AWS Finland Meetup CloudFront authentication and Lambda@Edge
1. AWS Finland Meetup: CloudFront authentication and Lambda@Edge
Uri Savelchev, 24.05.2022
2. Agenda
1. About Zalando
2. Problem statement
3. History
4. CloudFront
5. Solution Design
6. Details and Caveats
7. Why is it cool?
8. Q&A
3. This is Zalando. The Starting Point for Fashion.
4. This is Zalando: we take the lead in European fashion.
14.3 bn Euro GMV
almost 49 m active customers
>5,800 brands
5. Markets: bringing fashion to 23 countries
2008-2009, 2010, 2011, 2012-2013, 2018, 2021
6. Zalando offices
01 Berlin Headquarters
02 Erfurt Tech Office
03 Mönchengladbach Tech Office
04 Dortmund Tech Hub
05 Dublin Tech Hub
06 Helsinki Tech Hub
07 Zurich Tech Hub
7. Platform: Zalando Helsinki
Founded in 2015
Location: Kamppi
160+ employees
39 nationalities
Company language: English
8. Zalando Finland Business Units
01 Connected Retail
Connected Retail offers physical retailers a chance to connect to the Zalando platform and sell products directly to our growing online customer base.
02 Customer Fulfillment
In Helsinki, the Customer Fulfillment teams are building products to streamline a wide range of processes and material flows in Zalando’s fulfillment network.
03 Digital Experience
The Digital Experience teams build the actual customer experience of the Zalando Fashion Store. We are responsible for some of the most prestigious real estate on Zalando - the Home screen of the Zalando Fashion Store.
04 Recommerce
The Helsinki Recommerce Engineering team is focusing on integrating the pre-owned fashion experience into the main Zalando site and apps.
9. Vision: Be part of our journey. The Starting Point for Fashion.
zalandohelsinki.com
10. Problem
Need to serve static web content for internal users:
● E2E functional test results
● Load test results
● Domain specific reports
● …
The content is internal and should not be visible outside Zalando, so we need authentication.
The content is static but not persistent: it is updated regularly or occasionally.
The content does not contain sensitive information and can be shared with anyone in the company, so no special authorization or roles are required.
The content may vary a lot in size.
11. The very first idea: “Let’s use S3”
It is robust and durable, it can store any amount of data. It supports data aging via its “storage lifecycle policy”. It is reasonably cheap.
We actively use S3 in our apps in Zalando; our CI/CD solution supports uploading to S3 out of the box.
S3 supports static website hosting.
S3 supports authentication, so is the problem solved?
S3 works with AWS authentication only, which means the user has to authenticate with Amazon for the specific AWS account. We want it to work with our Platform IAM system (OAuth2).
S3 may be slow when you need to access many small files.
12. S3 seems to be a proper storage for the content, but we need something else to serve it to users
13. History: first solution
NGINX with a Lua script to go through the OAuth2 authentication flow, based on the Cloudflare script.
aws s3 sync to synchronize content from S3 to a local K8s volume, running as a sidecar container.
14. It worked, but…
The content size tends to grow, which makes it difficult to use local storage.
Using persisted volumes (EBS) has its own problems.
15. Can we serve from S3 directly?
16. AWS CloudFront
CloudFront is the AWS managed CDN. Being connected to many large internet providers, it provides fast and effective delivery of content.
AWS S3 is the most popular origin for CloudFront distributions.
For a low-profile distribution CloudFront is almost free (the free tier is 1TB/month per account).
In 2021 Zalando migrated our CDNs to CloudFront.
17. What if we use CloudFront?
CloudFront supports access authorization via signed URLs and signed cookies. Public access is blocked.
We need some code to handle the OAuth2 authentication and then to issue the signed cookies for a limited time.
18. OAuth2 Authorization Code Flow
The common user authentication flow for web applications. The access token is never sent to the client browser, so access is limited by the client application logic (server side).
19. The obvious choice is to deploy the code as Lambda@Edge
There are a number of published articles with ready blueprints to deploy CloudFront and Lambda@Edge together, e.g. the nice one from Ernest Chiang.
To run at the edge, a Lambda has to be deployed to us-east-1. Unfortunately, at the time of creating the solution (spring 2021) deploying to non-European regions was not supported for us.
20. Had to resort* to a plain Kubernetes service
* Now we can deploy Lambda@Edge, so I’m going to migrate it to Lambda
21. Solution
A Kubernetes service goes through the OAuth2 authorization code flow and then issues signed cookies for CloudFront.
● The service is responsible only for the OAuth2 flow; the rest is handled by CloudFront.
● When the cookies have expired, CloudFront has to return error 403. We set a custom page for it, saying the session has expired and asking the user to click through to the Auth URL.
22. Details and caveats
01 Domain magic: cookies may be set for the super-domain using the “Lax” policy.
02 Specific URL for redirect: use something like /index.html to avoid looping.
03 Different cache behaviors: disable caching for the Auth Origin.
04 Think about invalidations: in our case we invalidate the root document every time it is updated in S3. Also keep the CloudFront distribution ID somewhere - you need it to trigger invalidations.
05 Use a mainstream language: signed cookie generation is trivial, but picky about details, so use some ready-to-use code if possible.
25. Why do I think the solution is cool?
26. Why it is cool
01 Simplicity: we need to validate the user and issue a cookie; the rest is handled for us by AWS.
02 Effectiveness: whatever the content size, it is served fast.
03 Cost effective: while your traffic is under 1TB/month, you pay Amazon for invalidations only. The authentication service is very light and does not consume many resources.
04 Robust: the authentication service is very simple and has only one dependency - the Zalando OAuth2 service.
05 Customizable: if I need to add authorization rules, I can extend the authentication service and I don’t need to touch the CloudFront part at all.
27. Thank You