When Amazon first launched CloudFront, it only supported S3 buckets as origin servers. With recent updates, you can now use any HTTP server including EC2 instances as origins. This opens up new possibilities for dynamic content delivery.
Here's how to set up an EC2 instance as your CloudFront origin:
aws cloudfront create-distribution \
  --distribution-config '{
    "CallerReference": "my-ec2-distribution",
    "Aliases": {
      "Quantity": 0
    },
    "DefaultRootObject": "",
    "Origins": {
      "Quantity": 1,
      "Items": [
        {
          "Id": "EC2-Origin-1",
          "DomainName": "ec2-xx-xxx-xxx-xx.compute-1.amazonaws.com",
          "CustomOriginConfig": {
            "HTTPPort": 80,
            "HTTPSPort": 443,
            "OriginProtocolPolicy": "http-only"
          }
        }
      ]
    },
    "DefaultCacheBehavior": {
      "TargetOriginId": "EC2-Origin-1",
      "ForwardedValues": {
        "QueryString": true,
        "Cookies": {
          "Forward": "all"
        },
        "Headers": {
          "Quantity": 0
        }
      },
      "TrustedSigners": {
        "Enabled": false,
        "Quantity": 0
      },
      "ViewerProtocolPolicy": "allow-all",
      "MinTTL": 3600
    },
    "Comment": "EC2 Origin Distribution",
    "Enabled": true
  }'
When using EC2 as origin:
- Always configure security groups to allow only CloudFront IP ranges
- Consider using Origin Shield as an additional caching layer
- Implement proper health checks for your EC2 instances
To maximize performance:
# Configure proper cache headers from EC2 (shown as a Flask after_request hook; app is the Flask application object)
@app.after_request
def add_cache_headers(response):
    response.headers['Cache-Control'] = 'public, max-age=86400'
    response.headers['Edge-Cache-Tag'] = 'product-123'
    return response
If you encounter 502 errors:
- Verify your EC2 instance is running and accessible
- Check security group rules
- Confirm the Origin Protocol Policy matches your EC2 configuration
AWS CloudFront now supports EC2 instances as origin servers, expanding beyond the previous S3-only restriction. This enables developers to leverage compute resources while benefiting from CloudFront's global CDN capabilities.
Prerequisites:
- AWS CLI configured with proper permissions (CloudFrontFullAccess and EC2ReadOnly recommended)
- Running EC2 instance with web server (Apache/Nginx) installed
- Public DNS name or Elastic IP assigned to your EC2 instance
Here's the complete AWS CLI command to create a CloudFront distribution with EC2 origin:
aws cloudfront create-distribution \
  --distribution-config \
  '{
    "CallerReference": "ec2-origin-'"$(date +%s)"'",
    "Origins": {
      "Quantity": 1,
      "Items": [
        {
          "Id": "EC2-Origin-1",
          "DomainName": "ec2-12-34-56-78.compute-1.amazonaws.com",
          "CustomOriginConfig": {
            "HTTPPort": 80,
            "HTTPSPort": 443,
            "OriginProtocolPolicy": "http-only",
            "OriginSslProtocols": { "Quantity": 1, "Items": ["TLSv1.2"] },
            "OriginReadTimeout": 30,
            "OriginKeepaliveTimeout": 5
          }
        }
      ]
    },
    "DefaultCacheBehavior": {
      "TargetOriginId": "EC2-Origin-1",
      "ForwardedValues": {
        "QueryString": true,
        "Cookies": { "Forward": "all" },
        "Headers": { "Quantity": 0 },
        "QueryStringCacheKeys": { "Quantity": 0 }
      },
      "TrustedSigners": { "Enabled": false, "Quantity": 0 },
      "ViewerProtocolPolicy": "allow-all",
      "MinTTL": 3600,
      "AllowedMethods": {
        "Quantity": 7,
        "Items": ["GET", "HEAD", "POST", "PUT", "PATCH", "OPTIONS", "DELETE"],
        "CachedMethods": { "Quantity": 2, "Items": ["GET", "HEAD"] }
      }
    },
    "Comment": "EC2 Origin Distribution",
    "Enabled": true
  }'
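Both create-distribution commands on this page ship with "ViewerProtocolPolicy": "allow-all", "OriginProtocolPolicy": "http-only" and all cookies forwarded, which is the weakest combination CloudFront accepts: viewers can be served over plain HTTP, the CloudFront-to-EC2 leg is cleartext, and every cookie lands in the cache key. The script below is an added example (not the page's own code and not an AWS tool): it audits a DistributionConfig in the same JSON shape the commands use, reports those settings, and produces the hardened equivalent. The embedded config is a constructed copy of the page's example with a placeholder domain; the whitelisted cookie name "session" is also constructed.

```python
"""Audit a CloudFront DistributionConfig for weak viewer/origin settings.

Added example: inspects the same JSON shape `aws cloudfront create-distribution
--distribution-config` takes and returns the findings a reviewer would raise,
plus a hardened copy of the config.
"""
import copy
import json

# Constructed sample in the shape of the page's command (fields irrelevant to
# the audit omitted). The domain name is a placeholder, not a real origin.
WEAK_CONFIG = {
    "CallerReference": "ec2-origin-example",
    "Origins": {
        "Quantity": 1,
        "Items": [{
            "Id": "EC2-Origin-1",
            "DomainName": "ec2-12-34-56-78.compute-1.amazonaws.com",
            "CustomOriginConfig": {
                "HTTPPort": 80,
                "HTTPSPort": 443,
                "OriginProtocolPolicy": "http-only",
                "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]},
            },
        }],
    },
    "DefaultCacheBehavior": {
        "TargetOriginId": "EC2-Origin-1",
        "ViewerProtocolPolicy": "allow-all",
        "ForwardedValues": {"QueryString": True, "Cookies": {"Forward": "all"}},
    },
    "Enabled": True,
}

# Values CloudFront accepts in OriginSslProtocols that should not be enabled.
WEAK_SSL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def audit(config):
    """Return a list of (json_path, finding) tuples for settings worth changing."""
    findings = []
    dcb = config["DefaultCacheBehavior"]
    if dcb.get("ViewerProtocolPolicy") == "allow-all":
        findings.append(("DefaultCacheBehavior.ViewerProtocolPolicy",
                         "allow-all serves viewers over plain HTTP; use redirect-to-https or https-only"))
    cookies = dcb.get("ForwardedValues", {}).get("Cookies", {}).get("Forward")
    if cookies == "all":
        findings.append(("DefaultCacheBehavior.ForwardedValues.Cookies.Forward",
                         "forwarding all cookies puts every cookie in the cache key; forward a whitelist"))
    for origin in config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if not custom:
            continue  # S3 origins carry no CustomOriginConfig
        prefix = f"Origins[{origin['Id']}].CustomOriginConfig."
        if custom.get("OriginProtocolPolicy") != "https-only":
            findings.append((prefix + "OriginProtocolPolicy",
                             "CloudFront-to-origin traffic is not forced to HTTPS; use https-only"))
        weak = set(custom.get("OriginSslProtocols", {}).get("Items", [])) & WEAK_SSL_PROTOCOLS
        if weak:
            findings.append((prefix + "OriginSslProtocols",
                             f"allows legacy protocols {sorted(weak)}; keep only TLSv1.2"))
    return findings


def harden(config):
    """Return a deep copy of config with every finding from audit() fixed."""
    fixed = copy.deepcopy(config)
    dcb = fixed["DefaultCacheBehavior"]
    dcb["ViewerProtocolPolicy"] = "redirect-to-https"
    dcb.setdefault("ForwardedValues", {})["Cookies"] = {
        "Forward": "whitelist",
        # Constructed cookie name; list only the cookies the origin really varies on.
        "WhitelistedNames": {"Quantity": 1, "Items": ["session"]},
    }
    for origin in fixed["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom:
            custom["OriginProtocolPolicy"] = "https-only"
            custom["OriginSslProtocols"] = {"Quantity": 1, "Items": ["TLSv1.2"]}
    return fixed


if __name__ == "__main__":
    for path, message in audit(WEAK_CONFIG):
        print(f"{path}: {message}")
    print(json.dumps(harden(WEAK_CONFIG), indent=2))
```

Switching the origin to https-only only works if the EC2 instance presents a certificate that CloudFront trusts and that matches the origin DomainName; with the raw ec2-...compute-1.amazonaws.com name you cannot obtain such a certificate, so pair this change with a custom origin hostname and certificate (the page's last bullet).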
When using EC2 as origin:
- Implement security groups to restrict access only to CloudFront IP ranges
- Consider using Origin Shield as an additional caching layer
- Enable AWS WAF for protection against common web exploits
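Restricting the instance's security group to CloudFront's address ranges (the first bullet here and in the earlier list) means allowing only the prefixes that CloudFront connects to origins from. AWS publishes them in https://ip-ranges.amazonaws.com/ip-ranges.json under the service name CLOUDFRONT_ORIGIN_FACING. The script below is an added example, not the page's own code: it parses that file's format and builds the IpPermissions structure that `aws ec2 authorize-security-group-ingress --ip-permissions` accepts. The embedded JSON is a constructed excerpt with documentation prefixes, so the script runs offline; fetch the real file before applying anything.

```python
"""Derive security-group ingress rules that admit only CloudFront origin-facing
addresses. Added example; the embedded ip-ranges excerpt is constructed."""
import json

# Constructed excerpt in the shape of ip-ranges.json. Prefixes are RFC 5737 /
# RFC 3849 documentation ranges, not real AWS addresses.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL",
         "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL"},
        {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL",
         "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.128/25", "region": "GLOBAL",
         "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "GLOBAL",
         "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL"},
    ],
})

ORIGIN_FACING = "CLOUDFRONT_ORIGIN_FACING"  # edge-to-origin ranges, not the viewer-facing CLOUDFRONT set


def cloudfront_origin_prefixes(ip_ranges_json):
    """Return (ipv4_prefixes, ipv6_prefixes) that CloudFront uses to reach origins."""
    data = json.loads(ip_ranges_json)
    v4 = sorted(p["ip_prefix"] for p in data["prefixes"] if p["service"] == ORIGIN_FACING)
    v6 = sorted(p["ipv6_prefix"] for p in data["ipv6_prefixes"] if p["service"] == ORIGIN_FACING)
    return v4, v6


def ingress_permissions(ip_ranges_json, ports=(80, 443)):
    """Build the IpPermissions list for authorize-security-group-ingress.

    One entry per origin port; empty range lists are omitted because the API
    rejects a permission that names no source at all.
    """
    v4, v6 = cloudfront_origin_prefixes(ip_ranges_json)
    permissions = []
    for port in ports:
        perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
        if v4:
            perm["IpRanges"] = [{"CidrIp": c, "Description": "CloudFront origin-facing"} for c in v4]
        if v6:
            perm["Ipv6Ranges"] = [{"CidrIpv6": c, "Description": "CloudFront origin-facing"} for c in v6]
        permissions.append(perm)
    return permissions


if __name__ == "__main__":
    # Usage: aws ec2 authorize-security-group-ingress --group-id sg-PLACEHOLDER \
    #            --ip-permissions "$(python3 this_script.py)"
    print(json.dumps(ingress_permissions(SAMPLE_IP_RANGES)))
```

The real file lists far more origin-facing prefixes than the sample, and they change over time, so a rule set built this way needs a refresh job. The managed prefix list com.amazonaws.global.cloudfront.origin-facing, referenced through PrefixListIds instead of IpRanges, tracks those changes for you and is the simpler option when it is available in your region.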
To maximize performance:
# Sample Nginx configuration for CloudFront origin
server {
    listen 80;
    server_name ec2-instance.example.com;

    # CloudFront specific optimizations
    add_header X-Cache $upstream_cache_status;
    client_max_body_size 20M;

    location / {
        proxy_cache_valid 200 302 10m;
        proxy_cache_key "$scheme$request_method$host$request_uri";
        add_header Cache-Control "public, max-age=3600";
    }
}
Key troubleshooting commands:
# Check distribution status
aws cloudfront get-distribution --id EDFDVBD6EXAMPLE

# Verify origin connectivity
curl -v http://your-ec2-public-dns

# Review the distribution configuration (origin ports, protocol policy, logging bucket)
aws cloudfront get-distribution-config --id EDFDVBD6EXAMPLE
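The third 502 cause in the earlier troubleshooting list, an Origin Protocol Policy that does not match what the instance listens on, is easy to miss with a plain curl because curl picks its own scheme and port. The script below is an added example, not the page's own code: it reads the same CustomOriginConfig fields CloudFront reads (OriginProtocolPolicy, HTTPPort, HTTPSPort), connects the way CloudFront would, and reports the outcome. demo() starts a throwaway HTTP-only origin on 127.0.0.1 (constructed for the example) and probes it with both http-only and https-only, so the second probe reproduces the mismatch that surfaces to viewers as a 502.

```python
"""Probe an origin on the scheme and port CloudFront will actually use.
Added example; the local test origin is constructed for the demo."""
import http.client
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_origin(domain, custom_origin_config, timeout=5.0):
    """Return {'scheme','port','ok','status','error'} for one probe of the origin."""
    policy = custom_origin_config["OriginProtocolPolicy"]
    # match-viewer follows the viewer's scheme; check the stricter HTTPS path for it.
    use_tls = policy in ("https-only", "match-viewer")
    port = custom_origin_config["HTTPSPort"] if use_tls else custom_origin_config["HTTPPort"]
    result = {"scheme": "https" if use_tls else "http", "port": port,
              "ok": False, "status": None, "error": None}
    try:
        if use_tls:
            ctx = ssl.create_default_context()  # verifies the chain and hostname, as CloudFront does
            ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # what OriginSslProtocols ["TLSv1.2"] means
            conn = http.client.HTTPSConnection(domain, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(domain, port, timeout=timeout)
        conn.request("HEAD", "/", headers={"Host": domain})
        resp = conn.getresponse()
        result["status"] = resp.status
        result["ok"] = 200 <= resp.status < 400
        conn.close()
    except (OSError, http.client.HTTPException) as exc:  # ssl.SSLError and timeouts are OSErrors
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


class _OkHandler(BaseHTTPRequestHandler):
    """Minimal HTTP-only origin: answers HEAD / with 200 and a cache header."""

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Cache-Control", "public, max-age=3600")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet


def start_plain_http_origin():
    """Start the throwaway origin on an ephemeral port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Probe the plain-HTTP origin as http-only and as https-only; returns both results."""
    server, port = start_plain_http_origin()
    try:
        cfg = {"HTTPPort": port, "HTTPSPort": port}
        http_only = probe_origin("127.0.0.1", {**cfg, "OriginProtocolPolicy": "http-only"})
        # Same port, but CloudFront would speak TLS to it: the handshake fails or times out.
        https_only = probe_origin("127.0.0.1", {**cfg, "OriginProtocolPolicy": "https-only"}, timeout=2.0)
    finally:
        server.shutdown()
    return http_only, https_only


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Run it against a real instance by calling probe_origin with the public DNS name and the CustomOriginConfig block from get-distribution-config; a result with ok False and an SSL or timeout error on the https path, while the http path succeeds, is the policy mismatch the troubleshooting list describes.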
For more complex setups:
- Multiple EC2 origins with failover routing
- Lambda@Edge for request/response manipulation
- Custom SSL certificates for both CloudFront and EC2 origin