CloudFront needs an origin — the source location where the original content resides. Each distribution can have one or more origins, and the choice of origin type depends on the application architecture and security requirements.
S3 Bucket Origin
- Commonly used for static content distribution such as images, CSS, JavaScript, or downloadable files.
- CloudFront caches these files at edge locations, reducing latency and load on S3.
- Supports Origin Access Control (OAC) to securely serve content only through CloudFront, preventing direct public access to the bucket.
- Can also be used for file uploads through CloudFront (less common; requires PUT/POST to be allowed in the cache behavior).
- When using S3 as an origin for static hosting, you can choose:
  - S3 REST API endpoint (recommended for security with OAC)
  - S3 website endpoint (only if you need static website hosting features, such as redirects or custom error pages — this becomes a Custom Origin scenario).
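The OAC pattern above works because the bucket policy grants `s3:GetObject` only to the CloudFront service principal, and only when the request is made on behalf of one named distribution. The following is an added example (not AWS's or the page's own code) that builds such a policy and audits any policy for an anonymous read grant that is not scoped to a distribution; the account ID, bucket name and distribution ID are constructed placeholders.

```python
import json

# Constructed placeholder identifiers; substitute your own account, bucket and distribution.
ACCOUNT_ID = "111122223333"
BUCKET = "example-static-site-bucket"
DISTRIBUTION_ID = "EDFDVBD6EXAMPLE"


def oac_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """Bucket policy allowing only the CloudFront service principal to read objects,
    restricted to requests made on behalf of one distribution (the OAC pattern)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipalReadOnly",
                "Effect": "Allow",
                "Principal": {"Service": "cloudfront.amazonaws.com"},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringEquals": {
                        "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
                    }
                },
            }
        ],
    }


def public_read_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant object reads to everyone
    without scoping the grant to a CloudFront distribution via AWS:SourceArn."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or principal == {"AWS": "*"}
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        reads = any(a in ("s3:GetObject", "s3:*", "*") for a in actions)
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        scoped = any(key.lower() == "aws:sourcearn" for key in conditions)
        if anonymous and reads and not scoped:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print(json.dumps(oac_bucket_policy(BUCKET, ACCOUNT_ID, DISTRIBUTION_ID), indent=2))
```

Running the script prints the policy document ready to attach to the bucket; `public_read_statements` can be pointed at any existing policy to spot a bucket that is still readable without going through CloudFront.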
VPC Origin
- Used for applications hosted inside a VPC, often in private subnets.
- The origin can be:
  - Application Load Balancer (ALB)
  - Network Load Balancer (NLB)
  - EC2 instances directly (via public IP or Elastic IP)
- Typically fronted by a load balancer for high availability and scaling.
- When using private resources, you often combine CloudFront with:
  - AWS Global Accelerator for consistent IP addresses and low-latency routing.
  - PrivateLink or secure networking for controlled access.
Custom Origin (HTTP)
- Any publicly accessible HTTP or HTTPS backend that follows standard web protocols.
- Examples:
  - S3 Website Endpoint (must first enable "Static Website Hosting" in the S3 bucket properties).
  - On-premises servers exposed via the internet.
  - Third-party hosting services.
- Requires configuration of:
  - Origin Protocol Policy (HTTP only, HTTPS only, or match viewer).
  - Custom headers for authentication if needed.