
Api Gateway and Regional Custom Domain as CloudFront Origin


I want to create an API Gateway with a Regional Custom Domain and use that as a CloudFront Distribution Origin. My main motivation is to control MinimumProtocolVersion/TLS1.2

My question is whether the custom domain name for the regional custom domain must match the domain name of the CloudFront distribution, or if I can separate the domain names.

My team has experienced 403 errors from CF when there is a mismatch, I'm just double checking if this is doable at all

Example:

ApiGW:
  - Custom Domain Name (REGIONAL). For example www.sample.com
  - matching ACM certificate in eu-west-1
  - No R53 records referencing this domain name

Cloudfront:
  - ACM certificate in us-east-1
  - Alias www.example.com
  - Origin: www.sample.com
  - R53 record for www.example.com, in hosted zone example.com, mapped to the CF distribution domain name

Solution

  • When CloudFront makes a connection to the origin, it always uses the Origin Domain Name to look up the origin's IP address... but when it negotiates TLS with the origin, it sets the SNI to the same value as the HTTP Host header it will be sending to the origin.

    These two values may be the same, or they may differ, but Host/SNI are always the same as each other, and always one of two values:

    • it's the Origin Domain Name (potentially modified in the custom origin parameters by a Lambda@Edge Origin Request trigger), when the Cache Behavior settings do not include whitelisting the Host header (or all headers) for forwarding to the origin, or
    • it's the HTTP Host header sent to CloudFront by the browser (potentially modified in the request headers by a Lambda@Edge Request trigger), when the Cache Behavior settings do include whitelisting the Host header for forwarding to the origin.

    So, in essence, the name needs to match if the Host header is forwarded, and must be different if it is not.

    Additionally, if it is different, that hostname must actually be configured in DNS and pointing to the assigned regional API endpoint -- you can't just point to the assigned DNS alias target as Origin Domain Name.

    Unfortunately, there are a few cases where CloudFront is somewhat confusing in its use of 403 errors. Sometimes this code is used for errors that would more correctly be treated as 400 or 421 errors, so the response body is important when checking into certain problems with 403. If you point a domain name to CloudFront without setting that domain as an Alternate Domain Name for the distribution, you'll get a 403 with a body that says "Bad Request" and the event won't be logged in your CloudFront logs because the missing Alternate Domain Name setting prevents CloudFront from mapping that request to your specific distribution.
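A small model of the Host/SNI rule described in the answer, applied to the question's setup. This is an added illustration, not code from the answerer or from AWS; the domain names, the DNS targets (placeholders in angle brackets) and the verdict strings are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class OriginConnection:
    dns_lookup_name: str   # CloudFront always resolves the Origin Domain Name for the origin IP
    sni_and_host: str      # TLS SNI and HTTP Host header sent to the origin; always identical

def cloudfront_origin_connection(origin_domain_name: str, viewer_host: str,
                                 forward_host_header: bool,
                                 edge_override: Optional[str] = None) -> OriginConnection:
    # Rule from the answer: forwarded Host -> the viewer's Host header; otherwise the Origin
    # Domain Name. A Lambda@Edge trigger may rewrite either value before the connection.
    host = viewer_host if forward_host_header else origin_domain_name
    if edge_override:
        host = edge_override
    return OriginConnection(dns_lookup_name=origin_domain_name, sni_and_host=host)

def check_api_gateway_origin(conn: OriginConnection, api_custom_domain: str,
                             dns_records: Dict[str, str]) -> str:
    # 'dns-miss': Origin Domain Name has no DNS record, so CloudFront cannot reach the origin.
    # 'host-mismatch': SNI/Host is not the REGIONAL custom domain, so API Gateway answers 403.
    # 'ok': the request is served by the custom domain mapping.
    if conn.dns_lookup_name not in dns_records:
        return "dns-miss"
    if conn.sni_and_host != api_custom_domain:
        return "host-mismatch"
    return "ok"

# Constructed values mirroring the question; targets are placeholders, not real endpoints.
API_CUSTOM_DOMAIN = "www.sample.com"
CF_ALIAS = "www.example.com"
DNS_AS_ASKED = {CF_ALIAS: "<cf-distribution>.cloudfront.net"}              # no record for the origin
DNS_FIXED = {**DNS_AS_ASKED, API_CUSTOM_DOMAIN: "<regional-api-endpoint>"}  # origin record added

def scenarios() -> Dict[str, str]:
    # Evaluate the question's setup under the answer's rules.
    no_fwd = cloudfront_origin_connection(API_CUSTOM_DOMAIN, CF_ALIAS, False)
    fwd = cloudfront_origin_connection(API_CUSTOM_DOMAIN, CF_ALIAS, True)
    fwd_fixed = cloudfront_origin_connection(API_CUSTOM_DOMAIN, CF_ALIAS, True,
                                             edge_override=API_CUSTOM_DOMAIN)
    return {
        "as_asked_no_dns_record": check_api_gateway_origin(no_fwd, API_CUSTOM_DOMAIN, DNS_AS_ASKED),
        "dns_added_host_not_forwarded": check_api_gateway_origin(no_fwd, API_CUSTOM_DOMAIN, DNS_FIXED),
        "dns_added_host_forwarded": check_api_gateway_origin(fwd, API_CUSTOM_DOMAIN, DNS_FIXED),
        "dns_added_host_forwarded_rewritten": check_api_gateway_origin(fwd_fixed, API_CUSTOM_DOMAIN, DNS_FIXED),
    }
```

The first scenario shows that the setup as described (no R53 record for www.sample.com) fails before Host/SNI even matters; the remaining three show the outcome with a record in place, with and without forwarding the Host header.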