Where the custom origin server for an AWS CloudFront distribution is an EC2 instance accessible with a public DNS record, do CloudFront edge locations talk to it over the open Internet as opposed to AWS-only network?
If they use AWS-only networks to talk to origins, then I would dispense with installing HTTPS on the origin as there can't be any man-in-the-middle apart from AWS. But if edge locations talk to origins by whatever networks are available then sure, installing HTTPS on the origin makes perfect sense.
So, which one applies?
From the AWS documentation:
CloudFront Edge locations are connected to the AWS Regions through the AWS network backbone - fully redundant, multiple 100GbE parallel fiber that circles the globe and links with tens of thousands of networks for improved origin fetches and dynamic content acceleration
So it appears that connectivity from the CloudFront Edge Locations (POPs) to the origin that hosts your resources (presumably a VPC in one of the AWS Regions) would indeed traverse the AWS network backbone and not the internet.
That said, I wouldn't dispense with TLS in any case.
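One concrete way to act on that last point is to audit a distribution's config for origins that CloudFront would reach in plaintext or over weak TLS. The following is an added example, not code from the question or answer above. It uses the field names of the real CloudFront DistributionConfig structure (Origins.Items[].CustomOriginConfig.OriginProtocolPolicy, OriginSslProtocols, ViewerProtocolPolicy), but the sample config, origin IDs and domain names are constructed for illustration; in practice the dict would come from boto3's get_distribution_config(). It goes slightly beyond the question by also flagging match-viewer origins exposed to allow-all viewers and by showing the hardened form.

```python
"""Audit a CloudFront DistributionConfig for origins that CloudFront may
contact without TLS, or with weak TLS versions, and show the hardened form.

Added example (not from the question or answer). Field names follow the real
CloudFront DistributionConfig API; the SAMPLE_CONFIG below is constructed.
"""
import copy

# Origin-side TLS versions CloudFront still accepts but that should be disabled.
WEAK_ORIGIN_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def _behaviours(cfg):
    """Yield the default cache behaviour plus every path-pattern behaviour."""
    yield cfg["DefaultCacheBehavior"]
    for behaviour in cfg.get("CacheBehaviors", {}).get("Items", []):
        yield behaviour


def audit_origins(cfg):
    """Return a list of (origin_id, finding) pairs for custom origins that
    CloudFront may fetch from over plain HTTP or over weak TLS versions."""
    findings = []
    for origin in cfg.get("Origins", {}).get("Items", []):
        oid = origin["Id"]
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            # S3OriginConfig origins: CloudFront reaches the S3 endpoint over HTTPS.
            continue
        policy = custom["OriginProtocolPolicy"]
        # Any behaviour that sends plain-HTTP viewers to this origin?
        plain_viewers = any(
            b["TargetOriginId"] == oid and b["ViewerProtocolPolicy"] == "allow-all"
            for b in _behaviours(cfg)
        )
        if policy == "http-only":
            findings.append((oid, "OriginProtocolPolicy=http-only: every origin fetch is plaintext"))
        elif policy == "match-viewer" and plain_viewers:
            findings.append((oid, "OriginProtocolPolicy=match-viewer with allow-all viewers: "
                                  "HTTP viewers cause plaintext origin fetches"))
        if policy != "http-only":
            allowed = set(custom.get("OriginSslProtocols", {}).get("Items", []))
            weak = sorted(allowed & WEAK_ORIGIN_TLS)
            if weak:
                findings.append((oid, "weak origin TLS versions allowed: " + ", ".join(weak)))
    return findings


def harden(cfg):
    """Return a deep copy in which every custom origin is fetched over HTTPS
    only, negotiating TLSv1.2 only."""
    out = copy.deepcopy(cfg)
    for origin in out["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is not None:
            custom["OriginProtocolPolicy"] = "https-only"
            custom["OriginSslProtocols"] = {"Quantity": 1, "Items": ["TLSv1.2"]}
    return out


# Constructed sample: two EC2-backed custom origins and one S3 origin.
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 3, "Items": [
        {"Id": "ec2-web", "DomainName": "ec2-203-0-113-10.compute-1.amazonaws.com",
         "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                "OriginProtocolPolicy": "http-only",
                                "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]}}},
        {"Id": "ec2-api", "DomainName": "api.example.com",
         "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                "OriginProtocolPolicy": "match-viewer",
                                "OriginSslProtocols": {"Quantity": 2, "Items": ["TLSv1", "TLSv1.2"]}}},
        {"Id": "s3-assets", "DomainName": "assets-bucket.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
    "DefaultCacheBehavior": {"TargetOriginId": "ec2-web",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/api/*", "TargetOriginId": "ec2-api",
         "ViewerProtocolPolicy": "allow-all"},
    ]},
}

if __name__ == "__main__":
    for oid, finding in audit_origins(SAMPLE_CONFIG):
        print(f"{oid}: {finding}")
    print("after hardening:", audit_origins(harden(SAMPLE_CONFIG)))
```

On the constructed sample the audit reports three findings (the http-only EC2 origin, and the match-viewer origin both for its allow-all behaviour and for permitting TLSv1), and none after harden() is applied. Even if the backbone path above is taken as given, https-only with a certificate that CloudFront can validate is what makes the origin fetch authenticated as well as encrypted.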