How to expose an Internal ALB using CloudFront

  • Writer: Ignacio Rubio
  • Apr 30
  • 3 min read

Updated: 7 days ago


This post explains how to deliver content from an Internal Application Load Balancer (ALB) using Amazon CloudFront and VPC origins. VPC origins are the key to this implementation, and they provide the following benefits:


  • Security: We can enhance CloudFront security by using the CloudFront distribution as the single access point to our applications, while keeping the ALB and compute layer private. Effective access controls can be implemented to secure communications further.

  • Management: VPC origins allow us to keep the CloudFront origins in private subnets, reducing the overhead of implementing ACLs and other mechanisms to secure public endpoints. By managing network traffic efficiently, we can optimize the application’s performance.

  • Scalability and performance: Using CloudFront as the entry point for our systems improves the high availability and global scalability while securing the application. Using edge locations, on the other hand, helps improve response times for both static and dynamic content.


The following diagram is an example of an infrastructure using VPC origin and a private ALB.



The ALB targets in this example are two EC2 instances; however, we can use any target type available for ALBs. Check this documentation for further information.


Prerequisites

  • A VPC (Virtual Private Cloud) in the same AWS account as the CloudFront distribution and in a Region with support for VPC origin (check here).

  • An Internet Gateway is required in the VPC to receive traffic from the Internet.

  • At least two private subnets in different Availability Zones to host the ALB.


Implementation Steps


Create the ALB

This step consists of deploying a new Internal load balancer in the private subnets of your VPC; there must be at least two subnets in different Availability Zones.



We have to attach a Security Group that allows inbound traffic from the CloudFront managed prefix list.



In this case, I only allowed the HTTPS port (443/TCP) because my ALB only has an HTTPS listener.



If you use different listeners, consider updating the security group rule to provide the proper access. Also, you can attach more than one security group, for example, if you want to provide internal access to the ALB.


Create a VPC origin and the CloudFront distribution

Now we have to create a new VPC origin to provide access to the internal ALB from your CloudFront distribution.


  1. Go to the CloudFront console.

  2. Choose VPC origins, Create VPC origin.

  3. Fill out the required fields. For Origin ALB, select the ARN of the ALB created in the previous step. This is also possible for Network Load Balancers (NLB) and EC2 instances.

  4. Click Create VPC origin.



I chose HTTPS only in Protocol because it is the only listener I have configured in the ALB.


  1. In the CloudFront console, choose Distributions, Create distribution.

  2. From the Origin domain, select the VPC origin just created.



Be sure to choose the VPC origin here and not the Elastic Load Balancer origin type, because the latter won’t work for an internal ALB.


I am not providing further configuration for the CloudFront distribution in this post because it is the same as for any Origin.


Once the CloudFront distribution is deployed, you can test the access using the default domain name associated with it (or any alternate name you have created).
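The same steps as Terraform, added here as an example (not the post's own code): the security group rule for the CloudFront managed prefix list, the VPC origin pointing at the internal ALB, and a distribution that uses that VPC origin and redirects HTTP to HTTPS at the edge. It assumes an existing internal ALB `aws_lb.internal` with only an HTTPS listener and its security group `aws_security_group.alb`; resource names and the `internal-alb` origin id are made up for this example.

```hcl
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

# Only 443/TCP, matching the ALB's single HTTPS listener.
resource "aws_vpc_security_group_ingress_rule" "alb_from_cloudfront" {
  security_group_id = aws_security_group.alb.id  # assumed existing SG
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_id    = data.aws_ec2_managed_prefix_list.cloudfront.id
}

# VPC origin that fronts the internal ALB, HTTPS only.
resource "aws_cloudfront_vpc_origin" "alb" {
  vpc_origin_endpoint_config {
    name                   = "internal-alb"
    arn                    = aws_lb.internal.arn  # assumed existing internal ALB
    http_port              = 80
    https_port             = 443
    origin_protocol_policy = "https-only"
    origin_ssl_protocols {
      items    = ["TLSv1.2"]
      quantity = 1
    }
  }
}

data "aws_cloudfront_cache_policy" "disabled" {
  name = "Managed-CachingDisabled"
}

resource "aws_cloudfront_distribution" "this" {
  enabled = true
  # Reference the VPC origin; a plain ELB origin cannot reach an internal ALB.
  origin {
    domain_name = aws_lb.internal.dns_name
    origin_id   = "internal-alb"
    vpc_origin_config { vpc_origin_id = aws_cloudfront_vpc_origin.alb.id }
  }
  default_cache_behavior {
    target_origin_id       = "internal-alb"
    viewer_protocol_policy = "redirect-to-https" # HTTP -> HTTPS at the edge
    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = data.aws_cloudfront_cache_policy.disabled.id
  }
  restrictions { geo_restriction { restriction_type = "none" } }
  viewer_certificate { cloudfront_default_certificate = true }
}
```

Add an alternate domain name and an ACM certificate to `viewer_certificate` if the distribution should serve your own hostname, and widen the ingress rule only if the ALB gets additional listeners.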


Use cases for this implementation


Redirect HTTP requests to HTTPS in the CloudFront distribution

With this implementation, you can redirect HTTP to HTTPS directly in the CloudFront distribution and have only an HTTPS listener in the ALB. All traffic between the CloudFront distribution and the ALB is HTTPS and over the AWS private link.


Implement split-horizon DNS

Route53 allows you to have public and private hosted zones. While you use your public zone to resolve the CloudFront distribution endpoint (for example, with an Alias record) from the Internet, the internal endpoint of the ALB can be resolved from your private hosted zone (with a different Alias record). The domain names in the private hosted zones can only be resolved from inside the VPC.


Enhance security using WAF and Shield

Although not covered in the steps above, the AWS Web Application Firewall can be integrated with both the ALB and CloudFront to protect your web applications using managed and custom rules. At the same time, Amazon Shield Standard is enabled by default to protect your CloudFront distribution against DDoS attacks (it doesn’t have direct integration with the ALB).



Ignacio Rubio

Cloud Engineer

Teracloud
