Introducing Amazon CloudFront VPC Origins: enhanced security and simpler application delivery
I'm pleased to announce the launch of Amazon CloudFront Virtual Private Cloud (VPC) origins, a new feature that lets you serve content from applications located in private subnets of your Amazon VPC. This simplifies web application security, so you can focus on growing your business while CloudFront provides high performance and global scale.
When serving content from Amazon Simple Storage Service (Amazon S3), AWS Elemental Services, or AWS Lambda function URLs, Origin Access Control is a managed way to protect your origins and make CloudFront the exclusive front door to your application. Doing the same for applications behind a load balancer or hosted on Amazon Elastic Compute Cloud (Amazon EC2) was harder, because you had to build that protection yourself. That meant combining several tactics, such as maintaining firewall rules, adding logic like header validation, and using access control lists (ACLs), to ensure that the endpoint accepted traffic only from CloudFront.
CloudFront VPC origins removes this undifferentiated effort by providing a managed way to point a CloudFront distribution at EC2 instances, Network Load Balancers (NLBs), or Application Load Balancers (ALBs) inside your private subnets. With minimal configuration, CloudFront becomes the only point of entry for those resources. This also improves performance and can save money, because the resources no longer need public IP addresses.
Configuring a CloudFront VPC origin
CloudFront VPC origins is available at no additional cost to all AWS customers. You can attach it to new or existing CloudFront distributions through the Amazon CloudFront console or the AWS Command Line Interface (AWS CLI). Suppose an ALB fronts a private application running on AWS Fargate for Amazon ECS. Let's create a CloudFront distribution that uses that ALB directly from the private subnet.
To get started, choose the new VPC origins menu item in the CloudFront console.
Creating a new VPC origin is simple, and there are only a few options to set. You can either browse for resources hosted in private subnets or enter the origin ARN directly. Select the desired resource, name your VPC origin, configure a few security parameters, and confirm. Note that at launch the VPC origin resource must be in the same AWS account as the CloudFront distribution; cross-account support is coming.
Once creation completes, your VPC origin is deployed and ready to use. You can check its current status on the VPC origins page.
With only a few clicks, you now have a CloudFront distribution that serves content directly from a resource in a private subnet. After the VPC origin has been created, add it to your distribution by selecting it from the dropdown menu in the distribution settings or by pasting its ARN.
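To verify the "CloudFront is the only entry point" property described above across an existing distribution, the following audit script (an added example, not AWS's own code or tooling) walks a DistributionConfig and flags origins that are still reachable without CloudFront. It assumes the JSON shape returned by `aws cloudfront get-distribution-config` (Origins.Items[] carrying VpcOriginConfig, CustomOriginConfig or S3OriginConfig); the sample config, domain names and VPC origin ID are constructed.

```python
"""Audit a CloudFront DistributionConfig for origins that bypass VPC origins.

Added example, not AWS code. Assumes the JSON shape returned by
`aws cloudfront get-distribution-config`; the sample below is constructed.
"""
import json

# Constructed sample: one VPC origin, one ALB reached over its public DNS
# name, and one S3 origin without origin access control.
SAMPLE_CONFIG = json.dumps({
    "Origins": {"Quantity": 3, "Items": [
        {"Id": "alb-private",
         "DomainName": "internal-app-123.eu-west-1.elb.amazonaws.com",
         "VpcOriginConfig": {"VpcOriginId": "vo_EXAMPLE123"}},
        {"Id": "alb-public",
         "DomainName": "public-app-456.eu-west-1.elb.amazonaws.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}},
        {"Id": "assets", "DomainName": "assets.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""},
         "OriginAccessControlId": ""},
    ]},
})


def audit_origins(config_json: str) -> list[dict]:
    """Return one finding per origin that is reachable without CloudFront."""
    findings = []
    for origin in json.loads(config_json)["Origins"]["Items"]:
        oid, domain = origin["Id"], origin["DomainName"]
        if "VpcOriginConfig" in origin:
            continue  # private-subnet resource: CloudFront is the only entry
        if "S3OriginConfig" in origin:
            if not origin.get("OriginAccessControlId"):
                findings.append({"id": oid,
                                 "issue": "S3 origin without origin access control"})
            continue
        custom = origin.get("CustomOriginConfig", {})
        issue = "custom origin on a public endpoint; consider a VPC origin"
        if ".elb.amazonaws.com" in domain:
            issue = "load balancer exposed via public DNS; migrate to a VPC origin"
        if custom.get("OriginProtocolPolicy") != "https-only":
            issue += " (origin protocol is not https-only)"
        findings.append({"id": oid, "issue": issue})
    return findings


if __name__ == "__main__":
    for finding in audit_origins(SAMPLE_CONFIG):
        print(f"{finding['id']}: {finding['issue']}")
```

Pipe the output of `aws cloudfront get-distribution-config --id <DISTRIBUTION_ID>` (the `DistributionConfig` member) into `audit_origins` to run it against a real distribution.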
Remember that you should still layer your application's defenses: use AWS WAF to protect against web vulnerabilities, AWS Shield for managed DDoS protection, and other services as needed for full-spectrum protection.