Why does the HTTPS connection between my CloudFront distribution and load balancer fail?

2 minute read

I have HTTPS and HTTP listeners configured on my Classic Load Balancer or Application Load Balancer as the origin for my Amazon CloudFront distribution. The HTTPS communication between CloudFront and my load balancer fails. I want to resolve the HTTPS communication issues.


The HTTPS communication failure might be caused by issues with the associated SSL certificate, security groups, or network access control list (ACL). Be sure that your distribution and load balancer meet the following security requirements:

Note: Application Load Balancers support multiple TLS certificates with smart selection using Server Name Indication (SNI). If your CloudFront distribution caches based on the host header, then verify that the Application Load Balancer has a TLS certificate configured with the same name. Otherwise, the Application Load Balancer offers its default certificate, which might not match the SNI associated with the ClientHello message from CloudFront.

Related information

Requiring HTTPS for communication between CloudFront and your custom origin

AWS OFFICIALUpdated a year ago

Please, document how to do this using cloudformation template

The network ACLs associated with your load balancer's Amazon Virtual Private Cloud (Amazon VPC) must allow traffic from CloudFront on HTTPS ports (typically port 443).

replied 19 days ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
replied 16 days ago