VPC Origins in Amazon Cloudfront: A new Security Layer for AWS LoadBalancers

Amazon CloudFront (the AWS CDN service) has introduced Virtual Private Cloud (VPC) Origins, a feature that enables users to deliver content from applications hosted within a VPC’s private subnet.

This enhancement allows applications to remain unexposed to the public internet by ensuring that access is exclusively through CloudFront distributions.

Such a configuration prevents end users from directly accessing web applications, thereby concealing origin servers from public view, reducing the attack surface, and bolstering overall security. Simultaneously, users benefit from CloudFront’s global reach and high-performance capabilities.

Traditionally, securing VPC-based origins required placing them in public subnets and implementing measures like Access Control Lists (ACLs) to restrict access.

When securing load balancers also, it required several layers of security configuration from the Network Access Control Lists (NACL) configurations, to the Security Groups and Web Application Firewall (WAF) all configured with the Load Balancer.

This approach demanded continuous effort to maintain effective security. With the introduction of CloudFront VPC Origins, users can now host applications in private VPC subnets without direct internet routes, ensuring that CloudFront serves as the sole entry point. This setup not only enhances security but also leverages the AWS Backbone Network for optimized performance and reduced latency.

Getting Started with CloudFront VPC Origins

Users can create a VPC Origin directly through the CloudFront console or via CloudFront APIs. Once established, this origin can be integrated seamlessly with new or existing CloudFront distributions, facilitating content requests through the VPC Origin and potentially improving performance and availability compared to traditional public internet-based origins. Here are the pre-requisites to creating VPC Origins

• Create a VPC in the same AWS account as your CloudFront distribution, ensuring it’s located in a Region that supports VPC origins; for guidance on creating a VPC, refer to the Amazon VPC User Guide.
• Public VPC Subnet: Include an internet gateway to enable your VPC to receive internet traffic—note that this gateway isn’t used for routing traffic to origins within the subnet, so no routing policy updates are needed—and a private subnet with at least one available private IPv4 address, which is necessary for CloudFront to create an elastic network interface (ENI) when you define your private origin resource.
• Private VPC Subnet: ​In your VPC’s private subnet, deploy an Application Load Balancer, a Network Load Balancer (ensuring it has an attached security group and is neither dual-stack nor configured with TLS listeners), or an EC2 instance as your origin; ensure the resource is fully deployed and in Active status before use.
• To restrict traffic to your VPC origin, update its security group to allow inbound traffic from the CloudFront managed prefix list; after the VPC origin is created, you can further tighten security by updating the allowed traffic source to the CloudFront Distribution via managed prefix list.

It is important to note that Load Balancers supported by VPC origins are

• Application Load Balancer
• Network Load Balancer

Currently, Gateway Load Balancers are not supported as VPC origins in Amazon CloudFront.To utilize CloudFront VPC Origins, you will need to migrate your existing load balancers to either Application Load Balancers or Network Load Balancers.

How to Create a VPC Origin (for a new Cloudfront Distribution)

Open the CloudFront Console and navigate to the CloudFront console.​

Create a VPC Origin:

• In the navigation pane, select VPC origins, then choose Create VPC origin.​
• Complete the required fields. For Origin ARN, select the ARN of your Application Load Balancer, Network Load Balancer, or EC2 instance. If the ARN isn’t listed, you can manually enter it.​
• Click Create VPC origin.​
• Wait for the VPC origin status to change to Deployed, which may take up to 15 minutes.​

Create a CloudFront Distribution:

• After the VPC origin is deployed, go to the Distributions section and choose Create distribution.​
• For Origin domain, select your VPC origin from the dropdown list.​
• If your VPC origin is an EC2 instance, enter the Private IP DNS name of the instance into the Origin domain field.​
• Complete the remaining distribution settings as needed.​
• Choose Create distribution.​

For detailed guidance on creating a CloudFront distribution, refer to the Amazon CloudFront Developer Guide.

How to Create a VPC Origin (for an existing Cloudfront Distribution)

To create a Virtual Private Cloud (VPC) origin for your existing Amazon CloudFront distribution, follow these steps:

Access the CloudFront Console:

• Sign in to the AWS Management Console.
• Navigate to the CloudFront console.

Create a VPC Origin:

• In the navigation pane, select VPC origins.
• Click on Create VPC origin.
• Complete the required fields:
• Origin ARN: Choose the Amazon Resource Name (ARN) of your Application Load Balancer, Network Load Balancer, or EC2 instance. If the ARN isn’t listed, manually enter it.
• Click Create VPC origin.
• Wait for the VPC origin status to change to Deployed. This process may take up to 15 minutes.

Update the Security Group for the VPC Origin:

• Modify the security group associated with your VPC origin to explicitly allow traffic from the CloudFront managed prefix list. This step restricts access to your origin.
• For detailed instructions, refer to Use the CloudFront managed prefix list.

Modify Your Existing CloudFront Distribution:

• In the CloudFront console’s navigation pane, select Distributions.
• Click on the ID of your existing distribution.
• Navigate to the Origins tab.
• Click on Create origin.
• In the Origin domain dropdown menu, select your newly created VPC origin.
• If your VPC origin is an EC2 instance, enter its Private IP DNS name in the Origin domain field.
• Configure other origin settings as needed.
• Click Create origin.

Test the VPC Origin:

• Ensure that your CloudFront distribution correctly routes requests to the new VPC origin and that content is served as expected.

Testing the Distribution:

• For availability purposes, the VPC origin can be tested on a staging Cloudfront distribution deployment. On the General tab, under Continuous deployment, choose Create staging distribution. For more information, see Use CloudFront continuous deployment to safely test CDN configuration changes.

Restrict Public Access to Your VPC Origin:

• After confirming that CloudFront can access your VPC origin, remove public access by making the subnet private. This action ensures the origin isn’t accessible directly from the internet but remains accessible through CloudFront.
• For guidance, see Associate or disassociate a subnet with a route table in the Amazon VPC User Guide.

By following these steps, you can integrate a VPC origin into your existing CloudFront distribution, enhancing the security and availability of your applications.

Conclusion

CloudFront VPC Origins provides an efficient and reliable method to restrict access to applications, thereby reducing their attack surface. By ensuring CloudFront serves as the sole ingress point, it prevents users from bypassing it, significantly enhancing security. Operationally, VPC Origins requires minimal maintenance compared to alternative approaches. For businesses aiming to improve application security, deliver high-performance global experiences, and streamline operations, integrating VPC Origins with CloudFront offers a compelling solution, safeguarding digital assets while supporting business growth. For more information, refer to the Amazon CloudFront VPC origins documentation.