Using Amazon CloudFront with AWS Lambda as origin to accelerate your web applications

In this blog, you will learn how to use the Lambda Function URL feature to define a AWS Lambda Function as origin for Amazon CloudFront. Lambda Function URL capability provides a dedicated HTTPS endpoint for your Lambda function deployed in an AWS Region.

Function URLs are a great fit for use cases where you must implement a single-function microservice with a public endpoint that doesn’t require advanced functionality, such as request validation, throttling, or custom authorizers. For example, it’s great for webhook handlers, form validators, mobile payment processing, advertisement placement, machine learning inference, and so on.

Fronting your Lambda Function URL endpoints with CloudFront allows you to cache content closer to the viewer by leveraging the globally distributed content distribution network. You could define custom domain names, turn on HTTPS delivery over TLS. Further, you could activate AWS Web Application Firewall (WAF) and AWS Shield Advanced to protect your application from malicious bots, prevent common application exploits and enhance protection from DDoS attacks.

Amazon CloudFront, our content delivery network (CDN) service accelerates content delivery and improves the overall security posture of your mission critical applications. CloudFront delivers your content through a worldwide network of edge locations. When a user requests for content through CloudFront, the request is routed to the edge location that provides the lowest latency and is delivered with optimal performance.

As more web applications adopt serverless and event driven architectures, customers use AWS Lambda as their computing service to run code in response to events and automatically manage the computing resources required. Common use cases include processing images on the fly or APIs for microservices. Until now, to create an HTTP API with a Lambda function you would front it with an Amazon API Gateway or use an Application Load Balancer. With the launch of Lambda Function URL you can create HTTP APIs for a Lambda Function quickly.

Architecture

Figure 1: Architecture – CloudFront with Lambda as origin

The architecture is simple and straight forward with CloudFront connecting to the Lambda Function URL as origin. When you create a Lambda Function URL, a unique URL endpoint is assigned in the format shown below

https://<url-id>.lambda-url.<region>.on.aws

You use this definition as origin in CloudFront and then map the origin to the appropriate CloudFront Cache Behavior.

Setup Walkthrough

First, obtain the unique Lambda Function URL endpoint.

1. Go to the AWS Lambda console in the AWS Region you want to deploy the function.
2. Create a Node.js based Lambda Function.
3. Provide the Function name and select the current Node.js runtime.
   

   Figure 2: Create Lambda Function

4. Under ‘Advanced settings’, check the ‘Enable function URL’ field. Since the Lambda function needs to be publicly accessible select ‘NONE’ for Auth type. This also create the necessary resource based policies to allow public access to the function.
   

   Figure 3: Enable Function URL

5. Click ‘Creation function’ to finish the function creation setup.
   For this walkthrough, use the default code template generated which just prints ‘Hello from Lambda!’ when invoked.
6. To get the Function URL, navigate to the ‘Configuration’ tab and select ‘Function URL – new’ as showing in following screenshot:
   

   Figure 4: Fetch the Function URL

   Note down the Function URL endpoint which is highlighted in the rectangular box. Click on the link to check the default output, ‘Hello from Lambda!’

   Note: If you have an existing Lambda Function you can enable Function URL endpoint by navigating to the ‘Configuration’ tab, selecting ‘Function URL – new’, and clicking on ‘Create function URL’ as shown highlighted in following screenshot:

Figure 5: Enable Function URL in existing Lambda Function

To learn more on Function URL capabilities, refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-urls.html

Next, create the Amazon CloudFront configuration

In this example you will deploy a CloudFormation template to set up a simple CloudFront configuration with Lambda Function as origin.

1. Launch Stack in us-east-1 AWS Region.
2. Enter the Function URL obtained earlier into the ‘Parameters’ section ‘Lambda Function Endpoint’ field as shown in below screenshot
   

   Figure 6: Setup CloudFront with Lambda Origin using CloudFormation template

   Remove https:// and trailing slash from the Function URL while providing the input.

3. Once the CloudFormation template is deployed, navigate to the ‘Outputs’ tab of the CloudFormation stack to access the default CloudFront domain name created. You should see the ‘Hello from Lambda!’ response when accessed.
   

   Figure 7: CloudFormation Output – CloudFront resource created

   The CloudFormation template creates a CloudFront distribution with the Lambda Function as origin. The origin points to the Lambda Function URL endpoint and is associated with a default cache behavior to serve all requests. The CloudFront behavior uses the ‘Managed-CachingOptimized’ cache policy and responses from origin are cached at CloudFront.

You could extend the CloudFront configuration to cache based on query strings, headers & cookies and pass them to your Lambda function by defining a new cache policy and associating it to the behavior.

As part of your origin configuration, you could set a static secret header which CloudFront inserts before making requests to your origin. This allows you to validate the presence of the header and value in your Lambda Function and ensure that requests are being routed through CloudFront. To learn more on setting custom Origin headers refer https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/add-origin-custom-headers.html

Once you have these changes, test it by accessing the default CloudFront domain created and you should see the response sent from the Lambda Function.

Conclusion

To summarize, you learned how to set up a Lambda Function URL endpoint, then used that as an origin for your Amazon CloudFront distribution. This AWS Lambda capability along with Amazon CloudFront will accelerate your web application by caching content closer to viewers and enable you to securely deliver content to your target audience. For more information, refer to the CloudFront Developer Guide.