amazon-web-services, amazon-cloudfront

How does Associate Alias work for AWS CloudFront?


Let's say that I have two CloudFront distributions:

  • id: ABCD1234, domain: abcd1234.cloudfront.net (directed to abcd S3 bucket)
  • id: DEFG4321, domain: defg4321.cloudfront.net (directed to defg S3 bucket)

I set two records in Route53:

example.domain.com CNAME abcd1234.cloudfront.net
_example.domain.com TXT defg4321.cloudfront.net

And create associate alias for DEFG4321 distribution:

aws cloudfront associate-alias --target-distribution-id DEFG4321 --alias example.domain.com

When I access example.domain.com in a browser I can see the response from defg, and that looks okay.

After that I change my CNAME record to

example.domain.com CNAME google.com

example.domain.com redirects me to google.com and I am not able to access defg4321.cloudfront.net anymore...

So if my understanding is correct, it looks like the browser access flow is:

request example.domain.com DNS record → get abcd1234.cloudfront.net response → access to abcd1234.cloudfront.net → automatically redirect to defg4321.cloudfront.net by CloudFront internal mechanisms → access to defg4321.cloudfront.net → redirect to defg bucket contents.

Probably my thoughts are correct, but:

  1. This feature looks pretty weird and non-intuitive
  2. The CNAME and TXT records logically duplicate each other but have different values; is it possible to use only the TXT record?
  3. Is it possible to use any CloudFront distribution as an abcd1234.cloudfront.net-like provider to the correct distribution? So the CNAME may be any random CloudFront distribution?
  4. Is it possible to set some default (dummy) CNAME entrypoint that will always redirect me to the real TXT record distribution ID?

PS Yes, I understand that it is possible to set the same distribution ID in the CNAME and TXT records, but I need to periodically switch between distributions and changing both records is double work; on the other hand, changing only the TXT record may cause problems with understanding which distribution is active at the current time (also the inactive distribution can't be deleted or disabled without changing both records). Or maybe my understanding of associate alias usage is not correct?


Solution

  • After doing some research I've found that the TXT record is needed only to be able to associate a CloudFront distribution with the exact domain name.

    So,

    1. we have to create a TXT record like _subdomain.domain.com TXT distributionId.cloudfront.net
    2. now we are able to run the command aws cloudfront associate-alias --target-distribution-id distributionId --alias subdomain.domain.com
    3. the TXT record may be deleted; it is not necessary anymore
    4. the CNAME record may point to any CloudFront distribution because it will be redirected to the target distribution inside CloudFront anyway. However, it is more correct to set the CNAME record like subdomain.domain.com CNAME distributionId.cloudfront.net to be sure that the exact distribution exists.

    So, the TXT record has only a validation purpose when the alias is being created.
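As an added example (not part of the question or the answer above), a small Python pre-flight check that reproduces the rule the answer describes: the ownership TXT record at `_<alias>` must carry the target distribution's cloudfront.net domain, while the CNAME only decides where client traffic enters CloudFront. The zone records are constructed from the question's values, and `lookup` is an assumed injectable resolver so the check runs offline.

```python
from typing import Callable, Dict, List, Tuple

# (record name, record type) -> list of values, as a resolver would return them.
Lookup = Callable[[str, str], List[str]]

# Constructed zone mirroring the question's records (not real DNS data).
CONSTRUCTED_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.domain.com", "CNAME"): ["abcd1234.cloudfront.net."],
    ("_example.domain.com", "TXT"): ['"defg4321.cloudfront.net"'],
}

def zone_lookup(name: str, rrtype: str) -> List[str]:
    """Offline stand-in for a DNS resolver; swap in a real one for production use."""
    return CONSTRUCTED_ZONE.get((name.lower(), rrtype.upper()), [])

def preflight(alias: str, target_domain: str, lookup: Lookup) -> Tuple[bool, List[str]]:
    """Check what associate-alias needs before calling the AWS CLI.

    Returns (ok, notes). ok is True only when the TXT record at _<alias>
    carries the target distribution's cloudfront.net domain. The CNAME is
    inspected too but only produces notes: it changes where clients land,
    not whether the association is allowed.
    """
    want = target_domain.rstrip(".").lower()
    notes: List[str] = []
    # TXT values come back quoted; normalise before comparing.
    txt = [v.strip('"').rstrip(".").lower() for v in lookup(f"_{alias}", "TXT")]
    if want not in txt:
        notes.append(f"TXT _{alias} must contain {want}; found {txt or 'nothing'}")
        return False, notes
    cname = [v.rstrip(".").lower() for v in lookup(alias, "CNAME")]
    if not cname:
        notes.append(f"no CNAME for {alias}: clients cannot reach CloudFront at all")
    elif not cname[0].endswith(".cloudfront.net"):
        notes.append(f"CNAME {alias} -> {cname[0]} leaves CloudFront; the alias serves nothing")
    elif cname[0] != want:
        notes.append(f"CNAME points at {cname[0]}, not {want}; works, but hides which "
                     "distribution is active")
    return True, notes

if __name__ == "__main__":
    ok, notes = preflight("example.domain.com", "defg4321.cloudfront.net", zone_lookup)
    print("ok" if ok else "blocked", *notes, sep="\n")
```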