Networking & Content Delivery

Introducing cross-account support for Amazon CloudFront Virtual Private Cloud (VPC) origins

In November 2024, Amazon CloudFront introduced CloudFront Virtual Private Cloud (VPC) origins, a security feature that allowed customers to deliver content from applications hosted in private subnets. In addition, we are now introducing cross-account support for Amazon CloudFront VPC origins, enabling network traffic flow between Amazon CloudFront and Application Load Balancers (ALBs), Network Load Balancers (NLBs), or Amazon Elastic Compute Cloud (Amazon EC2) instances deployed within private subnets across different Amazon Web Services (AWS) accounts. This enhancement allows you to keep your Amazon VPC origins and CloudFront distributions in separate AWS accounts, enabling organizations with multi-account strategies to use VPC origins while maintaining their desired account structure.

Many AWS customers set up multiple AWS accounts to isolate ownership and development processes across different business functions. This approach, following modern cloud security architecture principles, typically involves creating multiple AWS Organizational Units (OUs) with dedicated network and security accounts. While CloudFront distributions, serving as global entry points for customer applications, are typically deployed in network accounts, customers have been able to link public origins from multiple accounts to a single distribution.

However, organizations wanting to enhance their security posture with VPC origins have faced limitations, as VPC origins and CloudFront distributions had to reside in the same account. This meant customers who had their origins in multiple AWS accounts had to keep those origins in public subnets to get the scale and performance benefits of CloudFront. Customers then had to maintain additional security controls, such as access control lists (ACLs), both at the edge and within Regions, rather than benefiting from the inherent security of VPC origins. Until now, these customers were unable to take advantage of the security benefits of VPC origins while maintaining their preferred multi-account architecture.

Architecture diagram

In this section we examine the key components of sharing cross-account VPC origins for CloudFront distributions, as shown in the following diagram.

Figure 1: VPC origins shared using AWS Resource Access Manager (AWS RAM) with a separate Resource Consumer account where the CloudFront distribution is located

The cross-account sharing process involves two main entities: (1) the Resource Owner (the AWS account containing the VPC origin resource and the underlying infrastructure) and (2) the Resource Consumer (the AWS account hosting the CloudFront distribution).

To share a VPC origin across two accounts, the Resource Owner first creates the (3) VPC origin in their own account. For HTTPS-only origins, the Resource Owner configures a custom domain with a valid (4) certificate, issued through AWS Certificate Manager (ACM) and attached to the ALB or NLB. HTTP-only deployments do not need an ACM certificate. Then, using (5) AWS Resource Access Manager (AWS RAM), the Resource Owner shares the VPC origin with the desired Resource Consumer account. (6) At this stage, the Resource Consumer can use the shared VPC origin in their CloudFront distribution, specifying the custom domain as the endpoint for HTTPS communication.

Prerequisites

The following instructions cover an HTTPS-only VPC origin setup. Before proceeding with this walkthrough, ensure you have the following resources already deployed in your Resource Owner Account: EC2 instances running your application (in our example, Apache web servers), an ALB fronting these instances, a VPC and subnets configured with the instances deployed, a public-facing custom domain (for example api.example.com), and a certificate registered in ACM for that domain. The certificate is what allows HTTPS communication between CloudFront and the VPC origin. These resources are necessary in order to proceed with the VPC origin setup shown in the following workflow.

Figure 2: Workflow for VPC origins sharing using AWS RAM, enabling setup with a cross-account CloudFront distribution

Getting started

This section explains the process, starting with how to set up a VPC origin in the Resource Owner Account containing an ALB fronting Apache web servers on EC2 instances. Once completed, we’ll detail how to share this VPC origin with the Resource Consumer Account using AWS RAM. Next, you create a CloudFront distribution in the Resource Consumer Account using the shared origin. Finally, you will learn how to verify the setup by accessing the web content through CloudFront’s domain name.

Navigate to the Resource Owner Account.

  1. Create a VPC origin exclusively in the Resource Owner Account. For our example, we’re using an ALB, so we input the ALB’s ARN as demonstrated in the following image. Under Protocol, we choose HTTPS only to ensure secure communication between CloudFront and the origin.

Figure 3: Create VPC origin with an ALB

  2. Share the VPC origin with another account.
    1. When the VPC origin status shows Deployed, choose the VPC origin and choose the Share VPC origin button.

Figure 4: Choose the VPC origin and share it 

    2. On the next screen, you can either choose an existing Resource share or choose the Create resource share button. For this example, create a new Resource share.

Figure 5: Create resource share

    3. On the next screen, specify the Principal type and corresponding details (either account number, Organization ARN, or Organizational unit ARN). For this example, we use AWS account as the Principal type and enter the AWS account ID of the Resource Consumer Account.

Figure 6: Choose an AWS account ID and create resource share

    4. After completion, return to the VPC origin screen, where a green banner confirms the successful creation of the resource share.

Figure 7: VPC origin shared successfully

    5. Although we created the resource share for the VPC origin through the CloudFront console, you can also create it from the AWS RAM console. If you want to observe the share that was created, then you can navigate to the AWS RAM console.

Navigate to the Resource Consumer Account.

  1. If you are using an already existing resource share, then you can skip this step. Otherwise, when you are in the Resource Consumer Account, in the AWS RAM console, go to Shared with me, choose Resource shares, choose the name of the resource share, and choose Accept resource share.

Figure 8: Accept the resource share

  2. Create a CloudFront distribution.
    1. Input the Distribution name and choose Next.

Figure 9: Create a CloudFront distribution

    2. On the next screen, choose VPC origin under Origin type. In the Origin section, choose Browse VPC origins to open a popup window. Choose the origin and select Choose. Under VPC origin endpoint, enter your custom domain (api.example.com is used as an example, but this should be a public domain name that you own), because we are using HTTPS only and need the domain that matches your ACM certificate. Then, choose Next.

Figure 10: Choose the shared VPC origin

    3. On the next screen, select Do not enable security protections and choose Next. Although we have decided not to use AWS WAF for this specific example, we recommend implementing it to secure your distribution.

Figure 11: Choose the security settings for the distribution

    4. On the next screen, review the details, scroll down, and choose Create distribution. You are taken to a screen where you should see the distribution in the Deploying state, which takes a few minutes to complete.

Figure 12: Review and create the distribution

  3. After the distribution is created, copy its Distribution domain name.

Figure 13: CloudFront distribution created successfully

  4. Access the copied domain name using a web browser. You should see that you can successfully reach the shared VPC origin from the Resource Owner Account through the CloudFront distribution in the Resource Consumer Account.

Figure 14: Access the URL for the CloudFront distribution created using shared VPC origin

This example demonstrates how you can maintain a secure and organized infrastructure within your organization by keeping the VPC origin in one account (Resource Owner Account) while hosting the CloudFront distribution in another account (Resource Consumer Account). This setup allows for centralized management of VPC resources while enabling other accounts to securely access and distribute content through CloudFront.
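The walkthrough above uses the console. As an added example (not code from the post or from AWS), the following script performs the same steps with the AWS CLI v2: the Resource Owner creates an HTTPS-only VPC origin for the ALB, waits for it to deploy, and shares it through AWS RAM with the managed permission named in the Considerations section; the Resource Consumer accepts the share, builds a distribution whose origin endpoint is the custom domain that matches the ACM certificate, and checks the result with curl. The ALB ARN, account ID and domain are constructed placeholders; set them through the environment before running `sh vpc-origin-share.sh owner` in the owner account and `sh vpc-origin-share.sh consumer <vpc-origin-id>` in the consumer account.

```shell
#!/bin/sh
# Added example, not from the post: CLI equivalent of the console walkthrough.
# Assumes AWS CLI v2 with credentials for the account each step runs in.
# The ARN, account ID and domain below are constructed placeholders.
set -eu

ALB_ARN="${ALB_ARN:-arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example-alb/0123456789abcdef}"
CONSUMER_ACCOUNT_ID="${CONSUMER_ACCOUNT_ID:-444455556666}"
ORIGIN_DOMAIN="${ORIGIN_DOMAIN:-api.example.com}"   # must match the ACM certificate on the ALB
RAM_REGION=us-east-1                                 # VPC origins are global; AWS RAM sees them here
RAM_PERMISSION_ARN=arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCloudfrontVpcOrigin

# ---- Resource Owner account -------------------------------------------------

# Step 1: create the VPC origin for the ALB, HTTPS only, TLS 1.2 to the origin.
create_vpc_origin() {
  aws cloudfront create-vpc-origin \
    --vpc-origin-endpoint-config "$(printf '{"Name":"shared-alb-origin","Arn":"%s","HTTPPort":80,"HTTPSPort":443,"OriginProtocolPolicy":"https-only","OriginSslProtocols":{"Quantity":1,"Items":["TLSv1.2"]}}' "$ALB_ARN")" \
    --query 'VpcOrigin.Id' --output text
}

# The share button only appears once the origin is Deployed; poll for that state.
wait_vpc_origin_deployed() {
  while [ "$(aws cloudfront get-vpc-origin --id "$1" --query 'VpcOrigin.Status' --output text)" != "Deployed" ]; do
    sleep 15
  done
}

# Step 2: share the VPC origin ARN with the consumer account via AWS RAM.
share_vpc_origin() {
  aws ram create-resource-share --region "$RAM_REGION" \
    --name cloudfront-vpc-origin-share \
    --resource-arns "$1" \
    --principals "$CONSUMER_ACCOUNT_ID" \
    --permission-arns "$RAM_PERMISSION_ARN" \
    --query 'resourceShare.resourceShareArn' --output text
}

# ---- Resource Consumer account ----------------------------------------------

# Accept any pending invitations. Accounts inside the same AWS Organization with
# RAM sharing enabled receive the share without an invitation, so this may be a no-op.
accept_pending_shares() {
  for inv in $(aws ram get-resource-share-invitations --region "$RAM_REGION" \
      --query "resourceShareInvitations[?status=='PENDING'].resourceShareInvitationArn" --output text); do
    aws ram accept-resource-share-invitation --region "$RAM_REGION" --resource-share-invitation-arn "$inv" >/dev/null
  done
}

# Build the DistributionConfig JSON: $1 = shared VPC origin ID, $2 = custom domain
# that matches the ACM certificate, $3 = unique CallerReference. The origin uses
# VpcOriginConfig (no CustomOriginConfig) and the managed CachingOptimized cache policy.
build_distribution_config() {
  printf '{"CallerReference": "%s", "Comment": "shared VPC origin example", "Enabled": true, ' "$3"
  printf '"Origins": {"Quantity": 1, "Items": [{"Id": "shared-vpc-origin", "DomainName": "%s", ' "$2"
  printf '"VpcOriginConfig": {"VpcOriginId": "%s"}}]}, ' "$1"
  printf '"DefaultCacheBehavior": {"TargetOriginId": "shared-vpc-origin", "ViewerProtocolPolicy": "redirect-to-https", '
  printf '"CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6"}}\n'
}

create_distribution() {
  aws cloudfront create-distribution \
    --distribution-config "$(build_distribution_config "$1" "$ORIGIN_DOMAIN" "cross-account-$(date +%s)")" \
    --query 'Distribution.Id' --output text
}

case "${1:-}" in
  owner)
    VPC_ORIGIN_ID=$(create_vpc_origin)
    wait_vpc_origin_deployed "$VPC_ORIGIN_ID"
    VPC_ORIGIN_ARN=$(aws cloudfront get-vpc-origin --id "$VPC_ORIGIN_ID" --query 'VpcOrigin.Arn' --output text)
    echo "resource share: $(share_vpc_origin "$VPC_ORIGIN_ARN")"
    echo "VPC origin ID to hand to the consumer: $VPC_ORIGIN_ID" ;;
  consumer)
    accept_pending_shares
    DIST_ID=$(create_distribution "${2:?usage: consumer <vpc-origin-id>}")
    aws cloudfront wait distribution-deployed --id "$DIST_ID"
    DIST_DOMAIN=$(aws cloudfront get-distribution --id "$DIST_ID" --query 'Distribution.DomainName' --output text)
    # Step 4 of the walkthrough: the first response line should be an HTTP 200 from Apache behind the ALB.
    curl -sSI "https://$DIST_DOMAIN/" | head -n 1 ;;
esac
```

The consumer side needs the VPC origin ID printed by the owner step; the ID is the same in both accounts because it names one shared resource. The RAM call runs in us-east-1 on purpose, which is where the Considerations section says shared VPC origins are visible.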

Considerations

  1. Resource sharing and deletion flow
    1. If the Resource Owner Account stops sharing the VPC origin with the Resource Consumer Account, then the existing traffic continues to function.
    2. Shared VPC origin deletion needs a specific sequence:
      1. Disable CloudFront distribution in Resource Consumer Account
      2. Unshare Shared VPC origin in Resource Owner Account
      3. Delete Shared VPC origin in Resource Owner Account
  2. Resource sharing options
    1. A VPC origin can be shared through two methods, which achieve the same result and provide flexibility in management:
      1. Directly from the CloudFront console
      2. Through the AWS RAM console in the us-east-1 (N. Virginia) AWS Region
    2. To view and accept the resource share for the VPC origin in the Resource Consumer account, set your AWS Region to us-east-1 (N. Virginia), because global resources such as VPC origins are visible only in this Region.
  3. Resource sharing characteristics
    1. VPC origins are marked as “(shared)” in Resource Consumer Account
    2. Resource Consumer Account cannot re-share received VPC origins
    3. One-way sharing: Resource Owner Account → Resource Consumer Account only
  4. Permission configuration
    1. AWS RAM uses the managed permission: AWSRAMDefaultPermissionCloudfrontVpcOrigin
    2. This permission specifically allows sharing of the Resource type: cloudfront:Vpcorigin
    3. No additional permission configurations needed for basic sharing functionality
  5. VPC origin endpoint requirements
    1. For HTTP only origin setup:
      1. Internal DNS name or origin domain
    2. For HTTPS origin setup:
      1. The Resource Owner Account can configure a custom domain (for example api.example.com) with a valid ACM certificate for their origin.
      2. The Resource Consumer Account must use this custom domain as the VPC origin endpoint in their CloudFront distribution configuration.
      3. This ensures that CloudFront can validate the origin’s TLS certificate, because the endpoint name matches the certificate’s domain.
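The deletion sequence in the first consideration is the step people most often get wrong, so here it is as a script. This is an added example, not code from the post or from AWS: the Resource Consumer disables the distribution and waits for the change to deploy, then the Resource Owner disassociates the VPC origin from the resource share and deletes it. It assumes the AWS CLI v2 and python3 (used only to edit the JSON returned by `get-distribution-config`); the distribution ID, share ARN and VPC origin ARN/ID are passed as arguments and every sample value is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the post: tear down a shared VPC origin in the required order.
#   1. Resource Consumer: disable the CloudFront distribution (and wait for deployment)
#   2. Resource Owner:    unshare the VPC origin in AWS RAM
#   3. Resource Owner:    delete the VPC origin
# Assumes AWS CLI v2 and python3. IDs and ARNs are supplied by the caller.
set -eu

RAM_REGION=us-east-1   # resource shares for VPC origins live in us-east-1

# Print the ETag from a get-distribution-config or get-vpc-origin response on stdin.
# Both update and delete calls require the current ETag in --if-match.
extract_etag() {
  python3 -c 'import json, sys; print(json.load(sys.stdin)["ETag"])'
}

# Take a full get-distribution-config response on stdin and print its
# DistributionConfig with the top-level Enabled flag set to false.
# Nested flags such as Logging.Enabled are left untouched.
disabled_distribution_config() {
  python3 -c 'import json, sys
cfg = json.load(sys.stdin)["DistributionConfig"]
cfg["Enabled"] = False
print(json.dumps(cfg))'
}

# Step 1 (Resource Consumer account): disable the distribution.
disable_distribution() {
  dist_id=$1
  # One read of the config so the ETag and the body we send back belong together.
  response=$(aws cloudfront get-distribution-config --id "$dist_id" --output json)
  etag=$(printf '%s' "$response" | extract_etag)
  cfg=$(printf '%s' "$response" | disabled_distribution_config)
  aws cloudfront update-distribution --id "$dist_id" --if-match "$etag" --distribution-config "$cfg" >/dev/null
  aws cloudfront wait distribution-deployed --id "$dist_id"
  # Once disabled and deployed, the distribution can also be removed with
  # aws cloudfront delete-distribution --id "$dist_id" --if-match "<ETag after the update>"
}

# Step 2 (Resource Owner account): stop sharing the VPC origin.
#   $1 = resource share ARN, $2 = VPC origin ARN
unshare_vpc_origin() {
  aws ram disassociate-resource-share --region "$RAM_REGION" \
    --resource-share-arn "$1" --resource-arns "$2" >/dev/null
}

# Step 3 (Resource Owner account): delete the VPC origin by ID.
delete_vpc_origin() {
  etag=$(aws cloudfront get-vpc-origin --id "$1" --output json | extract_etag)
  aws cloudfront delete-vpc-origin --id "$1" --if-match "$etag" >/dev/null
}

case "${1:-}" in
  consumer)
    disable_distribution "${2:?usage: consumer <distribution-id>}" ;;
  owner)
    unshare_vpc_origin "${2:?usage: owner <resource-share-arn> <vpc-origin-arn> <vpc-origin-id>}" "${3:?missing vpc-origin-arn}"
    delete_vpc_origin "${4:?missing vpc-origin-id}" ;;
esac
```

Run `sh teardown.sh consumer <distribution-id>` in the Resource Consumer account first; only after it returns run `sh teardown.sh owner <share-arn> <vpc-origin-arn> <vpc-origin-id>` in the Resource Owner account. The ETag handling matters: CloudFront rejects an update or delete whose `--if-match` does not reflect the current state, which is also what protects you from clobbering a concurrent change.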

Conclusion

Cross-account support for Amazon CloudFront VPC origins eliminates the previous constraint that required origins and distributions to reside in the same account. Using AWS RAM, organizations can now share VPC origins across account boundaries while maintaining their multi-account structures. With this enhancement, development teams can manage applications in private VPC subnets within their own accounts, while content delivery teams reference these origins from CloudFront distributions in separate accounts.

Get started today by using CloudFront VPC origins with cross-account support.

About the Authors

Salman Ahmed

Salman is a Senior Technical Account Manager in AWS Enterprise Support. He specializes in guiding customers through the design, implementation, and support of AWS solutions. Combining his networking expertise with a drive to explore new technologies, he helps organizations successfully navigate their cloud journey. Outside of work, he enjoys photography, traveling, and watching his favorite sports teams.

Ankush Goyal

Ankush is a Senior Technical Account Manager at AWS Enterprise Support, specializing in helping customers in the travel and hospitality industries optimize their cloud infrastructure. With over 20 years of IT experience, he focuses on leveraging AWS networking services to drive operational efficiency and cloud adoption. Ankush is passionate about delivering impactful solutions and enabling clients to streamline their cloud operations.

Kunj Thacker

Kunj is a Technical Account Manager at AWS and is based out of Vancouver, Canada. He has an extensive background in Network and Infrastructure engineering prior to this role. He is passionate about new technologies and enjoys helping customers build, implement, and optimize their cloud infrastructure on AWS.