Secure Access to Web Applications Delivered with Amazon Web Services (AWS) CloudFront Content Delivery Network (CDN) via Secure Access Cloud (SAC)
Amazon CloudFront is a web service that speeds up the distribution of static and dynamic web content, such as .html, .css, .js, and image files, to users. CloudFront delivers content through a worldwide network of data centers called edge locations. A CloudFront distribution can be configured to reach its origin via Secure Access Cloud (SAC), resulting in the following architecture:
In this architecture, end users access the published Web Application using an external URL defined in the CloudFront Web Distribution. DNS points the browser at the closest Edge Location (which may hold cached copies of static files). CloudFront then uses the Origin Domain Name, which must be set to the External Domain defined in the SAC Management Portal, to fetch content from the origin through SAC.
Special Considerations for using a Custom Domain (instead of cloudfront.net)
When providing access to Web Applications / Sites that use a custom domain (such as myapp.companydomain.com), special considerations apply when configuring the solution.
The overall architecture is described in the below diagram:
Maintaining the application's own domain can be important for various reasons; supporting existing SAML / OIDC SSO configurations, whose assertion consumer / redirect URIs are bound to that domain, is among them.
In order to provide access to an application via CloudFront and SAC to a custom application domain, app.mycompany.com, the following configuration steps should be applied:
Create the application in Secure Access Cloud as a standard custom domain application. This is the only configuration required on the Secure Access Cloud side; all remaining steps are done in AWS CloudFront:
Create a CloudFront Distribution in AWS with the following settings:
Place the CNAME value from the section above into the Origin Domain Name and set the Origin Protocol Policy to "Match Viewer":
Enable forwarding of Cookies and Query Strings to the origin, and caching based on them:
Set Cache Based on Selected Request Headers to Whitelist and add "Host" to the whitelist, so that CloudFront forwards the end user's Host header (app.mycompany.com) to SAC instead of replacing it with the origin domain name:
Configure the Alternate Domain Name (the domain name the end customer uses) and attach the appropriate SSL Certificate:
Set HTTP version support to the option "HTTP/1.1, HTTP/1.0":
Update DNS so that the Alternate Domain Name (the external name the end customer uses) resolves, via a CNAME record, to the *****.cloudfront.net domain:
Please consider the following things when configuring the solution:
Configure your CloudFront Distribution not to accept plaintext HTTP traffic (set the Viewer Protocol Policy to "HTTPS Only" or "Redirect HTTP to HTTPS"). Because the Origin Protocol Policy is "Match Viewer", an HTTP request accepted from a viewer would otherwise be forwarded to SAC over HTTP as well.
The SAC logs will contain the IP address of the AWS Edge Location, rather than that of the end user, in the Source IP field (CloudFront itself carries the viewer address in the X-Forwarded-For request header). This limitation will be handled in the future by dedicated logging for special headers.
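The console steps above, together with the HTTPS requirement, expressed as the DistributionConfig that boto3's cloudfront create_distribution / update_distribution calls consume. This is an added example, not code from the article or from Secure Access Cloud; it builds the configuration as a plain dict and audits it for the settings the article requires, without making any AWS call. The SAC origin CNAME, the ACM certificate ARN and the account ID are placeholders. It uses the legacy ForwardedValues settings, which is what the "Cache Based on Selected Request Headers" / "Forward Cookies" console options map to; a newer console expresses the same forwarding via a cache policy and an origin request policy.

```python
"""Build and audit a CloudFront DistributionConfig for a SAC-fronted custom-domain app.

Added example, not part of the original article. The dict shape is boto3's
DistributionConfig (cloudfront.create_distribution / update_distribution);
no AWS call is made here. Domain names and the ACM ARN are placeholders.
"""
import json
import uuid

# Constructed placeholders: replace with the CNAME value shown in the SAC
# Management Portal, the customer-facing name, and a real ACM certificate ARN
# (CloudFront requires the certificate to be issued in us-east-1).
SAC_ORIGIN_CNAME = "app-mycompany.sac-tenant.example.net"                  # assumed
ALT_DOMAIN = "app.mycompany.com"                                           # from the article
ACM_CERT_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE"    # assumed


def build_distribution_config(origin_cname=SAC_ORIGIN_CNAME,
                              alt_domain=ALT_DOMAIN,
                              cert_arn=ACM_CERT_ARN):
    """Return a DistributionConfig matching the article's settings."""
    origin_id = "sac-origin"
    return {
        "CallerReference": str(uuid.uuid4()),
        "Comment": "SAC-fronted custom domain application",
        "Enabled": True,
        # Alternate Domain Name: the name the end user types into the browser.
        "Aliases": {"Quantity": 1, "Items": [alt_domain]},
        "Origins": {"Quantity": 1, "Items": [{
            "Id": origin_id,
            "DomainName": origin_cname,            # the SAC External Domain
            "CustomOriginConfig": {
                "HTTPPort": 80,
                "HTTPSPort": 443,
                "OriginProtocolPolicy": "match-viewer",
                "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]},
            },
        }]},
        "DefaultCacheBehavior": {
            "TargetOriginId": origin_id,
            # With match-viewer at the origin, rejecting plaintext viewers is what
            # keeps plaintext from ever reaching SAC.
            "ViewerProtocolPolicy": "redirect-to-https",
            "AllowedMethods": {
                "Quantity": 7,
                "Items": ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"],
                "CachedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]},
            },
            "ForwardedValues": {
                "QueryString": True,
                "Cookies": {"Forward": "all"},
                # Whitelisting Host forwards the viewer's Host header (app.mycompany.com)
                # to SAC instead of the origin domain name, so SAC can match the
                # custom-domain application.
                "Headers": {"Quantity": 1, "Items": ["Host"]},
                "QueryStringCacheKeys": {"Quantity": 0, "Items": []},
            },
            "MinTTL": 0,
            "Compress": False,
        },
        "ViewerCertificate": {
            "ACMCertificateArn": cert_arn,
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1.2_2021",
        },
        "HttpVersion": "http1.1",    # console option "HTTP/1.1, HTTP/1.0"
    }


def audit_distribution_config(cfg):
    """Return a list of findings for a DistributionConfig; an empty list means compliant."""
    findings = []
    beh = cfg["DefaultCacheBehavior"]
    fwd = beh.get("ForwardedValues", {})
    viewer = beh.get("ViewerProtocolPolicy")
    origin_policies = [o.get("CustomOriginConfig", {}).get("OriginProtocolPolicy")
                       for o in cfg["Origins"]["Items"]]

    if viewer == "allow-all":
        findings.append("viewer: plaintext HTTP accepted; use redirect-to-https or https-only")
        if "match-viewer" in origin_policies:
            findings.append("origin: match-viewer plus allow-all lets plaintext reach SAC")
    if "http-only" in origin_policies:
        findings.append("origin: http-only sends all traffic to SAC in plaintext")
    if "Host" not in fwd.get("Headers", {}).get("Items", []):
        findings.append("headers: Host not forwarded; SAC cannot match the custom-domain app")
    if fwd.get("Cookies", {}).get("Forward") not in ("all", "whitelist"):
        findings.append("cookies: not forwarded; application sessions will break")
    if not fwd.get("QueryString"):
        findings.append("query string: not forwarded to origin")
    if cfg.get("HttpVersion") != "http1.1":
        findings.append("http version: article requires the 'HTTP/1.1, HTTP/1.0' option")
    if not cfg.get("Aliases", {}).get("Items"):
        findings.append("aliases: no Alternate Domain Name configured")
    return findings


if __name__ == "__main__":
    cfg = build_distribution_config()
    print(json.dumps(cfg, indent=2))
    print("findings:", audit_distribution_config(cfg))
```

To audit a live distribution, pass the `DistributionConfig` returned by `get_distribution_config` to `audit_distribution_config`; the Host and viewer-protocol findings are the two that directly affect whether SAC sees the request correctly and whether it sees it over TLS.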