CDN & DNS
Accelerate delivery with CloudFront, manage DNS with Route 53, and secure traffic with ACM certificates.
What You'll Build
Make your app production-ready by adding a CDN for global delivery, DNS for a custom domain, and SSL certificates for HTTPS, all through the AWS Console.
Module 3 - Resource Checklist
- Route 53 Hosted Zone (yourdomain.com)
- ACM Certificate (yourdomain.com + *.yourdomain.com)
- CloudFront Distribution (Origin: your ALB)
- Route 53 A Record (Alias to CloudFront)
Requires a domain name. If you don't have one, you can register a cheap one (.click, .link, ~$3/year) in Route 53, or skip this module entirely: your app works fine via the ALB DNS name.
| Azure | AWS | Notes |
|---|---|---|
| Azure Front Door | CloudFront | Both are global CDNs; Front Door has more routing features |
| Azure CDN | CloudFront | CloudFront is more full-featured |
| Azure DNS | Route 53 | Route 53 also does domain registration |
| App Service Certs | ACM | ACM is free and auto-renewing! |
Step 1: Route 53 - Domain & DNS
Route 53 is AWS's DNS service. It translates domain names to AWS resources. You can register a new domain or bring your own.
Option A - Register a domain in Route 53
Console: Route 53 → Registered domains → Register domains
| Setting | Value |
|---|---|
| Domain name | Search for a domain (try .click or .link, ~$3/year) |
| Auto-renew | Your choice |
Complete registration. A Hosted Zone is automatically created for you.
Option B - Use an existing domain
Console: Route 53 → Hosted zones → Create hosted zone
| Setting | Value |
|---|---|
| Domain name | yourdomain.com |
| Type | Public hosted zone |
Click Create hosted zone.
Then update your registrar:
- Copy the 4 NS records shown in the hosted zone
- Go to your domain registrar (GoDaddy, Namecheap, etc.)
- Update the nameservers to the 4 Route 53 NS values
- Wait for DNS propagation (up to 48 hours, usually faster)
Alias vs CNAME Records
CNAME
Standard DNS. Costs per query. Can't be used at zone apex (e.g., example.com).
Alias
AWS-specific. Free. Works at zone apex. Auto-resolves to the correct IP. Always prefer this.
Step 2: ACM - Free SSL Certificate
AWS Certificate Manager (ACM) provides free, auto-renewing SSL/TLS certificates. No renewal headaches, no cost.
Critical rule: ACM certificates for CloudFront must be created in us-east-1, regardless of where your other resources are. Switch your region to US East (N. Virginia) before starting!
Console: Switch to us-east-1 → Certificate Manager → Request a certificate
| Setting | Value |
|---|---|
| Certificate type | Public |
| Domain name | yourdomain.com |
| Add another name | *.yourdomain.com |
| Validation method | DNS validation |
| Key algorithm | RSA 2048 |
Click Request.
Validate the certificate:
- On the certificate details page, click Create records in Route 53
- Click Create records (adds a CNAME for validation automatically)
- Wait for status to change to Issued (5-30 minutes)
Step 3: CloudFront - Global CDN
CloudFront caches your content at 400+ edge locations worldwide. Users hit the nearest edge instead of your ALB directly. Even for dynamic APIs, CloudFront adds HTTPS termination and DDoS protection.
How It Works
User visits https://yourdomain.com
↓
Route 53 resolves to CloudFront edge
↓
CloudFront checks its cache
↓
Cache miss → CloudFront fetches from your ALB (origin)
↓
Response returned to user (and cached if applicable)
Azure Front Door works similarly but includes built-in WAF and advanced routing. CloudFront requires a separate AWS WAF service.
Console: CloudFront → Create distribution
Origin:
| Setting | Value |
|---|---|
| Origin domain | Select your ALB: sandbox-alb-xxxx.elb.amazonaws.com |
| Protocol | HTTP only |
| HTTP port | 80 |
Default cache behavior:
| Setting | Value |
|---|---|
| Viewer protocol policy | Redirect HTTP to HTTPS |
| Allowed HTTP methods | GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE |
| Cache policy | CachingDisabled (for API endpoints) |
| Origin request policy | AllViewer |
Settings:
| Setting | Value |
|---|---|
| Alternate domain name (CNAME) | yourdomain.com |
| Custom SSL certificate | Select your ACM cert from dropdown |
| Default root object | (leave empty) |
Click Create distribution. Wait 10-15 minutes for deployment.
Copy the Distribution domain name (e.g., d1234567.cloudfront.net).
Step 4: Point Your Domain to CloudFront
Create a Route 53 Alias record that points your domain to the CloudFront distribution. Alias records are free and auto-update.
Console: Route 53 → Hosted zones → your domain → Create record
| Setting | Value |
|---|---|
| Record name | (leave empty for root domain) |
| Record type | A |
| Alias | Yes |
| Route traffic to | Alias to CloudFront distribution |
| Distribution | Select your distribution |
Click Create records.
Test the Full HTTPS Flow
Your app is now accessible via your custom domain with HTTPS:
```bash
# Test HTTPS
curl https://yourdomain.com/health
curl https://yourdomain.com/api/tasks

# Check CloudFront headers
curl -I https://yourdomain.com/health
# Look for: X-Cache: Hit from cloudfront (on second request);
# with the CachingDisabled policy from Step 3, expect Miss from cloudfront instead

# Verify SSL certificate
echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | \
  openssl x509 -noout -subject -dates
```
Key Takeaways
- ACM certificates are free and auto-renew, so always use them
- ACM certs for CloudFront must be in us-east-1
- CloudFront adds HTTPS, caching, and DDoS protection in one service
- Use Alias records in Route 53 (free, works at zone apex)
- This module is optional: your app works fine via the ALB DNS without a custom domain
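A scripted form of the checks in "Test the Full HTTPS Flow", as an added example that is not part of the original tutorial: it classifies `curl -sI` headers to confirm the response came through CloudFront and that plain HTTP redirects to HTTPS on exactly your own host. The function names and sample headers are constructed for illustration; yourdomain.com and /health are the tutorial's placeholders.

```shell
#!/bin/sh
# Added example, not from the tutorial: classify `curl -sI` output for the
# checks in "Test the Full HTTPS Flow". Sample headers below are constructed.

# Print one header's value; header names match case-insensitively.
header_value() {  # usage: header_value NAME < headers
  tr -d '\r' | awk -v want="$1" '
    BEGIN { want = tolower(want) ":" }
    tolower(substr($0, 1, length(want))) == want {
      v = substr($0, length(want) + 1); sub(/^[ \t]+/, "", v); print v; exit
    }'
}

# Print hit, miss, other, or none (none: response did not pass through CloudFront).
cache_status() (
  xc=$(header_value x-cache | tr 'A-Z' 'a-z')
  case "$xc" in
    "hit from cloudfront"|"refreshhit from cloudfront") echo hit ;;
    "miss from cloudfront") echo miss ;;
    *"from cloudfront") echo other ;;
    *) echo none ;;
  esac
)

# Succeed only if a plain-HTTP response redirects to https:// on exactly HOST.
redirects_to_https() (  # usage: redirects_to_https HOST < headers
  hdrs=$(tr -d '\r')
  status=$(printf '%s\n' "$hdrs" | awk 'NR == 1 { print $2 }')
  loc=$(printf '%s\n' "$hdrs" | header_value location)
  case "$status" in 301|302|307|308) ;; *) exit 1 ;; esac
  case "$loc" in "https://$1"|"https://$1/"*) exit 0 ;; *) exit 1 ;; esac
)

# Constructed samples: an HTTP request answered by the redirect policy, and an
# HTTPS request served with the CachingDisabled policy.
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Server: CloudFront
Location: https://yourdomain.com/health
X-Cache: Redirect from cloudfront'
SAMPLE_HTTPS='HTTP/2 200
content-type: application/json
x-cache: Miss from cloudfront'

# Live use (needs network): check_live yourdomain.com
check_live() {
  curl -sI "http://$1/health" | redirects_to_https "$1" && echo "redirect: ok"
  echo "x-cache: $(curl -sI "https://$1/health" | cache_status)"
}
```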