Thursday, June 20, 2013

Using AWS Custom SSL Domain Names for CloudFront

AWS recently announced the limited availability of Custom SSL Domain Names for CloudFront.  You have to request an invitation in order to start using it but I am guessing it won't be long until it has been rolled out to all customers.

We've been asking/waiting for Custom SSL on CloudFront for years and were excited when it finally came out.  The sign up was easy and we were approved a day or two later.

Existing Setup

Our main use case for Custom SSL on CloudFront involves replacing a service that proxies secure requests to our non-secure CloudFront distro.  We proxy secure requests because we didn't want the secure CloudFront domain leaking out to our customers for various reasons including:

  • We wanted to be able to point the domain elsewhere if we needed to
  • We wanted to keep our branding consistent on domains.

It basically looks like the following diagram:


The problem with having a proxy is two fold:

  1. We have to operate that proxy which goes against our general rule to "never operate services when AWS can do it for you"
  2. We get subpar performance since requests are no longer served from a distributed, geo-located CDN.

But we needed the flexibility and branding mentioned above so we dealt with it.  Not anymore...

Migrating to Custom SSL Domain Names for CloudFront

Once we got approval for custom SSL, the migration was pretty straightforward.  I am not going to regurgitate the detailed documentation but will summarize the process.

  1. Upload your SSL cert and make sure the path starts with "/cloudfront" (This was annoying because we couldn't reuse our existing certificates that we were already using for ELBs)
  2. Update your CF distro (I did so via the AWS Console): 
    1. add the domain name you want to support (e.g. secure-example.bizographics.com from above)
    2. choose the SSL cert that you uploaded in the first step
    3. Save
  3. Wait for the CF distro to redeploy the configuration change
  4. Update your Route53 DNS to point at the CF CNAME rather than the ELB endpoint
  5. Wait for DNS to Update
  6. Shut down the proxy's ELB

As you can see this was pretty easy.  Most of the time was spent waiting for the CF distro to re-deploy (10s of minutes max) and DNS to update (which can take several days).
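
As an added example (not code from the original post, and not an AWS tool), here is a small POSIX shell helper for steps 1, 3 and 4 of the list above, driven by the AWS CLI. The post did these steps in the console; the `aws iam`, `aws cloudfront` and `aws route53` subcommands below are the current CLI equivalents. Certificate names, hosted zone id, distribution id and hostnames are placeholders you supply, the distribution edit (step 2) is still done in the console, and `DRY_RUN=1` makes every AWS call print instead of run so the helper can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original post. Helper for the custom-SSL
# cut-over described above (steps 1, 3, 4). Assumes the AWS CLI is installed
# and has credentials; set DRY_RUN=1 to print the AWS commands instead of
# running them. Every name below (cert name, zone id, hostnames, distribution
# id) is a placeholder supplied by the caller.

# IAM only lets CloudFront use a server certificate stored under the
# /cloudfront/ path, so reject any other path before uploading.
# Prints "ok" or "bad".
cert_path_ok() {
  case "$1" in
    /cloudfront/*) printf 'ok\n' ;;
    *)             printf 'bad\n' ;;
  esac
}

# Execute an AWS CLI command, or just echo it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf 'DRY RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: upload the cert as a second copy; the one already attached to the
# ELB lives under a different IAM path and cannot be reused.
# usage: upload_cert NAME PATH cert.pem key.pem chain.pem
upload_cert() {
  if [ "$(cert_path_ok "$2")" != ok ]; then
    echo "certificate path must start with /cloudfront/ (got $2)" >&2
    return 1
  fi
  run aws iam upload-server-certificate \
    --server-certificate-name "$1" --path "$2" \
    --certificate-body "file://$3" --private-key "file://$4" \
    --certificate-chain "file://$5"
}

# Step 3: poll until the distribution has redeployed the config change.
# usage: wait_deployed DISTRIBUTION_ID
wait_deployed() {
  if [ -n "${DRY_RUN:-}" ]; then
    echo "DRY RUN: would poll $1 until Deployed"
    return 0
  fi
  while [ "$(aws cloudfront get-distribution --id "$1" \
              --query Distribution.Status --output text)" != Deployed ]; do
    sleep 30
  done
}

# Step 4: the Route53 change batch that repoints HOSTNAME from the ELB
# endpoint to the CloudFront domain. A short TTL makes the cut-over (and any
# rollback to the proxy) propagate quickly. Prints JSON.
# usage: route53_change_batch HOSTNAME CF_DOMAIN
route53_change_batch() {
  printf '{"Comment":"cut over %s to CloudFront","Changes":[{"Action":"UPSERT",' "$1"
  printf '"ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":60,' "$1"
  printf '"ResourceRecords":[{"Value":"%s"}]}}]}\n' "$2"
}

# usage: repoint_dns HOSTED_ZONE_ID HOSTNAME CF_DOMAIN
repoint_dns() {
  run aws route53 change-resource-record-sets --hosted-zone-id "$1" \
    --change-batch "$(route53_change_batch "$2" "$3")"
}

# Post-cut-over check (run by hand once DNS has moved): confirm the hostname
# resolves to CloudFront and that the certificate CloudFront presents for it
# actually names that hostname. Needs dig and OpenSSL 1.1.1+ (for -ext).
# usage: verify_tls HOSTNAME
verify_tls() {
  echo "resolves to: $(dig +short "$1" | tr '\n' ' ')"
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -ext subjectAltName
}

# Steps 3 and 4 together, to run after the console edit of the distribution.
# usage: migrate_dns HOSTED_ZONE_ID HOSTNAME CF_DOMAIN DISTRIBUTION_ID
migrate_dns() {
  wait_deployed "$4" && repoint_dns "$1" "$2" "$3"
}
```

Typical use is `upload_cert` before the console change, then `migrate_dns` after it, and `verify_tls` once `dig` shows the CloudFront domain; keeping the old proxy ELB up until `verify_tls` passes gives a cheap rollback path (lower the TTL, point the CNAME back) during the days DNS can take to settle.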

All-in-all, the minor annoyance of having two copies of the same SSL cert was worth the win of not having to operate the proxy and getting better performance for our customers.  Check out the graph below showing the improved performance:

Note on Cost

The cost of custom SSL on CF seems ok but could be better, and the wording is not totally clear: "You pay $600 per month for each custom SSL certificate associated with one or more CloudFront distributions."  We have the same cert set up for multiple CF distros but I am not sure if we will be charged $600 for each distro using the cert or $600 for each cert regardless of how many distros are using it.  (Will try to get clarification...)  AWS claims the pricing is comparable to other similar offerings.  That doesn't seem to jibe with their usual practice of driving costs much lower but is livable for now.