We’re excited about a new CDN feature that AWS announced just ahead of re:Invent 2024.
It is now possible to connect Amazon CloudFront directly to an Application Load Balancer (ALB) inside a VPC. The ALB can sit in a public or private subnet, so CloudFront can serve HTTP(S) content from it without opening holes in your VPC or placing anything on a public subnet. You no longer have to maintain the tangle of routing rules, security groups and NACLs that a public origin required; access is controlled centrally at CloudFront, and the attack surface shrinks.
The feature is called “CloudFront VPC Origins”, and it is straightforward to set up. It fits with Amazon’s VPC Block Public Access (BPA) controls in a simple, intuitive way: the only VPC-level requirement is that an Internet Gateway is attached to the VPC, and it does not matter whether that gateway appears in any route table. If an Internet Gateway is attached, VPC Origins should be available for that VPC. At present the CloudFront distribution and the VPC must be in the same AWS account.
You can also add AWS Web Application Firewall (WAF) easily, by associating a web ACL with the CloudFront distribution. Because the origin is reachable only through CloudFront, every request passes through the WAF, and there is no path for direct access into your private subnets: the EC2 instances, containers, or whatever other resources sit behind the load balancer can only be reached via the distribution.
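The setup described above, as an added Terraform example (not code from the original post or from AWS). It assumes an ALB `aws_lb.app` already exists in a private subnet and that a WAF web ACL `aws_wafv2_web_acl.edge` has been created with `scope = "CLOUDFRONT"` in us-east-1; both names are placeholders.

```hcl
# Added example: a CloudFront VPC origin for a private ALB, with WAF in front.
# Assumed to exist already: aws_lb.app (internal ALB) and
# aws_wafv2_web_acl.edge (scope = "CLOUDFRONT", region us-east-1).

# Managed policies suited to a dynamic application behind a load balancer.
data "aws_cloudfront_cache_policy" "caching_disabled" {
  name = "Managed-CachingDisabled"
}

data "aws_cloudfront_origin_request_policy" "all_viewer" {
  name = "Managed-AllViewer"
}

# The VPC origin: CloudFront reaches the ALB through your VPC, not the Internet.
resource "aws_cloudfront_vpc_origin" "app" {
  vpc_origin_endpoint_config {
    name                   = "app-alb-vpc-origin"
    arn                    = aws_lb.app.arn
    http_port              = 80
    https_port             = 443
    origin_protocol_policy = "https-only"   # never plaintext to the origin

    origin_ssl_protocols {
      items    = ["TLSv1.2"]
      quantity = 1
    }
  }
}

resource "aws_cloudfront_distribution" "app" {
  enabled    = true
  comment    = "Private ALB via VPC origin"
  web_acl_id = aws_wafv2_web_acl.edge.arn   # WAF applied to every request

  origin {
    origin_id   = "app-alb"
    domain_name = aws_lb.app.dns_name

    vpc_origin_config {
      vpc_origin_id            = aws_cloudfront_vpc_origin.app.id
      origin_read_timeout      = 30
      origin_keepalive_timeout = 5
    }
  }

  default_cache_behavior {
    target_origin_id         = "app-alb"
    viewer_protocol_policy   = "redirect-to-https"
    allowed_methods          = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods           = ["GET", "HEAD"]
    cache_policy_id          = data.aws_cloudfront_cache_policy.caching_disabled.id
    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

Two checks worth doing after `terraform apply`: confirm the VPC has an Internet Gateway attached (the origin will not be created without one, even though no traffic uses it), and confirm the ALB’s own security group admits HTTPS only from the network interfaces CloudFront provisions in your subnets for the origin, and from nothing else. With no public listener and no route from the Internet, there is nothing left to reach the ALB except the distribution.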
This is particularly exciting for many of our clients in the Financial Services Industry, where exposing anything directly to the Internet is often not an option. Forcing all traffic through CloudFront and the WAF gives security teams a much smaller attack surface and much simpler, centralised control.
Previously, to get something similar you would have needed resources such as an ALB on a public subnet. You could then reference CloudFront’s published managed prefix list in the ALB’s security group so that only CloudFront’s origin-facing IP ranges could reach it, and add a custom origin header in CloudFront so that the ALB (or the application) rejected any request that did not carry it. The header was necessary because the IP ranges are shared by every CloudFront distribution in every AWS account, so the prefix list alone only proves a request came from some CloudFront distribution, not yours. This worked, but it was clunky, prone to human error, and hard to maintain.
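For comparison, the older pattern just described, as an added Terraform example (not from the original post): an internet-facing ALB locked down by the CloudFront managed prefix list and by a secret origin header. The names `var.vpc_id`, `var.origin_secret`, `aws_lb_listener.https` and `aws_lb_target_group.app` are placeholders assumed to exist.

```hcl
# Added example: the pre-VPC-origin pattern for a public ALB.
# Assumed placeholders: var.vpc_id, var.origin_secret (a long random string,
# stored as sensitive), aws_lb_listener.https and aws_lb_target_group.app.

# Control 1: only CloudFront's origin-facing IP ranges may reach the ALB.
# This prefix list is large and consumes dozens of security-group rule slots.
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

resource "aws_security_group" "alb_cloudfront_only" {
  name   = "alb-cloudfront-only"
  vpc_id = var.vpc_id

  ingress {
    description     = "HTTPS from CloudFront edge ranges only"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    prefix_list_ids = [data.aws_ec2_managed_prefix_list.cloudfront.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Control 2: forward only requests carrying the secret header that *your*
# distribution adds; the listener's default action should be a fixed 403,
# so any request from another CloudFront distribution is refused.
resource "aws_lb_listener_rule" "require_origin_secret" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 10

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }

  condition {
    http_header {
      http_header_name = "X-Origin-Verify"
      values           = [var.origin_secret]
    }
  }
}
```

The matching half lives in the distribution: a `custom_header { name = "X-Origin-Verify", value = var.origin_secret }` entry inside the `origin` block. The maintenance burden the post refers to is visible here: the secret has to be stored, rotated and kept in sync between two resources, the listener default action has to stay a 403, and the prefix list eats into security-group quotas. None of that exists with a VPC origin, because there is no public endpoint to guard.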
The new approach is more robust, needs little maintenance, and is also significantly simpler. There are performance benefits too: from the moment a request reaches a nearby CloudFront edge location it is carried over the AWS backbone and connects transparently to the ALB in your private subnet. There are no extra hops or firewall appliances in the path adding latency; the filtering is done once, at the CloudFront edge.
So it’s a win-win, and for many companies this will be a fairly easy migration, with several advantages and no real downsides.
At Cloud Bridge, we’re already helping our customers migrate to the new CloudFront VPC Origins. If you’d like to chat to us about any of this, do reach out - we’d love to hear about your use-case and get you up and running with your own VPC Origins. We’re always keen to talk to anyone considering CloudFront — it’s possible to save significant amounts of money on data transfer, and we’re experts at helping companies navigate this.