From the course: AWS Administration: Security Operations

AWS Shield: Advanced - Amazon Web Services (AWS) Tutorial

AWS Shield: Advanced

- [Instructor] Now maybe that's not enough for you. So you want to move into Shield Advanced, which means you're paying a monthly fee and involving the Amazon experts. You're saying, hey, I need some help with this attack, I can't solve it. So Amazon will send over their DDoS Response Team, and the DRT is going to diagnose the attacks, look at the situation, and help you to create and deploy solutions on your behalf.

One of the things that Shield does is look at the protection that you currently have. If you are using network access control lists, these are protections for your subnet: this allows certain traffic in and certain traffic out, certain ports are allowed, certain ports are not. It moves that set of rules to the border of the AWS network during an attack, saying the customer only wants this type of traffic, that's all we're letting through.

If you're under attack, and let's say your applications are scaled up, or your applications are overwhelmed, well, you're using more compute resources, more storage resources. Shield Advanced provides cost protection from any DDoS attacks, so you get that spent money back off your bill. And the configuration of Web Application Firewall rules is included at no additional cost. We're going to be talking about WAF later on in this class; it allows you to create your own ACLs for public-facing resources. So Amazon is taking on that job for you as well at no additional cost. The beauty of the Web Application Firewall ACLs is that Layer 7 mitigations are performed by the Web Application Firewall. So Shield Advanced protection has a little more intelligence, because you're working with the Amazon experts to detect the attacks and mitigate the attacks.

Now the actual components that are going to be part of the public equation for communication will be things like your Elastic IP addresses. An Elastic IP address is a static public IP address, so the IP address itself doesn't change, that's assigned to your account. Once it's assigned to your account, you can then add it to load balancers or you can add it to an EC2 instance. It's for public communication. So once we add Elastic IP addresses into what Shield Advanced is going to protect, then any cursed or DDoS traffic that gets through that Elastic IP address will be protected, including cost protection. Elastic IP addresses are used for public-facing Elastic Load Balancers, whether it's an Application Load Balancer or a Network Load Balancer. Shield Advanced also protects the traffic, the ingress traffic, coming through CloudFront, the CDN. And of course it's protecting Route 53, the DNS service, and this also includes the Global Accelerator. And what the Global Accelerator is, is custom traffic rules for helping to protect your applications from the point of view of failover, or directing users to their fastest location. So the Global Accelerator is protected as well.

So for web applications, enabling Shield Advanced will help you protect your CloudFront distributions and your load balancers, specifically an Application Load Balancer. For your TCP applications, Shield Advanced will protect your application at that higher level because we've got those experts working on our behalf. If it's a TCP application, then the Network Load Balancer is the correct load balancer to be using for that type of application, as it supports TCP; web applications are supported by the Application Load Balancer. Network Load Balancers also use Elastic IP addresses, so they can be protected. If it's an EC2 instance with Shield Advanced enabled, we're protecting the instance through protection of the Elastic IP address. So if this sounds of interest to you, you'd go into the console, activate Shield Advanced, then select the resources that you want to protect.

Optionally, you could deploy Web Application Firewall rules. You could also add in rate-based rules; a rate-based rule actually counts what's going on traffic-wise, it counts the requests that are arriving from a specific IP address every five minutes. So if you see a large increase in traffic, this rule could alert you: hey, there's a spike in traffic, this could be a DDoS event. We can also configure CloudWatch alarms, and the CloudWatch alarms will alert us when there are issues. And if you've signed up for AWS Shield Advanced, you also have a global threat environment dashboard where you can watch the attacks and the remediations in real time.
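The rate-based rule the instructor describes counts requests per source IP over a trailing five-minute period and acts once that count passes a limit. The Python below is an added example, not code from the course or from AWS: it replays constructed request log lines (addresses from the documentation ranges 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24) through that same counting logic, so you can see which source would trip the rule and when, and it builds the matching rule object in the shape the wafv2 CreateWebACL/UpdateWebACL API takes in its `Rules` list. The rule name, metric name and the limit of 100 are assumptions for the demo; check the current WAF service minimum for `Limit` before using a value in production.

```python
"""Simulate the counting a WAF rate-based rule does, over sample request logs.

Added example for this transcript, not code from the course or from AWS.
The log lines are constructed and the addresses come from documentation ranges.
Requires Python 3.7+ for datetime.fromisoformat.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # the five-minute period the rule counts over
LIMIT = 100                     # assumed per-IP request limit for the demo


def build_sample_logs():
    """Constructed lines in the form '<ISO timestamp> <client ip> <method> <path>'."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    # Legitimate client: 30 requests, one every 20 seconds (at most 15 per window).
    for k in range(30):
        lines.append(f"{(base + timedelta(seconds=20 * k)).isoformat()} 198.51.100.20 GET /index.html")
    # Flood source: 250 requests at one per second; passes LIMIT on the 101st request.
    for k in range(250):
        lines.append(f"{(base + timedelta(seconds=k)).isoformat()} 203.0.113.7 GET /login")
    # Edge case: exactly LIMIT requests inside one window; the rule does not fire at == LIMIT.
    for k in range(100):
        lines.append(f"{(base + timedelta(seconds=2 * k)).isoformat()} 192.0.2.9 GET /api/items")
    return lines


def parse_line(line):
    ts, ip, _method, path = line.split()
    return datetime.fromisoformat(ts), ip, path


def scan_rate(lines, limit=LIMIT, window=WINDOW):
    """Replay requests in time order, keeping a trailing window of timestamps per source IP.

    Returns {ip: {"peak": highest request count seen in any window,
                  "exceeded_at": ISO time the count first passed `limit`, or None}}.
    """
    recent = defaultdict(deque)
    result = {}
    for ts, ip, _path in sorted(parse_line(line) for line in lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:      # evict requests that fell out of the window
            q.popleft()
        entry = result.setdefault(ip, {"peak": 0, "exceeded_at": None})
        entry["peak"] = max(entry["peak"], len(q))
        if len(q) > limit and entry["exceeded_at"] is None:
            entry["exceeded_at"] = ts.isoformat()
    return result


def rate_based_rule(name, limit, priority=0):
    """Build a wafv2 web ACL rule that blocks any source IP above `limit` requests per 5 minutes.

    Shape follows the 'Rules' entries of wafv2 CreateWebACL/UpdateWebACL; the rule and
    metric names are demo assumptions. `limit` must respect the WAF service minimum.
    """
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


if __name__ == "__main__":
    for ip, info in scan_rate(build_sample_logs()).items():
        print(ip, info)
    print(rate_based_rule("block-floods", LIMIT))
```

Running the script shows 203.0.113.7 crossing the limit at 12:01:40 with a peak of 250 in-window requests, while the client sitting exactly at 100 is left alone; that boundary is worth keeping in mind when you pick a limit, since the rule fires only once the count is above it. The rule object is what you would place in the web ACL attached to the Application Load Balancer or CloudFront distribution, with `Action` switched to `{"Count": {}}` first if you only want the CloudWatch metric and alarm the instructor mentions rather than immediate blocking.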
