
Where the custom origin server for an AWS CloudFront distribution is an EC2 instance accessible with a public DNS record, do CloudFront edge locations talk to it over the open Internet — as opposed to AWS-only network?

If they use AWS-only networks to talk to origins, then I would dispense with installing HTTPS on the origin as there can't be any man-in-the-middle apart from AWS. But if edge locations talk to origins by whatever networks are available then sure, installing HTTPS on the origin makes perfect sense.

So, which one applies?

Marcel
Greendrake

2 Answers

1

From the AWS documentation:

CloudFront Edge locations are connected to the AWS Regions through the AWS network backbone - fully redundant, multiple 100GbE parallel fiber that circles the globe and links with tens of thousands of networks for improved origin fetches and dynamic content acceleration

So it appears indeed that connectivity from the CloudFront Edge Locations (POP) to the origin that hosts your resources (presumably a VPC in one of the AWS Regions) would traverse the AWS network backbone and not the internet.

That said, I wouldn't dispense with TLS in any case.

keithRozario
0

An EC2 instance, by definition, will be on AWS network infrastructure, which means origin fetches from CloudFront will only traverse AWS networks.

I'm not sure that's sufficient reason not to encrypt traffic at the origin, as there might be malicious actors or threats on AWS just as there might be on networks outside AWS.

Rodrigo Murillo
  • I think it doesn't necessarily follow that two independent AWS services would necessarily use AWS networks to connect to each other. This of course would have been the case if the CloudFront origin was pointed to a private VPC address, but it's public. I'm therefore not sure if an edge in, say, Australia will use AWS network pipes (e.g. their system-wide VPN or similar) to connect to an origin in the US addressed by a public DNS record. – Greendrake Jul 11 '22 at 05:32
  • "Every data center, AZ, and AWS Region is **interconnected** via a purpose-built, highly available, and low-latency private global network infrastructure. The network is built on a global, fully redundant, parallel 100 GbE metro fiber network that is linked via trans-oceanic cables across the Atlantic, Pacific, and Indian Oceans, as well as the Mediterranean, Red Sea, and South China Seas." My understanding is that all AWS traffic runs on AWS global network infrastructure. https://aws.amazon.com/about-aws/global-infrastructure/global_network/ – Rodrigo Murillo Jul 11 '22 at 05:51
  • That's exactly what I want to know for sure. The mere fact that all AWS services are globally interconnected does not necessarily mean that this connection will be used at all times. Indeed, there _are_ use cases where using it is necessary e.g. a VPC spanning resources across the globe, but CF edges talking to CF origins does not seem to be one of them. – Greendrake Jul 11 '22 at 06:22
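Both answers land on the same practical recommendation: keep TLS between CloudFront and the origin regardless of which network carries the fetch. The setting that decides this is the origin's `OriginProtocolPolicy` (`http-only`, `match-viewer` or `https-only`) together with `OriginSslProtocols` in the distribution config. The script below is an added example, not code from the question or either answer: it audits the `DistributionConfig` object as returned by `aws cloudfront get-distribution-config` for custom origins that are fetched over plain HTTP, may fall back to HTTP, or only permit legacy TLS versions, and produces a hardened copy. The sample config, origin IDs and domain names are constructed for illustration.

```python
"""Audit a CloudFront DistributionConfig for origins fetched without TLS.

Works on the "DistributionConfig" JSON object that
`aws cloudfront get-distribution-config --id <ID>` returns. The sample
configurations at the bottom are constructed for illustration only.
"""
import copy
from typing import Dict, List

# TLS versions a 2022-era audit would treat as legacy for an origin connection.
LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def audit_origins(dist_config: Dict) -> List[str]:
    """Return one finding string per insecurely fetched custom origin.

    Custom origins (e.g. an EC2 instance behind a public DNS name, as in the
    question) carry a CustomOriginConfig. S3 origins carry S3OriginConfig
    instead, have no origin protocol policy, and are skipped here.
    """
    findings: List[str] = []
    for origin in dist_config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # not a custom origin: nothing to check
        oid = origin["Id"]
        policy = custom.get("OriginProtocolPolicy")
        if policy == "http-only":
            findings.append(f"{oid}: origin fetched over plain HTTP (http-only)")
        elif policy == "match-viewer":
            findings.append(f"{oid}: origin protocol follows the viewer (match-viewer), HTTP possible")
        # TLS version restrictions only matter when TLS can actually be used.
        protos = set(custom.get("OriginSslProtocols", {}).get("Items", []))
        if policy != "http-only" and protos and protos <= LEGACY_TLS:
            findings.append(f"{oid}: only legacy TLS versions allowed: {sorted(protos)}")
    return findings


def harden(dist_config: Dict) -> Dict:
    """Return a deep copy with every custom origin forced to https-only / TLSv1.2."""
    fixed = copy.deepcopy(dist_config)
    for origin in fixed.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue
        custom["OriginProtocolPolicy"] = "https-only"
        custom["OriginSslProtocols"] = {"Quantity": 1, "Items": ["TLSv1.2"]}
    return fixed


# Constructed sample: the weak setup from the question (plain HTTP to an EC2
# origin) next to an S3 origin, which the audit leaves alone.
WEAK_CONFIG = {
    "Origins": {
        "Quantity": 2,
        "Items": [
            {
                "Id": "ec2-origin",  # constructed
                "DomainName": "ec2-203-0-113-10.compute-1.amazonaws.com",  # placeholder
                "CustomOriginConfig": {
                    "HTTPPort": 80,
                    "HTTPSPort": 443,
                    "OriginProtocolPolicy": "http-only",
                    "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1"]},
                },
            },
            {
                "Id": "s3-origin",  # constructed
                "DomainName": "example-bucket.s3.amazonaws.com",  # placeholder
                "S3OriginConfig": {"OriginAccessIdentity": ""},
            },
        ],
    }
}

# Constructed sample: TLS is possible but not guaranteed, and only TLS 1.1.
MATCH_VIEWER_CONFIG = {
    "Origins": {
        "Quantity": 1,
        "Items": [
            {
                "Id": "ec2-origin",  # constructed
                "DomainName": "origin.example.com",  # placeholder
                "CustomOriginConfig": {
                    "HTTPPort": 80,
                    "HTTPSPort": 443,
                    "OriginProtocolPolicy": "match-viewer",
                    "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.1"]},
                },
            }
        ],
    }
}

if __name__ == "__main__":
    for cfg in (WEAK_CONFIG, MATCH_VIEWER_CONFIG):
        for finding in audit_origins(cfg):
            print("FINDING:", finding)
        print("after hardening:", audit_origins(harden(cfg)))
```

Run it against a real distribution by feeding the `DistributionConfig` object from the CLI into `audit_origins`; an empty list means every custom origin is already fetched over HTTPS with a modern TLS version. Note that `https-only` also requires the origin to present a certificate CloudFront trusts and whose name matches the origin domain, so hardening the distribution is only half of the change.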