The document discusses how Slack uses Amazon CloudFront to accelerate its API delivery. Some key points: - Slack saw performance and latency improvements by migrating its API from Elastic Load Balancers to CloudFront. This included average latency dropping from 90ms to 15ms worldwide. - CloudFront provides automatic DDoS protection and security benefits that have improved reliability compared to other CDN providers. - Slack serves over 5 billion API requests per week and saw response times drop from 480ms to 200ms on average worldwide after using CloudFront. - Future plans include pushing more functionality like rate limiting to the edge for improved performance and security.

1. Secured API Acceleration
June 23, 2016
Nihar Bihani
Principal Product Manager, Amazon CloudFront
Alex Graham
Sr. Operations Engineer, Slack

2. Agenda
Challenges with Delivering APIs
CloudFront for API Delivery
Customer Story: Slack
@cloudfront

3. Delivering APIs
@cloudfront

4. API Proliferation
2,418
10,302
0
2000
4000
6000
8000
10000
12000 Jun-05
Sep-05
Dec-05
Mar-06
Jun-06
Sep-06
Dec-06
Mar-07
Jun-07
Sep-07
Dec-07
Mar-08
Jun-08
Sep-08
Dec-08
Mar-09
Jun-09
Sep-09
Dec-09
Mar-10
Jun-10
Sep-10
Dec-10
Mar-11
Jun-11
Sep-11
Dec-11
Mar-12
Jun-12
Sep-12
Dec-12
Mar-13
Jun-13
Sep-13
* Data from ProgrammableWeb
#ofpublishedAPIs
@cloudfront

5. Challenges with Delivering APIs
API Response Time
APIs are often not
cacheable
Improving performance is
non-trivial
Security & DDoS Target
Protect from DDoS attacks
Block malicious activity
Scaling & Availability
Operational burden
Availability risks
@cloudfront

6. How can Amazon CloudFront help APIs
@cloudfront

7. Amazon CloudFront
 Global Content Delivery Network
 Accelerate Web Applications and APIs
 Also, Accelerate images, video etc.
@cloudfront

8. CloudFront for API Delivery: Benefits
Application Acceleration
Network Optimizations
Secured Delivery
AWS WAF
Inherent DDoS Protection
Designed for High
Availability
Global Edge Network
Intelligent Routing
AWS WAF
@cloudfront

9. Let’s Dive Deeper
@cloudfront

10. API Delivery: App Acceleration
Application Acceleration
Network Optimizations
AWS WAF
@cloudfront

11. Behind the Scenes: Application Acceleration
 CloudFront Latency Based Routing
 TCP/IP Optimizations for the Network Path
 Keep-Alive Connections to reduce RTT
 AWS Backbone Network
 SSL/TLS Optimizations
@cloudfront

12. SSL/TLS Optimizations
 SSL/TLS Termination close to viewers
 OCSP Stapling
 Caching Session Tickets CloudFront
Edge location
Caching Session tickets
@cloudfront

13. API Delivery: Security
Secured Delivery
AWS WAF
Inherent DDoS Protection
AWS WAF
@cloudfront

14. DDoS Protection for AWS Infrastructure
 Inherent Protection
You don’t have to
enable anything
Layer 3/4 attacks like
SYN and UDP floods.
Layer 7 attacks like
Slowloris
 Inline Detection &
Mitigation
Low MTTR
Microsecond latencies
 Proven DDoS
Mitigation Techniques
Targeted and heuristic
mitigations
virtual private cloud
AWS global infrastructure
DDoS attack
Users AWS
DDoS mitigation
Amazon
CloudFront
Amazon
Route 53
@cloudfront

15. DDoS Mitigation Techniques
Basic Hygiene
Automatically filters
invalid Packets
e.g., block any UDP
destined to CloudFront
Traffic ACLs
Prioritize good vs bad
traffic based on several
factors
- DNS Request validation
- Source IP
- Source ASN
- Traffic Levels
- Validated Sources
Redundant High
Capacity Network Paths
Viewers always have a path
to reach CloudFront
@cloudfront

