I want to connect Cloudfront to an internal load balancer which is connected to my application. Inbound traffic comes from a third party application so I cannot only use the internal load balancer. The process would be:
third party app <-> cloudfront <-> internal load balancer <-> my application
However, I am not sure if Cloudfront can access the load balancer in my VPC. Any ideas how that would be set up?
Unfortunately, at this time there is no way to connect to private AWS resources; there are 2 types of Origin.
Even though your load balancer is public, you can still enhance your security to reduce the threat of an unknown source accessing your load balancer.
You could add a custom header to your requests containing a secret. Then, if you use an application load balancer, attach a WAF with a default action to block all requests. Finally, add an allow rule to the WAF that allows requests where the header has the value of your secret.
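As an added example (Terraform, not code from the answer above or from AWS), the shared-secret header scheme described in that answer: CloudFront stamps a secret header onto every origin request, and a regional WAFv2 web ACL on the public ALB blocks by default and allows only requests carrying that exact header value. Assumptions: an existing public ALB `aws_lb.app`, the `hashicorp/random` provider, and the header name `X-Origin-Verify`, which is just a convention.

```hcl
# Added example; not from the answer above. Assumes an existing public ALB
# "aws_lb.app" and the hashicorp/random provider. The header name
# x-origin-verify is a convention, not something CloudFront or WAF requires.
# Long random shared secret: CloudFront sends it, WAF checks it. It ends up in
# Terraform state and in the WAF rule, so protect both and rotate it.
resource "random_password" "origin_secret" {
  length  = 48
  special = false
}

# Regional web ACL on the ALB. Default action blocks everything; the one rule
# allows requests whose header value is exactly the secret.
resource "aws_wafv2_web_acl" "origin_guard" {
  name  = "alb-origin-guard"
  scope = "REGIONAL" # ALB is regional; CLOUDFRONT scope is for distributions
  default_action {
    block {}
  }
  rule {
    name     = "allow-cloudfront-secret-header"
    priority = 0
    action {
      allow {}
    }
    statement {
      byte_match_statement {
        positional_constraint = "EXACTLY"
        search_string         = random_password.origin_secret.result
        field_to_match {
          single_header {
            name = "x-origin-verify" # WAF requires the lowercase header name
          }
        }
        text_transformation {
          priority = 0
          type     = "NONE"
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AllowCloudFrontSecretHeader"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "AlbOriginGuard"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.app.arn
  web_acl_arn  = aws_wafv2_web_acl.origin_guard.arn
}

# AWS-managed policies: no caching, forward all viewer headers/cookies/query.
data "aws_cloudfront_cache_policy" "no_cache" {
  name = "Managed-CachingDisabled"
}

data "aws_cloudfront_origin_request_policy" "all_viewer" {
  name = "Managed-AllViewer"
}

# CloudFront adds the secret header to every request it forwards to the ALB.
resource "aws_cloudfront_distribution" "app" {
  enabled = true

  origin {
    domain_name = aws_lb.app.dns_name
    origin_id   = "alb"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
    custom_header {
      name  = "X-Origin-Verify"
      value = random_password.origin_secret.result
    }
  }

  default_cache_behavior {
    target_origin_id         = "alb"
    viewer_protocol_policy   = "redirect-to-https"
    allowed_methods          = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods           = ["GET", "HEAD"]
    cache_policy_id          = data.aws_cloudfront_cache_policy.no_cache.id
    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer.id
  }

  restrictions {
    geo_restriction { restriction_type = "none" }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

Two caveats a practitioner should keep in mind: the secret is readable by anyone who can describe the distribution or the web ACL, so rotate it by changing `random_password` (Terraform then updates both the CloudFront header and the WAF rule in one apply), and the WAF check only proves a request came through a CloudFront distribution that knows the secret, not which viewer sent it; the ALB is still reachable from the Internet, it just answers 403 to everything without the header.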
Starting from 2024/11/20, you can now use VPC Origin for CloudFront.
So you can use a private ALB, accessible only from your CloudFront, as the origin.
Why this solution is the most suitable for this situation:
See: https://aws.amazon.com/blogs/aws/introducing-amazon-cloudfront-vpc-origins-enhanced-security-and-streamlined-operations-for-your-applications/
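As an added example (Terraform, not code from the answer above or from the linked AWS post), the VPC origin wiring that answer refers to: CloudFront gets a VPC origin pointing at an internal ALB, and the distribution's origin uses `vpc_origin_config` instead of `custom_origin_config`. Assumptions: an internal ALB `aws_lb.internal` (`internal = true`) in private subnets with an HTTPS listener on 443, and an AWS provider recent enough to include the `aws_cloudfront_vpc_origin` resource; check the attribute names against your provider version.

```hcl
# Added example; not from the answer above. Assumes an internal ALB
# "aws_lb.internal" in private subnets with an HTTPS listener on 443, and an
# AWS provider version that has the aws_cloudfront_vpc_origin resource.

# The VPC origin is what lets CloudFront reach a load balancer that has no
# public address: CloudFront places its own network interface in the VPC.
resource "aws_cloudfront_vpc_origin" "internal_alb" {
  vpc_origin_endpoint_config {
    name                   = "internal-alb"
    arn                    = aws_lb.internal.arn
    http_port              = 80
    https_port             = 443
    origin_protocol_policy = "https-only"
    origin_ssl_protocols {
      items    = ["TLSv1.2"]
      quantity = 1
    }
  }
}

# AWS-managed policies: no caching, forward all viewer headers/cookies/query.
data "aws_cloudfront_cache_policy" "no_cache" {
  name = "Managed-CachingDisabled"
}

data "aws_cloudfront_origin_request_policy" "all_viewer" {
  name = "Managed-AllViewer"
}

resource "aws_cloudfront_distribution" "app" {
  enabled = true

  origin {
    domain_name = aws_lb.internal.dns_name # private DNS name is fine here
    origin_id   = "internal-alb"
    # Replaces custom_origin_config: traffic goes through the VPC origin.
    vpc_origin_config {
      vpc_origin_id = aws_cloudfront_vpc_origin.internal_alb.id
    }
  }

  default_cache_behavior {
    target_origin_id         = "internal-alb"
    viewer_protocol_policy   = "redirect-to-https"
    allowed_methods          = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods           = ["GET", "HEAD"]
    cache_policy_id          = data.aws_cloudfront_cache_policy.no_cache.id
    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer.id
  }

  restrictions {
    geo_restriction { restriction_type = "none" }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

One thing still to do by hand or in a separate rule: the ALB's security group must admit the traffic CloudFront sends from inside the VPC. In my understanding CloudFront creates a security group in the VPC for this purpose (named `CloudFront-VPCOrigins-Service-SG`); allow 443 from that group on the ALB and verify the name in your own account rather than trusting this note. With the ALB internal, the shared-secret header trick from the other answer is no longer needed for reachability, though it still adds defence in depth against anything else inside the VPC that can reach the ALB.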