By using AWS re:Post, you agree to the AWS re:Post Terms of Use

connection issue between load balancer and cloudfront

0

I'm using frontend s3 bucket, cloudfront, load balancer, and ec2 backend instance.

By purchasing a domain, I set up a domain that starts with www for the cloud front and an api for the load balancer.

Basically, it is implemented by sending a request to the back end through a load balancer from the front end connected to the cloud front and receiving a response.

The problem here is the inbound rule of the load balancer, and for 443 ports
I set 'pl-22a6434b (com.amazonaws.global.cloudfront.original-facing)', but it doesn't work as "request timeout". Requests to the backend set by the front end are set to https by default.

On the other hand, it works fine when I open '0.0.0.0/0' for 443 ports as a temporary measure, but there are also security concerns to keep it open for all IPs.

Previously, the cloudfront did not designate the load balancer as the original, but there was no change in the problem situation when it was designated.

There are 2 questions.

  1. In the scope of the free tier, how can I make sure that requests from the cloudfront are sent to the backend well?

  2. I found that depending on the inbound IP allowed by the load balancer, the behavior of the cloudfront varies. My intention was that the request would be sent to the backend regardless of which IP you access to the cloudfront because the request starts at the cloudfront, and I found that the request times out when I access the same site from another computer. How can I fix this?

I would appreciate your help.

asked 7 months ago1.3K views
2 Answers
1

To resolve the connectivity issues between CloudFront and your load balancer, follow these steps:

Check CloudFront Origin Configuration:

Log in to the AWS Management Console and navigate to the CloudFront service. Select your CloudFront distribution. Go to the "Origins and Origin Groups" tab. Ensure that the Origin Domain Name is set to the DNS name of your load balancer and that the Origin Protocol Policy is set to "HTTPS Only" or "Match Viewer". Verify Target Group Configuration:

Navigate to the EC2 service in the AWS Management Console. Go to the "Target Groups" section. Select the target group associated with your load balancer. Ensure that the target group is correctly configured with the backend EC2 instances that should receive traffic from CloudFront. Update Load Balancer Security Group:

Go to the EC2 service in the AWS Management Console. Select the security group associated with your load balancer. Add an inbound rule to allow incoming traffic from CloudFront IP ranges on port 443 (or the port your backend is listening on). You can find the CloudFront IP ranges in the AWS documentation here.

profile picture
EXPERT
answered 7 months ago
EXPERT
reviewed 5 months ago
0
Accepted Answer

Hello.

In your case, I think the communication path is CloudFront → S3 → ALB.
Therefore, I suspect that even if you set CloudFront's prefix list to the ALB security group, it will not be allowed and will time out.
Therefore, try setting the S3 prefix list instead of the CloudFront prefix list in the ALB security group.
https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html

profile picture
EXPERT
answered 7 months ago
  • Thank you for your answer.

    As you said, I've also tried setting up the s3 prefix, but it didn't work the same way.

    I'm testing it for different situations, and it feels like it's only affected by the IP of the accessor. When I allowed the local IP of the desktop with the inbound rule of the load balancer, I get a normal response from the backend. In this state, when I access the site on my laptop, I don't get a response.

  • In that case, it seems that the S3 front end returns a response to the client and then accesses the API. I think you need to register ALB as the origin of CloudFront and make the traffic flow like CloudFront → S3 → Client → CloudFront → ALB. In this case, your front-end program will also need to point to CloudFront to access the API.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions