Trend Micro™ Cloud One

Enable Origin Failover for CloudFront Distributions

Reliability
Risk level: Medium (should be achieved)

Ensure that the Origin Failover feature is enabled for your Amazon CloudFront web distributions in order to improve the availability of the content delivered to your end users. To implement Origin Failover, you create an origin group that provides rerouting during a failover event. You then associate the origin group with a cache behavior (failover applies only to GET, HEAD and OPTIONS requests) so that requests are routed from the primary origin to the secondary origin when the primary fails. Before you can create an origin group, you must have two origins configured for your CloudFront web distribution.

With the Origin Failover capability, you can set up two origins for your CloudFront web distributions: a primary and a secondary. In the event of a primary origin failure, your content is automatically served from the secondary origin, maintaining the distribution's high reliability.

Audit

To determine if your AWS CloudFront distributions are using Origin Failover, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudFront dashboard at https://console.aws.amazon.com/cloudfront/.

03 In the left navigation panel, click Distributions to access the existing distributions.

04 On CloudFront Distribution page, under the main menu, select Web and Enabled from Viewing dropdown menus to list all active web distributions available in your AWS account.

05 Select the CloudFront distribution that you want to examine.

06 Click the Distribution Settings button from the dashboard top menu to access the resource configuration page.

07 Choose the Origins and Origin Groups tab to access the selected distribution origins.

08 Check for any origin groups defined within the Origin Groups section. If there are no origin groups available and instead the following message is displayed: "You don't have any origin groups. To create one, choose Create Origin Group.", the selected Amazon CloudFront web distribution does not have an origin group configured; therefore the Origin Failover feature is not currently enabled.

09 Repeat steps no. 5 – 8 to determine the Origin Failover configuration status for other Amazon CloudFront CDN distributions provisioned in your AWS account.

Using AWS CLI

01 Run list-distributions command (OSX/Linux/UNIX) using custom query filters to list the IDs of all CloudFront distributions available within your AWS account:

aws cloudfront list-distributions \
    --output table \
    --query 'DistributionList.Items[*].Id'

02 The command output should return a table with the requested distribution IDs:

--------------------
|ListDistributions |
+------------------+
|  AAAABBBBCCCCDD  |
|  ABCDABCDABCDAB  |
|  AABBCCDDAABBCC  |
+------------------+

03 Run get-distribution command (OSX/Linux/UNIX) using the ID of the distribution that you want to examine as the identifier and custom query filters to return the number of origin groups configured for the selected CloudFront distribution:

aws cloudfront get-distribution \
    --region us-east-1 \
    --id AAAABBBBCCCCDD \
    --query 'Distribution.DistributionConfig.OriginGroups.Quantity'

04 The command output should return the number of origin groups available:

0

If the get-distribution command output returns 0 (zero), as shown in the example above, the web distribution does not have any origin groups defined; therefore the Origin Failover feature is not enabled for the selected Amazon CloudFront CDN distribution.

05 Repeat step no. 3 and 4 to determine the Origin Failover configuration status for other Amazon CloudFront web distributions available within your AWS account.
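The audit steps above check a single value (OriginGroups.Quantity) per distribution. The following script is an added example, not Cloud Conformity's tooling: it reads the JSON returned by `aws cloudfront get-distribution-config` (or a bare DistributionConfig object) and applies the same rule, then goes one step further than the page and flags the follow-on problems a reviewer would want to see: origin group members that are not configured origins, groups with no failover status codes, groups that no cache behavior routes to, and allowed methods that never fail over. The sample configurations and origin names are constructed, not taken from a real account.

```python
"""Audit CloudFront distribution configurations for Origin Failover.

Added example (not Cloud Conformity's tooling). Reads the JSON returned by
`aws cloudfront get-distribution-config` and applies the Audit rule:
no origin group means Origin Failover is not enabled. It also flags the
follow-on problems a reviewer would want to see.
"""
import json
import sys

# CloudFront fails over only for these viewer request methods; requests using
# any other method always go to the primary origin.
FAILOVER_METHODS = {"GET", "HEAD", "OPTIONS"}


def unwrap(doc):
    """Accept the full get-distribution-config output or a bare DistributionConfig."""
    return doc.get("DistributionConfig", doc)


def audit_origin_failover(doc):
    """Return a finding dict for one distribution configuration."""
    cfg = unwrap(doc)
    origin_ids = {o["Id"] for o in cfg.get("Origins", {}).get("Items", [])}
    group_items = cfg.get("OriginGroups", {}).get("Items", [])
    result = {
        "origin_count": len(origin_ids),
        "origin_group_count": len(group_items),
        "failover_enabled": bool(group_items),
        "issues": [],
    }
    issues = result["issues"]

    if not group_items:
        issues.append("no origin group defined: Origin Failover is not enabled")
        if len(origin_ids) < 2:
            issues.append(f"{len(origin_ids)} origin(s) configured; an origin group "
                          "needs a primary and a secondary origin")
        return result

    for g in group_items:
        members = [m["OriginId"] for m in g.get("Members", {}).get("Items", [])]
        if len(members) != 2:
            issues.append(f"origin group {g['Id']}: {len(members)} member(s), expected 2")
        for m in members:
            if m not in origin_ids:
                issues.append(f"origin group {g['Id']}: member {m} is not a configured origin")
        codes = g.get("FailoverCriteria", {}).get("StatusCodes", {}).get("Items", [])
        if not codes:
            issues.append(f"origin group {g['Id']}: no failover status codes configured")

    # An origin group only takes effect when a cache behavior routes to it.
    group_ids = {g["Id"] for g in group_items}
    behaviors = [cfg.get("DefaultCacheBehavior", {})]
    behaviors += cfg.get("CacheBehaviors", {}).get("Items", [])
    routed = [b for b in behaviors if b.get("TargetOriginId") in group_ids]
    if not routed:
        issues.append("no cache behavior targets an origin group; failover is "
                      "configured but never used")
    for b in routed:
        extra = set(b.get("AllowedMethods", {}).get("Items", [])) - FAILOVER_METHODS
        if extra:
            issues.append(f"cache behavior for {b['TargetOriginId']} allows "
                          f"{sorted(extra)}; those requests never fail over")
    return result


def _origin(oid, domain):
    """Constructed custom origin, shaped like the page's JSON."""
    return {"Id": oid, "DomainName": domain, "OriginPath": "",
            "CustomHeaders": {"Quantity": 0},
            "CustomOriginConfig": {"OriginProtocolPolicy": "https-only",
                                   "HTTPPort": 80, "HTTPSPort": 443,
                                   "OriginSslProtocols": {"Quantity": 1,
                                                          "Items": ["TLSv1.2"]}}}


# Constructed samples (not real distributions): one without and one with failover.
SAMPLE_NO_FAILOVER = {"ETag": "E1EXAMPLE", "DistributionConfig": {
    "Origins": {"Quantity": 1, "Items": [_origin("primary", "primary.example.com")]},
    "OriginGroups": {"Quantity": 0},
    "DefaultCacheBehavior": {"TargetOriginId": "primary",
                             "AllowedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]}},
    "CacheBehaviors": {"Quantity": 0}}}

SAMPLE_FAILOVER = {"ETag": "E2EXAMPLE", "DistributionConfig": {
    "Origins": {"Quantity": 2, "Items": [_origin("primary", "primary.example.com"),
                                         _origin("secondary", "secondary.example.com")]},
    "OriginGroups": {"Quantity": 1, "Items": [{
        "Id": "primary-group",
        "Members": {"Quantity": 2, "Items": [{"OriginId": "primary"}, {"OriginId": "secondary"}]},
        "FailoverCriteria": {"StatusCodes": {"Quantity": 4, "Items": [500, 502, 503, 504]}}}]},
    "DefaultCacheBehavior": {"TargetOriginId": "primary-group",
                             "AllowedMethods": {"Quantity": 3, "Items": ["GET", "HEAD", "OPTIONS"]}},
    "CacheBehaviors": {"Quantity": 0}}}

if __name__ == "__main__":
    # Usage: aws cloudfront get-distribution-config --id <ID> | python audit_failover.py
    doc = SAMPLE_NO_FAILOVER if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(audit_origin_failover(doc), indent=2))
```

Piping the output of get-distribution-config for each ID from the list-distributions table into the script reproduces steps 03 and 04 for a whole account; a distribution that passes the page's check but whose default cache behavior still targets the primary origin rather than the group is reported as "configured but never used", which the Quantity check alone cannot tell you.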

Remediation / Resolution

To enable and configure Origin Failover for your Amazon CloudFront CDN distributions, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudFront dashboard at https://console.aws.amazon.com/cloudfront/.

03 In the left navigation panel, click Distributions to access the existing distributions.

04 On CloudFront Distribution page, under the main menu, select Web and Enabled from Viewing dropdown menus to list all active web distributions available in your AWS account.

05 Select the CloudFront distribution that you want to reconfigure (see Audit section part I to identify the right resource).

06 Click the Distribution Settings button from the dashboard top menu to access the resource configuration page.

07 Choose the Origins and Origin Groups tab to access the selected distribution origins.

08 Within Origins section, click Create Origin to set up the secondary origin for your distribution.

09 On Create Origin page, perform the following:

  1. Click inside the Origin Domain Name box and specify the domain name for your secondary origin. This can be an S3 bucket, an ELB, a MediaPackage channel endpoint, a MediaStore container endpoint or a web server from which you want the Amazon CloudFront service to get your web content.
  2. In the Origin ID box enter a description for the new origin.
  3. From Origin SSL Protocols choose which SSL protocols are allowed to be used when establishing an HTTPS connection to your secondary origin.
  4. From Origin Protocol Policy, select whether you want Amazon CloudFront to connect to your new origin using only HTTP, only HTTPS or to connect by matching the protocol used by the viewer.
  5. In the Origin Response Timeout box, set the amount of time that CloudFront waits for a response from the new origin.
  6. For Origin Keep-alive Timeout, set the amount of time that CloudFront maintains an idle connection with the secondary origin server before closing the connection.
  7. For the HTTP Port and HTTPS Port fields, provide the HTTP and HTTPS ports that the new origin listens on.
  8. For Origin Custom Headers, provide the custom header keys and values to be included in every request to the secondary origin.
  9. Click Create to create the distribution origin.

10 Within Origin Groups section, click Create Origin Group to set up the necessary origin group.

11 On Create Origin Group page, perform the following:

  1. Add the primary and the secondary origin from the Origins dropdown list.
  2. From Failover criteria, select one or more status codes (e.g. 4xx and 5xx status codes) to use as the failover criteria. When the codes that you select are returned by your primary origin, requests are rerouted to the secondary origin.
  3. In the Origin Group ID box, provide a unique name for your new origin group.
  4. Click Create to save the origin group. This action will enable the Origin Failover feature for the selected Amazon CloudFront web distribution. From now on, CloudFront can automatically switch to the secondary origin when the primary origin returns the HTTP status code(s) configured within the origin group.

12 Repeat steps no. 5 – 11 to enable Origin Failover for other Amazon CloudFront CDN distributions available within your AWS account.

Using AWS CLI

01 Run get-distribution-config command (OSX/Linux/UNIX) to extract the configuration information from the Amazon CloudFront web distribution that you want to reconfigure (see Audit section part II to identify the right resource):

aws cloudfront get-distribution-config \
    --region us-east-1 \
    --id AAAABBBBCCCCDD

02 The command output should return the requested configuration information:

{
    "ETag": "ABCDABCDABCDA",
    "DistributionConfig": {
        "Comment": "",
        "CacheBehaviors": {
            "Quantity": 0
        },
        "IsIPV6Enabled": false,
        "Logging": {
            "Bucket": "",
            "Prefix": "",
            "Enabled": false,
            "IncludeCookies": false
        },
        "WebACLId": "",

        ...

        "CallerReference": "123456789012",
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": true,
            "MinimumProtocolVersion": "TLSv1",
            "CertificateSource": "cloudfront"
        },
        "HttpVersion": "http2",
        "Restrictions": {
            "GeoRestriction": {
                "RestrictionType": "none",
                "Quantity": 0
            }
        },
        "Aliases": {
            "Quantity": 0
        }
    }
}

03 Modify the configuration metadata returned at the previous step to enable the Origin Failover feature by adding a secondary origin to the selected distribution and creating an origin group (see the "Origins" and "OriginGroups" objects in the example below). Save only the DistributionConfig object, without the outer "ETag" wrapper, in a JSON document named "enable-origin-failover.json": the update-distribution command expects the distribution configuration itself, and the ETag value is passed separately at the next step. Make sure that you update the following configuration file according to your own distribution configuration settings:

{
    "Comment": "",
    "CacheBehaviors": {
        "Quantity": 0
    },
    "IsIPV6Enabled": false,
    "Logging": {
        "Bucket": "",
        "Prefix": "",
        "Enabled": false,
        "IncludeCookies": false
    },
    "WebACLId": "",
    "Origins": {
        "Items": [
            {
                "OriginPath": "",
                "CustomOriginConfig": {
                    "OriginSslProtocols": {
                        "Items": [
                            "TLSv1.2"
                        ],
                        "Quantity": 1
                    },
                    "OriginProtocolPolicy": "http-only",
                    "OriginReadTimeout": 30,
                    "HTTPPort": 80,
                    "HTTPSPort": 443,
                    "OriginKeepaliveTimeout": 5
                },
                "CustomHeaders": {
                    "Quantity": 0
                },
                "Id": "custom-cloudconformity.com",
                "DomainName": "cloudconformity.com"
            },
            {
                "OriginPath": "",
                "CustomOriginConfig": {
                    "OriginSslProtocols": {
                        "Items": [
                            "TLSv1.2"
                        ],
                        "Quantity": 1
                    },
                    "OriginProtocolPolicy": "http-only",
                    "OriginReadTimeout": 30,
                    "HTTPPort": 80,
                    "HTTPSPort": 443,
                    "OriginKeepaliveTimeout": 5
                },
                "CustomHeaders": {
                    "Quantity": 0
                },
                "Id": "custom-cloudconformity1.com",
                "DomainName": "cloudconformity1.com"
            }
        ],
        "Quantity": 2
    },
    "DefaultRootObject": "",
    "PriceClass": "PriceClass_100",
    "Enabled": true,
    "DefaultCacheBehavior": {
        "FieldLevelEncryptionId": "",
        "TrustedSigners": {
            "Enabled": false,
            "Quantity": 0
        },
        "LambdaFunctionAssociations": {
            "Quantity": 0
        },
        "TargetOriginId": "custom-cloudconformity.com",
        "ViewerProtocolPolicy": "allow-all",
        "ForwardedValues": {
            "Headers": {
                "Quantity": 0
            },
            "Cookies": {
                "Forward": "none"
            },
            "QueryStringCacheKeys": {
                "Quantity": 0
            },
            "QueryString": false
        },
        "MaxTTL": 31536000,
        "SmoothStreaming": false,
        "DefaultTTL": 86400,
        "AllowedMethods": {
            "Items": [
                "HEAD",
                "GET"
            ],
            "CachedMethods": {
                "Items": [
                    "HEAD",
                    "GET"
                ],
                "Quantity": 2
            },
            "Quantity": 2
        },
        "MinTTL": 0,
        "Compress": false
    },
    "CallerReference": "123456789012",
    "ViewerCertificate": {
        "CloudFrontDefaultCertificate": true,
        "MinimumProtocolVersion": "TLSv1",
        "CertificateSource": "cloudfront"
    },
    "CustomErrorResponses": {
        "Quantity": 0
    },
    "OriginGroups": {
        "Items": [
            {
                "Id": "cc-cloudconformity.com-origin-group",
                "Members": {
                    "Items": [
                        {
                            "OriginId": "custom-cloudconformity.com"
                        },
                        {
                            "OriginId": "custom-cloudconformity1.com"
                        }
                    ],
                    "Quantity": 2
                },
                "FailoverCriteria": {
                    "StatusCodes": {
                        "Items": [
                            500
                        ],
                        "Quantity": 1
                    }
                }
            }
        ],
        "Quantity": 1
    },
    "HttpVersion": "http2",
    "Restrictions": {
        "GeoRestriction": {
            "RestrictionType": "none",
            "Quantity": 0
        }
    },
    "Aliases": {
        "Quantity": 0
    }
}

04 Run update-distribution command (OSX/Linux/UNIX) to update the configuration for the selected Amazon CloudFront CDN distribution (see Audit section part II to identify the right distribution) in order to enable Origin Failover. The following command example updates the specified CloudFront web distribution using the JSON configuration document defined at the previous step, i.e. "enable-origin-failover.json". The --if-match parameter value is the ETag value that you received when retrieving your web distribution's configuration at step no. 1:

aws cloudfront update-distribution \
    --id AAAABBBBCCCCDD \
    --distribution-config file://enable-origin-failover.json \
    --if-match ABCDABCDABCDA

05 The command output should return the metadata for the modified CloudFront distribution. Once the distribution configuration changes are deployed, CloudFront can automatically switch to the secondary origin when the primary origin returns the HTTP status code(s) configured within the origin group:

{
    "Distribution": {
        "Status": "InProgress",

            ...

        "DefaultCacheBehavior": {
            "TrustedSigners": {
                "Enabled": false,
                "Quantity": 0
            },
            "LambdaFunctionAssociations": {
                "Quantity": 0
            },
            "TargetOriginId": "custom-cloudconformity.com",
            "ViewerProtocolPolicy": "allow-all",
            "ForwardedValues": {
                "Headers": {
                    "Quantity": 0
                },
                "Cookies": {
                    "Forward": "none"
                },
                "QueryStringCacheKeys": {
                    "Quantity": 0
                },
                "QueryString": false
            },
            "MaxTTL": 31536000,
            "SmoothStreaming": false,
            "DefaultTTL": 86400,
            "AllowedMethods": {
                "Items": [
                    "HEAD",
                    "GET"
                ],
                "CachedMethods": {
                    "Items": [
                        "HEAD",
                        "GET"
                    ],
                    "Quantity": 2
                },
                "Quantity": 2
            },
            "MinTTL": 0,
            "Compress": false
        },

        ...

    "ETag": "ABCDABCDABCDA"
}

06 Repeat steps no. 1 – 5 to enable Origin Failover for other Amazon CloudFront web distributions available in your AWS account.
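Steps 01 to 04 of the CLI remediation are a hand edit of a large JSON document, and two slips are easy to make: leaving the ETag wrapper in the file, and changing an "Items" list without updating its sibling "Quantity" (update-distribution rejects both). The script below is an added example, not Cloud Conformity's or AWS's code. It takes the get-distribution-config output, clones the primary origin's settings into a secondary origin, creates the origin group, and, following the introduction of this page, points the default cache behavior at the group so that failover actually applies; it then validates every Quantity before writing the bare DistributionConfig to "enable-origin-failover.json". The ETag, origin IDs and domain names in the sample are constructed placeholders.

```python
"""Build the update-distribution input that enables Origin Failover.

Added example, not Cloud Conformity's or AWS's code. Performs the edit that the
CLI remediation steps describe by hand and writes a file that
`aws cloudfront update-distribution --distribution-config file://...` accepts.
"""
import copy
import json
import sys


def enable_origin_failover(doc, secondary_domain, secondary_id, group_id,
                           status_codes=(500, 502, 503, 504),
                           route_default_behavior=True):
    """Return (etag, new DistributionConfig) from get-distribution-config output."""
    etag = doc["ETag"]
    cfg = copy.deepcopy(doc["DistributionConfig"])  # never mutate the caller's copy

    origins = cfg["Origins"]
    items = origins.setdefault("Items", [])
    ids = [o["Id"] for o in items]
    primary_id = cfg["DefaultCacheBehavior"]["TargetOriginId"]
    if primary_id not in ids:
        raise ValueError(f"default cache behavior targets {primary_id!r}, not a plain origin")
    if secondary_id in ids:
        raise ValueError(f"origin id {secondary_id!r} already exists")

    # Clone the primary's protocol, port and TLS settings so both members behave alike.
    secondary = copy.deepcopy(next(o for o in items if o["Id"] == primary_id))
    secondary.update({"Id": secondary_id, "DomainName": secondary_domain})
    items.append(secondary)
    origins["Quantity"] = len(items)

    groups = cfg.setdefault("OriginGroups", {})
    gitems = groups.setdefault("Items", [])
    if any(g["Id"] == group_id for g in gitems):
        raise ValueError(f"origin group {group_id!r} already exists")
    gitems.append({
        "Id": group_id,
        "Members": {"Quantity": 2,
                    "Items": [{"OriginId": primary_id}, {"OriginId": secondary_id}]},
        "FailoverCriteria": {"StatusCodes": {"Quantity": len(status_codes),
                                             "Items": list(status_codes)}},
    })
    groups["Quantity"] = len(gitems)

    # Failover only happens for requests routed to the group, so retarget the behavior.
    if route_default_behavior:
        cfg["DefaultCacheBehavior"]["TargetOriginId"] = group_id
    return etag, cfg


def check_quantities(node, path="$"):
    """List every 'Quantity' that disagrees with its sibling 'Items' list."""
    problems = []
    if isinstance(node, dict):
        if "Quantity" in node:
            n = len(node.get("Items", []))
            if node["Quantity"] != n:
                problems.append(f"{path}: Quantity={node['Quantity']} but {n} item(s)")
        for k, v in node.items():
            problems.extend(check_quantities(v, f"{path}.{k}"))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            problems.extend(check_quantities(v, f"{path}[{i}]"))
    return problems


# Constructed sample shaped like get-distribution-config output (not a real account).
SAMPLE_GET_OUTPUT = {
    "ETag": "E1EXAMPLEETAG",
    "DistributionConfig": {
        "CallerReference": "1234567890",
        "Origins": {"Quantity": 1, "Items": [{
            "Id": "primary-origin", "DomainName": "primary.example.com", "OriginPath": "",
            "CustomHeaders": {"Quantity": 0},
            "CustomOriginConfig": {"OriginProtocolPolicy": "https-only",
                                   "HTTPPort": 80, "HTTPSPort": 443,
                                   "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]}}}]},
        "OriginGroups": {"Quantity": 0},
        "DefaultCacheBehavior": {
            "TargetOriginId": "primary-origin", "ViewerProtocolPolicy": "redirect-to-https",
            "AllowedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"],
                               "CachedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]}}},
        "CacheBehaviors": {"Quantity": 0},
        "Enabled": True,
    },
}

if __name__ == "__main__":
    # Usage: aws cloudfront get-distribution-config --id <ID> | python enable_failover.py
    doc = SAMPLE_GET_OUTPUT if sys.stdin.isatty() else json.load(sys.stdin)
    etag, cfg = enable_origin_failover(doc, "secondary.example.com",
                                       "secondary-origin", "primary-origin-group")
    problems = check_quantities(cfg)
    if problems:
        sys.exit("\n".join(problems))
    with open("enable-origin-failover.json", "w") as fh:
        json.dump(cfg, fh, indent=4)  # bare DistributionConfig, no ETag wrapper
    print(f"aws cloudfront update-distribution --id <ID> --if-match {etag} "
          "--distribution-config file://enable-origin-failover.json")
```

The printed update-distribution command mirrors step 04; the ETag is taken from the same get-distribution-config response the file was built from, so a configuration that changed in between is rejected by CloudFront rather than silently overwritten.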

Publication date Jan 27, 2019