AWS · How-To · Beginner · 4 min read

How to Use AWS CloudFront with Application Load Balancer (ALB)

To use CloudFront with an Application Load Balancer (ALB), create a CloudFront distribution and set the ALB's DNS name as the origin. Configure behaviors and SSL settings to route requests through CloudFront, which caches content and improves global delivery.

Syntax

When setting up CloudFront with ALB, the key parts are:

  • Origin Domain Name: Use the ALB DNS name (e.g., my-alb-123456.us-east-1.elb.amazonaws.com).
  • Origin Protocol Policy: Choose HTTPS Only or Match Viewer to secure traffic.
  • Cache Behavior: Define how CloudFront handles requests, including allowed HTTP methods and caching policies.
  • SSL Certificate: Attach an SSL certificate to CloudFront for HTTPS support.
```text
Origin Domain Name: my-alb-123456.us-east-1.elb.amazonaws.com
Origin Protocol Policy: HTTPS Only
Cache Behavior: GET, HEAD allowed; Forward Headers: Host, Authorization
SSL Certificate: ACM certificate ARN attached to CloudFront
```

Example

This example shows how to create a CloudFront distribution with an ALB origin using AWS CLI commands. It sets the ALB DNS as origin, enables HTTPS, and configures caching behavior.

```bash
# For a non-S3 origin the protocol policy lives inside CustomOriginConfig;
# Comment, and MinTTL when ForwardedValues is used, are required by the API.
# The ACM certificate must be issued in us-east-1 and cover any Aliases
# (CNAMEs) you later add to the distribution.
aws cloudfront create-distribution --distribution-config '{
  "CallerReference": "unique-string-123",
  "Comment": "ALB origin behind CloudFront",
  "Enabled": true,
  "Origins": {
    "Quantity": 1,
    "Items": [{
      "Id": "ALBOrigin",
      "DomainName": "my-alb-123456.us-east-1.elb.amazonaws.com",
      "CustomOriginConfig": {
        "HTTPPort": 80,
        "HTTPSPort": 443,
        "OriginProtocolPolicy": "https-only",
        "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]}
      }
    }]
  },
  "DefaultCacheBehavior": {
    "TargetOriginId": "ALBOrigin",
    "ViewerProtocolPolicy": "redirect-to-https",
    "AllowedMethods": {
      "Quantity": 2,
      "Items": ["GET", "HEAD"]
    },
    "MinTTL": 0,
    "ForwardedValues": {
      "QueryString": false,
      "Cookies": {"Forward": "none"},
      "Headers": {"Quantity": 2, "Items": ["Host", "Authorization"]}
    }
  },
  "ViewerCertificate": {
    "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd-1234-efgh-5678",
    "SSLSupportMethod": "sni-only",
    "MinimumProtocolVersion": "TLSv1.2_2021"
  }
}'
```
Output

```json
{
  "Distribution": {
    "Id": "E1A2B3C4D5E6F7",
    "Status": "InProgress",
    "DomainName": "d1234abcdef8.cloudfront.net"
  },
  "Location": "https://cloudfront.amazonaws.com/2020-05-31/distribution/E1A2B3C4D5E6F7/config"
}
```

Common Pitfalls

  • Using HTTP instead of HTTPS: ALB often requires HTTPS for secure traffic; setting CloudFront origin protocol to HTTP can cause failures.
  • Not forwarding required headers: Missing headers like Host or Authorization can break authentication or routing.
  • Incorrect SSL certificate region: CloudFront only accepts ACM certificates issued in the us-east-1 region.
  • ALB security group blocking CloudFront IPs: Ensure ALB allows inbound traffic from CloudFront IP ranges.
Wrong origin protocol policy:

```json
"OriginProtocolPolicy": "http-only"
```

Right origin protocol policy:

```json
"OriginProtocolPolicy": "https-only"
```
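The four pitfalls above are all visible in configuration, so they can be checked before `create-distribution` is run or during a review of an existing distribution. The following added example, which is not part of the original page or any AWS tooling, lints a DistributionConfig in the same JSON shape the CLI accepts and an ALB security group in the shape `aws ec2 describe-security-groups` returns. The sample configurations, the certificate and security-group IDs, and the prefix-list ID `pl-EXAMPLE` are all constructed placeholders.

```python
# Lint a CloudFront DistributionConfig and an ALB security group for the
# pitfalls listed above. Added example, not AWS tooling; samples are constructed.
import copy
import re

REQUIRED_HEADERS = {"Host", "Authorization"}
# ACM ARNs carry the region as the fourth field; CloudFront only accepts us-east-1.
ACM_ARN = re.compile(r"arn:aws:acm:([a-z0-9-]+):\d{12}:certificate/")


def lint_distribution_config(cfg):
    """Return a list of findings; an empty list means no pitfall was detected."""
    findings = []
    for origin in cfg.get("Origins", {}).get("Items", []):
        policy = origin.get("CustomOriginConfig", {}).get("OriginProtocolPolicy")
        if policy != "https-only":
            findings.append(f"origin {origin.get('Id')}: OriginProtocolPolicy is "
                            f"{policy!r}, expected 'https-only'")
    behavior = cfg.get("DefaultCacheBehavior", {})
    if behavior.get("ViewerProtocolPolicy") == "allow-all":
        findings.append("DefaultCacheBehavior: viewers may use plain HTTP (allow-all)")
    forwarded = set(behavior.get("ForwardedValues", {}).get("Headers", {}).get("Items", []))
    missing = sorted(REQUIRED_HEADERS - forwarded)
    if missing:
        findings.append(f"DefaultCacheBehavior: not forwarding headers {missing}")
    cert = cfg.get("ViewerCertificate", {})
    arn = cert.get("ACMCertificateArn")
    if arn:
        match = ACM_ARN.match(arn)
        region = match.group(1) if match else None
        if region != "us-east-1":
            findings.append(f"ViewerCertificate: ACM certificate region is {region!r}, "
                            "CloudFront only accepts us-east-1")
    elif not cert.get("CloudFrontDefaultCertificate"):
        findings.append("ViewerCertificate: no certificate configured")
    return findings


def lint_alb_security_group(sg, cloudfront_prefix_list_id):
    """Check that 80/443 ingress comes from the CloudFront origin-facing managed
    prefix list (com.amazonaws.global.cloudfront.origin-facing; look up its pl-ID
    with `aws ec2 describe-managed-prefix-lists`) rather than from anywhere."""
    findings = []
    allows_cloudfront = False
    for perm in sg.get("IpPermissions", []):
        port = perm.get("FromPort")
        if port not in (80, 443):
            continue
        for rng in perm.get("IpRanges", []):
            if rng.get("CidrIp") == "0.0.0.0/0":
                findings.append(f"port {port}: open to 0.0.0.0/0, so the ALB can be "
                                "reached directly, bypassing CloudFront")
        if any(p.get("PrefixListId") == cloudfront_prefix_list_id
               for p in perm.get("PrefixListIds", [])):
            allows_cloudfront = True
    if not allows_cloudfront:
        findings.append("no 80/443 ingress rule references the CloudFront prefix list")
    return findings


# Constructed sample in the shape create-distribution expects (IDs are placeholders).
GOOD_CONFIG = {
    "CallerReference": "example-1", "Comment": "ALB behind CloudFront", "Enabled": True,
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "ALBOrigin",
        "DomainName": "my-alb-123456.us-east-1.elb.amazonaws.com",
        "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                               "OriginProtocolPolicy": "https-only",
                               "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]}}}]},
    "DefaultCacheBehavior": {
        "TargetOriginId": "ALBOrigin", "ViewerProtocolPolicy": "redirect-to-https", "MinTTL": 0,
        "ForwardedValues": {"QueryString": True, "Cookies": {"Forward": "none"},
                            "Headers": {"Quantity": 2, "Items": ["Host", "Authorization"]}}},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-CERT-ID",
        "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1.2_2021"},
}

# The same distribution with every pitfall from the list above applied.
BAD_CONFIG = copy.deepcopy(GOOD_CONFIG)
BAD_CONFIG["Origins"]["Items"][0]["CustomOriginConfig"]["OriginProtocolPolicy"] = "http-only"
BAD_CONFIG["DefaultCacheBehavior"]["ViewerProtocolPolicy"] = "allow-all"
BAD_CONFIG["DefaultCacheBehavior"]["ForwardedValues"]["Headers"] = {"Quantity": 0, "Items": []}
BAD_CONFIG["ViewerCertificate"]["ACMCertificateArn"] = \
    "arn:aws:acm:eu-west-1:123456789012:certificate/EXAMPLE-CERT-ID"

# Constructed security groups in describe-security-groups shape; pl-EXAMPLE is a placeholder.
GOOD_SG = {"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
     "PrefixListIds": [{"PrefixListId": "pl-EXAMPLE"}]}]}
BAD_SG = {"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "PrefixListIds": []}]}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint_distribution_config(cfg))
    for name, sg in (("good", GOOD_SG), ("bad", BAD_SG)):
        print(name, lint_alb_security_group(sg, "pl-EXAMPLE"))
```

Run it as-is to see the good configuration pass and the bad one produce one finding per pitfall, or feed it the output of `aws cloudfront get-distribution-config` and `aws ec2 describe-security-groups` after parsing the JSON. The security-group check treats a world-open rule as a finding even when the prefix list is also present, because an ALB that answers direct requests lets anyone bypass whatever CloudFront enforces.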

Quick Reference

Tips for using CloudFront with ALB:

  • Always use HTTPS between CloudFront and ALB for security.
  • Use ACM certificates in us-east-1 for CloudFront SSL.
  • Forward necessary headers to ALB for proper request handling.
  • Update ALB security groups to allow CloudFront IP ranges.
  • Test distribution after deployment to confirm correct routing and caching.
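The last tip, testing routing and caching after deployment, can be made repeatable. The following added example, not part of the original page, checks a captured request/response header pair: it classifies CloudFront's `X-Cache` value, confirms the CloudFront `Via` header is present (a response without it reached the ALB directly), and flags responses to requests that carried `Authorization` yet came back as cache hits without `Cache-Control: private` or `no-store`. The header samples are constructed, not captured from a real distribution.

```python
# Post-deployment check over captured headers. Added example, not AWS tooling;
# the samples at the bottom are constructed.

def cache_status(response_headers):
    """Classify CloudFront's X-Cache header as hit, refresh, miss, error or unknown."""
    value = response_headers.get("x-cache", "").lower()
    if value.startswith("refreshhit"):
        return "refresh"
    for label in ("hit", "miss", "error"):
        if value.startswith(label):
            return label
    return "unknown"


def check_response(request_headers, response_headers):
    """Return (cache_status, findings) for one request/response pair."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    findings = []
    if "cloudfront" not in resp.get("via", "").lower():
        findings.append("no CloudFront Via header: the request reached the ALB directly")
    status = cache_status(resp)
    cache_control = resp.get("cache-control", "").lower()
    private = "private" in cache_control or "no-store" in cache_control
    if "authorization" in req and status in ("hit", "refresh") and not private:
        findings.append("authenticated response served from the shared cache "
                        "without Cache-Control: private/no-store")
    return status, findings


# Constructed samples: CloudFront's Via header and X-Cache values as they appear
# on real responses; the token and distribution host are placeholders.
VIA = "1.1 d1234abcdef8.cloudfront.net (CloudFront)"
SAMPLES = {
    "anonymous miss": ({}, {"Via": VIA, "X-Cache": "Miss from cloudfront",
                            "Cache-Control": "max-age=60"}),
    "anonymous hit": ({}, {"Via": VIA, "X-Cache": "Hit from cloudfront",
                           "Cache-Control": "max-age=60"}),
    "auth hit, not private": ({"Authorization": "Bearer EXAMPLE"},
                              {"Via": VIA, "X-Cache": "Hit from cloudfront",
                               "Cache-Control": "max-age=60"}),
    "auth miss, private": ({"Authorization": "Bearer EXAMPLE"},
                           {"Via": VIA, "X-Cache": "Miss from cloudfront",
                            "Cache-Control": "private, no-store"}),
    "bypassed cloudfront": ({}, {"Server": "awselb/2.0"}),
}

if __name__ == "__main__":
    for name, (req, resp) in SAMPLES.items():
        print(name, check_response(req, resp))
```

With the legacy `ForwardedValues` block used in the example above, every forwarded header, `Authorization` included, becomes part of the cache key, so a hit can only be served to a request carrying the same token; the check is still worth keeping because the origin, not the cache key, is what should declare per-user responses uncacheable.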

Key Takeaways

  • Set the ALB DNS name as the origin domain in the CloudFront distribution.
  • Use HTTPS between CloudFront and the ALB for secure communication.
  • Attach an ACM SSL certificate issued in us-east-1 to CloudFront for HTTPS support.
  • Forward required headers like Host and Authorization to the ALB.
  • Ensure ALB security groups allow inbound traffic from CloudFront IP ranges.