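CloudFront announces support for ECDSA certificates

Amazon CloudFront has announced support for ECDSA certificates: "Amazon CloudFront now supports ECDSA certificates for HTTPS connections to viewers".

The main purpose is to make the certificate smaller, so that establishing an HTTPS connection is faster (both in transfer speed and in computation speed):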

As a result, conducting TLS handshakes with ECDSA certificates requires less networking and computing resources making them a good option for IoT devices that have limited storage and processing capabilities.

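A long time ago I seem to recall seeing material saying that the computation cost of 256-bit EC is about the same as that of 768~1024-bit RSA, but I can't find the source right now...

Currently CloudFront only supports NIST P-256 (secp256r1, also called prime256v1):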

Starting today, you can use Elliptic Curve Digital Signature Algorithm (ECDSA) P256 certificates to negotiate HTTPS connections between your viewers and Amazon CloudFront.

But NIST P-256 has long been criticized. "SafeCurves: choosing safe curves for elliptic-curve cryptography" shows that the efficiency-oriented design choices NIST claimed do not actually hold up:

Subsequent research (and to some extent previous research) showed that essentially all of these efficiency-related decisions were suboptimal, that many of them actively damaged efficiency, and that some of them were bad for security.

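But the standards currently converge on NIST P-256, NIST P-384 and NIST P-521 (mainly because of CA/Browser Forum restrictions), so there is no way to get a certificate issued for other curves; for now I'll probably keep watching...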

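CloudFront price cuts in India and Asia Pacific

AWS announced CloudFront price cuts in India and the Asia Pacific region: "Amazon CloudFront announces price cuts in India and Asia Pacific regions", effective retroactively from the beginning of this month: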

Amazon CloudFront announces price cuts of up to 36% in India and up to 20% in the Asia Pacific region (Hong Kong, Indonesia, Philippines, Singapore, South Korea, Taiwan, & Thailand) for Regional Data Transfer Out to Internet rates. The new CloudFront prices in these regions are effective May 1st, 2021.

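Comparing the current "Amazon CloudFront Pricing" page with the copy of "Amazon CloudFront Pricing" on the Internet Archive, it looks like the First 10TB, Next 40TB, Next 100TB and Next 350TB tiers all dropped, while the tiers above that stay at the original price.

For people with simple usage, traffic mainly falls in the First 10TB tier, where the per-GB price in Asia Pacific drops from USD$0.14 to USD$0.12, which helps a little; organizations with large enough volume have probably all negotiated commit & discount already...

CloudFront splits up the original Lambda@Edge product line and launches CloudFront Functions

Amazon CloudFront has split up its original Lambda@Edge product line, adding CloudFront Functions: "Introducing CloudFront Functions – Run Your Code at the Edge with Low Latency at Any Scale".

From a product perspective, it has more restrictions than Lambda@Edge, but it is much cheaper.

Looking at the pricing first, CloudFront Functions charges only for requests: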

Invocation pricing is $0.10 per 1 million invocations ($0.0000001 per request).

Lambda@Edge, on the other hand, has two charges, and the request charge alone is six times as much:

Request pricing is $0.60 per 1 million requests ($0.0000006 per request).

Duration is calculated from the time your code begins executing until it returns or otherwise terminates. You are charged $0.00005001 for every GB-second used.

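Of course, the low price of CloudFront Functions comes with quite a few restrictions; the main ones are evident from the maximum execution time of only 1ms and the memory limit of only 2MB.

But this is enough for lightweight operations, which mainly means manipulating HTTP headers...

Another interesting point in the comparison table is "JavaScript (ECMAScript 5.1 compliant)"; that suggests it isn't Node.js (V8 engine) but some other JS engine?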
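As an added example of the lightweight header manipulation described above (not code from the original post or from AWS), here is a viewer-response handler written in ES5.1-only syntax that adds security headers the origin did not set. The header values and the sample event are constructed for illustration.

```javascript
// Constructed header policy; adjust the values to your own requirements.
var SECURITY_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'same-origin'
};

// Viewer-response handler. Only ES5.1 features are used (var, function,
// for-in): no let/const, arrow functions or template literals.
function handler(event) {
  var response = event.response;
  var headers = response.headers;
  for (var name in SECURITY_HEADERS) {
    // Header names are lowercase keys; each value is wrapped in { value: ... }.
    // A header the origin already sent is left untouched.
    if (SECURITY_HEADERS.hasOwnProperty(name) && !headers[name]) {
      headers[name] = { value: SECURITY_HEADERS[name] };
    }
  }
  return response;
}

// Constructed viewer-response event for a local dry run.
function sampleEvent() {
  return {
    request: { method: 'GET', uri: '/index.html', headers: {} },
    response: {
      statusCode: 200,
      headers: {
        'content-type': { value: 'text/html' },
        'x-frame-options': { value: 'SAMEORIGIN' } // set by the origin
      }
    }
  };
}
```

The loop does no I/O and touches a fixed, small number of headers, which is the kind of work that fits inside the 1ms and 2MB limits.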

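AWS launches Amazon Elastic Container Registry Public (the public version of ECR)

This is an extension of the product line, making Amazon ECR available for public use: "Amazon Elastic Container Registry Public: A New Public Container Registry".

A slightly amusing thing about this post is that the upper image in the article has the path blurred, but the lower one isn't masked, and the text afterwards also mentions the path directly (this is something meant for users to play with...).

ECR Public automatically replicates to two regions, but the settings page doesn't seem to say how they are chosen... Also, CloudFront sits in front for acceleration.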

ECR Public automatically replicates container images across two AWS Regions to reduce download times and improve availability. Therefore, using public images directly from ECR Public may simplify your build process if you were previously creating and managing local copies. ECR Public caches image layers in Amazon CloudFront, to improve pull performance for a global audience, especially for popular images.


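Amazon CloudFront adds locations in Mexico and New Zealand

Amazon CloudFront has added four new locations, two in Mexico and two in New Zealand: "Amazon CloudFront launches in two new countries - Mexico and New Zealand".

What is notable is that the Mexico locations are still grouped under North America pricing, which is the lowest price tier in CloudFront: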

In Mexico, our two new edge locations in Querétaro will provide viewers as much as a 30% reduction in p90 latency measures. These new edge locations are priced within CloudFront’s North America geographic region.


CloudFront announces Brotli support

CloudFront has announced support for Brotli: "Amazon CloudFront announces support for Brotli compression".

According to the official announcement, it can be 24% better than Gzip:

CloudFront's Brotli edge compression delivers up to 24% smaller file sizes as compared to Gzip.

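The test numbers Akamai gives in "Understanding Brotli's Potential" are broken down by category, and you can see that Brotli brings the largest improvement for html.

Previously Brotli could still be supported on CloudFront, mainly by having the backend support Brotli and return different data, plus a Vary: Accept-Encoding setting so that CloudFront caches separately for different Accept-Encoding values.

This support means CloudFront now understands Brotli, which improves the hit rate and reduces load on the backend: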

Prior to today, you could enable Brotli compression at the origin by whitelisting the 'Accept-Encoding' header. Now CloudFront includes 'br' in the normalized 'Accept-Encoding' header before forwarding it to your origin. You no longer need to whitelist the 'Accept-Encoding' header to enable Brotli origin compression, improving your overall cache hit ratio. Additionally, if your origin sends uncompressed content to CloudFront, CloudFront can now automatically compress cacheable responses at the edge using Brotli.
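The hit-rate difference described above can be seen in a small simulation, added here as an example that is not from the original post and is not CloudFront's own code. The normalization rule is a simplified model (an assumption) that keeps only br and gzip in a fixed order, and the sample headers are constructed.

```javascript
// Parse an Accept-Encoding header into the set of encodings the client
// accepts, dropping entries that are explicitly refused with q=0.
function parseEncodings(header) {
  var accepted = {};
  (header || '').split(',').forEach(function (part) {
    var pieces = part.trim().toLowerCase().split(';');
    var name = pieces[0].trim();
    if (!name) return;
    var q = 1;
    pieces.slice(1).forEach(function (p) {
      var m = /^\s*q=([0-9.]+)\s*$/.exec(p);
      if (m) q = parseFloat(m[1]);
    });
    if (q > 0) accepted[name] = true;
  });
  return accepted;
}

// Simplified model of normalization: only br and gzip matter,
// always emitted in the same order, so equivalent headers collapse.
function normalizeAcceptEncoding(header) {
  var a = parseEncodings(header);
  var out = [];
  if (a.br) out.push('br');
  if (a.gzip) out.push('gzip');
  return out.join(',');
}

// Count how many cached copies of one URL result from a list of requests
// when keyFn decides which part of Accept-Encoding enters the cache key.
function countCacheVariants(headers, keyFn) {
  var seen = {};
  headers.forEach(function (h) { seen[keyFn(h)] = true; });
  return Object.keys(seen).length;
}

// Constructed Accept-Encoding values as different clients might send them.
var SAMPLE_HEADERS = [
  'gzip, deflate, br',
  'br, gzip',
  'gzip, deflate',
  'gzip;q=1.0, br;q=0.8',
  'gzip, br;q=0',
  'gzip, deflate, br, zstd'
];

function rawKey(h) { return h; }
```

With the raw header in the cache key the six sample requests produce six cached copies and six origin fetches; with the normalized value they produce two.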


CloudFront supports TLS 1.3

I saw AWS's announcement that CloudFront now supports TLS 1.3: "Amazon CloudFront announces support for TLSv1.3 for viewer connections".


TLSv1.3 is available today and enabled by default across all Amazon CloudFront security policies options. No additional changes are required to your CloudFront configuration to benefit from the security and performance improvements of TLSv1.3 for your viewer connections.

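The biggest difference for users is probably the improved time to first byte (mainly because the handshake time is shorter); AWS also mentions the improvement seen in the US region during internal testing: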

In our own internal tests in the US region as an example, first byte latency for new negotiated connections saw reductions of up to 33% for TLSv1.3 compared to previous versions of TLS.

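Regions with higher latency should see a significant improvement as well...

Amazon Lightsail now offers a CDN service too...

Amazon Lightsail has launched a CDN service as well: "Amazon Lightsail now offers CDN distributions to accelerate content delivery".

This service is built on top of CloudFront: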

This native service, called Lightsail CDN, is backed by Amazon CloudFront, Amazon Web Services’ CDN platform that uses a global network of servers in over 200 locations across 42 countries to store and deliver your content throughout the world. Lightsail CDN distributions can be created and configured with just a few clicks for a low, predictable monthly price, and you can get started for free.

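Looking at the pricing, the free plan includes 50GB/month, which should cover a typical self-hosted WordPress blog or similar.

Among the paid plans, USD$10/month gives 200GB, but USD$35/month only gives 500GB? The more you use, the more expensive it gets; I don't understand this pricing...

But it looks like there are quite a few cases where it is cheaper than CloudFront (if you have a fair amount of traffic outside Europe and the US). Also, Lightsail CDN doesn't list a per-request fee, so presumably that part isn't charged? That would make it an option if you have lots of small files?

Amazon Lightsail keeps taking AWS's own products out to fight in the market; I wonder how existing VPS providers will offer similar plans. Pair with Cloudflare? Or pair with services like Fastly? (That said, Fastly's list price is really expensive XD)

CloudFront's sixth region in India: Kolkata

After looking it up I found that India is probably the single country with the most CloudFront locations, second only to North America: "Amazon CloudFront announces its first Edge locations in Kolkata and Hamburg".

The data listed on the "Amazon CloudFront Key Features" page shows that India now has a sixth region: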

Edge locations: Bangalore, India (3); Chennai, India (2); Hong Kong, China (3); Hyderabad, India (4); Kolkata, India; Kuala Lumpur, Malaysia (2); Mumbai, India (3); Manila, Philippines; New Delhi, India (4); Osaka, Japan; Seoul, South Korea (4); Singapore (4); Taipei, Taiwan(3); Tokyo, Japan (16)

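However, in terms of the total number of nodes, India and Japan both have 17 (Germany has 16), and the Tokyo area alone has 16, which really gives the feel of a major network hub...

CloudFront's new expansion locations...

Amazon CloudFront announced new nodes this time, each of them the first location in its region, which can significantly reduce latency: "Amazon CloudFront launches in five new countries - Bulgaria, Greece, Hungary, Kenya, and Romania".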

