4

I have this flow:

user => Cloudfront with TLS => ALB with TLS => ECS

I encrypted connection between Cloudfront and ALB.

  • Cloudfront has domain MAIN.DOMAIN.NET + TLS cert configured.
  • ALB has also domain WEB.DOMAIN.NET + TLS cert (it seems that for ALB HTTPS listener one also needs TLS cert with valid domain name, that's why I added domain also for ALB).
  • there is S3 Cloudfront origin for static files, let's say FILES.DOMAIN.NET.

I want Cloudfront in front of the ALB, and everything seems to work well. But do I really need a custom domain for the ALB, or did I miss something? It seems overly complex to me (it gets harder to use Cloudformation with my current domain provider).

wtdmn

5 Answers

3

I ended up using a custom domain + TLS for the ALB (one of the pros is that the cert rotates automatically). I don't think it's possible to do it otherwise.

  • when configuring an ALB HTTPS listener, the TLS cert is a required field
  • it's impossible to use ACM to generate a certificate for AWS-managed domains
  • when using an imported certificate in ACM, an FQDN is required
  • it seems that for an HTTPS ALB listener, a self-signed cert can't be used. It is totally possible to generate a certificate with an FQDN like *.eu-east-1.alb.aws.com, but Cloudfront returns 502.
wtdmn
1
  • I tested today after being stuck for a long time on a Cloudfront 502 error code. Indeed Cloudfront needs a valid certificate on its origin, here the ALB.

  • On the ALB side, you cannot change the DNS name, so it will create a name with the suffix domain amazonaws.com, and you cannot create certificates for this domain that you don't own (I tested in ACM, it fails).

  • I think it is possible to put a DNS CNAME record with your own domain name pointing to the ALB DNS name, then install the custom cert on the ALB listeners, and finally use the CNAME name as the Cloudfront origin DNS name. I guess that Cloudfront will connect to the origin using the CNAME name, the cert should be okay (without warning), and it should allow the traffic. I will test this in the next days and post the result.
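The setup the accepted answer and the comment above converge on (custom DNS name for the ALB, ACM certificate issued for that name, CloudFront origin pointing at the name over HTTPS) as one CloudFormation template. This is an added example, not code from the thread or from any of its participants. It assumes a Route 53 hosted zone for domain.net, the names web.domain.net and main.domain.net from the question, an existing ACM certificate for main.domain.net in us-east-1 (CloudFront only accepts certificates from that region), and a VPC with public subnets. The X-Origin-Verify header, the OriginSecret parameter and the listener rule that checks it are my addition: an internet-facing ALB is reachable directly by its public name, so the rule makes the ALB answer only requests that carry the value CloudFront injects.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - CloudFront to ALB over TLS with a custom origin domain (not from the thread)

Parameters:
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id      # assumed: zone for domain.net
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  CloudFrontCertificateArn:
    Type: String                            # assumed: ACM cert for main.domain.net, issued in us-east-1
  OriginSecret:
    Type: String
    NoEcho: true                            # assumed: value CloudFront adds so the ALB only serves CloudFront

Resources:
  # ACM certificate for the ALB's own name, in the ALB's region. DNS validation
  # against the zone below is what gives the automatic renewal the answer mentions.
  AlbCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: web.domain.net
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: web.domain.net
          HostedZoneId: !Ref HostedZoneId

  Alb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internet-facing
      Subnets: !Ref PublicSubnetIds

  EcsTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Port: 80
      Protocol: HTTP
      TargetType: ip                        # ECS awsvpc tasks register by IP

  # HTTPS listener: Certificates is mandatory, which is why the ALB needs a real FQDN.
  # Default action rejects; only the rule below forwards.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Alb
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref AlbCertificate
      DefaultActions:
        - Type: fixed-response
          FixedResponseConfig:
            StatusCode: "403"

  ForwardCloudFrontOnly:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref HttpsListener
      Priority: 1
      Conditions:
        - Field: http-header
          HttpHeaderConfig:
            HttpHeaderName: X-Origin-Verify
            Values: [!Ref OriginSecret]
      Actions:
        - Type: forward
          TargetGroupArn: !Ref EcsTargetGroup

  # web.domain.net -> ALB, so the name on the certificate and the origin name match.
  AlbDnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: web.domain.net
      Type: A
      AliasTarget:
        DNSName: !GetAtt Alb.DNSName
        HostedZoneId: !GetAtt Alb.CanonicalHostedZoneID

  # CloudFront talks to the custom name (never the *.elb.amazonaws.com name) and HTTPS only.
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases: [main.domain.net]
        ViewerCertificate:
          AcmCertificateArn: !Ref CloudFrontCertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
        Origins:
          - Id: alb
            DomainName: web.domain.net
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
              OriginSSLProtocols: [TLSv1.2]
            OriginCustomHeaders:
              - HeaderName: X-Origin-Verify
                HeaderValue: !Ref OriginSecret
        DefaultCacheBehavior:
          TargetOriginId: alb
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad         # AWS managed CachingDisabled
          OriginRequestPolicyId: 216adef6-5c7f-47e4-b989-5492eafa07d3 # AWS managed AllViewer
```

Deploy the stack in the ALB's region; the CloudFront distribution is global and the template only references the us-east-1 viewer certificate by ARN. If the origin DomainName is changed back to the raw ELB hostname, CloudFront's certificate validation of the origin fails and you get the 502 the thread describes, because no trusted certificate can be issued for an amazonaws.com name you do not control.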

0

You do not need a custom domain for the origin domain. For example the CloudFront documentation uses

Elastic Load Balancing load balancer – example-load-balancer-1234567890.us-west-2.elb.amazonaws.com

as an example origin.

Mark Wagner
0

According to the blog entry below, it should be possible to use the same TLS certificate for your ALB and Cloudfront. I was not able to test yet, but I am analysing the exact same scenario for our project. Basically, having a single domain name MAIN.DOMAIN.NET pointing to Cloudfront and using its TLS certificate for both the ALB and Cloudfront would be OK. Just a note: the ALB will not be accessible from the outside world. But Cloudfront probably keeps the host header while communicating with the ALB, so theoretically it can access the ALB.

https://www.stormit.cloud/blog/cloudfront-distribution-for-amazon-ec2-alb/

Serdar
0
  1. Considering that the communication between CloudFront and its origin is routed through Amazon's global backbone (in effect an AWS proprietary network), are you really concerned about establishing a TLS communication channel between them? IMHO, since it's AWS's own private network, it's expected to be highly secure. Considering that the network traffic for VPC endpoints and Direct Connect connections is also routed through this private network, I believe it's quite acceptable to rely on the security aspects of the network. Hence, any CloudFront traffic routed through the network does not have to be absolutely TLS secured. Of course, for meeting compliance and regulatory guidelines you may have to employ TLS certificates even if they are not technically 'mandatory' to ensure confidentiality/integrity of the traffic.

  2. Even if you have to deploy a TLS certificate for both the CloudFront domain and the ALB domain, is it not possible for you to generate a wildcard certificate (*.domain.net) and then use subdomains as you have mentioned in your question?

Mandar K