How can I serve CloudFront assets to a naked domain I manage with a non-AWS DNS provider?

1

Hi all!

Summary: Our DNS provider, GoDaddy, does not support apex ("A") DNS records pointing to non-static IPs. We want to serve our AWS CloudFront assets to our domain's naked domain, but CloudFront gives us a url, not a static IP.

Here's the current state of our setup:

  • We own a domain, let's call it domain.com, through GoDaddy
    • We manage the DNS for this domain through GoDaddy
  • We store our website assets in AWS S3
  • We use AWS CloudFront to serve the website assets from that S3 bucket
    • CloudFront gives us a url, like xyz123.cloudfront.net, that the assets are served from
    • CloudFront does not give us a static IP address
  • We use AWS Certificate Manager to apply an SSL certificate to both our naked domain "domain.com" and www subdomain "www.domain.com"
    • The SSL certificate is applied to the CloudFront configuration
  • We have a CNAME DNS record pointing the www subdomain to the CloudFront url
    • ie. navigating to www.domain.com properly gets served the CloudFront assets, and since we have the SSL certificate applied to this domain and the CloudFront configuration we don't encounter any SSL issues.
  • We use a feature on GoDaddy called Forwarding to redirect any http://domain.com naked domain requests to http://www.domain.com

Current issues that we would like to solve:

  • We want https://domain.com to serve the CloudFront assets.
    • This may involve serving CloudFront assets directly from that url or redirecting it to https://www.domain.com
    • We can't serve the assets directly with our current setup because GoDaddy's DNS management does not support apex records pointing to urls - it must point to an IP, and we don't get a static IP from CloudFront
    • In past iterations, we’ve used GoDaddy’s Forwarding feature to attempt to redirect https://domain.com to https://www.domain.com, or even http://www.domain.com, but GoDaddy’s Forwarding feature does not support HTTPS requests.
      • The Forwarding feature changes the A record to point to GoDaddy’s proxy server, and that proxy server does not have our SSL certificate installed, so we were getting SSL warnings.
  • We own another domain, let's call it other-domain.com, and we would like to redirect all requests to both the naked domain and the www subdomain (http and https) to https://www.domain.com.
    • We ran into a similar issue here: we can’t use GoDaddy Forwarding here to reroute https requests - it spawns an SSL warning.

We imagine the solutions may be:

  1. Get a static IP from CloudFront. Is this possible? And are there time, energy, and money costs associated with this?
  2. Use our own redirect server. We could potentially manage a simple, say, AWS EC2 instance that uses an nginx or Apache server that redirects requests to https://www.domain.com. We could point the naked domain to the IP of the EC2 instance, and have our own SSL certificate installed there. We're not crazy about this because it adds another node of complexity that we manage. We would be more interested in this option if there was some AWS service that gave us SSL-enabled redirect capabilities out of the box - does that exist?
  3. Change our DNS provider from GoDaddy to AWS Route53. As far as we can tell Route53 allows apex DNS records to point to urls instead of requiring them to point to IP addresses, which means we can just point an A record for domain.com to the CloudFront url. We're also not crazy about this because migrating DNS providers is a lift, and we have many other domains managed through GoDaddy as well.

Any and all feedback / suggestions is welcome. Thank you!

3 Answers
3
  1. You will not be able to get a static IP in a meaningful way for CloudFront. The $600 option mentioned is not for the purpose of providing a static IP, but as a way for CloudFront PoP to respond with a SSL certificate for your custom domain, and support clients do not support SNI.
  2. We do not recommend you use your own redirect servers. It will potentially cause performance and reliability issues and become a single point of failure. However, from a technical point of view, it is possible to achieve. But is lacking in reliability and availability of this critical service.
  3. DNS migration would be your best choice. You have the option to have Alias A record at your zone apex in Route 53 and has great integration with multiple AWS services. From a long term you will benefits tremendously by migrating your DNS service into R53 if AWS host most of your web services.
  4. Also a quick note you can still retain GoDaddy as your domain registar. You just need to update name servers in your GoDaddy. It does take some planning, but should not be too difficult. Documentation here.
Jason_S
answered 2 years ago
0

You can refer to blog Solving DNS zone apex challenges with third-party DNS providers using AWS for possible options.

A good option is AGA (Global Accelerator) with ALB. AGA provides 2 static IPs and now support IPv6, and you can use ACM to manage SSL cert on ALB. You can use ALB listener rules to redirect.

AWS
Mike_L
answered a year ago
0

I would also recommend to perform a DNS transfer to AWS and use Route 53 options for your naked domain name, this can be quick and no major changes.

If there are any challenges with this transfer, you can leverage Global Accelerator.

answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions