
A basic serverless website on AWS with Auth fronting the CDN

The general pattern

The idea is to put some compute in front of your serverless website's CDN that can reject requests before they reach the CDN. This has become possible via offerings like AWS Lambda@Edge and Cloudflare Workers.

While authentication and authorization could be done in this compute itself, this would be relatively heavy-handed: serverless compute has very limited memory, and the extra processing can be computationally expensive (long execution times, so higher costs and higher latency). Alternatively, the compute can call out to one or more dedicated authentication and authorization servers, then act according to the response.

[Figure: general architecture]

Example with AWS

Here are some real-world building blocks:

The compute and CDN come together, but other than that, you can swap out any component for an equivalent (e.g. you could replace Lambda@Edge and CloudFront with Cloudflare Workers and CDN respectively).
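The pattern described above, sketched as a Lambda@Edge viewer-request handler that calls out to an auth server and rejects the request before it reaches CloudFront. This is an added example, not code from the original post; the auth server URL, the `session` cookie name and the helper names are assumptions.

```javascript
// Added example: Lambda@Edge viewer-request handler (Node.js 18+ runtime).
// AUTH_URL and the "session" cookie name are assumptions, not from the page.
const AUTH_URL = 'https://auth.example.com/verify'; // hypothetical auth server

// CloudFront passes headers as { lowercase-name: [{ key, value }, ...] }.
function extractToken(headers) {
  for (const { value } of headers.cookie || []) {
    for (const part of value.split(';')) {
      const [name, ...rest] = part.trim().split('=');
      if (name === 'session' && rest.length) return rest.join('=');
    }
  }
  return null;
}

// Ask the dedicated auth server; fail closed on errors and timeouts.
async function verifyRemote(token) {
  try {
    const res = await fetch(AUTH_URL, {
      method: 'POST',
      headers: { authorization: `Bearer ${token}` },
      signal: AbortSignal.timeout(2000),
    });
    return res.status === 200;
  } catch {
    return false;
  }
}

// A generated response short-circuits the request at the edge.
const deny = (status, statusDescription) => ({
  status,
  statusDescription,
  headers: { 'cache-control': [{ key: 'Cache-Control', value: 'no-store' }] },
  body: statusDescription,
});

// verify is injectable so the decision logic can be exercised offline.
function makeHandler(verify = verifyRemote) {
  return async (event) => {
    const request = event.Records[0].cf.request;
    const token = extractToken(request.headers);
    if (!token) return deny('401', 'Unauthorized');
    if (!(await verify(token))) return deny('403', 'Forbidden');
    return request; // returning the request lets CloudFront serve it
  };
}

const handler = makeHandler();
if (typeof module !== 'undefined') module.exports = { handler };
```

Keeping the auth call's timeout well under the function's own timeout means a slow auth server results in a denied request rather than an edge error.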

[Figure: AWS architecture]