So currently we have two ec2 instances (lets say A and B) and a cloudfront.

If the user goes to www.appdomain.com/app the user should get routed to the cloudfront SPA page. However if the user goes www.appdomain.com the user should be routed to the EC2 instance A, and if user goes to www.appdomain.com/api be routed to EC2 instance B.

All of these applications must be on the same domain.

Now we found out how to set path rules using an application load balancer, but would like to know how to set it to cloudfront as well.

Update: So in summary the question is how do we route /app to cloudfront / and /api to ec2.

  • It's pretty straight forward. You just setup multiple origins in your CloudFront distribution and configure each one with domain name and path. If you have a specific question please ask it.
    – Mark B
    Commented Jan 30, 2019 at 18:40
  • Ok just to clarify, I also need to route to two EC2 instances (one for /api and one for /) and when /app is called only I need to route to the cloudfront distribution. So I tried to setup an ALB with path rules, however I can only target EC2 instances and cannot target cloudfront. How do I do this?
    – MilindaD
    Commented Jan 30, 2019 at 18:54
  • 1
    CloudFront is a CDN that would handle all the path routing. If you are using CloudFront you don't need to also use an ALB for this.
    – Mark B
    Commented Jan 30, 2019 at 19:01

In this scenario, every request for that domain must pass through CloudFront first.

Your DNS record will need to point to CloudFront (not the ALB) and CloudFront is then responsible for routing the request to the appropriate target -- to an EC2 instance via an ALB, to an S3 bucket, to wherever you need the requests to go -- and each of these things is called a content origin.

Once the origins are specified by their individual domain name (not your site's domain name, but a domain name specifically for the resource in question), you define CloudFront path patterns to select which origin is to receive the request for each pattern (e.g. /api*).

Once your DNS is changed to point to CloudFront, all requests go there first, and are handed off to the next service, unless CloudFront has a cached copy of the requested object -- in which case, CloudFront will serve it from its cache, and nothing will be sent to the origin.

You can't route from ALB to CloudFront, but you can route from CloudFront to ALB.

You can't subdivide a domain into multiple, different path-based content origins without using a reverse proxy that is able to match the paths and fetch the content on behalf of the requester -- HTTP and DNS don't support such functionality. CloudFront, in addition to providing the CDN service, is also a reverse proxy.

ALB, of course, is also a reverse proxy, but does not support as many different types of content origins as CloudFront does -- ALB only supports EC2 instances, servers in your data center (in which case, ALB must have a VPN path in order to reach them), and Lambda functions as content origins. CloudFront can use literally anything as a content origin as long as it speaks HTTP/HTTPS and is accessible via the Internet. (To choose a somewhat random example, CloudFront can even use a service from another vendor -- like a Google Cloud Storage bucket -- as a content origin, if that was something you needed to do, for whatever reason... because these are accessible via HTTP across the public Internet.)

  • 1
    Right, thanks to this I figured stuff out. However I've come across another problem which I need assistance on. I have an angular app which uses custom routes, so I essentially set a custom error page when a 404 response is returned to redirect the user to the /app/index.html page. However the problem is if something under /api/* returns a 404 I do not want to redirect the user to an angular page. How do I use path based routing for error pages in this case. Again thanks a lot for your above input.
    – MilindaD
    Commented Feb 4, 2019 at 12:39
  • 1
    @MilindaD I think the cleanest solution there might be a Lambda@Edge origin response trigger on the default appropriate cache behavior that intercepts 404 errors and transforms the response as desired... then you can remove the custom error document from the CloudFront configuration. Alternately, S3 can support a configuration to generate redirect responses to a prefix like /#/ or /#!/ if that works for you. This seems much more semantically correct than blindly treating every 404 as valid and returning the same content. See serverfault.com/a/633571/153161. Commented Feb 4, 2019 at 13:40
  • @Michael-sqlbot What if we want to add Authorization to the flow? Can Couldfront integrate with AWS Cognito to secure the webapp? Here is a detailed question: stackoverflow.com/questions/70449251/… Commented Dec 22, 2021 at 12:48

