Cloudfront Multiple Distributions Automatic Directs

0

Hello,

I have a question. I have 2 CloudFront distributions with 2 different certificates / domains that point to the same S3 bucket:

  • main distribution is 123456789.cloudfront.net, with alternate domain + certificate: main.mydomain.com
  • second distribution is 987654321.cloudfront.net, with alternate domain + certificate: sub1.otherdomain.com

On DNS (I use Cloudflare) I have a CNAME for the main distribution domain:

  • main.mydomain.com CNAME to 123456789.cloudfront.net

and I add other subdomains pointing to this other CNAME (for better management, as I have many subdomains):

  • sub1.mydomain.com CNAME to main.mydomain.com

but I also point a subdomain from the other domain to this (again because of management and some hardcoded links, so I can't point it to its own distribution):

  • sub1.otherdomain.com CNAME to main.mydomain.com

In theory I would need to use a CloudFront function to redirect sub1.otherdomain.com to its distribution (987654321.cloudfront.net), but it works without it and I don't know why (it shouldn't, or there is some universal property of CloudFront I'm not aware of), because there is no pointing / redirect from the first distribution to the second one configured, the only DNS pointing to CloudFront is from main.mydomain.com (CNAME to 123456789.cloudfront.net), and the certificates are different.

Is it expected? I need to be sure so as not to have headaches in the future with production stuff.

1 Answer
2
Accepted Answer

This is actually expected behaviour, but I wouldn't recommend continuing with it set up in this way.

Firstly, remember that using CNAME records in DNS doesn't change the value of the Host header used by clients when making HTTPS requests; it's simply a way of referring to another DNS record in order to ultimately get an IP address to connect to.

DNS has no bearing on what content is returned by CloudFront - it simply returns valid IP addresses for nearby cache hosts. The actual content delivered by the cache host is determined by the value of the Host header in the request. Note that there are some exceptions to this, but for the purposes of your query, assume this to be the case.

When your clients connect to sub1.otherdomain.com, here's what will happen:

  1. The client will make a DNS query for sub1.otherdomain.com. DNS will follow the CNAMEs and in turn query main.mydomain.com and then 123456789.cloudfront.net, and will finally return the A records associated with 123456789.cloudfront.net
  2. The client will connect to one of the IP addresses returned by the DNS query.
  3. During the TLS handshake, the client will specify the domain name that the request is for (sub1.otherdomain.com) and CloudFront will return the associated certificate and content (SNI) for sub1.otherdomain.com.

The main problem with this is that if you ever remove 123456789.cloudfront.net, CloudFront will no longer respond to DNS requests for that address, and sub1.otherdomain.com will stop working.

I don't really understand why you can't CNAME sub1.otherdomain.com to 987654321.cloudfront.net - DNS is just translating names to IP addresses, so I can't work out how or why this would impact your "management and some hardcoded links".

AWS
EXPERT
Paul_L
answered 2 years ago
EXPERT
reviewed 23 days ago
  • Yes, I'm aware that DNS CNAME is only the "learning path" to the destination IP, but that is why I use it to concentrate names and only point 1 DNS CNAME to real destination.

    "3. During the TLS handshake, the client will specify the domain name that the request is for (sub1.otherdomain.com) and CloudFront will return the associated certificate and content (SNI) for sub1.otherdomain.com."

    So CloudFront uses the same IPs for different distributions?

    Our application requires more than 1 distribution on CloudFront because we have multiple domains (and certificates), but it is transparent for clients, so they all go to the same link (main.mydomain.com, and some have lots of integrations with it) but need to "hit" different distributions on CloudFront (because of the certificates). That's why in the example sub1.otherdomain.com (another client) needs to hit main.mydomain.com.

  • Yes, CloudFront uses SNI by default, unless you configure a dedicated IP (this incurs an additional charge) - see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-https-dedicated-ip-or-sni.html for details.

    If the content is different between the two distributions, I recommend you update the DNS record for sub1.otherdomain.com to be CNAME d987654321.cloudfront.net to avoid any potential future problems. However, if the content is the same across both distributions then I recommend you use a single distribution with multiple alternate domains. You will of course need a single SSL certificate which covers all the alternate domains to do this.
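As an added illustration of the three steps in the accepted answer and of the SNI point in the follow-up comment (this is not part of the thread and not AWS code), the Python below simulates the whole path offline. The zone data, the edge IP addresses (taken from the 203.0.113.0/24 documentation range) and the alternate-domain table are all constructed stand-ins for real DNS answers and for CloudFront's own routing. It shows why the setup currently works (the CNAME chain only supplies an address; the SNI name picks the distribution) and reproduces the failure mode the answer warns about: deleting the first distribution's record breaks sub1.otherdomain.com, while a direct CNAME to 987654321.cloudfront.net keeps it working.

```python
"""Simulate CNAME resolution plus SNI-based distribution selection.

Everything below is constructed for illustration: the zone, the edge IP
addresses (documentation range 203.0.113.0/24) and the alternate-domain
table are stand-ins for real DNS data and for CloudFront's own routing.
"""

MAX_CNAME_DEPTH = 8  # guard against CNAME loops and runaway chains


def fqdn(name):
    """Normalise a name to lower-case, fully-qualified form with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


# Constructed zone data mirroring the question: name -> (type, value).
ZONE = {
    fqdn("main.mydomain.com"): ("CNAME", fqdn("123456789.cloudfront.net")),
    fqdn("sub1.mydomain.com"): ("CNAME", fqdn("main.mydomain.com")),
    fqdn("sub1.otherdomain.com"): ("CNAME", fqdn("main.mydomain.com")),
    # SNI distributions share edge addresses, so both names resolve to the same IPs.
    fqdn("123456789.cloudfront.net"): ("A", ["203.0.113.10", "203.0.113.11"]),
    fqdn("987654321.cloudfront.net"): ("A", ["203.0.113.10", "203.0.113.11"]),
}

# Constructed alternate-domain table: the name the client sends in SNI / Host
# decides which distribution (and certificate) the edge serves.
DISTRIBUTIONS = {
    "main.mydomain.com": "123456789.cloudfront.net",
    "sub1.otherdomain.com": "987654321.cloudfront.net",
}


def resolve(name, zone=ZONE):
    """Follow the CNAME chain like a recursive resolver.

    Returns (chain, ips); raises LookupError when a link is missing (NXDOMAIN)
    or the chain exceeds MAX_CNAME_DEPTH.
    """
    chain = [fqdn(name)]
    while True:
        if len(chain) > MAX_CNAME_DEPTH:
            raise LookupError("CNAME chain too long: " + " -> ".join(chain))
        record = zone.get(chain[-1])
        if record is None:
            raise LookupError(f"NXDOMAIN for {chain[-1]} (chain: {' -> '.join(chain)})")
        rtype, value = record
        if rtype == "A":
            return chain, list(value)
        chain.append(fqdn(value))


def pick_distribution(sni_host, table=DISTRIBUTIONS):
    """Return the distribution whose alternate domain matches the SNI name, or None.

    None models the case where no distribution claims the name: DNS handed the
    client an edge address, but nothing at the edge is configured for that host.
    """
    return table.get(sni_host.strip().lower().rstrip("."))


def simulate_request(hostname, zone=ZONE, table=DISTRIBUTIONS):
    """Steps 1-3 of the answer: resolve, connect to an edge IP, select by SNI."""
    chain, ips = resolve(hostname, zone)
    return {"chain": chain, "ips": ips, "distribution": pick_distribution(hostname, table)}


def reachable(hostname, zone=ZONE):
    """True if DNS still yields an address for hostname (ignores SNI matching)."""
    try:
        resolve(hostname, zone)
        return True
    except LookupError:
        return False


def without_record(zone, name):
    """Copy of zone with one record removed, e.g. after a distribution is deleted."""
    trimmed = dict(zone)
    trimmed.pop(fqdn(name), None)
    return trimmed


def with_cname(zone, name, target):
    """Copy of zone with name repointed directly at target."""
    updated = dict(zone)
    updated[fqdn(name)] = ("CNAME", fqdn(target))
    return updated


if __name__ == "__main__":
    print("as configured:", simulate_request("sub1.otherdomain.com"))
    broken = without_record(ZONE, "123456789.cloudfront.net")
    print("after deleting the first distribution, reachable:",
          reachable("sub1.otherdomain.com", broken))
    fixed = with_cname(broken, "sub1.otherdomain.com", "987654321.cloudfront.net")
    print("with a direct CNAME:", simulate_request("sub1.otherdomain.com", fixed))
```

Against a live setup the same two facts can be checked separately: `dig sub1.otherdomain.com` shows the CNAME chain and the final A records, and `openssl s_client -connect <edge-ip>:443 -servername sub1.otherdomain.com` shows which certificate the edge returns for that SNI name, independent of which name the address was obtained through.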
