Building basic DDoS resilient architectures with Shield Advanced
This page explains Distributed Denial of Service (DDoS) resiliency and introduces two example architectures.
DDoS resiliency is the ability of your application architecture to withstand DDoS attacks while continuing to serve legitimate end users. An application that is highly resilient can remain available during an attack with minimal impact on performance metrics such as errors or latency. This section shows some common example architectures and describes how to use the DDoS detection and mitigation capabilities that are provided by Amazon and Shield Advanced to increase their DDoS resiliency.
The example architectures in this section highlight the Amazon services that provide the greatest DDoS resiliency benefits for your deployed applications. The benefits of the highlighted services include the following:
-
Access to globally distributed network capacity – The services Amazon CloudFront, Amazon Global Accelerator, and Amazon Route 53 provide you with access to internet and DDoS mitigation capacity across the Amazon global edge network. This is useful in mitigating larger volumetric attacks, which can reach terabits in scale. You can run your application in any Amazon Region and use these services to protect availability and optimize performance for your legitimate users.
-
Protection against web application layer DDoS attack vectors – Web application layer DDoS attacks are best mitigated using a combination of application scale and a web application firewall (WAF). Shield Advanced uses web request inspection logs from Amazon WAF to detect anomalies that can be mitigated either automatically or via engagement with the Amazon Shield Response Team (SRT). Automatic mitigation is available through deployed Amazon WAF rate-based rules and also through the Shield Advanced automatic application layer DDoS mitigation.
In addition to reviewing these examples, review and follow the applicable best practices at Amazon Best Practices for DDoS Resiliency.