In this lecture, we'll discuss ELB integration with Amazon CloudFront and AWS Web Application Firewall (WAF). ACME has customers around the globe. Recently, they have been getting complaints from customers in the USA stating that when placing orders from their website,  it is slow. ACME does not want to deploy more web servers in the USA region, but they are willing to have their content distributed close to their customers to reduce latency and therefore increased performance. To that end, they have decided to integrate their current solution with Amazon CloudFront, a news CloudFront to cache content on AWS edge locations close to the customers that need access to it. 

Security is also a concern for ACME. So, as part of this integration, they have decided to use AWS Web Application Firewall (WAF) to provide protection from common web exploits and box. To integrate CloudFront with their solution and take advantage of CloudFront caching of content and this reduced latency, ACME will create a CloudFront distribution and then adjust the Alias records in route 53 to route traffic to the distribution instead of the ELB. When configuring a CloudFront distribution, you select one of more origins and origin is where your content can be found and where CloudFront will fetch content from when one of your customers requests it. 

In our example, the origin will be set to ACME's ELB. Select the protocols to be used to connect the origin and the protocols customers can use to connect the distribution, choose cache time to lives, and select certificate to be used for HTTPS traffic. We could also set a pricing class. The pricing class controls groupings of edge locations that our content can be cached on. The three price classes are: Use all edge locations, this is the most expensive class. Use only North America and Europe, this is the cheapest price in class. And use North America, Europe, Asia, Middle East, and Africa. It is the ACME customers in the USA that have complained about slow response times. So, to keep costs down, ACME might decide to use the only North America and Europe price class for their distribution. Once the distribution is created, you are given a CloudFront domain name. 

It will have a cloudfront.net suffix and can be used to connect the distribution and retrieve content. Most customers using CloudFront will want to use their own domain names. ACME might want its customers to use www.acme.com for example. For this to happen, you must add an alternate domain name to your CloudFront distribution, add a digital certificate to your CloudFront distribution. The certificate must include the alternate domain name you added in step one and update the Alias record in route 53 to route users to the CloudFront distribution instead of the elastic load balancer. For more information on creating CloudFront distributions, please see the Cloud Academy course Amazon CloudFront design patterns. AWS Web Application Firewall (WAF) lets you monitor HTTP and HTTPS requests that are sent to selected AWS services and lets you control access to your content. 

To use WAF, you create a WAF access control list that contains rules. A WAF ACL can contain a single rule or a group of rules known as a rule group. You can create your own rule group or use the rule groups provided by AWS. There are even rule groups available to purchase through the Amazon Marketplace. Rules have logic that can inspect traffic and then either allow traffic, deny traffic, count traffic. Count traffic is useful if you wish test the rule or if you want to deny traffic, but only after a certain threshold is met. WAF ACLs can be regional or global. Regional ACLs can be associated with an inspect traffic for: Application Load Balancers, AppSync, and API Gateways. Global ACLs can be associated with an inspect traffic for: CloudFront distributions. ACME could have used AWS WAF directly with its Application Load Balancer, but now they have an integration with CloudFront, they will create an ACL for use with their CloudFront distribution. In the following demonstration, we will create a WAF ACL and associate it with a CloudFront distribution.