AWS CloudFront — CDN for your ALB

Prerequisites

Before you begin, ensure you have the following:

• An AWS account with access to CloudFront, Route 53, and your ALB.
• An ALB already serving traffic for your domain (DNS in Route 53 pointed at the load balancer or a stable hostname you can reference as the origin).
• For custom domain names (alternate domain names / CNAMEs) on CloudFront with ACM, public certificates must be requested in the US East (N. Virginia) us-east-1 Region, per AWS requirements for CloudFront.

Create a CloudFront distribution

Follow these steps in the AWS console.

1. Open the AWS Management Console and go to CloudFront.

2. Choose Create distribution.

   

3. Under Origin, set Origin domain to your Application Load Balancer. Set the Origin protocol policy to match how viewers reach CloudFront (commonly HTTPS only or Match viewer, depending on your TLS setup).

   

4. Set Minimum origin SSL protocol to at least TLS 1.2 (avoid deprecated protocols for origins).

   

5. Under Default cache behavior, choose Viewer protocol policy (for example redirect HTTP to HTTPS) and Allowed HTTP methods appropriate for your app (GET/HEAD or all methods if you need APIs).

   

6. Under Cache key and origin requests, use the console recommended settings or pick a cache policy and origin request policy that match how much of the request should affect the cache key (query strings, headers, cookies).

   

7. Under Web Application Firewall (WAF), enable protections if you want AWS WAF in front of this distribution (optional; may add cost and requires a web ACL).

   

8. Under Settings, choose Price class (for example all edge locations or a smaller set), add Alternate domain name (CNAME) if needed, and attach a custom SSL certificate from ACM in us-east-1 when using a custom domain on CloudFront.

   

9. Review Supported HTTP versions and remaining defaults, then choose Create distribution.

   

10. When deployment completes, your distribution appears as Deployed in the console.

    

Monitor and configure CloudFront

1. Return to the CloudFront console and open your distribution.
2. Review Monitoring metrics (requests, error rates, cache hit ratio) and enable standard logging or real-time logs if you need deeper analysis.
3. Adjust cache behaviours, TTLs, compression, and origin settings as your traffic and content change.

Update DNS records in Route 53

If the apex or hostname still points at the ALB directly, point traffic at CloudFront instead. With Route 53, an alias A (and AAAA if you use IPv6) to the CloudFront distribution is the usual approach.

1. Open Route 53 and select your hosted zone.
2. Edit the record for your site so the alias target is your CloudFront distribution (distribution domain name), not the ALB DNS name.

3. Save the change and allow DNS TTL to expire for clients.

   

Invalidate cache (optional)

After you deploy new assets or HTML, you may need to clear cached objects so viewers see updates immediately.

1. Open the CloudFront console and select your distribution.
2. Open the Invalidations tab.

3. Choose Create invalidation and enter paths (for example /index.html or /*). Use broad paths sparingly; invalidations have service limits and cost considerations.

   

Related in this series