Introducing Amazon CloudFront VPC Origins: Secure Content Delivery from Private VPC Subnets

I’m excited to announce the release of Amazon CloudFront Virtual Private Cloud (VPC) origins in November 2024, a powerful new feature that revolutionizes how you can deliver content from applications hosted in private subnets within your Amazon VPC. This innovation allows you to enhance security while maintaining the high performance and global scalability that CloudFront is known for.

The Challenge of Private Origin Security

Until now, securing web application origins has varied in complexity depending on your infrastructure. If you were serving content from Amazon S3, AWS Elemental Services, or AWS Lambda Function URLs, you could easily implement Origin Access Control as a managed solution to secure these origins and make CloudFront your application’s single entry point.

However, for applications hosted on Amazon EC2 instances or behind load balancers, creating this secure setup was considerably more complex. You needed to implement your own custom solution using various techniques like:

  • Configuring access control lists (ACLs)
  • Managing complex firewall rules
  • Implementing header validation logic
  • Employing other custom security methods

This undifferentiated heavy lifting took valuable time away from focusing on your core business.

Introducing CloudFront VPC Origins

CloudFront VPC origins eliminates this complexity by providing a streamlined, managed solution. Now you can point CloudFront distributions directly to resources inside your private subnets, including:

  • Application Load Balancers (ALBs)
  • Network Load Balancers (NLBs)
  • EC2 instances

With minimal configuration, CloudFront becomes the exclusive ingress point for these resources, providing multiple benefits:

  • Enhanced security through simplified architecture
  • Improved performance through CloudFront’s global network
  • Cost savings by eliminating the need for public IP addresses

Setting Up CloudFront VPC Origins

The best part? CloudFront VPC origins is available at no additional cost to all AWS customers. You can integrate it with new or existing CloudFront distributions using either the Amazon CloudFront console or the AWS CLI.

For example, if you have an application running on AWS Fargate for Amazon ECS behind an ALB in a private subnet, you can create a CloudFront distribution that connects directly to this private ALB by simply navigating to the CloudFront console and selecting the new “VPC origins” menu option.
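As an added illustration that is not from the original post, the two fragments below are alternative `Origins.Items` entries for the same ALB in a CloudFront `DistributionConfig`: the custom-origin pattern with a shared-secret header that the post describes replacing (the ALB must be internet-facing, its security group must still be restricted to CloudFront's address ranges, and the header value must be validated at the ALB and rotated), and the VPC origin entry that replaces it (the ALB can stay internal with no public address, so the secret header and the inbound firewall rules are no longer needed). The wrapper keys, the ALB DNS name, the origin IDs and the `vo_...` value are constructed placeholders; the real VPC origin ID is returned by `aws cloudfront create-vpc-origin`.

```json
{
  "before_public_alb_with_secret_header": {
    "Id": "alb-public-origin",
    "DomainName": "app-alb-123456.us-east-1.elb.amazonaws.com",
    "CustomOriginConfig": {
      "HTTPPort": 80,
      "HTTPSPort": 443,
      "OriginProtocolPolicy": "https-only",
      "OriginSslProtocols": { "Quantity": 1, "Items": ["TLSv1.2"] }
    },
    "CustomHeaders": {
      "Quantity": 1,
      "Items": [
        { "HeaderName": "X-Origin-Verify", "HeaderValue": "REPLACE-WITH-ROTATED-SECRET" }
      ]
    }
  },
  "after_private_alb_vpc_origin": {
    "Id": "alb-vpc-origin",
    "DomainName": "internal-app-alb-123456.us-east-1.elb.amazonaws.com",
    "VpcOriginConfig": {
      "VpcOriginId": "vo_EXAMPLEPLACEHOLDER",
      "OriginReadTimeout": 30,
      "OriginKeepaliveTimeout": 5
    }
  }
}
```

Only one of the two entries would appear in a real distribution; the point of the comparison is that the VPC origin entry carries no secret to leak or rotate, and the ALB behind it is unreachable from the internet regardless of its security group.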
