In the last blog, we talked about how to find out and block the IP address of the clients accessing our service running on OpenShift.
Once you have your content created as a service running on OpenShift on AWS, its delivery to the end customers is extremely important. This is where AWS CloudFront can help. CloudFront is a fast-content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds within a developer-friendly environment.
CloudFront delivers static and dynamic content using a single distribution method.
CloudFront caches content at end locations, this allows customers to access content without adding additional load on the OpenShift cluster resources. Customers gain the benefit of reduced latency as they are able to access content from the edge location which may be geographically closer than the related AWS region. CloudFront can be part of the application resilience design complimenting the ability for workloads to operate at scale as well as allowing access to content should a failure manifest. As demand increases the edge locations reduce the need for backend OpenShift resources to scale, or provides time for these resources to scale. This is typically the case should additional underlying compute such as EC2 instances be required and provisioned. AWS CloudFront can also be combined with other caching solutions such as AWS elasticache which would be used with data sources such as the relational databases being used either in OpenShift or natively on AWS such as AWS relational database service (RDS).
CloudFront also enables control over users in selected countries accessing our content, by creating a whitelist or blacklist. The whitelist allows countries access to content ) while the blacklist denies content access. countries
In this blog, we will look at how to create an AWS CloudFront Distribution as well as how to restrict countries from accessing your services running on OpenShift.
For this blog, I have deployed OpenShift on AWS using the IPI (Installer Provisioned Installer), and for the service, I created a blog application, which is designed to showcase OpenShift features. The application is implemented using Python and Django.
To learn more about installing the blog application from the source, please visit: https://learn.openshift.com/introduction/deploying-python/
As I created the application using the web console, a Route was automatically created for the application and will be exposed outside the cluster. The URL to access the blog application is: http://blog-django-py-myproject.apps.mytest.ocp4-test-mshetty.com
Let's look at how we can create an AWS CloudFront Distribution and use it to blacklist certain countries from accessing your blog service.
- First, we create a AWS CloudFront Distribution on CloudFront from the AWS console:
- Next, we create a new Distribution by clicking on the “Create Distribution” button.
- In the “Select a delivery method for your content,” select the “Get Started” button under the Web distribution.
- When you click on the Origin Domain Name, field you’ll see the S3 buckets used for the registry and the Elastic Load Balancers, but ignore and that and enter “blog-django-py-myproject.apps.mytest.ocp4-test-mshetty.com”. I left the other values in the form as default for this post and clicked on the “Create Distribution” at the bottom of the page.
- The CloudFront Distribution is created when the State is Enabled, and the Status changes from “In Progress” to “Deployed”:
- We can now use the CloudFront Domain name “d2ol5va9tfpqgt.cloudfront.net” to access your service by entering it into the URL of the browser.
- Now, to blacklist a country, click on the “Distribution Settings” button, and then go to the “Restrictions” tab and click on Edit:
- Next, we can test this by connecting to a VPN server in that country or with LocaBrowser, by trying to access the service using the CloudFront domain name:
Using the CloudFront domain name is fine, but wouldn’t it be nice to use your own domain name (for example, www.example.com) in the files’ URLs instead? Check out this link for information on using alternate domain names.
AWS WAF for Additional Rules and Resources:
If you want to apply the country blacklist to your other resources on AWS, or you want to apply additional security rules to your service running on OpenShift, you could use AWS WAF to create the rules and apply them to your CloudFront distributions or other Regional resources (Application Load Balancer, API Gateway, AWS AppSync).
As you see, I have the rule that blocks countries along with three additional rules, that make up the AWS WAF Web ACL called myACL. The Web ACL is then applied to the my CloudFront Distribution resource type:
You can see below that the AWS WAF Web ACL is associated with the CloudFront resource used for your OpenShift service:
There we go! It is really that simple to deliver and block access from certain regions to services running on OpenShift on AWS.
About the author
Mayur Shetty is a Principal Solution Architect with Red Hat’s Global Partners and Alliances (GPA) organization, working closely with cloud and system partners. He has been with Red Hat for more than five years and was part of the OpenStack Tiger Team.
More like this
Browse by channel
Automation
The latest on IT automation that spans tech, teams, and environments
Artificial intelligence
Explore the platforms and partners building a faster path for AI
Open hybrid cloud
Explore how we build a more flexible future with hybrid cloud
Security
Explore how we reduce risks across environments and technologies
Edge computing
Updates on the solutions that simplify infrastructure at the edge
Infrastructure
Stay up to date on the world’s leading enterprise Linux platform
Applications
The latest on our solutions to the toughest application challenges
Original shows
Entertaining stories from the makers and leaders in enterprise tech
Products
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud services
- See all products
Tools
- Training and certification
- My account
- Developer resources
- Customer support
- Red Hat value calculator
- Red Hat Ecosystem Catalog
- Find a partner
Try, buy, & sell
Communicate
About Red Hat
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
Select a language
Red Hat legal and privacy links
- About Red Hat
- Jobs
- Events
- Locations
- Contact Red Hat
- Red Hat Blog
- Diversity, equity, and inclusion
- Cool Stuff Store
- Red Hat Summit