Facing issue with any website using Cloud Front from my internal network

The domain name isn't associated with an alternate domain name (CNAME) on a distribution If you create a Domain Name System (DNS) but don't add a CNAME in your CloudFront distribution configuration, then CloudFront returns a 403 error. This occurs even if the CNAME is redirected towards CloudFront at the DNS level.

To use a CNAME instead of the default CloudFront URL, follow the instructions for Adding an alternate domain name.

For more information, see Using custom URLs by adding alternate domain names (CNAMEs).

CloudFront geographic restrictions were configured on the distribution CloudFront geographic restrictions can prevent users in specific countries from accessing your content. If geographic restrictions cause the error, then the 403 response contains a message similar to: "The Amazon CloudFront distribution is configured to block access from your country." Also, the response header Server: CloudFront is present. The corresponding CloudFront access log entry contains ClientGeoBlocked as the value for x-edge-detailed-result-type.

For more information, see Restricting the geographic distribution of your content.

AWS WAF is configured on the CloudFront distribution and is blocking the request If you use AWS WAF to monitor forwarded requests and the requested content doesn't match the specified conditions, then the content is blocked by WAF. You receive a 403 error. In this case, the error contains a message similar to: "Request blocked. We can't connect to the server for this app or website at this time." The Server response header contains CloudFront as the value. The corresponding access log entry has Error as the value for x-edge-detailed-result-type.

The same error message and a response header value of Cloudfront might be present when the reason the request is blocked isn't AWS WAF. To confirm that the request is blocked by AWS WAF and identify the rule that blocked it, check the AWS WAF logs for the blocked request. Or, check the AWS WAF CloudFront metrics for the relevant WebACL. Then, check the WebACL to see the rules that are blocked. For more information, see Testing and tuning your AWS WAF protections.

An Amazon S3 origin is returning a 403 error Based on your Amazon Simple Storage Service (Amazon S3) as origin configuration, see the following for troubleshooting:

I’m using an S3 website endpoint as the origin of my CloudFront distribution. Why am I getting 403 Access Denied errors?

I’m using an S3 REST API endpoint as the origin of my CloudFront distribution. Why am I getting 403 Access Denied errors?

A custom origin is returning the 403 error A 403 error can be returned by an origin due to an application firewall or other reason at the custom origin. If the response contains a Server header without the value CloudFront, then the error might be returned from the custom origin.

To determine if the error is returned from the custom origin, check the origin HTTP access logs.

If you're not able to check the origin HTTP access logs, use the following troubleshooting methods:

Check CloudFront access logs. If the time-taken field for the blocked request is significantly lesser than the average of the time-taken field, then the response might not have come from the origin. A low value in the time-taken field indicates that a response was sent from edge location. Make the request directly to the origin. If you can replicate the error without going through CloudFront, then the origin might be returning the 403 error. The error is caused by a signed URL or signed cookies configuration If you have Restrict viewer access turned on for your CloudFront’s behavior configuration, then requests made without using signed cookies or URL result in a 403 error.

For more information about configuring signed cookies and signed URLs, see Serving private content with signed URLs and signed cookies.

For troubleshooting steps, see How do I troubleshoot issues related to a signed URL or signed cookies in CloudFront?

The distribution with viewer protocol policy not configured for HTTP and HTTPS If the HTTP request is sent to a distribution with Viewer Protocol Policy setting of HTTPS only, then the request can return a 403 error.

=>It sounds like you're experiencing a 403 error when accessing websites hosted on AWS CloudFront from your internal network. This could be due to several reasons:

=>IP Access Control or IP filtering: Check if your CloudFront distribution is configured to allow access only from specific IP addresses and ensure that your internal network's IP address is whitelisted.

=>Origin Server Permissions: Verify that the origin server (where CloudFront fetches content from) allows requests from your internal network's IP address.

=>CloudFront Cache: Sometimes, cached responses can cause issues. Try clearing your browser cache or configuring CloudFront to bypass caching for certain requests.

=>Security Groups and Network ACLs: Ensure that your security groups and network ACLs allow outbound traffic from your internal network to the CloudFront distribution.

=>DNS Resolution: Confirm that DNS resolution is working correctly for your internal network, and that the CloudFront distribution's domain name resolves to the correct IP address.

=>By checking these factors, you may be able to identify and resolve the issue with accessing CloudFront-hosted websites from your internal network.