Is there a way to not have 2 CloudFront Distributions for the 1 website (www & base domains)


Fundamentally this is about www and base domain routing; it involves S3, CloudFront, WAF ACLs, Route 53, and certs, which are all connected (certs are no issue yet).

Requirement: Have a dynamic, API-connected website hosted primarily on S3 with traffic coming in via Route 53 & CloudFront. Both the www subdomain and the base domain should go to either www or the base domain (I don't care which, but it must be one or the other; I prefer the base domain, www is ugly).

I have this working technically with a bucket each for the www and the base domain, one of them redirecting; both have a CloudFront distribution each, and both CloudFront distributions have an A record each.

This means I get billed twice for each Web ACL WAF rule: AWS-AWSManagedRulesAmazonIpReputationList, AWS-AWSManagedRulesCommonRuleSet, AWS-AWSManagedRulesKnownBadInputsRuleSet. I do not want to be double billed for every rule I create just because I have to have 2 CloudFront distributions because of www and base domain; that is stupid.

How can I configure this situation so that I can turn off the duplicate rules on one of the CloudFront instances, or have only one CloudFront instance?

Here is my technical setup for clarity (this works but is not ideal from a $$$ perspective):

Route 53                CloudFront Dist    S3
A record --> d1wxyz     --> 1.             1. Hosting type: Redirect request (at www)
A record --> d21xyz     --> 2.             2. Public, stores assets

What I have tried: 1x S3, 1x CloudFront dist, 1x A record, 1x CNAME. This works, except I then essentially have 2 domains running instead of the 1 domain, which is also not ideal. I considered an .htaccess rule, but that seemingly is not an option. I tried a URL rewrite CloudFront JS function (denied due to a CloudFront error refusing to rewrite the HOST).

Is there a way I can have the WAF ACL rules only once, or not have the second CloudFront distribution at all?

I have seen this answer, but it does not solve the underlying issue of double billing.

Hopefully I have properly expressed both the X Problem and the Y Problem too.

1 Answer

In general, I see two options to solve this:

  • Use multiple domains on one CloudFront distribution
  • Define one domain as the "main domain", and redirect the other to this one

Using multiple domains on one distribution requires the setup of CNAMEs; you can find a short HOWTO here.

The second option will return an HTTP 301 whenever a request on the secondary domain is received. You can do this on S3, or with an Edge function (which is probably easier to achieve). You can find details about this solution here.

In general, I recommend not setting up two distributions. As you have mentioned, it has a cost impact, but more importantly it will double your maintenance work, which is not optimal.

The links provided assume that you are hosting a website, which then makes use of the dynamic API. In that case, redirecting works smoothly. If you have an API only, redirecting will be more difficult since RESTful APIs in general don't support this type of redirects. For API only setups, I recommend configuring the target domain directly within your application (please note that you might need CORS settings in this case, i.e. when your application is served from one domain and uses an API endpoint on another domain).

AWS
answered a year ago
  • I have already done the multiple domains on a single distribution. This of course works, but ends up as 2 separate domains, which is not ideal. I have tried an edge function in CloudFront, but it does not allow URL rewrite.

    I am just looking for an obvious piece of documentation that explains this; I find it strange that AWS does not consider this a scenario and have it as part of the setup process. Support agents offered different advice from yours: they said I need 2 CloudFronts, which is actually what it looks like based on the limitations of the tech stack.

  • If you follow the link provided by Michael above to set up a single distribution to cover both domain names, you could then use a CloudFront Function to redirect requests based on the Host header, e.g. if the Host header includes www, send a 301 response to redirect them to the domain apex. Make sure to append the URI to the redirect. There's an example here that you could use as a starting point:

  • Exactly, thank you Paul. Rewriting the URL in the request does not solve the issue here, because the client would still use the old / original URL in subsequent requests. You want to tell the client the correct domain, not the origin.

    If a request arrives on the www-domain, use the edge function to directly send a response without passing the request to the CloudFront origin. The HTTP 301 instructs the browser to send the request to the non-www domain.

    If you haven't hard-coded the target domain in the application, the browser should then use the non-www domain for all subsequent requests.
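The approach the comments describe, as an added example (not code from the original post, from the answerer, or from AWS): a CloudFront Function attached to the viewer-request event of the single distribution that answers any request for the www name with a 301 to the apex domain, keeping the path and the query string, and lets requests that already arrive on the apex domain pass through to the S3 origin unchanged. The domain names example.com and www.example.com are assumptions; the distribution is assumed to list both as alternate domain names (CNAMEs) with a certificate covering both, as in the linked HOWTO. The function is written in the ES5-style subset both cloudfront-js runtimes accept, so the same file runs under Node for local checks.

```javascript
// Added example: CloudFront Function (viewer-request) that redirects
// www.<apex> to <apex> with a 301, preserving path and query string.
// Assumed names, not taken from the original post:
var APEX_DOMAIN = 'example.com';
var WWW_DOMAIN = 'www.' + APEX_DOMAIN;

// Rebuild the query string from the CloudFront event's querystring object,
// which maps each key to {value: ...} or {multiValue: [{value: ...}, ...]}.
// Keys and values are joined exactly as CloudFront supplies them.
function buildQueryString(querystring) {
    var parts = [];
    for (var key in querystring) {
        if (!Object.prototype.hasOwnProperty.call(querystring, key)) continue;
        var entry = querystring[key];
        var values = entry.multiValue
            ? entry.multiValue.map(function (v) { return v.value; })
            : [entry.value];
        for (var i = 0; i < values.length; i++) {
            parts.push(key + '=' + values[i]);
        }
    }
    return parts.length ? '?' + parts.join('&') : '';
}

// Entry point: CloudFront calls handler(event) for every viewer request.
function handler(event) {
    var request = event.request;
    var hostHeader = request.headers.host ? request.headers.host.value : '';
    var host = hostHeader.toLowerCase();   // hostnames are case-insensitive

    // Only the secondary (www) domain is redirected. Requests on the apex
    // domain (or on the distribution's own *.cloudfront.net name) are
    // returned as-is and continue to the origin.
    if (host !== WWW_DOMAIN) {
        return request;
    }

    var location = 'https://' + APEX_DOMAIN + request.uri +
        buildQueryString(request.querystring);

    // Returning a response object here short-circuits the request: it never
    // reaches S3, and the 301 tells the browser (and crawlers) to use the
    // apex domain for this and all subsequent requests.
    return {
        statusCode: 301,
        statusDescription: 'Moved Permanently',
        headers: {
            location: { value: location },
            'cache-control': { value: 'max-age=3600' }
        }
    };
}
```

After associating the function with the distribution's default behavior as a viewer-request function, check it from outside with `curl -sI 'https://www.example.com/about/?a=1'` and confirm a `301` with `location: https://example.com/about/?a=1`, then repeat against the apex name and confirm a `200` served from the bucket. Because the redirect is decided in the function, a single Web ACL on that one distribution covers both hostnames.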
