The recommended design would be to continue using CloudFront over the public internet, but to associate a Web Application Firewall (WAFv2) web ACL to the distribution only allowing requests from the internet-facing public IP addresses of the internal networks. Traffic would continue to run over the internet, but TLS encryption and the source IP address restriction would make it reasonably well protected.
The static website functionalities of S3 are not available over VPC endpoints. As you observed already, only the REST APIs are available. If you have a third-party web server, like Nginx, you can send the paths you want to it with the ALB's listener rules: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#rule-condition-types.
If appropriate for your needs, you can also use the ALB's built-in features to return static responses or redirects: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#rule-action-types. For more specific custom functionalities, you can use a Lambda function as a target: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/lambda-functions.html.
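The WAFv2 design in the answer above, written out as an added Terraform example (not code from the answer or from AWS documentation). It assumes the provider is configured for us-east-1, which is where CLOUDFRONT-scoped WAFv2 resources must be created, and the CIDRs are constructed placeholders from the RFC 5737 documentation ranges standing in for the internal networks' public egress addresses.

```hcl
# Assumed: internet-facing egress addresses of the internal networks.
# The CIDRs below are constructed placeholders; replace with real egress IPs.
resource "aws_wafv2_ip_set" "corp_egress" {
  name               = "corp-egress-ips"
  scope              = "CLOUDFRONT" # must be created in us-east-1
  ip_address_version = "IPV4"
  addresses          = ["203.0.113.10/32", "198.51.100.0/24"]
}

resource "aws_wafv2_web_acl" "internal_only" {
  name  = "internal-only-site"
  scope = "CLOUDFRONT"

  # Deny everything by default; only the explicit allow rule admits traffic.
  default_action {
    block {}
  }

  rule {
    name     = "allow-corp-egress"
    priority = 1
    action {
      allow {}
    }
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.corp_egress.arn
      }
    }
    # Metrics and sampled requests let you confirm what is being blocked.
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-corp-egress"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "internal-only-site"
    sampled_requests_enabled   = true
  }
}
```

Attach the ACL by setting `web_acl_id = aws_wafv2_web_acl.internal_only.arn` on the `aws_cloudfront_distribution` resource (WAFv2 ACLs are referenced by ARN). If the internal networks egress through a proxy or NAT, the IP set must list those egress addresses, since that is the source IP CloudFront and WAF evaluate.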