How to setup Canary Release for two CloudFront in AWS?

Question

Our web is just a web app. So we used CloudFront and S3 to host it. Now I want to use the canary release to redirect 5% users to a new version for some testing first. But I find that it seems AWS can't approach that I can't figure out how to approach that.

For example, in the screenshot, I need an SSL certificate bind to CloudFront A. But one certificate can only bind to one CloudFront, which is a limitation of AWS. It means that the certificate can't bind to CloudFront B.

I have no idea how to resolve the problem. I am not sure if I misunderstand AWS service or my solution is totally wrong.

Any comment will be much appreciated.

p.s. One solution I think about is to write a proxy or APIGateway/lambda function to accept the request and redirect by percentage.

Answer 1

The term canary release does not fit front-end development, it relates to your backing services, and should only be done at the API REST service level. Because in a canary configuration it isn't that a user always hits the canary release or the normal release, instead each request has a chance of hitting either release, one request could hit the canary, and then the next could hit the old release.

In regards to front-end, you may wish to have users turn on beta-features, or have an entirely different hosted site located at www.beta.yoursite.com, which the DNS resolves to your bucket with snapshot releases, while www.yoursite.com.resolves to the normal site. Then you can have what are beta users who will be chosen at random and receive an email suggesting they try out the new site at its beta location. In your application, you can mark these users as having beta-credentials to enforce that only beta-users have access to the beta site if you wish.

Note that even if you could do what you are proposing (I think there is a way with CloudFront) it would be a bad user-experience as a user may use 2 different devices when accessing your site and then have 2 different experiences but not know what is going on.

EDIT: Comment Answer - Like I say, I really don't think you want to do that, but anyway what you would do is resolve your domain to a apigateway/proxy/loadbalancer instead of a bucket, which would then route traffic based on the authenticated user to either the beta site or the old site. That way they won't see a different domain. AFAIK there is no way to do DNS resolution based on the logged in user in Route53 but also DNS in general. I could be wrong somebody correct me if so. Probably API gateway would be the simplest and use a lambda to route the traffic to the correct site.

Answer 2

Although CloudFront doesn't support this natively, you can implement Canary Release using AWS Lambda@Edge which runs at CloudFront Edge Locations. You might need to code the routing logic to forward a certain percentage to specific buckets.