AWS announces AWS Interconnect – multicloud (preview), providing simple, resilient, high-speed private connections to other cloud service providers. AWS Interconnect - multicloud is easy to configure and provides high-speed, resilient connectivity with dedicated bandwidth, enabling customers to interconnect AWS networking services such as AWS Transit Gateway, AWS Cloud WAN, and Amazon VPC to other cloud service providers with ease.
Why does the HTTPS connection between my CloudFront distribution and load balancer fail?
I configured HTTPS and HTTP listeners on my Classic Load Balancer or Application Load Balancer as the origin for my Amazon CloudFront distribution. However, the HTTPS communication between CloudFront and my load balancer fails.
Resolution
Issues with the associated SSL/TLS certificate, security groups, or network access control list (network ACL) cause HTTPS communication failures. Make sure that your distribution and load balancer meet the following security requirements:
- You must have a valid SSL/TLS certificate installed on the load balancer. If you still get HTTPS errors after you install the SSL/TLS certificate, then troubleshoot the SSL/TLS connection between CloudFront and the custom origin server.
- To connect the distribution to your load balancer on port 443, the load balancer security groups must allow port 443 traffic from CloudFront IP addresses. For more information, see Configure security groups for your Classic Load Balancer or Security groups for your Application Load Balancer.
- To allow only CloudFront IP addresses in the security group attached to your distribution, use the AWS managed prefix list. This list contains all CloudFront IP addresses and automatically updates with any changes. For more information, see Limit access to your origins using the AWS managed prefix list for Amazon CloudFront.
- The network ACLs associated with your load balancer's Amazon Virtual Private Cloud (Amazon VPC) must allow traffic from CloudFront on HTTPS ports. Typically, this is port 443.
- If you created an internal Application Load Balancer, then CloudFront can't route requests to it unless you add it as a VPC origin.
Note: You can use Server Name Indication (SNI) to add multiple SSL/TLS certificates with smart selection to your Application Load Balancer. If your distribution caches based on the host header, then configure an SSL/TLS certificate with the same name on the Application Load Balancer. Otherwise, the Application Load Balancer uses the default certificate, which might not match the SNI associated with the ClientHello message from CloudFront.
Related information
Require HTTPS for communication between CloudFront and your custom origin
- Language
- English
Please, document how to do this using cloudformation template
The network ACLs associated with your load balancer's Amazon Virtual Private Cloud (Amazon VPC) must allow traffic from CloudFront on HTTPS ports (typically port 443).
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Relevant content
- asked 2 years ago
- asked a month ago
