Resolution
----------

Use Application Load Balancers, Network Load Balancers, and Amazon Elastic Compute Cloud (Amazon EC2) instances in private subnets as [VPC origins](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.html).

### VPC prerequisites

Before you create a VPC origin for your CloudFront distribution, complete the following requirements:

*   Use Amazon Virtual Private Cloud (Amazon VPC) to [create a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html#create-vpc-and-other-resources) in the same AWS account as your CloudFront distribution and in a [supported AWS Region for VPC origins](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.html#vpc-origins-supported-regions).
*   Include an inbound and outbound rule in your network access control list (network ACL) configuration.
*   Make sure that your VPC has an internet gateway.
*   Your VPC must include at least one available IPv4 address in your private subnet.  
    **Note:** You can use a private IPv4 address with no additional cost. VPC origins doesn't support IPv6 addresses.
*   Update your security groups to explicitly allow the [CloudFront managed prefix list](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html#managed-prefix-list).
*   You have access to the [AWSServiceRoleForCloudFrontVPCOrigin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-service-linked-roles.html#slr-permissions) service-linked role.

For more information, see [Prerequisites](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.html#vpc-origin-prerequisites).

### Create a VPC origin

Use the CloudFront console to [create a VPC origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.html#new-vpc-origin). You can also use the [CreateVpcOrigin](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateVpcOrigin.html) and [CreateDistribution](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateDistribution.html) API actions.

For more information, see [Introducing Amazon CloudFront VPC origins: Enhanced security and streamlined operations for your applications](https://aws.amazon.com/blogs/aws/introducing-amazon-cloudfront-vpc-origins-enhanced-security-and-streamlined-operations-for-your-applications/).

I want to use virtual private cloud (VPC) origins to host my Amazon CloudFront applications in a private subnet to restrict access for more security.

Use CloudFront VPC origins to secure applications

How do I use CloudFront VPC origins to secure my applications in a private subnet?

Networking & Content Delivery

How to Preserve Original Client IP Addresses When Using Application Load Balancer with EC2 Instances?

Why does the HTTPS connection between my CloudFront distribution and load balancer fail?

How do I restrict direct traffic to an Application Load Balancer and only allow traffic through CloudFront?

How do I use an Application Load Balancer or a Network Load Balancer to invoke an API Gateway private API?

Why does my application fail on CloudFront when I can use the application from a custom origin?

Will CloudFront to Internal ALB (via VPC Origin) Trigger `region-Requests-HTTP-Proxy` Charges?

CDK. Cloudfront distribution pointing to a private loadbalancer on a VPC

CloudFront - Internal ELB Origin

Cloudfront timeout to Application Load Balancer

Cloudfront eu-south-1 limitations origin domain

How do I use CloudFront VPC origins to secure my applications in a private subnet?

Resolution

VPC prerequisites

Create a VPC origin

Relevant content