Networking & Content Delivery
Introducing CloudFront Virtual Private Cloud (VPC) Origins: Shield your web applications from the public internet
Today, Amazon CloudFront announced CloudFront Virtual Private Cloud (VPC) Origins, a new feature that lets you use CloudFront to deliver content from applications hosted in a VPC private subnet. VPC Origins removes the need to expose applications on the public internet: the only path to the origin is through your CloudFront distribution, so end users cannot discover the origin or bypass CloudFront to reach the application directly. The origin servers stay hidden from the internet, which reduces the attack surface and improves the overall security posture, while users continue to benefit from CloudFront’s global scale and performance.
AWS users already put CloudFront in front of their applications to protect them from Denial of Service (DoS) attacks and other threats, together with services such as AWS WAF and AWS Shield Advanced. For Amazon S3 origins, Origin Access Control (OAC) restricts bucket access so that only CloudFront can read the objects. For VPC-based origins, however, users have traditionally had to place the origin in a public subnet and then restrict who can reach it, for example with security groups that admit only CloudFront’s origin-facing IP ranges (the com.amazonaws.global.cloudfront.origin-facing managed prefix list) and with a secret custom origin header that the origin or AWS WAF verifies. These controls work, but they must be built, kept current and audited continuously, which is undifferentiated heavy lifting.
With CloudFront VPC Origins, AWS users can build and run web applications in any AWS commercial Region with CloudFront as the only ingress point, so every request to the application must pass through CloudFront. The application can live in a private VPC with no route to the internet at all. CloudFront also accelerates the traffic over the AWS backbone: when a VPC origin is configured, traffic from CloudFront stays on the high-throughput AWS backbone network all the way to the origin, which gives optimized performance and low latency.
Getting started
Users can create a VPC origin in the CloudFront console or with the CloudFront APIs. Once the VPC origin has been created and deployed, it can be attached as an origin of a new or existing CloudFront distribution. Requests are then served through the VPC origin, which can improve performance and availability compared with origins reached over the public internet.
Migrating to CloudFront VPC Origins
To test how VPC origins can be used to migrate an existing public subnet application, I launched an nginx web service using AWS Fargate for Amazon ECS behind an internet-facing (public) Application Load Balancer (ALB).
After launching the ALB, I created a CloudFront distribution pointing at it and confirmed that the nginx index page was served, as shown in the following figure.
Now that I have an existing CloudFront distribution, I can take the ALB off the public internet by creating a VPC origin and switching the existing distribution to use that VPC origin instead of the public ALB address.
1. Create a VPC Origin for your existing public subnet application:
A. Open the CloudFront console and select VPC Origins from the left navigation, as shown in the following figure.
B. Create a VPC origin by selecting the ALB that we created previously, as shown in the following figure. Wait until the VPC origin shows as deployed before referencing it from a distribution.
2. Use CloudFront’s continuous deployment to create a staging distribution:
A. Now that we have a VPC origin created and deployed, we can use it as an origin within a CloudFront distribution.
B. Do that through a staging distribution so that the switch to the new VPC origin can be promoted safely.
C. Create a staging distribution and add a new origin by choosing the VPC origin created in Step 1, as shown in the following figure.
D. Update the behaviors that point to the existing origin so that they use the new VPC origin, as shown in the following figure.
3. Test the VPC Origin in the staging distribution:
A. Confirm that the staging distribution serves the same content through the VPC origin as the primary distribution does through the public ALB.
B. This also validates your VPC configuration: if CloudFront cannot reach the origin, you will see CloudFront 502 or 504 errors, which usually means the origin’s security group does not allow traffic from the VPC origin’s network interfaces, or the origin’s port and protocol settings do not match the VPC origin.
4. Promote the staging distribution’s configuration to the primary distribution:
A. After confirming that the VPC origin works correctly in the staging distribution, promote the configuration to your production distribution.
B. Remove public access to your application: tighten the ALB’s security group so it only accepts traffic from the VPC origin, and verify by requesting the ALB DNS name directly (the request should fail) while the same page still loads through the distribution.
This makes your application unreachable from the public internet, while CloudFront retains private access to it through the VPC origin.
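The same migration can be scripted against the CloudFront API instead of clicked through the console. The following is an added example for this post, not code from the post or from AWS: it builds the endpoint configuration for CreateVpcOrigin, rewrites a distribution configuration so the origin that currently points at the ALB’s public DNS name uses the VPC origin, and checks that no origin is still reached over the public internet before you promote. The ALB ARN, DNS name, VPC origin ID and the trimmed-down SAMPLE_CONFIG are constructed placeholders, and the boto3 sequence only runs when you pass --apply and a distribution ID, so the file runs offline.

```python
"""Move a CloudFront origin from a public ALB DNS name to a VPC origin.

Added example for this post (not code from the post or from AWS). Resource
names, ARNs and IDs are constructed placeholders; SAMPLE_CONFIG is a trimmed
stand-in for what GetDistributionConfig returns. The boto3 calls run only with
--apply, so the file runs offline.
"""
import copy
import sys
import time

# Constructed placeholders (assumptions, not real resources).
ALB_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
           "loadbalancer/app/demo-alb/0123456789abcdef")
ALB_DNS = "demo-alb-123456789.us-east-1.elb.amazonaws.com"
VPC_ORIGIN_ID = "vo_EXAMPLE1234567"          # what CreateVpcOrigin would return


def vpc_origin_endpoint_config(name, arn, protocol_policy="http-only"):
    """VpcOriginEndpointConfig for CreateVpcOrigin. http-only matches the
    plain-HTTP nginx/ALB listener used in the post; use https-only when the
    ALB listener terminates TLS."""
    return {
        "Name": name,
        "Arn": arn,
        "HTTPPort": 80,
        "HTTPSPort": 443,
        "OriginProtocolPolicy": protocol_policy,
        "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]},
    }


def switch_origin_to_vpc(dist_config, origin_domain, vpc_origin_id,
                         read_timeout=30, keepalive_timeout=5):
    """Return (new_config, converted_origin_ids). Every origin whose DomainName
    is origin_domain gets a VpcOriginConfig and loses its CustomOriginConfig
    (an origin carries one or the other). Cache behaviors reference origins by
    Id, so they need no change: this is the API equivalent of step 2D."""
    cfg = copy.deepcopy(dist_config)
    converted = []
    for origin in cfg["Origins"]["Items"]:
        if origin["DomainName"] != origin_domain:
            continue
        origin.pop("CustomOriginConfig", None)
        origin["VpcOriginConfig"] = {
            "VpcOriginId": vpc_origin_id,
            "OriginReadTimeout": read_timeout,
            "OriginKeepaliveTimeout": keepalive_timeout,
        }
        converted.append(origin["Id"])
    if not converted:
        raise ValueError(f"no origin has DomainName {origin_domain}")
    return cfg, converted


def public_custom_origins(dist_config):
    """Ids of origins still reached over the internet (CustomOriginConfig).
    Run this on the staging config before promoting: the list must be empty
    if CloudFront is meant to be the only ingress point."""
    return [o["Id"] for o in dist_config["Origins"]["Items"]
            if "CustomOriginConfig" in o]


# Constructed sample: a distribution with one public ALB origin.
SAMPLE_CONFIG = {
    "CallerReference": "demo-2024",
    "Comment": "nginx on Fargate behind a public ALB",
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "alb-origin",
        "DomainName": ALB_DNS,
        "CustomOriginConfig": {
            "HTTPPort": 80, "HTTPSPort": 443,
            "OriginProtocolPolicy": "http-only",
            "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]},
        },
    }]},
    "DefaultCacheBehavior": {"TargetOriginId": "alb-origin",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "Enabled": True,
}


def apply_with_boto3(primary_distribution_id):
    """API sequence behind the console steps (needs AWS credentials)."""
    import boto3  # assumed installed and configured when --apply is used
    cf = boto3.client("cloudfront")
    vo = cf.create_vpc_origin(VpcOriginEndpointConfig=vpc_origin_endpoint_config(
        "demo-alb-vpc-origin", ALB_ARN))["VpcOrigin"]
    while cf.get_vpc_origin(Id=vo["Id"])["VpcOrigin"]["Status"] != "Deployed":
        time.sleep(15)                      # the VPC origin must be deployed first
    prod = cf.get_distribution_config(Id=primary_distribution_id)
    staging = cf.copy_distribution(PrimaryDistributionId=primary_distribution_id,
                                   Staging=True, IfMatch=prod["ETag"],
                                   CallerReference=f"staging-{int(time.time())}")
    staging_id = staging["Distribution"]["Id"]
    st = cf.get_distribution_config(Id=staging_id)
    new_cfg, _ = switch_origin_to_vpc(st["DistributionConfig"], ALB_DNS, vo["Id"])
    assert not public_custom_origins(new_cfg), "an origin is still public"
    cf.update_distribution(Id=staging_id, IfMatch=st["ETag"],
                           DistributionConfig=new_cfg)
    print("staging distribution", staging_id, "now uses VPC origin", vo["Id"])
    # Test the staging distribution (step 3), then promote it with
    # update_distribution_with_staging_config and lock down the ALB (step 4).


if __name__ == "__main__":
    cfg, ids = switch_origin_to_vpc(SAMPLE_CONFIG, ALB_DNS, VPC_ORIGIN_ID)
    print("converted origins:", ids, "still public:", public_custom_origins(cfg))
    if "--apply" in sys.argv[1:]:
        apply_with_boto3(sys.argv[-1])
```

The rewrite keeps the origin Id unchanged on purpose: cache behaviors target origins by Id, so switching the transport from CustomOriginConfig to VpcOriginConfig leaves every behavior intact, and public_custom_origins gives you a one-line gate to run before promotion.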
In the previous section, we demonstrated how to migrate an existing CloudFront distribution to a VPC origin and thereby improve the security posture of an application. The same approach also lets you deliver content from newly created private origins using VPC Origins from the start.
At the time of this writing, the CloudFront distribution and the CloudFront VPC origin must reside in the same AWS account.
Conclusion
CloudFront VPC Origins offers an easy and reliable way to limit access to your applications and reduce their attack surface. It builds on CloudFront’s security foundation by making CloudFront the sole ingress point to the application, so end users cannot circumvent it. Operationally, VPC Origins needs minimal maintenance compared with hand-built alternatives such as IP allow lists and secret origin headers. For businesses seeking to improve application security, deliver high-performance global experiences and streamline operations, VPC Origins integrated with CloudFront is a compelling option. For more information, review the Amazon CloudFront VPC origins documentation.