Specify ALB as the origin of CloudFront
The following pages cover the basics of CloudFront.
In the above page, the CloudFront origin server was an EC2 instance.
This page introduces a configuration in which ALB is specified as the CloudFront origin.
Environment
Create an ALB.
Place two EC2 instances in the target group.
The EC2 instance’s operating system is the latest version of Amazon Linux 2.
In both instances, Apache is installed and runs as a web server.
Create a CloudFront distribution.
Specify ALB as the origin server.
CloudFormation template files
The above configuration is built with CloudFormation.
The CloudFormation template files are located at the following URL:
https://github.com/awstut-an-r/awstut-saa/tree/main/02/011
Explanation of key points of template files
(Reference) EC2
Resources:
  Instance1:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: !Ref InstanceType
      NetworkInterfaces:
        - DeviceIndex: 0
          SubnetId: !Ref PrivateSubnet1
          GroupSet:
            - !Ref InstanceSecurityGroup
      UserData: !Ref UserData
Define two instances.
Only instance 1 is shown here, since both have exactly the same settings.
Define the initialization process for the instance using the user data.
#!/bin/bash -xe
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
ec2-metadata -i > /var/www/html/index.html
Install Apache, then write the instance ID to the index file and place it in the document root.
For more information on user data, please see the following page.
(Reference) ALB
Resources:
  ALB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Sub "${Prefix}-ALB"
      Scheme: internet-facing
      SecurityGroups:
        - !Ref ALBSecurityGroup
      Subnets:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
      Type: application

  ALBTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VPC
      Name: !Sub "${Prefix}-ALBTargetGroup"
      Protocol: HTTP
      Port: !Ref HTTPPort
      HealthCheckProtocol: HTTP
      HealthCheckPath: /
      HealthCheckPort: traffic-port
      HealthyThresholdCount: !Ref HealthyThresholdCount
      UnhealthyThresholdCount: !Ref UnhealthyThresholdCount
      HealthCheckTimeoutSeconds: !Ref HealthCheckTimeoutSeconds
      HealthCheckIntervalSeconds: !Ref HealthCheckIntervalSeconds
      Matcher:
        HttpCode: !Ref HttpCode
      Targets:
        - Id: !Ref Instance1
        - Id: !Ref Instance2

  ALBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - TargetGroupArn: !Ref ALBTargetGroup
          Type: forward
      LoadBalancerArn: !Ref ALB
      Port: !Ref HTTPPort
      Protocol: HTTP
Register the two EC2 instances described above as targets in the ALB target group.
For more information on ALB, please see the following pages.
CloudFront
Resources:
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
          CachedMethods:
            - GET
            - HEAD
          Compress: true
          ForwardedValues:
            Cookies:
              Forward: none
            QueryString: false
          TargetOriginId: !Ref ALBDNSName
          ViewerProtocolPolicy: allow-all
          DefaultTTL: !Ref CacheTTL
          MaxTTL: !Ref CacheTTL
          MinTTL: !Ref CacheTTL
        Enabled: true
        Origins:
          - CustomOriginConfig:
              OriginProtocolPolicy: http-only
            DomainName: !Ref ALBDNSName
            Id: !Ref ALBDNSName
        PriceClass: PriceClass_All
Define the CloudFront distribution.
For basic information on CloudFront, please refer to the following pages.
The key point is the setting regarding the origin.
Specify the DNS name of the aforementioned ALB in the DomainName property.
The TTL of the cache is set to 0.
With no caching, each request reaches the origin, so access to the instances under the ALB can be checked immediately.
Architecting
Use CloudFormation to build this environment and check its actual behavior.
Create CloudFormation stacks and check the resources in the stack
Create CloudFormation stacks.
For information on how to create stacks and check each stack, please see the following page.
After reviewing the resources in each stack, the main resources created in this case are as follows:
- Instance 1: i-02cd16bf6c9c34cdc
- Instance 2: i-0672f0350d8976a57
- DNS name for ALB: saa-02-011-ALB-570513604.ap-northeast-1.elb.amazonaws.com
- DNS name of CloudFront distribution: dl2r8lkbxkxkr.cloudfront.net
Also check the status of resource creation in the AWS Management Console.
Check ALB.
The ALB is successfully created.
If you look at the target group of the ALB, you will see that two instances have been registered.
Check CloudFront.
The CloudFront distribution has been successfully created.
The aforementioned ALB is specified as the origin of the distribution.
Operation Check
Now that you are ready, access CloudFront.
$ curl https://dl2r8lkbxkxkr.cloudfront.net
instance-id: i-0672f0350d8976a57
$ curl https://dl2r8lkbxkxkr.cloudfront.net
instance-id: i-02cd16bf6c9c34cdc
A response is returned.
Both instances under the ALB are accessible through CloudFront.
Incidentally, you can also access the ALB directly.
$ curl http://saa-02-011-ALB-570513604.ap-northeast-1.elb.amazonaws.com
instance-id: i-02cd16bf6c9c34cdc
$ curl http://saa-02-011-ALB-570513604.ap-northeast-1.elb.amazonaws.com
instance-id: i-0672f0350d8976a57
This means that specifying the ALB as the CloudFront origin does not by itself restrict access to the ALB: because the ALB is internet-facing, it can still be reached directly, bypassing CloudFront.
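One way to close the direct path observed above, shown as an added example that is not part of the original templates: limit the ALB security group to CloudFront's origin-facing addresses, and forward only requests carrying a secret header that the distribution adds, since the prefix list alone admits any CloudFront distribution. The parameters CloudFrontPrefixListId and OriginVerifyValue, the header name X-Origin-Verify, and the ALBSecurityGroup body are assumptions; the other names are the ones used in the templates above.

```yaml
# Added example, not from the original templates.
# Assumed (hypothetical) parameters: CloudFrontPrefixListId, OriginVerifyValue.
Parameters:
  CloudFrontPrefixListId:   # ID of the AWS-managed prefix list
    Type: String            # com.amazonaws.global.cloudfront.origin-facing in the ALB's region
  OriginVerifyValue:        # shared secret; pass the same value to the CloudFront stack
    Type: String
    NoEcho: true
Resources:
  ALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTP from CloudFront origin-facing addresses only
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref HTTPPort
          ToPort: !Ref HTTPPort
          SourcePrefixListId: !Ref CloudFrontPrefixListId  # the only ingress source
  ALBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ALB
      Port: !Ref HTTPPort
      Protocol: HTTP
      DefaultActions:       # requests without the expected header are rejected
        - Type: fixed-response
          FixedResponseConfig:
            StatusCode: "403"
            ContentType: text/plain
            MessageBody: Forbidden
  ALBListenerRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref ALBListener
      Priority: 1
      Conditions:
        - Field: http-header
          HttpHeaderConfig:
            HttpHeaderName: X-Origin-Verify   # assumed header name
            Values:
              - !Ref OriginVerifyValue
      Actions:
        - Type: forward
          TargetGroupArn: !Ref ALBTargetGroup
# CloudFront stack, added to the existing entry under Origins:
#   OriginCustomHeaders:
#     - HeaderName: X-Origin-Verify
#       HeaderValue: !Ref OriginVerifyValue
```

With OriginProtocolPolicy set to http-only as in the template above, the header value travels to the ALB unencrypted; an HTTPS listener on the ALB and an HTTPS origin protocol policy protect it in transit.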
Summary
We have shown you how to specify ALB as the origin of CloudFront.