25

How do you setup Cloudfront in front of an EC2 instance? I'm interested in having users hit the Cloudfront url rather than the EC2 origin.

So instead of hitting ec2-52-64-xxx-xxx.ap-southeast-2.compute.amazonaws.com users would hit d111111abcdef8.cloudfront.net.

My intention is to save money on hosting by reducing the traffic and CPU load on the EC2 instance, while providing overseas users with faster load times.

Would I just point my DNS to the Cloudfront url instead of the EC2 origin?

ChrisRich

4 Answers

42

Would I just point my DNS to the Cloudfront url instead of the EC2 origin?

Pretty much.

Technically, you don't point DNS to a URL, you point it to a hostname or to an IP address, which is done a little differently with CloudFront.

First, though... in the CloudFront distribution settings, you need to configure any hostnames that CloudFront should expect to see sent by the browser, in the "alternate domain names" box.

For the origin, enter the ec2-...-compute.amazonaws.com hostname.

At this point, after 10-15 minutes, visiting the CloudFront-assigned URL should take you to your server.

Next... if your DNS is hosted in Route 53, then you'd go to the hosted zone and create new "A" records for those hostnames, setting "Alias" to "Yes," which should cause the targets box to be populated with the CloudFront distribution, which you would then select, and save the record.

If your DNS isn't hosted by Route 53, you would instead create CNAME records in DNS, pointing to the hostname assigned to the CloudFront distribution, e.g. jozxyqkexample.cloudfront.net. The catch, here, is that you can't do this with the apex/root of your domain, because a CNAME isn't valid there... so www.example.com would work, but example.com will not. This is a limitation of DNS, and the only workaround is to use Route 53 for your DNS, because it has internal integration with CloudFront (hence the "Alias" records, mentioned above, which use internal lookups rather than external referrals, like a CNAME).

You may also want to configure CloudFront to forward the Host header back to the origin server; otherwise when the request arrives, the hostname presented to your server in the HTTP requests will not be your domain name, and instead will be the hostname you configured as the origin host.

Be sure, when you connect through CloudFront, that the server doesn't redirect you back to the EC2 hostname or IP (the address bar in the browser will change, if it does, and you'll want to fix your web server's config if that happens).

Michael - sqlbot
  • Thanks for your reply Michael. The DNS is managed by NameCheap. Pointing the URL to a hostname or IP address is simple with NameCheap. But I guess you would also have to do some config in the AWS CloudFront control panel? Like point it to a URL. So it is a two way configuration? – ChrisRich Oct 15 '15 at 05:41
  • *For the origin, enter the ec2-...-compute.amazonaws.com hostname.* That's how you configure CloudFront to hit your server. The step right above that is how you tell CloudFront that the hostname you're going to point at it should be associated with this particular distribution, when it sees that hostname sent by the browser on incoming requests. NameCheap's DNS service will work unless this site is your bare domain name (www.example.com ok, example.com not ok). – Michael - sqlbot Oct 15 '15 at 09:05
  • 2
    I am getting this error: "The request could not be satisfied. CloudFront attempted to establish a connection with the origin, but either the attempt failed or the origin closed the connection. Generated by cloudfront (CloudFront) Request ID: 9FQvbTDRYQvDABh1FgbmeMdMBA5JQmcH29bQd_yLQJ90Mf3cytZilg==" – byteC0de Jul 13 '17 at 08:39
  • @JihinRaju check https://stackoverflow.com/a/35258911/1695906 or https://stackoverflow.com/a/40519649/1695906 or https://stackoverflow.com/a/38725089/1695906 or https://serverfault.com/a/779723/153161. Incorrect SSL configuration of the origin is a common cause for this. – Michael - sqlbot Jul 13 '17 at 10:19
  • I have exactly the case of your **Route 53** pattern now! @Michael-sqlbot As well as the Route 53 settings, I am trying the other steps you mentioned here about the **CloudFront** settings. But I cannot get any statistics from my CloudFront's monitoring after I hit my URL (such as admin.mysite.com). Also, I have set up **SSL** in AWS Certificate Manager. And even when I hit the CloudFront URL, 50x errors are returned. Any hint, please? – tech_me Oct 29 '19 at 03:02
  • In addition to the above you can point Namecheap to use your Route53 DNS so you can manage it from there. This will save you the most headache! Hope this helps! <3 – Callum Dempsey Leach May 01 '19 at 09:36
  • "CloudFront to forward the Host header back to the origin server" Saved my time and mind, man. Thanks. – Abdalrahman Shatou Aug 28 '21 at 20:19
  • I've done all this, and I cannot get CloudFront to forward requests to my ec2 instance. I'm using Route 53. I point one subdomain directly to the ec2 instance and the other to cloudfront with a distribution set to forward the request to the ec2 instance. The direct forward works and the cloudfront path does not. I have everything mentioned here configured correctly. Did something change in AWS? For example, I see no way to forward the Host header back to the origin server. – MidnightJava Mar 20 '23 at 22:33
  • @MidnightJava what exactly is happening? Is there an error? – Michael - sqlbot Mar 21 '23 at 01:09
  • It just never connects. It spins for a few minutes and finally says the site is not reachable. More or less acts like when a firewall is blocking the path. But the security group is properly configured to allow the traffic. Anyway, I can get to the instance directly by its public IP address or through Route 53 with an A record pointing there. But through CloudFront it's a brick wall. And the same CloudFront distribution is able to connect to an S3 bucket. – MidnightJava Mar 21 '23 at 03:52
  • I wonder, is it required to go through a Load Balancer when going from Cloud Front to ec2? This article says to do it that way. I didn't think an LB was required, but I'll give that a try. https://aws.amazon.com/cloudfront/getting-started/EC2/ – MidnightJava Mar 21 '23 at 04:27
  • Going through a load balancer makes no difference. I've followed several tutorials to the letter and I can't find any way to connect to an ec2 instance except through its public IP/DNS. Navigating to the load balancer URL directly or through a Cloud Front distribution simply does not work for me. – MidnightJava Mar 21 '23 at 18:47
  • UPDATE: Actually, I can connect to the load balancer DNS. But it fails to connect when going through a Cloud Front distribution to either the ec2 instance or to a load balancer. – MidnightJava Mar 21 '23 at 20:08
  • @MidnightJava *"It spins for a few minutes and finally says the site is not reachable."* Please quote error messages exactly, instead of paraphrasing. – Michael - sqlbot Mar 23 '23 at 01:15
  • 1
    I finally got it working. I can connect via Cloudfront to static sites in S3 buckets and a dynamic site through a load balancer or directly to an ec2 instance. I tore it all down and rebuilt it from scratch, and it worked. So it was some sort of cockpit error, and unfortunately, I didn't discover anything useful for others. But it did eventually work as expected. – MidnightJava Mar 23 '23 at 20:49
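Two of the checks from the answer above, as an added example that is not part of the original answer: which DNS records to create (Route 53 alias records anywhere, CNAMEs only off the apex) and whether a server response redirects the browser back to the EC2 hostname. The hostnames and distribution domain are constructed placeholders.

```python
"""Plan DNS records for a CloudFront distribution and detect redirects that leak the
EC2 origin hostname. Added example; the zone, hostnames and distribution domain used
below are constructed, not taken from a real account."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class DnsRecord:
    name: str
    rtype: str     # "A" for a Route 53 alias record, otherwise "CNAME"
    target: str    # the CloudFront distribution hostname
    alias: bool    # True only for Route 53 alias records


def is_apex(hostname: str, zone: str) -> bool:
    """True when hostname is the bare zone name, where a CNAME is not valid."""
    return hostname.rstrip(".").lower() == zone.rstrip(".").lower()


def plan_dns_records(hostnames, zone, cf_domain, route53):
    """Return (records, problems). Route 53 gets alias A records for every name;
    any other DNS provider gets CNAMEs, which cannot be created at the zone apex."""
    records, problems = [], []
    for host in hostnames:
        if route53:
            records.append(DnsRecord(host, "A", cf_domain, alias=True))
        elif is_apex(host, zone):
            problems.append(f"{host}: a CNAME is not valid at the zone apex; "
                            "move DNS to Route 53 and use an alias record")
        else:
            records.append(DnsRecord(host, "CNAME", cf_domain, alias=False))
    return records, problems


def redirect_leaks_origin(response_headers, origin_host):
    """True when a Location header sends the browser back to the EC2 origin hostname,
    which means the web server config still uses the origin name, not your domain."""
    location = {k.lower(): v for k, v in response_headers.items()}.get("location")
    if not location:
        return False
    return urlsplit(location).hostname == origin_host.lower()


if __name__ == "__main__":
    origin = "ec2-52-64-0-0.ap-southeast-2.compute.amazonaws.com"   # constructed
    print(plan_dns_records(["example.com", "www.example.com"], "example.com",
                           "d111111abcdef8.cloudfront.net", route53=False))
    print(redirect_leaks_origin({"Location": f"http://{origin}/login"}, origin))
```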
7

Use the steps below to route ec2-52-64-xxx-xxx.ap-southeast-2.compute.amazonaws.com to d111111abcdef8.cloudfront.net.

Follow the steps below:

  1. Log in to your AWS console and search for CloudFront

  2. Go to CloudFront: Create Distribution (select Web distribution)

  3. Under Origin Settings: select the Origin Domain Name (you can use the Public DNS of your instance, e.g. ec2-52-64-xxx-xxx.ap-southeast-2.compute.amazonaws.com)
  4. Under Default Cache Behavior Settings: select Viewer Protocol Policy: Redirect HTTP to HTTPS
  5. Under Object Caching: choose Customize (keep the default settings for Minimum TTL, Maximum TTL and Default TTL)
  6. Forward Cookies: All
  7. Query String Forwarding and Caching: All
  8. Distribution Settings: select Price Class: Use All Edge Locations (Best Performance)
  9. Alternate Domain Names (CNAMEs): add your domain name if there is any
  10. SSL Certificate: under SSL you can choose the default or your custom certificate, depending on your requirements (choose default)

Note: for a custom SSL certificate, the certificate should be in the us-east-1 region.

It can take 10 to 15 minutes.
Lavande
Anoop Kumar
3

Using an IP address as the Origin gives this error: com.amazonaws.services.cloudfront.model.InvalidArgumentException: The parameter origin name cannot be an IP address. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidArgument;

Even though the AWS documentation says you can use an IP.

Using the Public DNS (IPv4) as the Origin gives '504 error The request could not be satisfied'.
I've had that when the Origin was S3 and S3 had limited permissions. But EC2 has no permissions control; it is public.

  • @ Manly how did you get this issue resolved? – sumanth shetty Feb 18 '21 at 11:36
  • 1
    Use the Public IPv4 DNS name as the Origin. Copy it from the EC2 panel - Instance - Details tab. It looks like ec2-XX-XX-xxx-***compute.amazonaws.com. Make sure it is publicly available (loading in the browser) first. Just pointing at that IP address won't work, contrary to the AWS docs and someone's suggestion above. Interestingly, the EC2 Public IPv4 DNS won't pop up in the Origin edit field as S3 addresses do. – Manly Electronics Jun 18 '21 at 10:00
  • I've had 504 errors when EC2 was not public, for example when the VPC network interfaces and subnets are not configured. That is a different big question though. – Manly Electronics Jun 18 '21 at 10:12
0

Leaving this answer for those who also faced this error:

502 ERROR The request could not be satisfied. CloudFront wasn't able to connect to the origin. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner. If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.

If you are 100% sure that your origin has 443 port opened and the certificate on the origin is valid, you can test your Cloudfront distribution without creating a Route 53 record.

Let's say, you own "mywebiste.com" which is running on your EC2 and your Cloudfront DistributionID is a1b2c3d4e5.

Try this:

curl https://a1b2c3d4e5.cloudfront.net -H 'host: mywebiste.com' -I

That's all about the Host header. It must match the one from your origin SSL certificate.

Tarasovych
  • How did you solve this issue? I have a React app running on EC2, that's all. – sumanth shetty Feb 18 '21 at 11:38
  • I faced this issue and couldn't troubleshoot it. How to solve this issue? – Himal Acharya May 02 '22 at 19:19
  • For those still looking for an answer here, look at the origin settings in CloudFront: if your app or server is not set to run on https/443 then change the CloudFront origin setting to HTTP only, to route all traffic hitting your CloudFront distro to port 80 on your server or app. – diegeelvis_SA Jun 21 '23 at 09:29
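A small linter for the distribution settings this thread trips over, as an added example that is not code from any of the answers: an IP address as origin (Manly's answer), an HTTPS-only origin policy when the EC2 server only listens on port 80 (the 502 above and the last comment), a Host header that is not forwarded (Michael's answer), missing alternate domain names, and a custom certificate outside us-east-1 (Anoop's note). The dict keys are this example's own shorthand, not CloudFront API field names.

```python
"""Check a CloudFront-in-front-of-EC2 configuration for the pitfalls raised in this
thread. Added example; the config dict below is constructed and its keys are this
example's own names, not fields of the CloudFront API."""
import ipaddress


def _is_ip_address(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def lint_distribution(cfg: dict) -> list:
    """Return a list of problems found in cfg; an empty list means no check fired."""
    problems = []
    origin = cfg.get("origin_domain_name", "")
    if _is_ip_address(origin):
        problems.append("origin is an IP address; CloudFront rejects it, use the EC2 public DNS name")
    ports = set(cfg.get("origin_listening_ports", []))
    policy = cfg.get("origin_protocol_policy")
    if policy == "https-only" and 443 not in ports:
        problems.append("origin protocol policy is https-only but the origin has no listener on "
                        "443 (502 from CloudFront); use http-only or serve TLS on the origin")
    if policy == "http-only" and 80 not in ports:
        problems.append("origin protocol policy is http-only but the origin has no listener on 80")
    if "Host" not in {h.title() for h in cfg.get("forwarded_headers", [])}:
        problems.append("Host header is not forwarded; the origin sees the EC2 hostname, not your domain")
    if not cfg.get("alternate_domain_names"):
        problems.append("no alternate domain names; requests for your own hostname are not accepted")
    cert_region = cfg.get("custom_certificate_region")
    if cert_region is not None and cert_region != "us-east-1":
        problems.append(f"custom certificate is in {cert_region}; CloudFront needs it in us-east-1")
    return problems


# Constructed sample: a plain-HTTP EC2 origin behind a distribution that was set up
# with HTTPS-only origin fetches, no Host forwarding and a certificate in the wrong region.
EXAMPLE_CONFIG = {
    "origin_domain_name": "ec2-52-64-0-0.ap-southeast-2.compute.amazonaws.com",
    "origin_listening_ports": [80],
    "origin_protocol_policy": "https-only",
    "forwarded_headers": [],
    "alternate_domain_names": ["www.example.com"],
    "custom_certificate_region": "ap-southeast-2",
}

if __name__ == "__main__":
    for problem in lint_distribution(EXAMPLE_CONFIG):
        print("-", problem)
```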