Networking & Content Delivery

Category: Technical How-to


Navigating the NGINX Ingress retirement: A practical guide to migration on AWS

The Kubernetes SIG Network and Security Response Committee has announced that Ingress NGINX will be retired in March 2026. If your organization runs workloads on Kubernetes — whether on Amazon Elastic Kubernetes Service (Amazon EKS), self-managed clusters on EC2, or hybrid environments — this upcoming change requires immediate planning and attention. This change impacts approximately […]

Migrate Amazon CloudFront public origins to private VPC origins

This post demonstrates how to migrate your Amazon CloudFront public origins to Amazon Virtual Private Cloud (Amazon VPC) origins using different strategies. You can also use VPC origins with cross-accounts to support security-first architectures. When designing network architecture for CloudFront workloads, organizations must choose between centralized or distributed models. In a centralized architecture, a […]

Using cross-account CloudFront VPC origins for multi-account private API Gateway architecture

In November 2025, Amazon CloudFront introduced cross-account support for Virtual Private Cloud (VPC) origins, which allows you to keep Amazon VPC origins and CloudFront distributions in separate Amazon Web Services (AWS) accounts. In turn, organizations with multi-account strategies can use VPC origins while maintaining their desired account structure. This enables a new architectural pattern for […]

Reduce unexpected AWS costs: Tracing AWS billing charges with log correlation techniques


Imagine receiving an unexpected $1,200 Data Transfer Out (DTO) charge on your Amazon Web Services (AWS) bill. You know something generated significant outbound traffic, but you’re left wondering: which resource caused it? Where was the data sent? Was it legitimate application traffic or a security incident? This common challenge faces FinOps professionals, DevOps engineers, and […]

Optimizing application performance: The strategic benefits of combining Amazon CloudFront with Application Load Balancers

As organizations scale globally, balancing user experience with operational costs becomes increasingly complex. Integrating Amazon CloudFront with Application Load Balancer (ALB) addresses this challenge by reducing latency by serving content from over 750 edge locations worldwide and maintaining persistent TCP connections between CloudFront and ALB origins while reducing Data Transfer Out (DTO) expenses through the […]

Amazon CloudFront now supports mTLS authentication to origins

Starting today, Amazon CloudFront extends its mutual TLS (mTLS) capabilities to customer origins, which enables true end-to-end authentication throughout the entire connection path—from the viewers to the customer origins. CloudFront has supported viewer mTLS between viewers and CloudFront, so that customers can strongly authenticate clients before traffic ever enters their perimeter. With this launch, that […]

Building Zero Trust Access Across Multi-Account AWS Environments

Security teams managing multi-account Amazon Web Services (AWS) environments face significant operational challenges when implementing consistent access controls. Traditional approaches necessitate duplicating VPN infrastructure, managing separate bastion hosts in each account, and maintaining fragmented security policies across multiple applications. This operational overhead increases infrastructure costs and attack surfaces. This post walks you through implementing AWS […]

Automate prefix lists with Amazon VPC IP Address Manager (IPAM)

In this post, we examine the ability of Amazon VPC IP Address Manager (IPAM) to automate prefix list updates with the prefix list resolver. This new feature uses the IPAM database to generate groups of IP addresses based on connectivity requirements and automates connectivity configurations by propagating IP addresses to Amazon Web Services (AWS) resources, such […]

Building Intelligent Network Operations Agent with Amazon Bedrock AgentCore


It’s 2 AM when your phone alerts you to failing customer transactions in the North Virginia Region. As a network operator managing an Imaging platform on Amazon Web Services (AWS), you’re faced with troubleshooting an architecture that spans multiple Amazon Virtual Private Clouds (Amazon VPCs), uses AWS Transit Gateway for interconnectivity, and runs many microservices. […]

Implementing ingress geo-restriction with AWS to reduce attack surface

Geo-restriction is a critical security control for blocking traffic from high-risk regions. Learn how to implement geographic filtering using Amazon CloudFront, Route 53, AWS WAF, and AWS Network Firewall—and discover when to use each service for your specific architecture needs.