
OriginDnsError from CloudFront VPC Origin when WebSocket is used

3

I have migrated from an Internet-facing Application Load Balancer to an internal Application Load Balancer + CloudFront VPC origin. My issue is that average HTTP requests are working, but I am getting a “WebSocket connection to <path> failed” error. I have set up CloudWatch logging on the CloudFront distribution, and found that OriginDnsError is raised when the wss protocol is requested by the web browser. Following are two log entries from CloudWatch, one for each case:

OK

{
    "date": "2025-02-13",
    "time": "07:07:43",
    "x-edge-location": "ICN55-C1",
    "sc-bytes": "574",
    "c-ip": "59.6.104.201",
    "cs-method": "POST",
    "cs(Host)": "d2qabfmghnmh9l.cloudfront.net",
    "cs-uri-stem": "/spawn",
    "sc-status": "200",
    "cs(Referer)": "https://d33pxtdicwnfxx.cloudfront.net/",
    "cs(User-Agent)": "Mozilla/5.0%20(X11;%20CrOS%20x86_64%2014541.0.0)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/133.0.0.0%20Safari/537.36",
    "cs-uri-query": "-",
    "cs(Cookie)": "-",
    "x-edge-result-type": "Miss",
    "x-edge-request-id": "djV7P-KgL73i4-YqasGCTagrf59IByNlin3F2kC68QnktFi0-tabiA==",
    "x-host-header": "d2qabfmghnmh9l.cloudfront.net",
    "cs-protocol": "https",
    "cs-bytes": "1082",
    "time-taken": "0.365",
    "x-forwarded-for": "-",
    "ssl-protocol": "TLSv1.3",
    "ssl-cipher": "TLS_AES_128_GCM_SHA256",
    "x-edge-response-result-type": "Miss",
    "cs-protocol-version": "HTTP/2.0",
    "fle-status": "-",
    "fle-encrypted-fields": "-",
    "c-port": "55028",
    "time-to-first-byte": "0.365",
    "x-edge-detailed-result-type": "Miss",
    "sc-content-type": "text/plain",
    "sc-content-len": "-",
    "sc-range-start": "-",
    "sc-range-end": "-",
    "timestamp(ms)": "1739430463775",
    "origin-fbl": "0.320",
    "origin-lbl": "0.320",
    "asn": "4766",
    "c-country": "KR",
    "cache-behavior-path-pattern": "*"
}

OriginDnsError on wss

{
    "date": "2025-02-13",
    "time": "07:05:42",
    "x-edge-location": "ICN55-C1",
    "sc-bytes": "1308",
    "c-ip": "59.6.104.201",
    "cs-method": "GET",
    "cs(Host)": "d2qabfmghnmh9l.cloudfront.net",
    "cs-uri-stem": "/ttyd/ws",
    "sc-status": "502",
    "cs(Referer)": "-",
    "cs(User-Agent)": "Mozilla/5.0%20(X11;%20CrOS%20x86_64%2014541.0.0)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/133.0.0.0%20Safari/537.36",
    "cs-uri-query": "user_id=27c4da48-d0e1-704d-65bb-7ff9c3492284&token=40aad847ec4e423d8b9d2124b048130e",
    "cs(Cookie)": "-",
    "x-edge-result-type": "Error",
    "x-edge-request-id": "C6-i5QL5pD4W0VvXs63sc927HHjxIksnm3bsgZXQxCLTb94xY_EOEw==",
    "x-host-header": "d2qabfmghnmh9l.cloudfront.net",
    "cs-protocol": "wss",
    "cs-bytes": "644",
    "time-taken": "0.005",
    "x-forwarded-for": "-",
    "ssl-protocol": "TLSv1.3",
    "ssl-cipher": "TLS_AES_128_GCM_SHA256",
    "x-edge-response-result-type": "Error",
    "cs-protocol-version": "HTTP/1.1",
    "fle-status": "-",
    "fle-encrypted-fields": "-",
    "c-port": "60768",
    "time-to-first-byte": "0.005",
    "x-edge-detailed-result-type": "OriginDnsError",
    "sc-content-type": "text/html",
    "sc-content-len": "960",
    "sc-range-start": "-",
    "sc-range-end": "-",
    "timestamp(ms)": "1739430342146",
    "origin-fbl": "-",
    "origin-lbl": "-",
    "asn": "4766",
    "c-country": "KR",
    "cache-behavior-path-pattern": "*"
}

My CloudFront origin conf: [screenshot of the CloudFront origin configuration]

I am wondering if this is a bug on the CloudFront side, since VPC origin is a new feature, or whether I misconfigured something. OriginDnsError is the last thing I would expect when I am requesting the same origin, just over two different protocols. Thank you.
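The two log entries above differ only in cs-protocol, x-edge-detailed-result-type and origin-fbl. The following triage script is an added example (not from the question or from AWS) that parses CloudFront standard-log JSON lines, groups detailed result types per client protocol and flags WebSocket upgrades that errored before any byte came back from the origin; the sample lines are constructed from the two entries in the post, trimmed to the fields the triage needs.

```python
import json
from collections import Counter, defaultdict

# Constructed sample: the two log entries from the question, trimmed to the triage fields.
SAMPLE_LOG_LINES = [
    json.dumps({"cs-uri-stem": "/spawn", "sc-status": "200", "cs-protocol": "https",
                "x-edge-result-type": "Miss", "x-edge-detailed-result-type": "Miss",
                "x-edge-request-id": "djV7P-KgL73i4-YqasGCTagrf59IByNlin3F2kC68QnktFi0-tabiA==",
                "origin-fbl": "0.320"}),
    json.dumps({"cs-uri-stem": "/ttyd/ws", "sc-status": "502", "cs-protocol": "wss",
                "x-edge-result-type": "Error", "x-edge-detailed-result-type": "OriginDnsError",
                "x-edge-request-id": "C6-i5QL5pD4W0VvXs63sc927HHjxIksnm3bsgZXQxCLTb94xY_EOEw==",
                "origin-fbl": "-"}),
]
WEBSOCKET_PROTOCOLS = {"ws", "wss"}

def parse_entries(lines):
    """Parse one JSON object per line, skipping malformed lines instead of aborting."""
    entries = []
    for line in lines:
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries

def result_breakdown(entries):
    """Count x-edge-detailed-result-type per client protocol (https vs wss)."""
    breakdown = defaultdict(Counter)
    for e in entries:
        breakdown[e.get("cs-protocol", "-")][e.get("x-edge-detailed-result-type", "-")] += 1
    return {proto: dict(counts) for proto, counts in breakdown.items()}

def websocket_origin_failures(entries):
    """Request IDs of WebSocket upgrades CloudFront never got to the origin:
    OriginDnsError together with origin-fbl '-' (no first byte from origin)."""
    return [e["x-edge-request-id"] for e in entries
            if e.get("cs-protocol") in WEBSOCKET_PROTOCOLS
            and e.get("x-edge-detailed-result-type") == "OriginDnsError"
            and e.get("origin-fbl", "-") == "-"]

def websocket_only_failure(entries):
    """True when every WebSocket request errored while all other traffic succeeded,
    the split that points at the origin type rather than the ALB or VPC DNS settings."""
    ws = [e for e in entries if e.get("cs-protocol") in WEBSOCKET_PROTOCOLS]
    rest = [e for e in entries if e.get("cs-protocol") not in WEBSOCKET_PROTOCOLS]
    return (bool(ws) and bool(rest)
            and all(e.get("x-edge-result-type") == "Error" for e in ws)
            and all(e.get("x-edge-result-type") != "Error" for e in rest))
```

Run it over a real log export by replacing SAMPLE_LOG_LINES with the file's lines; a breakdown where only wss carries OriginDnsError, with origin-fbl empty, is the signature that the edge never opened a connection to the origin for the upgrade.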

  • Also have the same problem with VPC origin + ALB + Websocket. Tried a variety of configurations, no luck.

  • Same problem with VPC origin + WebSocket.

  • Same here with CloudFront + VPC origin + Private ALB with websocket, giving OriginDnsError. Works fine with other HTTP requests (no websocket). Also, using a VPN to access the private ALB directly to bypass CloudFront, then websocket works.

  • Having the same issue: currently the only available solution is to convert our ALB from internal to internet-facing, and rollback CloudFront to classic ELB Origin instead of CloudFront VPC Origin...

  • Ok, to follow up. I have received confirmation from AWS that CloudFront simply does not support WebSockets + VPC origins at the moment. This is also stated in the docs here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.html#vpc-origin-prerequisites

1 Answer
-1

Based on the information provided, it appears that you're experiencing an issue with WebSocket connections through CloudFront to your internal Application Load Balancer (ALB) using a VPC origin. The OriginDnsError you're seeing for WebSocket (wss) requests suggests that CloudFront is having trouble resolving the DNS for your origin when handling WebSocket connections.

This issue is likely not a bug in CloudFront, but rather a configuration problem. Here are a few things to check and consider:

  1. Ensure that your CloudFront distribution is properly configured to handle WebSocket connections. This includes:

    • Setting the "Allowed HTTP Methods" to include all methods (especially GET and OPTIONS for WebSocket handshake)
    • Configuring the distribution to forward all headers to the origin
    • Setting appropriate timeout values for origin response and connection
  2. Verify that your VPC origin configuration in CloudFront is correct:

    • The VPC ID, subnet IDs, and security group IDs should be accurately specified
    • The origin domain name should be set to your internal ALB's DNS name
  3. Check that your internal ALB is properly configured to handle WebSocket connections:

    • Ensure that the appropriate target group is set up for WebSocket traffic
    • Verify that the security groups allow the necessary inbound traffic from CloudFront
  4. Review your VPC DNS settings:

    • Make sure DNS hostnames and DNS resolution are enabled for your VPC
    • Check if there are any custom DNS settings that might interfere with name resolution
  5. Examine your ALB and target group health checks to ensure they're passing and that the targets are healthy

  6. Consider using CloudFront's origin shield feature, which can help with origin connection issues in some cases

  7. Review your WebSocket application code to ensure it's properly handling the connection and any potential errors

If after checking these items the issue persists, you may want to engage AWS support for further investigation, as there could be subtle networking or configuration issues that are difficult to diagnose without deeper access to the infrastructure.

Remember that while regular HTTP requests are working, WebSocket connections have different requirements and may be more sensitive to certain configuration issues. The fact that you're seeing an OriginDnsError specifically for WebSocket connections suggests that there might be a problem with how CloudFront is attempting to establish these connections to your internal ALB.
Sources
Requests can't be served when sending requests to cloudfront alternate domain name | AWS re:Post
502 errors while accessing CloudFront distribution that's connected to a load balancer | AWS re:Post
Use real-time logs - Amazon CloudFront
Standard logging reference - Amazon CloudFront

answered 10 months ago
EXPERT
reviewed 10 months ago
  • Most of this answer isn't relevant given that the question specifies that typical HTTP requests are working.

  • Facing a similar issue, the above answer doesn't help
