(CloudFront): Add coverage/support for VPC origins construct #32396
Comments
Sounds good @wood-brandon, thanks for sharing the update from the CloudFormation coverage roadmap. Marking it as P3 as it's good to have and cannot be worked on until supported by the CloudFormation team.
L1s seem to have been merged yesterday: #33272
Comments on closed issues and PRs are hard for our team to see.
### Issue # (if applicable)

Closes aws#32396.

### Reason for this change

VPC origins have been added to CloudFront and CloudFormation now supports them. For details, see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.html

### Description of changes

Added an L2 construct `cloudfront.VpcOrigin` for `AWS::CloudFront::VpcOrigin`. It will be created implicitly by the origin class described below. You can create it explicitly to share VPC origins between distributions.

```ts
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';

// Create a VPC origin resource
const vpcOrigin = new cloudfront.VpcOrigin(this, 'VpcOrigin', {
  // Exactly one endpoint is given; the alternatives are shown commented out.
  // An EC2 instance endpoint
  endpoint: cloudfront.VpcOriginEndpoint.fromEc2Instance(instance),
  // An Application Load Balancer endpoint
  // endpoint: cloudfront.VpcOriginEndpoint.fromApplicationLoadBalancer(alb),
  // A Network Load Balancer endpoint
  // endpoint: cloudfront.VpcOriginEndpoint.fromNetworkLoadBalancer(nlb),
  // Endpoint from ARN, i.e. an imported resource
  // endpoint: new cloudfront.VpcOriginEndpoint({ endpointArn }),

  // Optional VPC origin resource configurations
  vpcOriginName: 'Name of the VPC origin',
  httpPort: 80,
  httpsPort: 443,
  protocolPolicy: cloudfront.OriginProtocolPolicy.MATCH_VIEWER,
  originSslProtocols: [cloudfront.OriginSslPolicy.TLSV1_2],
});
```

Added an origin class `cloudfront_origins.VpcOrigin` for distribution configuration. It can be configured with an Application Load Balancer, a Network Load Balancer, an EC2 instance, or a `cloudfront.VpcOrigin` construct.

```ts
import * as cdk from 'aws-cdk-lib';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';

// An EC2 instance as a VPC origin
const ec2InstanceOrigin = origins.VpcOrigin.withEc2Instance(instance, {
  // Optional VPC origin configurations
  domainName: 'internal.example.com', // default: PrivateDnsName of the instance
  readTimeout: cdk.Duration.seconds(30),
  keepaliveTimeout: cdk.Duration.seconds(5),

  // Optional VPC origin resource configurations
  vpcOriginName: 'Name of the VPC origin',
  httpPort: 80,
  httpsPort: 443,
  protocolPolicy: cloudfront.OriginProtocolPolicy.MATCH_VIEWER,
  originSslProtocols: [cloudfront.OriginSslPolicy.TLSV1_2],

  // Optional origin common configurations
  connectionTimeout: cdk.Duration.seconds(10),
  connectionAttempts: 3,
  customHeaders: {},
  originShieldRegion: 'region-name',
  originShieldEnabled: true,
  originId: 'origin-id',
});

// An Application Load Balancer as a VPC origin
const albOrigin = origins.VpcOrigin.withApplicationLoadBalancer(alb, {
  // Optional VPC origin configurations
  domainName: 'internal.example.com', // default: DNSName of the ALB
  readTimeout: cdk.Duration.seconds(30),
  keepaliveTimeout: cdk.Duration.seconds(5),
  // Optional VPC origin resource configurations (as above)
  // Optional origin common configurations (as above)
});

// A Network Load Balancer as a VPC origin
const nlbOrigin = origins.VpcOrigin.withNetworkLoadBalancer(nlb, {
  // Optional VPC origin configurations
  domainName: 'internal.example.com', // default: DNSName of the NLB
  readTimeout: cdk.Duration.seconds(30),
  keepaliveTimeout: cdk.Duration.seconds(5),
  // Optional VPC origin resource configurations (as above)
  // Optional origin common configurations (as above)
});

// Use an explicit VPC origin resource
const vpcOriginOrigin = origins.VpcOrigin.withVpcOrigin(vpcOrigin, {
  // Mandatory if the vpcOrigin is created without domainName
  domainName: 'internal.example.com',
  // Optional VPC origin configurations
  readTimeout: cdk.Duration.seconds(30),
  keepaliveTimeout: cdk.Duration.seconds(5),
  // Optional origin common configurations (as above)
});
```

### Describe any new or updated permissions being added

No permissions are added automatically. See the README for how to allow connections from VPC origins.

### Description of how you validated changes

Unit tests and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
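As an added example (my own code, not part of the PR or the aws-cdk project): a small lint over a synthesized CloudFormation template that checks what a reviewer of this change would want enforced, namely that every CloudFront origin is fronted by an `AWS::CloudFront::VpcOrigin` that exists in the same template and that the VPC origin is HTTPS-only on TLSv1.2. The property names (`VpcOriginEndpointConfig`, `VpcOriginConfig.VpcOriginId`) are my reading of the CloudFormation schema, and the sample template is constructed.

```typescript
// Added example, not code from the PR or the aws-cdk project. Lints a synthesized
// CloudFormation template: every CloudFront origin must be fronted by an
// AWS::CloudFront::VpcOrigin present in the template, and that VPC origin must be
// https-only on TLSv1.2. Property names are assumptions about the CFN schema.
type Resource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Resource> };
// Resolve a VpcOriginId value to a logical id; CDK synthesizes Fn::GetAtt [X, 'Id'].
function logicalId(ref: any): string | undefined {
  if (typeof ref === 'string') return ref;
  if (typeof ref?.Ref === 'string') return ref.Ref;
  const ga = ref?.['Fn::GetAtt'];
  return Array.isArray(ga) && typeof ga[0] === 'string' ? ga[0] : undefined;
}
function lintVpcOrigins(tpl: Template): string[] {
  const findings: string[] = [];
  const vpcOriginIds = new Set<string>();
  for (const [id, r] of Object.entries(tpl.Resources)) {
    if (r.Type !== 'AWS::CloudFront::VpcOrigin') continue;
    vpcOriginIds.add(id);
    const cfg = r.Properties?.VpcOriginEndpointConfig ?? {};
    if (cfg.OriginProtocolPolicy !== 'https-only') {
      findings.push(`${id}: OriginProtocolPolicy '${cfg.OriginProtocolPolicy}' should be 'https-only'`);
    }
    const weak = (cfg.OriginSSLProtocols ?? []).filter((p: string) => p !== 'TLSv1.2');
    if (weak.length > 0) findings.push(`${id}: weak OriginSSLProtocols ${weak.join(', ')}`);
  }
  for (const [id, r] of Object.entries(tpl.Resources)) {
    if (r.Type !== 'AWS::CloudFront::Distribution') continue;
    for (const o of r.Properties?.DistributionConfig?.Origins ?? []) {
      if (o.VpcOriginConfig) {
        const target = logicalId(o.VpcOriginConfig.VpcOriginId);
        if (!target || !vpcOriginIds.has(target)) {
          findings.push(`${id}/${o.Id}: VpcOriginId does not reference a VpcOrigin in this template`);
        }
      } else if (o.CustomOriginConfig) { // public custom origin, reachable without CloudFront
        findings.push(`${id}/${o.Id}: origin '${o.DomainName}' is a public custom origin, not a VPC origin`);
      }
    }
  }
  return findings;
}
// Constructed sample template (not synthesized from real infrastructure).
const sampleTemplate: Template = { Resources: {
  AlbVpcOrigin: { Type: 'AWS::CloudFront::VpcOrigin', Properties: { VpcOriginEndpointConfig: {
    Arn: 'arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/internal-alb/EXAMPLE',
    OriginProtocolPolicy: 'match-viewer', OriginSSLProtocols: ['TLSv1', 'TLSv1.2'] } } },
  Dist: { Type: 'AWS::CloudFront::Distribution', Properties: { DistributionConfig: { Origins: [
    { Id: 'alb', DomainName: 'internal.example.com', VpcOriginConfig: { VpcOriginId: { 'Fn::GetAtt': ['AlbVpcOrigin', 'Id'] } } },
    { Id: 'public', DomainName: 'public.example.com', CustomOriginConfig: { OriginProtocolPolicy: 'https-only' } },
  ] } } } } };
```

Run it against the output of `cdk synth` to catch a distribution that still carries a public custom origin next to the new VPC origin, or a VPC origin left at `match-viewer`.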
Describe the feature
A new feature has been added to CloudFront, which now supports VPC origins: https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-cloudfront-virtual-private-cloud-vpc-origins-shield-your-web-applications-from-public-internet/
This is currently pending coverage from the CloudFormation roadmap: aws-cloudformation/cloudformation-coverage-roadmap#2195
After coverage is added from CloudFormation, hopefully we can review adding the related constructs to CDK.
Use Case
CloudFront VPC origins are an important security addition that increases overall security posture when used, so they are highly desired.
Proposed Solution
No response
Other Information
No response
Acknowledgements
CDK version used
v2.171.1
Environment details (OS name and version, etc.)
N/A