
Is it possible to implement a multi-tenant architecture with content-based routing without terminating TLS at CloudFront?

0

Hi,

We have a SaaS application with a multi-tenant architecture. The app is deployed across several instances, with each instance accessible via subdomain-based routing. For example, the first instance is available at use1.example.com, another at euc1.example.com, and so on. Each app instance serves its own clients and users.

We are planning to transition to content-based routing. Under this model, all users will access the service via example.com—the only domain they will ever see. After logging in, users will still see example.com, but their requests will be routed to the appropriate load balancer for their assigned app instance.

AWS provides several resources and use cases [1,2] describing this scenario. However, in each example, Lambda@Edge is used to parse requests and make routing decisions, which requires TLS termination at CloudFront.

We are wondering if it is possible to maintain a fully secure (end-to-end encrypted) connection between the client and the relevant app instance. In this case, routing decisions could still be made based on SNI or by other means.

1 Answer
0

Amazon CloudFront SaaS Manager provides capabilities for multi-tenant architectures, but the content-based routing scenario you're describing would indeed require TLS termination at CloudFront.

When implementing data-driven routing with CloudFront, the service needs to inspect the request content (such as headers, cookies, or JWT tokens) to make routing decisions. This inspection requires TLS termination at the CloudFront edge. Lambda@Edge functions, which are commonly used for this purpose, can only access the request content after CloudFront has terminated the TLS connection.

CloudFront SaaS Manager allows you to create multi-tenant distributions that define shared settings across multiple domains, with distribution tenants inheriting configurations while maintaining tenant-specific customizations. However, even with this approach, CloudFront needs to decrypt the traffic to perform content-based routing.

If maintaining end-to-end encryption without TLS termination at CloudFront is an absolute requirement, you might need to consider alternative approaches:

  1. Continue using subdomain-based routing where each tenant has a unique hostname
  2. Use a different service architecture where routing decisions are made after the initial TLS termination point

It's worth noting that CloudFront does re-encrypt the traffic when forwarding it to your origin, so the data remains encrypted in transit throughout the entire journey. While this isn't technically end-to-end encryption in the strictest sense, it does maintain security throughout the request path.
Sources

  1. Scale your SaaS application at the edge with the new Amazon CloudFront SaaS Manager | Networking & Content Delivery
  2. Tenant routing strategies for SaaS applications on AWS | Networking & Content Delivery
  3. Reduce your operational overhead today with Amazon CloudFront SaaS Manager | AWS News Blog
  4. Understand how multi-tenant distributions work - Amazon CloudFront

answered 7 months ago
AWS
SUPPORT ENGINEER
reviewed 7 months ago
