
I already have a certificate from AWS Certificate Manager (ACM) from when only one region was available (I think the US-West-1 region?), and it is currently being used with CloudFront to host a website for the Australian market.

Now that ACM is available in more regions, would using a certificate created from the Sydney region have any improvements in performance?

n00b

1 Answer


ACM now supports multiple regions, but that doesn't have any implications for certificates for use with CloudFront.

To use an ACM certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.

https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html

The reason for this is that CloudFront, unlike most AWS services, where the regional implementation of the service is independent of all other regions, has all of its provisioning/administrative infrastructure based in us-east-1.

The operational infrastructure is globally distributed and independent, so the centralized management of CloudFront doesn't have performance implications. If you have performance issues, those should be investigated separately.

The announcement of new regions for ACM doesn't apply to CloudFront. It's applicable to the other service integrated with ACM, Elastic Load Balancer, which previously only supported ACM certificates in us-east-1 because that was the only region in which they were available, and ELB regions are fully independent of each other.

Follow-up: This answer was reviewed in May, 2018, two years after it was originally posted, and then again in the summer of 2020. It is still accurate, as written. Certificates for CloudFront (as well as for Edge-Optimized deployments in API Gateway, which have a somewhat hidden dependency on CloudFront) are always provisioned in the us-east-1 region of ACM. There is no compelling reason to expect this to change, as CloudFront's control plane runs in us-east-1.

Michael - sqlbot
  • Interesting. Thanks Michael. For the other services like ELB, would it make any difference in performance whether the certificate was obtained from a particular region? Or is it really just a configuration convenience we gain? – n00b May 18 '16 at 23:14
  • For ELB, there is only one way to use an ACM certificate -- create the certificate in the same region as the load balancer. Until now, ELB could not use ACM certs except in us-east-1, because ACM wasn't in any other region. There's nothing performance related in ACM -- it provisions an SSL certificate for another service (CloudFront or ELB) to use, and it is out of the loop after that, except for annual certificate renewals. ACM does not handle your site's traffic at all. That's handled by the actual service you're using, exactly the same as if you were using a cert from another issuer. – Michael - sqlbot May 19 '16 at 00:51
  • @Michael-sqlbot, would you please consider reviewing this answer, as the last edit was made around 2 years ago? Although you have mentioned the official link already here, it would save some time for future viewers. – Prateek Apr 10 '20 at 06:25
  • @Prateek - it's still the same, as seen here in [AWS Docs](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingNewSubdomain.html#decide-procedure-create-subdomain) – Abdul Vajid Jul 22 '20 at 10:56
  • It also seems worth noting that the cert you use for CloudFront now can't be used for the regions for Load Balancers as you get a certificate not found error when attempting to use for an ALB. This seems like a serious problem IMHO. – PlexQ Oct 16 '20 at 10:23
  • @PlexQ if your balancer isn't in us-east-1, then this is the expected behavior unless I am misinterpreting your comment. CloudFront-accessible certs need to be in the us-east-1 region, and balancers in other regions can't see them, because ACM is a regional service. – Michael - sqlbot Oct 16 '20 at 11:02
  • I will never understand why Amazon can't implement something that will pull your certificate from whichever region it was deployed to into wherever their administrative infrastructure is. Why do customers need to know about Amazon's internal infrastructure quirks and be limited by them? – TeoTN Sep 18 '22 at 14:36
  • Isn't this annoying? If your app is deployed in eu-west-1 with an ALB and it's fronted by AWS CloudFront, you will essentially need to configure 2 separate certs, one in us-east-1 and the other in eu-west-1 – Mandar K Jun 08 '23 at 06:10
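The two-certificate layout the answer describes (and the last comment complains about) is easiest to see in one configuration that provisions both. The Terraform below is an added example, not code from the question, the answer or AWS; the region names, domain names, and the ALB and target-group ARNs passed in as variables are assumptions chosen for illustration. It uses a second, aliased provider pinned to us-east-1 so that only the CloudFront viewer certificate is requested there, while the ALB listener certificate is requested in the load balancer's own region.

```terraform
# Added example, not part of the original question or answer. Region names,
# domain names and the ALB/target-group ARNs are placeholders (assumptions).

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

# Default provider: the region the application and its ALB run in.
provider "aws" {
  region = "eu-west-1"
}

# Aliased provider pinned to us-east-1. CloudFront only reads ACM
# certificates from this region, whatever region the origin is in.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

# An ALB and target group that already exist (assumption for this example).
variable "alb_arn" {
  type = string
}

variable "target_group_arn" {
  type = string
}

# Certificate for the ALB listener: ACM is regional, so it must live in the
# same region as the load balancer (here eu-west-1 via the default provider).
resource "aws_acm_certificate" "alb" {
  domain_name       = "origin.example.com"
  validation_method = "DNS"
}

# Certificate for the CloudFront viewer-facing hostname: requested through
# the us-east-1 provider, because that is the only region CloudFront accepts.
resource "aws_acm_certificate" "cloudfront" {
  provider          = aws.us_east_1
  domain_name       = "www.example.com"
  validation_method = "DNS"
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = var.alb_arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.alb.arn   # the eu-west-1 cert

  default_action {
    type             = "forward"
    target_group_arn = var.target_group_arn
  }
}

# AWS-managed cache policy, looked up by name.
data "aws_cloudfront_cache_policy" "optimized" {
  name = "Managed-CachingOptimized"
}

resource "aws_cloudfront_distribution" "site" {
  enabled = true
  aliases = ["www.example.com"]

  origin {
    domain_name = "origin.example.com"   # hostname that resolves to the ALB
    origin_id   = "alb"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "alb"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = data.aws_cloudfront_cache_policy.optimized.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  # The us-east-1 certificate, never the eu-west-1 one: referencing the ALB
  # certificate here fails, since CloudFront cannot see it.
  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate.cloudfront.arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}
```

Before the listener and the distribution can reference the certificates, each one has to be validated; with DNS validation that means publishing the CNAME records ACM hands back for each certificate (for example with `aws_acm_certificate_validation` and Route 53 records, the CloudFront one again under the `aws.us_east_1` provider). Keeping those validation records in place is also what lets ACM renew both certificates automatically, so the only region-specific thing to remember is where each certificate is requested, not where traffic is served.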