AWS re:Invent 2025 - State of the Edge: Delivery of the web with CloudFront, WAF, & Shield (NET211)

What is the Edge?

  • Edge services are distributed computing services that bring network, storage, and compute capabilities closer to users, reducing latency.
  • Key AWS edge services covered in this session: Amazon CloudFront, AWS Shield, and AWS WAF.
  • The mission is to protect applications, make them fast, secure, and resilient, and enable a fun and engaging internet experience for billions of users.

Evolution of the Internet and Edge Services

  • The internet has gone through massive shifts, from simple static web to transactional/e-commerce, social/mobile, and now the "agentic web" or AI-powered web.
  • Edge services have evolved to address the changing performance, security, and resiliency needs of these internet eras.
  • Key trends driving edge service investments:
    1. Changing traffic profiles with bursts, duplex connections, and new content types (e.g. AI model tokens)
    2. Increasing security needs, including protecting AI-powered applications and defending against AI-powered attacks
    3. Developer need for infrastructure that keeps pace with rapid application development cycles, including AI coding assistants

Powering Performance and Resiliency at the Edge

  • The AWS network comprises AWS regions and 750+ CloudFront edge locations in 200+ cities across 50+ countries.
  • This network handles trillions of requests per day and hundreds of terabits per second of peak traffic.
  • Recent enhancements:
    • Global Anycast Bring Your Own IP: Allows using static IPs for CloudFront distributions
    • HTTP/3 (QUIC): 25%+ of CloudFront requests already use this faster protocol
    • HTTPS DNS Records: Enables optimal protocol selection during DNS lookup
    • TLS 1.3 to Origin: 36% improvement in handshake time
    • TCP Fast Open: 50% improvement in TCP connect times
  • These performance optimizations are enabled by default and free for customers to use.

Securing the Edge

  • CloudFront provides security features like:
    • VPC Origin Access: CloudFront reaches origins in private subnets directly, so the origin needs no public endpoint
    • mTLS Support: Clients can authenticate to CloudFront with certificates
    • Post-Quantum Crypto Support: Future-proofing against quantum attacks
    • AWS Shield: Protects against Layer 3/4 DDoS attacks
    • AWS WAF: Protects against Layer 7 attacks with customizable rules
  • AWS WAF features:
    • Anti-DDoS Rule Sets: Quickly deploy effective DDoS mitigation
    • Bot Control: Detect and manage bot traffic, including AI bots
    • Fraud Prevention: Protect against credential stuffing and account creation abuse
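The session lists the WAF layers (managed rule sets, Bot Control, rate limiting) without showing what a web ACL that actually carries them looks like. The block below is an added example, not code from the session or from AWS: it builds a CloudFront-scoped WAFv2 web ACL definition in the dict shape boto3's `wafv2` `create_web_acl` / `get_web_acl` calls use, and audits an ACL for the usual gaps a reviewer looks for (wrong scope, managed groups left in Count mode, no blocking rate-based rule, missing groups, metrics off). The function names, the sample "weak" ACL and the rate threshold are constructed assumptions.

```python
"""Audit a WAFv2 web ACL definition for the layered edge defenses listed above.

The dict shape is the one boto3's wafv2 create_web_acl / get_web_acl use
(Scope, DefaultAction, Rules[], VisibilityConfig). The function names, the
sample ACLs and the rate threshold are constructed for this example and are
not from the session or from AWS.
"""
from __future__ import annotations

# AWS managed rule groups the audit expects (VendorName "AWS").
COMMON_RULES = "AWSManagedRulesCommonRuleSet"
BOT_CONTROL = "AWSManagedRulesBotControlRuleSet"


def _vis(metric: str) -> dict:
    """VisibilityConfig with CloudWatch metrics and sampled requests enabled."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric}


def managed_rule(name: str, priority: int, configs: list | None = None) -> dict:
    """Managed rule group rule; OverrideAction None means the group's own actions apply."""
    stmt: dict = {"VendorName": "AWS", "Name": name}
    if configs:
        stmt["ManagedRuleGroupConfigs"] = configs
    return {"Name": name, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": stmt},
            "OverrideAction": {"None": {}}, "VisibilityConfig": _vis(name)}


def rate_limit_rule(limit: int, priority: int) -> dict:
    """Block any single source IP that exceeds `limit` requests in WAF's 5-minute window."""
    return {"Name": "rate-limit-per-ip", "Priority": priority,
            "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}}, "VisibilityConfig": _vis("RateLimitPerIp")}


def build_baseline_web_acl(name: str = "edge-baseline") -> dict:
    """CloudFront-scoped web ACL with three layers: rate limiting, common rules, Bot Control."""
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",  # CloudFront ACLs are created in us-east-1 with this scope
        "DefaultAction": {"Allow": {}},
        "Rules": [
            rate_limit_rule(limit=2000, priority=0),
            managed_rule(COMMON_RULES, priority=1),
            managed_rule(BOT_CONTROL, priority=2,
                         configs=[{BOT_CONTROL: {"InspectionLevel": "COMMON"}}]),
        ],
        "VisibilityConfig": _vis(name),
    }


def audit_web_acl(acl: dict) -> list[str]:
    """Return findings; an empty list means every expected layer is present and enforcing."""
    findings: list[str] = []
    if acl.get("Scope") != "CLOUDFRONT":
        findings.append("scope is not CLOUDFRONT; ACL cannot be attached to a distribution")
    rules = acl.get("Rules", [])
    if not rules and "Allow" in acl.get("DefaultAction", {}):
        findings.append("default action Allow with no rules: nothing is inspected")
    managed: set[str] = set()
    blocking_rate_rule = False
    for rule in rules:
        stmt = rule.get("Statement", {})
        if "RateBasedStatement" in stmt and "Block" in rule.get("Action", {}):
            blocking_rate_rule = True
        group = stmt.get("ManagedRuleGroupStatement")
        if group:
            managed.add(group["Name"])
            # OverrideAction Count turns the whole group into observe-only mode.
            if "Count" in rule.get("OverrideAction", {}):
                findings.append(f"{group['Name']} is in Count mode (not enforcing)")
        if not rule.get("VisibilityConfig", {}).get("CloudWatchMetricsEnabled"):
            findings.append(f"rule {rule.get('Name')} has CloudWatch metrics disabled")
    if not blocking_rate_rule:
        findings.append("no blocking rate-based rule (no per-IP flood protection)")
    for needed in (COMMON_RULES, BOT_CONTROL):
        if needed not in managed:
            findings.append(f"{needed} not attached")
    return findings


# Constructed "weak" ACL: regional scope, common rules in Count mode, no rate limit, no Bot Control.
WEAK_ACL = {
    "Name": "legacy",
    "Scope": "REGIONAL",
    "DefaultAction": {"Allow": {}},
    "Rules": [dict(managed_rule(COMMON_RULES, 0), OverrideAction={"Count": {}})],
    "VisibilityConfig": _vis("legacy"),
}

if __name__ == "__main__":
    print("baseline findings:", audit_web_acl(build_baseline_web_acl()))
    print("weak ACL findings:", audit_web_acl(WEAK_ACL))
```

To create the baseline ACL for real, pass the dict as keyword arguments to a `wafv2` client in `us-east-1` (`boto3.client("wafv2", region_name="us-east-1").create_web_acl(**build_baseline_web_acl())`); the audit is equally useful on the `WebACL` object returned by `get_web_acl` for an ACL that already exists, which is where Count-mode groups left over from a staged rollout tend to surface.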

Simplifying Developer Experience

  • Streamlined security configuration with "Protection Packs": pre-built rule sets tailored to traffic profiles.
  • Flat Rate Pricing Plans: Fixed monthly pricing with no overages for CloudFront, WAF, Shield, and other services.
  • CloudFront SaaS Manager: Unified management of multi-tenant applications on CloudFront.

Atlassian's Journey with the AWS Edge

  • Atlassian, a leading collaboration software company, has fully migrated to the cloud and uses CloudFront extensively.
  • Goals for moving Jira and Confluence to CloudFront:
    1. Strengthen global security posture against modern attacks
    2. Deploy layered defense at the edge with a consistent control plane
    3. Identify shared logic to perform closer to customers
    4. Improve last-mile performance for end-users
  • Key Atlassian Implementations:
    • Anycast Static IPs: Enabled Atlassian to meet customer firewall requirements
    • Origin Control Helper: Steered traffic to the correct origin region, reducing cross-region data transfer costs
    • CloudFront SaaS Manager: Enabled self-service CloudFront adoption for Atlassian's many services
    • Network Error Logging: Provided enhanced visibility into client-side network issues
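Network Error Logging is the piece of the Atlassian list (and of the observability takeaway below) that is easy to name and hard to picture. NEL is the W3C reporting mechanism in which a server enrols browsers through `Report-To` and `NEL` response headers (for example via a CloudFront response headers policy) and the browser later POSTs JSON reports about failed requests to the collector named there. Its value at the edge is that DNS and connection-phase failures never reach CloudFront or the origin, so they show up in NEL and nowhere in access logs. The block below is an added example, not Atlassian's or CloudFront's code: it shows the enrolment headers, parses a constructed report batch in the NEL report shape, aggregates by phase, error type and server IP, and counts the failures that no server-side log could have recorded. The collector URL, the sample reports and the function names are constructed assumptions.

```python
"""Aggregate Network Error Logging (NEL) reports into a per-phase failure view.

The report fields follow the NEL spec (type "network-error", body.phase in
dns/connection/application, body.type such as "tcp.timed_out"). The headers,
sample batch, collector URL and function names are constructed for this example.
"""
import json
from collections import Counter, defaultdict

# Enrolment headers a server would send (constructed values; collector URL is a placeholder).
NEL_HEADERS = {
    "Report-To": json.dumps({"group": "nel", "max_age": 86400,
                             "endpoints": [{"url": "https://nel-collector.example/reports"}]}),
    "NEL": json.dumps({"report_to": "nel", "max_age": 86400, "include_subdomains": True,
                       "failure_fraction": 1.0, "success_fraction": 0.01}),
}

FAILURE_PHASES = ("dns", "connection", "application")


def _report(phase: str, err_type: str, server_ip: str, status: int, age: int) -> dict:
    """Build one report in the shape a browser POSTs (application/reports+json)."""
    return {"age": age, "type": "network-error", "url": "https://app.example/api",
            "user_agent": "constructed-UA",
            "body": {"phase": phase, "type": err_type, "server_ip": server_ip,
                     "protocol": "h2" if server_ip else "", "status_code": status,
                     "elapsed_time": 5000, "method": "GET", "sampling_fraction": 1.0}}


# Constructed batch: one failure per phase plus a sampled success and one unrelated report type.
SAMPLE_BATCH = json.dumps([
    _report("dns", "dns.unreachable", "", 0, 1200),
    _report("connection", "tcp.timed_out", "203.0.113.10", 0, 900),
    _report("connection", "tls.cert.name_invalid", "203.0.113.10", 0, 850),
    _report("application", "http.error", "203.0.113.10", 503, 300),
    _report("application", "ok", "203.0.113.10", 200, 100),
    {"age": 10, "type": "deprecation", "url": "https://app.example/", "body": {}},
])


def parse_reports(raw: str) -> list:
    """Parse a POSTed batch; keep only well-formed network-error reports."""
    kept = []
    for rep in json.loads(raw):
        body = rep.get("body")
        if rep.get("type") != "network-error" or not isinstance(body, dict):
            continue
        if body.get("phase") not in FAILURE_PHASES or "type" not in body:
            continue
        kept.append(rep)
    return kept


def summarize(reports: list) -> dict:
    """Count reports by phase, by error type and by the edge server IP the client reached."""
    by_phase, by_type = Counter(), Counter()
    by_ip = defaultdict(Counter)
    for rep in reports:
        body = rep["body"]
        by_phase[body["phase"]] += 1
        by_type[body["type"]] += 1
        # DNS failures carry no server_ip: the client never resolved the edge.
        by_ip[body.get("server_ip") or "unresolved"][body["type"]] += 1
    total = len(reports)
    return {"total": total, "failures": total - by_type.get("ok", 0),
            "by_phase": dict(by_phase), "by_type": dict(by_type),
            "by_server_ip": {ip: dict(c) for ip, c in by_ip.items()}}


def invisible_to_server_logs(summary: dict) -> int:
    """DNS and connection-phase failures never reach CloudFront or the origin,
    so they exist only in NEL, not in access logs."""
    return summary["by_phase"].get("dns", 0) + summary["by_phase"].get("connection", 0)


if __name__ == "__main__":
    s = summarize(parse_reports(SAMPLE_BATCH))
    print(json.dumps(s, indent=2))
    print("failures with no server-side record:", invisible_to_server_logs(s))
```

A real collector would key the aggregation on the `Report-To` group and on the client's network (the report carries the client's `user_agent` and the `server_ip` it reached, which maps to a CloudFront POP), so that a spike in `connection`-phase errors for one `server_ip` stands out from an origin-side `http.error` spike that the origin logs would show anyway.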

Key Takeaways

  • Leverage CloudFront's Anycast Static IPs and Origin Control Helper to optimize performance and cost.
  • Consider CloudFront SaaS Manager for managing multi-tenant applications on the edge.
  • Enhance observability by integrating CloudFront with Network Error Logging.
  • Take advantage of out-of-the-box performance and security enhancements like HTTP/3 (QUIC), TLS 1.3, and AWS WAF managed rule sets.
  • Atlassian's journey demonstrates the business impact of migrating to the AWS edge: improved security, performance, cost optimization, and developer experience.