16. DDoS Mitigation
No Impact to Availability even during DDoS Attack
Sample Attack on CloudFront Customer
@cloudfront

17. AWS WAF for Secured API Delivery
@cloudfront

18. API Delivery: Availability
Designed for High
Availability
Global Edge Network
Intelligent Routing
AWS WAF
@cloudfront

19. Designed for High Availability
DDoS Attacks
Ensures DDoS attacks
don’t cause outages
Scale for Traffic Surge
Load based dynamic routing
Multiple transit providers
Collapse forwarding
Maintain buffer
Operator Errors
Fault tolerant deployment
Mitigate the Top 3 Risks for Availability
@cloudfront

20. Scalability
Built to handle large scale events
@cloudfront

21. Slack uses CloudFront for API Acceleration
Amazon
CloudFront

22. Alex Graham
Sr. Operations Engineer

23. Secure API Acceleration using
Amazon CloudFront

24. Agenda:
1. Slack API Overview
2. Why Amazon CloudFront?
3. Migration from ELB
4. Performance Metrics
5. Future Plans

25. Slack API Overview

26. ● POSTs and GETs to an HTTPS endpoint
Responses will come back as json objects
● All Slack clients are API consumers
Mobile, Desktop and Web clients use our API
● Accelerated Globally using CloudFront
Requests to slack.com and the HTTPS API are powered by
CloudFront
Web API

27. ● Search for all files or messages containing the string “Hello”
GET https://slack.com/api/search.all?token=xoxp-...&query=Hello
● List all channels along with their members
GET https://slack.com/api/channels.list?token=xoxp-...
● Create a new channel called “#test”
GET https://slack.com/api/channels.create?token=xoxp-...&name=test
Web API Examples

28. 3 Million Daily Active Users
Each user is making API calls all day.
1.5 Billion Total Requests Per Day
Over 10 Billion per week!
52% of those are API requests
Over 5 Billion API requests per week!
👤
🚀
📈
Web API Stats

29. Why Amazon CloudFront?

30. DDoS Protection & Security Benefits
Amazon has some tricks up their sleeve.
Network Infrastructure
AWS Global Network Backbone
Performance and Reliability
CloudFront is designed for high volumes of traffic.
🔒
📈
📡
Benefits with Amazon CloudFront

31. ● Flexibility and ability to customize
No magic switches, everything can be configured.
● Outperformed all other DDoS and CDN providers
CloudFront stability was better than the other providers we tested.
● Pairs nicely with existing AWS technology
CloudFront is easy to configure with ELB and S3.
Why We Chose Amazon CloudFront

32. Migration from ELB

33. Caching Disabled
All API responses are dynamic so nothing is cached.
Forward all headers, cookies and query strings to origin
Forward all the things!
S3 bucket with static HTML error pages
If the origin is not responding we will still serve an error page from
S3.
💥
📉
Amazon CloudFront Configuration

34. Slack API Before Amazon CloudFront

35. Slack API During Migration to Amazon CloudFront

36. Slack API Today

37. Performance Metrics

38. Average latency around the world to slack.com dropped from 90ms to
15ms.
Network Latency

39. Average response time around the world to slack.com dropped from 480ms to
200ms.
Response Time

40. Connection Breakdown
Amazon CloudFrontus-east-1 ELB

42. ● Less affected by internet outages and route leaks.
Traffic enters the AWS backbone closer to the client.
● Slack loads more quickly all around the world.
The client spends less time waiting for API calls.
● Automatic DDoS protection
We let AWS deal with DDoS attacks without waking up the ops team.
Direct Benefits for Slack

43. Future Plans

44. ● Pushing Rate Limits to the edge.
Less infrastructure to maintain means less time and money.
● Limiting unauthenticated requests at the edge.
Stop high layer DDoS attacks early by setting per IP request limits.
● Alerting or posting to Slack when rate limits are tripped.
We want to know about this, it might be an attack or misconfiguration.
Rate Limiting

45. ● Manually adding rules to mitigate an attack
If our infrastructure is overwhelmed we can block at the edge.
● Blocking known bad IPs
Block known botnets using IP Blacklists.
● Using Lambda and WAF to block based on rule sets
Determine safe limits and temporarily block offenders.
Blocking Malicious Traffic

46. Thanks!

47. We are Hiring!
slack.com/jobs