOS Protections

View Part Two
