Cloudfront Multiple Distributions Automatic Directs



I have a question, I have 2 cloudfront distributions with 2 different certificates / domains that point to the same S3 Bucket # main distribution is, with alternate domain + certificate: # second distribution is, with alternate domain + certificate:

On DNS (I use cloudflare) I have a CNAME for the main distribution domain: # cname to

and I add other subdomains pointing to this other CNAME (for better management as I have many subdomains): # cname to

but I also do point subdomain from the other domain to this (again because of management and some hardcoded links, so I can't point it to it's own distribution): # cname to

In theory I would need to use a cloudfront function to redirect the to its distribution (, but it works without it and I don't know why (it shouldn't, or there is some universal property of cloudfront I'm not aware of), because there is no pointing / redirect from the first distribution to the second one configured, the only DNS pointing to cloudfront is from (cname to, and the certificates are different.

Is it expected? I need to be sure, to avoid headaches in the future with production stuff.

1 Answer
Accepted Answer

This is actually expected behaviour, but I wouldn't recommend continuing with it set up in this way.

Firstly, remember that using CNAME records in DNS doesn't change the value of the Host header used by clients when making HTTPS requests; it's simply a way of referring to another DNS record in order to ultimately get an IP address to connect to.

DNS has no bearing on what content is returned by CloudFront - it simply returns valid IP addresses for nearby cache hosts. The actual content delivered by the cache host is determined by the value of the Host header in the request. Note that there are some exceptions to this, but for the purposes of your query, assume this to be the case.

When your clients connect to, here's what will happen:

  1. The client will make a DNS query for DNS will follow the CNAMEs and in turn query and then, and will finally return the A records associated with
  2. The client will connect to one of the IP addresses returned by the DNS query.
  3. During the TLS handshake, the client will specify the domain name that the request is for ( and CloudFront will return the associated certificate and content (SNI) for

The main problem with this is that if you ever remove, CloudFront will no longer respond to DNS requests for that address, and will stop working.

I don't really understand why you can't CNAME to - DNS is just translating names to IP addresses, so I can't work out how or why this would impact your "management and some hardcoded links".

answered 2 years ago
reviewed 23 days ago
  • Yes, I'm aware that DNS CNAME is only the "learning path" to the destination IP, but that is why I use it to concentrate names and only point 1 DNS CNAME to real destination.

    "3. During the TLS handshake, the client will specify the domain name that the request is for ( and CloudFront will return the associated certificate and content (SNI) for"

    So cloudfront uses the same IPs for different distributions?

    Our application requires more than 1 distribution on cloudfront because we have multiple domains (and certificates), but it is transparent for clients, so they all go to the same link ( and some have lots of integrations with it) but need to "hit" different distributions on cloudfront (because of the certificates); that's why the example (other client) needs to hit the

  • Yes, CloudFront uses SNI by default, unless you configure a dedicated IP (this incurs an additional charge) - see for details.

    If the content is different between the two distributions, I recommend you update the DNS record for to be CNAME to avoid any potential future problems. However, if the content is the same across both distributions then I recommend you use a single distribution with multiple alternate domains. You will of course need a single SSL certificate which covers all the alternate domains to do this.
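The accepted answer and the follow-up comment make one point in two halves: DNS (including a CNAME chain) only yields edge IP addresses, while the distribution that actually answers is selected by the SNI / Host name the client sends, so the chained setup works today but breaks the moment the distribution the chain passes through is removed. The following is an added example, not code from the question or the answer: a small Python model of that behaviour. The zone records, the hostnames (`*.example-a.test`, `*.example-b.test`, `dmainexample.cloudfront.net`, `dsecondexample.cloudfront.net`), the edge IPs and the distribution ids are all constructed placeholders, not the poster's real values.

```python
"""Model of the DNS-vs-SNI separation described in the answer.

Constructed example: the zone records, distribution ids and CloudFront
hostnames below are placeholders, not the poster's real values.
"""
from __future__ import annotations

# Constructed: shared edge IPs that CloudFront's DNS hands out for any
# SNI-based distribution (they draw from the same address pool).
EDGE_IPS = ["203.0.113.10", "203.0.113.11"]  # TEST-NET-3 documentation range

# Constructed: CloudFront-side mapping of alternate domain names to the
# distribution serving them. The edge consults this using the SNI / Host
# value, not the DNS path the client took to reach it.
DISTRIBUTIONS = {
    "cdn.example-a.test": "MAIN",
    "app.example-a.test": "MAIN",
    "app.example-b.test": "SECOND",
}


def build_zone() -> dict[str, tuple[str, object]]:
    """Constructed zone mirroring the question's layout.

    Each name maps to ("CNAME", target) or ("A", [ip, ...]).
    """
    return {
        # Only one record points at CloudFront: the main distribution's name.
        "cdn.example-a.test": ("CNAME", "dmainexample.cloudfront.net"),
        # Other subdomains are chained onto it for easier management.
        "app.example-a.test": ("CNAME", "cdn.example-a.test"),
        # The second domain's subdomain is chained onto it too, although
        # its content lives in the second distribution.
        "app.example-b.test": ("CNAME", "cdn.example-a.test"),
        # Constructed stand-ins for the cloudfront.net answers.
        "dmainexample.cloudfront.net": ("A", EDGE_IPS),
        "dsecondexample.cloudfront.net": ("A", EDGE_IPS),
    }


class NXDomain(Exception):
    """Raised when the CNAME chain reaches a name that no longer exists."""


def resolve(name: str, zone: dict, max_hops: int = 8) -> tuple[list[str], list[str]]:
    """Follow CNAMEs the way a resolver does; return (A records, chain of names)."""
    chain = [name]
    for _ in range(max_hops):
        record = zone.get(name)
        if record is None:
            raise NXDomain(name)
        rtype, value = record
        if rtype == "A":
            return list(value), chain
        name = value  # rtype == "CNAME": keep following the target
        chain.append(name)
    raise RuntimeError("CNAME chain too long")


def serve(sni_hostname: str) -> str | None:
    """Edge behaviour: choose the distribution by SNI/Host, ignoring how the IP was found."""
    return DISTRIBUTIONS.get(sni_hostname)


def connect(hostname: str, zone: dict) -> dict:
    """Resolve, then hand the *original* hostname to the edge as SNI."""
    ips, chain = resolve(hostname, zone)
    # The TLS ClientHello carries the name the client was asked for,
    # never an intermediate CNAME target.
    return {"ips": ips, "chain": chain, "distribution": serve(hostname)}


if __name__ == "__main__":
    zone = build_zone()
    for host in ("app.example-a.test", "app.example-b.test"):
        r = connect(host, zone)
        print(host, "->", " -> ".join(r["chain"]), "| served by", r["distribution"])
    # Failure mode from the answer: the main distribution is deleted, so its
    # cloudfront.net name stops resolving and the chained second domain goes
    # down even though the second distribution itself is untouched.
    del zone["dmainexample.cloudfront.net"]
    try:
        connect("app.example-b.test", zone)
    except NXDomain as e:
        print("after removing the main distribution,", e, "no longer resolves")
    # Remedy from the comment: point the second domain at its own distribution.
    zone["app.example-b.test"] = ("CNAME", "dsecondexample.cloudfront.net")
    print("fixed:", connect("app.example-b.test", zone))
```

Running the script shows both hostnames resolving through the same chain to the same IPs while being served by different distributions, then the second domain failing to resolve once the main distribution's name is gone, then working again when it is pointed at its own distribution's name.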
