Reputation: 6182
I want to create an API Gateway with a Regional Custom Domain and use that as a CloudFront Distribution Origin. My main motivation is to control MinimumProtocolVersion/TLS1.2
My question is whether the custom domain name for the regional custom domain must match the domain name of the CloudFront distribution, or if I can use separate domain names.
My team has experienced 403 errors from CF when there is a mismatch; I'm just double-checking whether this is doable at all.
Example:
ApiGW:
- Custom Domain Name (REGIONAL). For example www.sample.com
- matching ACM certificate in eu-west-1
- No R53 records referencing this domain name
Cloudfront:
- ACM certificate in us-east-1
- Alias www.example.com
- Origin: www.sample.com
- R53 record for www.example.com, in hosted zone example.com, mapped to the CF distribution domain name
Upvotes: 0
Views: 2414
Reputation: 179374
When CloudFront makes a connection to the origin, it always uses the Origin Domain Name to look up the origin's IP address... but when it negotiates TLS with the origin, it sets the SNI to the same value as the HTTP Host header it will be sending to the origin.
These two values may be the same, or they may differ, but Host/SNI are always the same as each other, and always one of two values:
- the Origin Domain Name, when the Cache Behavior settings do not include whitelisting the Host header (or all headers) for forwarding to the origin, or
- the Host header sent to CloudFront by the browser (potentially modified in the request headers by a Lambda@Edge Request trigger), when the Cache Behavior settings do include whitelisting the Host header for forwarding to the origin.
So, in essence, the name needs to match if the Host header is forwarded, and must be different if it is not.
Additionally, if it is different, that hostname must actually be configured in DNS and pointing to the assigned regional API endpoint -- you can't just point to the assigned DNS alias target as Origin Domain Name.
Unfortunately, there are a few cases where CloudFront is somewhat confusing in its use of 403 errors. Sometimes this code is used for errors that would more correctly be treated as 400 or 421 errors, so the response body is important when checking into certain problems with 403. If you point a domain name to CloudFront without setting that domain as an Alternate Domain Name for the distribution, you'll get a 403 with a body that says "Bad Request" and the event won't be logged in your CloudFront logs because the missing Alternate Domain Name setting prevents CloudFront from mapping that request to your specific distribution.
Upvotes: 3
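As an added illustration (not code from the question or the answer), here is the layout the question describes as a CloudFormation template: the regional API Gateway custom domain www.sample.com with its own alias record, and a CloudFront distribution aliased as www.example.com that uses www.sample.com as its origin without forwarding the Host header, so Host/SNI at the origin stay equal to the Origin Domain Name. The certificate ARNs, account id, REST API id, stage name and hosted zone are placeholders; the www.example.com record pointing at the distribution is omitted for brevity.

```yaml
Resources:
  # Regional custom domain for the API; TLS_1_2 is the minimum version API Gateway will accept
  ApiDomain:
    Type: AWS::ApiGateway::DomainName
    Properties:
      DomainName: www.sample.com
      RegionalCertificateArn: arn:aws:acm:eu-west-1:111122223333:certificate/REGIONAL-CERT-ID   # placeholder
      SecurityPolicy: TLS_1_2
      EndpointConfiguration:
        Types: [REGIONAL]
  ApiMapping:
    Type: AWS::ApiGateway::BasePathMapping
    Properties:
      DomainName: !Ref ApiDomain
      RestApiId: EXAMPLEAPIID   # placeholder: an existing REST API
      Stage: prod               # assumed stage name
  # The origin name must resolve in DNS, so www.sample.com gets its own alias record
  ApiDnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneName: sample.com.
      Name: www.sample.com
      Type: A
      AliasTarget:
        DNSName: !GetAtt ApiDomain.RegionalDomainName
        HostedZoneId: !GetAtt ApiDomain.RegionalHostedZoneId
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases: [www.example.com]   # viewer-facing name; omit it and CloudFront answers 403 "Bad Request"
        ViewerCertificate:
          AcmCertificateArn: arn:aws:acm:us-east-1:111122223333:certificate/EDGE-CERT-ID   # placeholder
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
        Origins:
          - Id: api
            DomainName: www.sample.com   # used for the DNS lookup, and as Host/SNI because Host is not forwarded
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
              OriginSSLProtocols: [TLSv1.2]
        DefaultCacheBehavior:
          TargetOriginId: api
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues:
            QueryString: true
            Headers: []   # leave Host out: whitelisting it would send www.example.com as Host/SNI to the origin
```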