Amazon CloudFront and EC2: Global Load Balancing

We have an app that is going to store and serve up a decent amount of data in S3 to a global audience where latency should be minimized. So, we've been doing tests with Amazon CloudFront and have seen favorable results.

However, we need a thin middleware layer (to do security etc.) and we'd like to put that in EC2. Due to security restrictions, this middleware layer will do the file streaming from S3/CloudFront:

S3/CloudFront -> EC2 -> Clients

We can geographically distribute the EC2 nodes (US East/West, and Ireland) but the problem is that a client in the EU would hit our US server and be fed data from there, thus rendering much of the performance benefit of CloudFront moot. I've been digging through the EC2 docs but I can't find a built-in way to get a geographically distributed version of EC2 a la CloudFront.

Elastic Load Balancing sounds like the way to go, but I can't seem to find a way with that to direct based on routing... Preferably, we'd like to keep the amount of stuff outside of EC2/S3/etc. to a minimum (for obvious reasons).

Any ideas how to do that within the EC2/S3 framework? DNS/routing tricks?

Thanks!


Solution 1:

Using a middle layer usually negates the benefits of a distributed CDN, as you will only have a few nodes in large central data centers serving the content instead of many edge-cache nodes. If your plan truly requires piping the content through a server first then skip CloudFront and just stick with S3, as you will not get any benefits from it.

A better approach is to formalize what you mean by "security etc." and see if you can get away with using the Authentication and Access Controls that are built into the CDN. S3 and CloudFront use signatures to provide extensive control over who can access the content, and you can even create time-limited URLs that will expire after a few hours or minutes. These special URLs can be created by your website so that users can't deep link to the content or share the link with someone else, and usually provide good enough security that still lets you benefit from edge caching.

I am not very familiar with the Amazon documentation, but Windows Azure also has the concept of Shared Access Signatures that let you delegate permissions for uploading or downloading without ever releasing your private keys. There was a recent Cloud Cover episode on Channel 9 that does a great job of describing how to create shared access signatures and how they can be used to secure content and delegate permissions on a CDN.

Solution 2:

You can use a DNS service which supports routing requests based on a user's country to a different server, but there is probably no point in using CloudFront if you're serving data from EC2, and from the looks of it no point in using S3 either, since you're always sending the data from your EC2 instance.

Perhaps if you offered more info on what sort of data you're sending out a better solution might become visible.