AWS Cloud Front DNS Configuration?

CnicNV used Ask the Experts™

I am trying to get my head around how one would configure CloudFront to serve up dynamic content from an EC2 backed origin, while using a custom SSL certificate.  

But my, I suppose bigger question is how CloudFront and DNS actually work.  Obviously the EC2 origin has its own publicly routable IP and DNS (whether it be automatically, or manually assigned).  But how does the distribution work?  As far as I understand, the distribution is an abstraction, or logical unit of settings that are pushed out to the edge datacenters, of which there are a bunch, each one needing its own publicly routable IP and DNS addresses.  

The DNS that Amazon generates for the distributions is something like  But how can this be served up to all of the edge locations?  IE one DNS can't resolve to multiple different IP addresses, can it?  I know you can have many DNS's point to the same IP.  Also, if my above premise is correct, how do all these different edge datacenters have the same IP address?  

Ugghh, I am wondering all this so I know how to point some of our DNS records (that are not hosted by Route53) at a distribution and, to boot, use SSL.  I know there is documentation on this, but I have not been able to get it to work and I would like to know, logically how all this stuff ties together.

Thanks for any insight that you can offer.

So let's get some terminology straight.
A DNS is not a name pointing to an IP address, but the service/server that does the pointing.
Route 53 is a DNS. NSone is a DNS. Godaddy has a DNS.
A DNS hosts zones. For simplicity's sake, a zone is equivalent to a domain.
Inside a zone there are records of different types. A records, CNAME records, MX records, TXT records etc. I think that records are what you call DNS.

A single record can resolve to multiple addresses.
An A record can return multiple answers.
A CNAME must return exactly one answer.
Some DNS can return answers based on criteria like geo location of the querying client, availability of the endpoint, or perceived latency from the client to the endpoints.
Cloudfront is a CDN. All CDN services will return different answers based at least on geo location and availability, so if you run nslookup to a cloudfront distribution from Los Angeles and from Istanbul you will get different answers.

So in your case, let's assume that you want to serve "" out of Cloudfront.
Step 1.
You associate "" with a cloudfront distribution, go to your DNS wherever that is, and create a CNAME from "" to the Cloudfront distribution name.
Congratulations, is now active and working.

Step 2.
Your distribution is already set up to serve secure content if you use the distribution name, but you want your own. You go and buy a certificate for "" , install it on Cloudfront and associate it with your distribution.  I will not cover in detail the way to order a certificate, as this is not the subject here. Technically what happens is that the certificate you uploaded is replicated to all Cloudfront pops.
Congratulations, - secure is now active and working.
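To make the DNS mechanics in the answer above concrete, here is an added example (not the answer author's code, and not anything from AWS) that models Step 1: a toy resolver follows the CNAME from the custom hostname to the distribution name, enforces the "a CNAME returns exactly one answer" rule, and shows the same distribution A record returning several, location-dependent addresses. The zone, the distribution name and the addresses are constructed sample data, not real records.

```python
"""Toy resolver for the CNAME -> CloudFront distribution setup described above.
All names, addresses and zone contents below are constructed sample data."""

# Constructed records for the zone you control ("example.com" is a placeholder).
# Each owner name maps to a list of (type, value) records.
CUSTOMER_ZONE = {
    "www.example.com.": [("CNAME", "d111111abcdef8.cloudfront.net.")],
}

# Constructed stand-in for the CDN's authoritative answers: one A record for the
# distribution name returns several addresses, and which ones depends on where
# the querying client sits (the nslookup-from-two-cities point in the answer).
CLOUDFRONT_ANSWERS = {
    "d111111abcdef8.cloudfront.net.": {
        "los-angeles": ["203.0.113.10", "203.0.113.11"],
        "istanbul": ["198.51.100.20", "198.51.100.21"],
    }
}

def validate_cname(zone, name):
    """Rules from the answer: a CNAME returns exactly one target, and a name
    that has a CNAME carries no other record types (RFC 1034)."""
    records = zone.get(name, [])
    cnames = [v for t, v in records if t == "CNAME"]
    others = [t for t, _ in records if t != "CNAME"]
    if len(cnames) != 1:
        return False, f"{name} needs exactly one CNAME, found {len(cnames)}"
    if others:
        return False, f"{name} has a CNAME alongside {others}; not allowed"
    return True, cnames[0]

def resolve(name, client_location, zone=CUSTOMER_ZONE, cdn=CLOUDFRONT_ANSWERS):
    """Follow the CNAME chain the way a resolver does, then return the
    (distribution name, A answers) the CDN hands out for this client."""
    seen = []
    while name in zone:
        ok, target = validate_cname(zone, name)
        if not ok:
            raise ValueError(target)
        if name in seen:  # guard against a CNAME loop in the zone
            raise ValueError(f"CNAME loop at {name}")
        seen.append(name)
        name = target
    if name not in cdn:
        raise ValueError(f"{name} is not a known distribution name")
    return name, cdn[name][client_location]

if __name__ == "__main__":
    for city in ("los-angeles", "istanbul"):
        print(city, resolve("www.example.com.", city))
```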


Ok thanks a lot for this useful information :-)
