How can I avoid excessive numbers of CloudFront distributions?

5

Hello. I control hundreds of domains that I need to all point to the same API Gateway. That Gateway forwards requests to a Lambda function which receives the "Host" field from the HTTP header and serves content specific to the requested domain.

I also have the following requirements:

  1. Must be able to serve content over HTTPS
  2. Must redirect HTTP to HTTPS
  3. SSL certificates cannot contain Subject Alternative Names, as the certificates are owned by different parties.

I tried adding multiple domains to API Gateway, however it doesn't satisfy requirement #2 above as API Gateway won't accept HTTP connections and so I can't redirect HTTP to HTTPS.

The only solution I was able to come up with without resorting to building my own proxy server in EC2 was to create a CloudFront distribution that forwards requests to API Gateway. This solution works well, satisfies all requirements, and I like the added bonus of a CDN; however, it forces me to create one CloudFront distribution per domain due to requirement #3 above.

AWS imposes a limit of 200 CloudFront distributions per account, and this would not be enough for the number of domains I control. I could apply for a higher limit, but it just feels like the wrong approach, and having hundreds or thousands of CloudFront distributions feels like excessive complexity for such a simple need to have multiple domains resolve to a single endpoint.

Is there a "serverless" solution to my needs?

  • I'm in the same boat. Hope this question is getting some traction. I'm currently using a CloudFront distribution per client but it seems wrong. I can only think of a solution outside AWS using a custom EC2 instance with a proxy (e.g. Traefik) which serves content based on HTTP header.

  • I would also be really interested in this question since I'm facing a similar solution. Is there a maximum number of CloudFront distributions available? Are there examples of really big SaaS that have built this on AWS?

  • I'm in a similar situation and decided to create a CloudFront distribution for each domain. It's been a while since you posted this question. Did you end up going with the route you described? Did you run into any issues?

4 Answers
1

In the same situation. Gave you a thumbs up in hopes of having this answered. Best I can think of is a single distribution per client. It doesn't seem to add cost. Just does feel wrong. Also I am going to provision many in advance to save time when assigning dynamically. Following this. Please update if you figure something out 🙏❤️🌱

sven
answered a year ago
0

One possible solution to your requirements is to use AWS Lambda@Edge with CloudFront. Lambda@Edge allows you to run serverless functions in response to CloudFront events, such as when a viewer requests content from your CloudFront distribution.

You can create a single CloudFront distribution for all of your domains and configure it to route requests to your Lambda@Edge function. The Lambda function can then inspect the "Host" header in the HTTP request and dynamically determine which content to serve based on the requested domain.

To satisfy your HTTPS and HTTP redirection requirements, you can configure your CloudFront distribution to use an SSL certificate that does not contain Subject Alternative Names. You can then use CloudFront's built-in HTTP to HTTPS redirection feature to redirect HTTP requests to HTTPS.

Here is a high-level overview of the steps involved:

  1. Create a Lambda function that inspects the "Host" header in the HTTP request and determines which content to serve.

  2. Create a CloudFront distribution and configure it to use the Lambda function as a trigger for viewer request events.

  3. Configure your CloudFront distribution to use an SSL certificate that does not contain Subject Alternative Names.

  4. Enable HTTP to HTTPS redirection in your CloudFront distribution.

With this approach, you can serve multiple domains from a single CloudFront distribution, without the need for multiple CloudFront distributions or a proxy server in EC2. Additionally, the serverless nature of Lambda@Edge allows you to scale your solution automatically and only pay for the resources you actually use.

Yasser
answered a year ago
  • Thank you Yasser. I appreciate you trying out ChatGPT to answer my question, however it doesn't provide a suitable solution in this case.

  • Working within the confines of CloudFront, I think your only option is to create multiple distributions. I agree that this isn't ideal, for the reasons you shared, but here are a few ideas that can hopefully make it more manageable.

    1. For the Lambda function, consider making a single function that all distributions can use. This will make controlling that logic easier, since you only need to write a single function. It should also reduce Lambda cold starts since the function will be invoked regularly by all distributions.
    2. Store everything in a CloudFormation template to make spinning a site up/down easy and consistent.

    Perhaps a future release will make this easier, or solve it altogether.
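The answer above and the follow-up comment both describe the same thing: one Lambda@Edge viewer-request function, shared by every distribution, that dispatches on the Host header. The following is an added example written for this page, not code from the thread or from AWS. It assumes the standard Lambda@Edge viewer-request event shape; the tenant table, hostnames and the `X-Tenant-Id` header name are constructed sample data. It also shows the check a practitioner wants here: the Host header is viewer-controlled, so it is normalised and matched against a known table, and an unknown host is refused instead of being used to build a path.

```javascript
'use strict';
// Added example (not from the thread): a single Lambda@Edge viewer-request
// handler that serves many domains by dispatching on the Host header.
// ASSUMPTIONS: the tenant table below is constructed sample data, and the
// event shape is the standard Lambda@Edge viewer-request record.

// Constructed sample tenant table: normalised hostname -> tenant config.
// In a real deployment this would come from S3/DynamoDB or the deploy step.
const TENANTS = {
  'example.com':     { id: 'acme',   originPath: '/acme' },
  'www.example.com': { id: 'acme',   originPath: '/acme' },
  'example.org':     { id: 'globex', originPath: '/globex' },
};

// Read a single-valued header from the Lambda@Edge headers map, whose shape
// is { lowercased-name: [{ key, value }, ...] }.
function header(headers, name) {
  const h = headers && headers[name.toLowerCase()];
  return h && h.length ? h[0].value : undefined;
}

// Normalise a Host value: lowercase, strip an explicit port, and accept only
// a plain dotted hostname. Host is viewer-controlled, so it is never used as
// a path component or lookup key without this validation.
function normaliseHost(raw) {
  if (typeof raw !== 'string') return null;
  const host = raw.trim().toLowerCase().replace(/:\d+$/, '');
  const label = '[a-z0-9]([a-z0-9-]*[a-z0-9])?';
  return new RegExp('^' + label + '(\\.' + label + ')+$').test(host) ? host : null;
}

// Look up the tenant for a raw Host value; null when unknown or malformed.
function resolveTenant(rawHost) {
  const host = normaliseHost(rawHost);
  return host && Object.prototype.hasOwnProperty.call(TENANTS, host)
    ? TENANTS[host]
    : null;
}

// Core routing step, kept synchronous so it can be exercised directly.
// Known host: prefix the URI with the tenant's origin path and tag the
// request with the validated tenant id. Unknown host: 404, rather than
// falling through to some default tenant's content.
function route(request) {
  const tenant = resolveTenant(header(request.headers, 'host'));
  if (!tenant) {
    return {
      status: '404',
      statusDescription: 'Not Found',
      headers: { 'content-type': [{ key: 'Content-Type', value: 'text/plain' }] },
      body: 'unknown host',
    };
  }
  request.uri = tenant.originPath + request.uri;
  request.headers['x-tenant-id'] = [{ key: 'X-Tenant-Id', value: tenant.id }];
  return request;
}

// Lambda@Edge entry point (viewer-request trigger).
async function handler(event) {
  return route(event.Records[0].cf.request);
}

module.exports = { handler, route, resolveTenant, normaliseHost };
```

Because the function contains no per-distribution state, the same deployed version can be attached to every distribution, as the comment above suggests. CloudFront will only route a request to a distribution whose alternate domain names match the Host header, but the table lookup is still what decides which content is served, so keep it the single source of truth.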

0

A redirection of a POST request from HTTP to HTTPS is actually a little bit pointless -- the data has already been sent insecurely by the time the redirect is generated, unless the client has asked the server to inspect the request headers before the body is sent, with Expect: 100-continue.

Bottom line: don't support HTTP rather than trying to cater for "if" cases. I wouldn't even allow point 2 as a requirement.

(Not written with ChatGPT :-) )

EXPERT
answered a year ago
  • Thanks for your reply Gary. I definitely agree with you when it comes to POST requests. In this particular case API Gateway is configured to only serve GET requests as it's basically an informational web page that is being served up.
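The point made in the answer above translates into a concrete rule for any HTTP-to-HTTPS redirect: redirect only body-less methods, and refuse anything that arrived with a body over plain HTTP, since that body has already crossed the wire in the clear. The following is an added example written for this page, not code from the thread or from AWS. It assumes a Lambda@Edge viewer-request event and assumes the viewer's scheme is visible in a `cloudfront-forwarded-proto` header at that stage; if your deployment exposes the scheme differently, substitute that source. An absent or unrecognised scheme is treated as plain HTTP so the check fails closed.

```javascript
'use strict';
// Added example (not from the thread): enforce HTTPS at the edge, redirecting
// only GET/HEAD and refusing other methods sent over plain HTTP.
// ASSUMPTION: the viewer scheme is read from 'cloudfront-forwarded-proto';
// if that header is missing, the request is treated as plain HTTP.

const SAFE_METHODS = new Set(['GET', 'HEAD']);

function header(headers, name) {
  const h = headers && headers[name.toLowerCase()];
  return h && h.length ? h[0].value : undefined;
}

// Absolute https:// URL for the viewer to retry, preserving the query string.
// Host is taken from the request; CloudFront only delivers requests whose Host
// matches one of the distribution's alternate domain names, so this does not
// become an open redirect to arbitrary hosts.
function httpsLocation(request) {
  const host = header(request.headers, 'host');
  const qs = request.querystring ? '?' + request.querystring : '';
  return 'https://' + host + request.uri + qs;
}

// Returns the request unchanged when it is already HTTPS, a 301 for safe
// methods over HTTP, and a 403 for everything else over HTTP.
function enforceHttps(request) {
  const proto = (header(request.headers, 'cloudfront-forwarded-proto') || 'http')
    .toLowerCase();
  if (proto === 'https') return request;

  if (SAFE_METHODS.has(request.method)) {
    return {
      status: '301',
      statusDescription: 'Moved Permanently',
      headers: {
        location: [{ key: 'Location', value: httpsLocation(request) }],
        'cache-control': [{ key: 'Cache-Control', value: 'max-age=300' }],
      },
    };
  }
  // POST/PUT/PATCH/DELETE over HTTP: the body is already exposed. A 307/308
  // would make the client resend it, a 301 silently turns it into a GET.
  // Refuse instead, so the client author notices and fixes the URL.
  return {
    status: '403',
    statusDescription: 'Forbidden',
    headers: { 'content-type': [{ key: 'Content-Type', value: 'text/plain' }] },
    body: 'plain HTTP is not accepted for ' + request.method + '; use https://',
  };
}

// Lambda@Edge entry point (viewer-request trigger).
async function handler(event) {
  return enforceHttps(event.Records[0].cf.request);
}

module.exports = { handler, enforceHttps, httpsLocation };
```

For the GET-only informational site described in the reply, the 403 branch is never hit and the behaviour is just a 301; the branch is there so that adding a form or an API later does not quietly turn the redirect into a way of accepting secrets over plain HTTP. CloudFront's own redirect-to-https viewer protocol policy is the simpler choice when it fits (check its documented handling of non-GET methods); this function is for cases where the decision has to live in code.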

0

Hi,

Have you looked into this to overcome creating many distributions? https://repost.aws/knowledge-center/multiple-domains-https-cloudfront

Let me know.

EXPERT
answered a year ago
  • Hello alatech. Yes, that requires adding Subject Alternative Names to the SSL certificate since CloudFront only allows one SSL certificate to be associated. Unfortunately I can't do this due to my requirement #3 above.
