4
votes

I am hosting one web application on private subnet instances, as the application is for the organisation's internal users across different geo locations. This application needs AWS CloudFront support for delivering static content more efficiently. The problem is that I need an internet-facing load balancer (with instances in public subnets) as the origin for a CloudFront distribution.

I don't want internet facing ELB and resulting instances in public subnet.

Any way I can leverage AWS CloudFront to connect to internal ELB?


1 Answer

8
votes

I need internet facing load balancer (with instances in public subnets) as the origin for a CloudFront distribution.

Part of this is incorrect.

CloudFront does require that the origin server be internet accessible, so that part is correct.

But an Internet-facing load balancer does not require that the instances behind the balancer be on public subnets or have their own public IP addresses.

Not only are they not required, but for an internet-facing ELB Classic or ALB, the best practice is actually to have neither.

Issue
I want to create a public internet-facing load balancer and attach backend Amazon EC2 instances that are not publicly reachable; for example, instances that are in a private subnet. How can I do this?

Short Description
You must create public subnets in the same Availability Zones as the private subnets that are used by your private instances. Then associate these public subnets to the internet-facing load balancer.

https://aws.amazon.com/premiumsupport/knowledge-center/public-load-balancer-private-ec2/

That's applicable to both Classic and Application balancers, but not Network Load Balancers; however, NLB is not really needed behind CloudFront, since ALB has a 100% compatibility overlap with what CloudFront can do.

There is no performance impact from having a balancer on different subnets from the instances.

CloudFront only works with Internet-accessible resources. It does not support private connections to VPCs (including Lambda@Edge functions, which do not run in your VPC).
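The layout the answer recommends has three checkable properties: every subnet attached to the internet-facing balancer routes 0.0.0.0/0 to an internet gateway, every target instance sits on a subnet that does not (and has no public IP), and each Availability Zone that holds a target also holds one of the balancer's public subnets. The script below is an added example, not code from the answer or from AWS; it encodes those rules as an offline check over dictionaries shaped like the EC2 DescribeSubnets, DescribeRouteTables and DescribeInstances responses. All subnet, route table, gateway and instance IDs and CIDRs are constructed for the example; in practice you would feed it the real API output.

```python
"""Offline check of the VPC layout described in the answer: an internet-facing
ALB on public subnets, target instances on private subnets, and one ALB subnet
in every Availability Zone that holds a target.

Added example; the data below is constructed and all identifiers are made up.
The dictionaries mirror the shape of EC2 DescribeSubnets / DescribeRouteTables /
DescribeInstances so real responses could be passed in unchanged."""

# --- constructed sample VPC (hypothetical IDs and CIDRs) ---
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.0.0/24"},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b", "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.10.0/24"},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b", "CidrBlock": "10.0.11.0/24"},
    {"SubnetId": "subnet-priv-c", "AvailabilityZone": "us-east-1c", "CidrBlock": "10.0.12.0/24"},
]

ROUTE_TABLES = [
    # Public table: explicitly associated, default route to an internet gateway.
    {"Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    # Main table: private subnets fall back to it; default route goes to a NAT gateway.
    {"Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]

ALB_SUBNETS = ["subnet-pub-a", "subnet-pub-b"]

TARGETS = [
    {"InstanceId": "i-0aaa", "SubnetId": "subnet-priv-a", "PrivateIpAddress": "10.0.10.15"},
    {"InstanceId": "i-0bbb", "SubnetId": "subnet-priv-b", "PrivateIpAddress": "10.0.11.15"},
]


def classify_subnets(subnets, route_tables):
    """Map each subnet id to "public" or "private".

    A subnet is public when its effective route table sends 0.0.0.0/0 to an
    internet gateway (igw-*). Subnets without an explicit association use the
    VPC's main route table, as EC2 does."""
    explicit, main_table = {}, None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("Main"):
                main_table = table
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = table

    def has_igw_default(table):
        return any(
            route.get("DestinationCidrBlock") == "0.0.0.0/0"
            and str(route.get("GatewayId", "")).startswith("igw-")
            for route in table.get("Routes", [])
        )

    result = {}
    for subnet in subnets:
        table = explicit.get(subnet["SubnetId"], main_table)
        public = table is not None and has_igw_default(table)
        result[subnet["SubnetId"]] = "public" if public else "private"
    return result


def check_alb_layout(alb_subnet_ids, targets, subnets, route_tables):
    """Return a list of findings; an empty list means the layout matches the
    answer's pattern (public ALB subnets, private targets, AZ coverage)."""
    kind = classify_subnets(subnets, route_tables)
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    findings = []

    # Rule 1: every balancer subnet must be public.
    for sid in alb_subnet_ids:
        if kind.get(sid) != "public":
            findings.append(f"ALB subnet {sid} is not public (no igw default route)")
    alb_azs = {az_of[sid] for sid in alb_subnet_ids if sid in az_of}

    for inst in targets:
        iid, sid = inst["InstanceId"], inst["SubnetId"]
        # Rule 2: targets stay on private subnets with no public address.
        if kind.get(sid) != "private":
            findings.append(f"target {iid} sits on public subnet {sid}")
        if inst.get("PublicIpAddress"):
            findings.append(f"target {iid} has public IP {inst['PublicIpAddress']}")
        # Rule 3: the balancer needs a public subnet in the target's AZ.
        az = az_of.get(sid)
        if az not in alb_azs:
            findings.append(f"target {iid} is in {az} but the ALB has no public subnet there")
    return findings


if __name__ == "__main__":
    for line in check_alb_layout(ALB_SUBNETS, TARGETS, SUBNETS, ROUTE_TABLES) or ["layout OK"]:
        print(line)
```

Run against the constructed data the check reports "layout OK"; adding a target in us-east-1c, where the balancer has no public subnet, produces a finding, as does attaching the balancer to a private subnet or registering an instance that carries a public IP.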