How do you add CloudFront in front of API Gateway

by

Until API Gateway (APIG) supports edge caching via its internal use of CloudFront (CF), I have come up with a workaround.

You can indeed put CF dist in front of APIG, the trick is to force HTTPS only “Viewer Protocol Policy” AND to NOT forward the HOST header because APIG needs SNI.

I setup my CF “Default Cache Behavior Settings” to not forward any headers, and forced “Viewer Protocol Policy” to “HTTPS Only” and it works. Hope this helps others.

Here is a CloudFormation resource object that has all the required configuration (Note: I use the convention <stage>--<app name> for StackName):

CloudFront:  
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        IPV6Enabled: true
        HttpVersion: http2
        Comment: !Join [ '--', [!Ref 'AWS::StackName', ' Cloud Front']]
        Aliases: [!Ref CloudFrontCname]
        ViewerCertificate:
          AcmCertificateArn: !Ref AcmCertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.1_2016
        Origins:
        - Id: APIGOrigin
          DomainName: !Sub
            - ${apigId}.execute-api.${AWS::Region}.amazonaws.com
            - { apigId: !Ref ApiGatewayLambdaProxy }
          OriginPath: !Sub
            - /${Stage}
            - { Stage: !Select [ "0", !Split [ '--', !Ref 'AWS::StackName' ] ] }
          CustomOriginConfig:
            # HTTPPort: 80
            HTTPSPort: 443
            OriginProtocolPolicy: https-only
          OriginCustomHeaders:
            - HeaderName: 'Verify-From-Cf'
              HeaderValue: !Ref VerifyFromCfHeaderVal
        DefaultCacheBehavior:
          AllowedMethods: ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
          CachedMethods: ["GET", "HEAD", "OPTIONS"]
          ForwardedValues:
            Headers:
            - Access-Control-Request-Headers
            - Access-Control-Request-Method
            - Origin
            - Authorization
            # - Host APIG needs to use SNI
            QueryString: true
          TargetOriginId: APIGOrigin
          ViewerProtocolPolicy: https-only
          Compress: true
          DefaultTTL: 0
        CustomErrorResponses:
        - ErrorCachingMinTTL: 0
          ErrorCode: 400
        - ErrorCachingMinTTL: 1
          ErrorCode: 403
        - ErrorCachingMinTTL: 5
          ErrorCode: 500
  DNSARecord:    
    Type: AWS::Route53::RecordSet
    Properties:
      Comment: !Ref 'AWS::StackName'
      Name: !Ref CloudFrontCname
      Type: A
      HostedZoneName: !Join ['.', [ !Select [1, !Split ['.', !Ref CloudFrontCname]], !Select [2, !Split ['.', !Ref CloudFrontCname]], '']]
      AliasTarget:
        HostedZoneId: !Ref Route53HostedZoneId
        DNSName: !GetAtt CloudFront.DomainName
  DNSAAAARecord:    
    Type: AWS::Route53::RecordSet
    Properties:
      Comment: !Ref 'AWS::StackName'
      Name: !Ref CloudFrontCname
      Type: AAAA
      HostedZoneName: !Join ['.', [ !Select [1, !Split ['.', !Ref CloudFrontCname]], !Select [2, !Split ['.', !Ref CloudFrontCname]], '']]
      AliasTarget:
        HostedZoneId: !Ref Route53HostedZoneId
        DNSName: !GetAtt CloudFront.DomainName

Late 2018 updates

  • CloudFormation finally supports setting SSL proto ver: MinimumProtocolVersion: TLSv1.1_2016
  • I’ve baked this (and many other) best practices into an OSS project: aws-blueprint

More Related Contents:

  1. Supporting HTTPS URL redirection with a single CloudFront distribution
  2. Amazon CloudFront Latency
  3. How to pass a querystring or route parameter to AWS Lambda from Amazon API Gateway
  4. CloudFront + S3 Website: “The specified key does not exist” when an implicit index document should be displayed
  5. API Gateway – POST multipart/form-data
  6. Is there a way to change the http status codes returned by Amazon API Gateway?
  7. Font from origin has been blocked from loading by Cross-Origin Resource Sharing policy
  8. Getting json body in aws Lambda via API gateway
  9. Missing Authentication Token while accessing API Gateway?
  10. Multiple Cloudfront Origins with Behavior Path Redirection
  11. Signature expired: is now earlier than error : InvalidSignatureException
  12. getting message: forbidden reply from AWS API gateway
  13. AWS CloudFront: Font from origin has been blocked from loading by Cross-Origin Resource Sharing policy
  14. AWS API Gateway base64Decode produces garbled binary?
  15. How to access HTTP headers for request to AWS API Gateway using Lambda?
  16. How to integrate API Gateway with internal ALB
  17. AWS CloudFront redirecting to S3 bucket
  18. Setting http response header from AWS lambda
  19. Cloudfront and EC2
  20. Why do we need private subnet in VPC?
  21. Amazon AWS Route 53 Hosted Zone does not work
  22. How to submit Spark jobs to EMR cluster from Airflow?
  23. How long should I wait after applying an AWS IAM policy before it is valid?
  24. Deploying react-redux app in AWS S3
  25. How to change permission recursively to folder with AWS s3 or AWS s3api
  26. Difference between upload() and putObject() for uploading a file to S3?
  27. Adding AWS Lambda with VPC configuration causes timeout when accessing S3
  28. How do I delete a versioned bucket in AWS S3 using the CLI?
  29. connect to AWS IoT using web socket with Cognito authenticated users
  30. Get last modified object from S3 using AWS CLI

Leave a Comment