Key Concepts
- When using public network access instead of VPC origins, CloudFront reaches the origin over the internet.
- You must explicitly allow CloudFront edge location IP ranges in the origin’s security groups.
- CloudFront edge IP ranges are published by AWS in the CloudFront IP list.
EC2 Instance as Origin
- EC2 instance must have a public IP or be behind a public-facing endpoint.
- Security group must allow inbound traffic from CloudFront edge IP ranges.
ALB as Origin
- The Application Load Balancer must be internet-facing (public).
- Security group for the ALB must allow traffic from CloudFront edge IP ranges.
- EC2 instances behind the ALB can remain private.
- Instance security groups must allow inbound traffic from the ALB’s security group.
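The allow-list check described above, as an added example that is not part of the original notes: it filters the CLOUDFRONT entries out of an ip-ranges.json document and compares them with an origin security group's inbound rules, flagging both overly broad CIDRs and edge ranges the group does not cover. The JSON excerpt and rules are constructed inline; in practice they come from AWS's published IP ranges file and `aws ec2 describe-security-groups`.

```python
import ipaddress
import json

# Constructed excerpt in the shape of ip-ranges.json; the prefixes are examples only.
IP_RANGES_JSON = json.dumps({"prefixes": [
    {"ip_prefix": "13.32.0.0/15", "service": "CLOUDFRONT", "region": "GLOBAL"},
    {"ip_prefix": "52.46.0.0/18", "service": "CLOUDFRONT", "region": "GLOBAL"},
    {"ip_prefix": "52.95.110.0/24", "service": "AMAZON", "region": "us-east-1"},
]})

# Constructed inbound rules in the shape of describe-security-groups' IpPermissions.
ORIGIN_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "13.32.0.0/15"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]


def cloudfront_prefixes(ip_ranges_json):
    """Return the IPv4 CIDRs tagged with service CLOUDFRONT (IPv6 lives under ipv6_prefixes)."""
    data = json.loads(ip_ranges_json)
    return {p["ip_prefix"] for p in data["prefixes"] if p["service"] == "CLOUDFRONT"}


def _covered(cidr, networks):
    """True if `cidr` lies inside any network in `networks`."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(n)) for n in networks)


def audit_origin_sg(rules, cf_prefixes, port=443):
    """Compare the CIDRs allowed on `port` with the CloudFront ranges.

    unexpected: allowed CIDRs not inside any CloudFront range (e.g. 0.0.0.0/0),
                meaning the origin is reachable from outside CloudFront.
    missing:    CloudFront ranges no rule covers, so some edge locations are blocked.
    """
    allowed = set()
    for rule in rules:
        # "-1" (all protocols) rules carry no port keys, hence the defaults.
        in_port = rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)
        if rule["IpProtocol"] in ("tcp", "-1") and in_port:
            allowed.update(r["CidrIp"] for r in rule["IpRanges"])
    unexpected = sorted(c for c in allowed if not _covered(c, cf_prefixes))
    missing = sorted(p for p in cf_prefixes if not _covered(p, allowed))
    return {"unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    print(audit_origin_sg(ORIGIN_SG_RULES, cloudfront_prefixes(IP_RANGES_JSON)))
```

IP allow-listing identifies CloudFront as a service, not your own distribution; pairing it with a custom origin header that the origin verifies keeps other distributions from reaching the backend.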
Summary
Using the public network simplifies setup but requires careful security group rules so that only CloudFront edge locations can reach the origin; without them the backend is directly exposed to the wider internet.