VPC @ Edge is an important and missing AWS Feature
What would make AWS even better: #7 in my countdown from 10
This is item #7 in my countdown of items on my 2022 re:Invent wishlist. You can find item #8 here.
A customer wants to deploy a globally accessible website with minimal latency, caching of resources at the edge, and server-side rendering at the edge.
AWS: “Not a problem. Just use CloudFront with CloudFront Functions and Lambda@Edge.”
A customer wants to deploy the same solution, but privately without allowing traffic to enter or leave their VPC. Maybe for a customer with compliance requirements, or maybe for a development environment.
AWS: “Do you absolutely require server-side rendering at the edge? You’re probably going to have to make some tradeoffs here.”
“What about my origin?” asks the customer, “does that have to be exposed over the internet?”
AWS: “Why yes, yes it does.”
AWS doesn’t actually say these things, but people have been asking for VPC support in CloudFront, in various forms, for many, many years.
I’m not optimistic we’ll get this feature, because the question keeps getting pushed aside with responses like:
If you’re already inside a VPC why do you need CloudFront? Just hit the origin directly.
Why don’t you just add a WAF in front of your CloudFront distribution and whitelist it by IP address?
But CloudFront is a lot more than a cache. It is a highly configurable reverse proxy, programmable with CloudFront Functions and Lambda@Edge, that can group together disparate backends to provide a unified experience.
Here is what I want from CloudFront that I don’t yet have:
Let me place VPC endpoints in each target VPC and associate these with my CloudFront distribution origin configurations. Let me configure security group rules for each of these VPC endpoints.
Have these origin domain names resolved using the DHCP options of the VPC, so that I can use private domain names.
If you want to make me really happy, let me target internal network load balancers with Global Accelerator too.
Let me restrict access to CloudFront by source VPC endpoint or source VPC using a resource policy, similar to the way API Gateway does.
I am a huge fan of using CloudFront distributions as reverse proxies to minimize the attack surface. I run into VPC issues every time I want to deploy internal-only development accounts. Plus, it would be really nice to not have to worry about regularly rotating the shared secrets that protect public load balancer origins.
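To make the last point concrete, here is an added example (not code from the original post, and not an AWS API) of the shared-secret pattern the author would like to retire: CloudFront is configured to add a custom origin header carrying a secret, and the public origin rejects any request that does not present it. The header name, the overlap window and the request shape are assumptions; the rotation logic shows why the chore exists, since a safe rotation has to keep accepting the previous value until every edge location has picked up the new one.

```python
"""Origin-side verification of a CloudFront shared-secret header, with rotation.

Added example, not from the original post. A public ALB or web server that must
only accept traffic that has passed through CloudFront is commonly protected by
a custom origin header (assumed name below) carrying a random secret. Rotating
that secret without dropping traffic means accepting both the old and the new
value during an overlap window, which is the operational burden being described.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed header name; CloudFront would be configured to add it to origin requests.
HEADER_NAME = "x-origin-verify"


@dataclass
class OriginSecretStore:
    """Holds the current secret plus the previous one for a bounded overlap."""

    current: str
    previous: Optional[str] = None
    previous_expires_at: float = 0.0

    def rotate(self, overlap_seconds: float, now: Optional[float] = None) -> str:
        """Mint a new secret; keep accepting the old one for overlap_seconds."""
        now = time.time() if now is None else now
        self.previous = self.current
        self.previous_expires_at = now + overlap_seconds
        self.current = secrets.token_urlsafe(32)  # 256 bits of randomness
        return self.current

    def accepted_values(self, now: Optional[float] = None) -> List[str]:
        """Current secret, plus the previous one while its overlap window is open."""
        now = time.time() if now is None else now
        values = [self.current]
        if self.previous is not None and now < self.previous_expires_at:
            values.append(self.previous)
        return values


def request_came_via_cloudfront(
    headers: Dict[str, str], store: OriginSecretStore, now: Optional[float] = None
) -> bool:
    """Return True only if the request carries an accepted origin secret.

    Header names are compared case-insensitively. Every accepted value is
    checked with a constant-time comparison so a wrong guess leaks nothing
    about how many leading bytes matched.
    """
    normalized = {k.lower(): v for k, v in headers.items()}
    presented = normalized.get(HEADER_NAME)
    if presented is None:
        return False
    matched = False
    for value in store.accepted_values(now):
        if hmac.compare_digest(presented.encode(), value.encode()):
            matched = True  # keep looping: no early exit on a match
    return matched


if __name__ == "__main__":
    # Constructed demo: a rotation with a 60 second overlap window.
    store = OriginSecretStore(current=secrets.token_urlsafe(32))
    old = store.current
    direct_hit = {"host": "origin.example.internal"}  # constructed request, no secret
    via_edge = {"Host": "origin.example.internal", "X-Origin-Verify": old}
    print("direct:", request_came_via_cloudfront(direct_hit, store))
    print("via edge:", request_came_via_cloudfront(via_edge, store))
    new = store.rotate(overlap_seconds=60, now=1000.0)
    print("old secret inside overlap:", request_came_via_cloudfront(via_edge, store, now=1030.0))
    print("old secret after overlap:", request_came_via_cloudfront(via_edge, store, now=1100.0))
    print("new secret:", request_came_via_cloudfront({HEADER_NAME: new}, store, now=1100.0))
```

The `now` parameter exists so the overlap window can be exercised deterministically; in a real deployment the store would be backed by a secrets manager and the check would typically live in a WAF rule or the load balancer's listener rules rather than application code. Note that the overlap is exactly the thing a VPC-scoped origin would make unnecessary.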