How to add cloudfront without downtime?

[ssyberg]

I'm wondering if there's a feasible workflow with copilot to add cloudfront in front of a ALB without incurring downtime? I think this would require a manifest that (temporarily) allowed for traffic hitting ALB or CDN directly so that while DNS propagates both endpoints can serve traffic.

[ssyberg]

I tried doing this by setting cdn.terminate_tls to false and attaching the certificates to both cdn and http, maybe I need to set http.public.ingress.cdn to false?

[behdad088]

Hi @ssyberg

To add CloudFront in front of an ALB in AWS without causing any downtime, you’ll need to take a few steps to ensure a smooth transition. The idea is to configure your AWS Copilot app so that traffic can be routed to both the ALB and CloudFront temporarily while DNS propagates. Here’s a straightforward workflow:

1. Set Up CloudFront

• Create a CloudFront Distribution with your ALB as the origin. The ALB will still handle the traffic, but it will now go through CloudFront.
• In CloudFront:
  • Origin: Set it to your ALB’s DNS name.
  • Cache Behavior: Set the path pattern to /* to forward all traffic.
  • SSL: Make sure SSL is configured in CloudFront using ACM for your domain.

2. Update Copilot Manifest to Support Both ALB and CloudFront

• In your Copilot manifest.yml, you’ll want to temporarily allow traffic from both the ALB and CloudFront. This way, during DNS propagation, requests can hit either endpoint.

Update your manifest to allow traffic from both sources:

http:
  path: "/"
  targetContainer: "my-service"
  healthcheck:
    path: "/health"
  allowed_source_ips:
    - "ALB_IP_RANGE"         # Allow ALB traffic
    - "CLOUDFRONT_IP_RANGE"  # Allow CloudFront traffic

This ensures that both CloudFront and the ALB can serve requests during the transition.

3. Update DNS Record

• Update your DNS (Route 53) to point to CloudFront’s domain (e.g., d123.cloudfront.net).
• Set a low TTL (like 60 seconds) before making the change so that DNS propagates faster.

4. Monitor Traffic

• While DNS is propagating, traffic will be routed to both CloudFront and the ALB directly, based on the DNS TTL.
• Use CloudWatch to monitor traffic and ensure that both CloudFront and the ALB are handling requests as expected.

5. Remove Direct ALB Access (Optional)

• Once DNS has fully propagated and all traffic is going through CloudFront, you can lock down direct access to the ALB by removing its public IP access.
• Adjust the ALB’s security group to only allow traffic from CloudFront if you want to ensure all requests go through the CDN.

By setting it up this way, you ensure that there’s no downtime while DNS changes propagate. Let me know if you need help with any specific part of this!