How do I use AWS CloudFront with EC2 Client VPN?
In this guide, we will set up AWS CloudFront to deliver content and configure an EC2 Client VPN to provide secure access to resources within a VPC. We will create a CloudFront distribution, an EC2 Client VPN endpoint, and associate the VPN with a subnet in the VPC.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an S3 bucket to serve as the origin for CloudFront.
// The bucket stays private; CloudFront reads it through an Origin Access Identity.
const bucket = new aws.s3.Bucket("contentBucket");

// Origin Access Identity (OAI): the principal CloudFront uses to fetch objects,
// so the bucket never has to be made public.
const oai = new aws.cloudfront.OriginAccessIdentity("myOai", {
    comment: "CloudFront access to contentBucket",
});

// Bucket policy granting read access to the OAI only
const bucketPolicy = new aws.s3.BucketPolicy("contentBucketPolicy", {
    bucket: bucket.id,
    policy: pulumi.all([bucket.arn, oai.iamArn]).apply(([bucketArn, oaiArn]) =>
        JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Principal: { AWS: oaiArn },
                Action: "s3:GetObject",
                Resource: `${bucketArn}/*`,
            }],
        })),
});

// Create a CloudFront distribution
const distribution = new aws.cloudfront.Distribution("myDistribution", {
    enabled: true,
    origins: [{
        originId: bucket.arn,
        domainName: bucket.bucketRegionalDomainName,
        s3OriginConfig: {
            // An empty string here would require a public bucket; use the OAI path instead
            originAccessIdentity: oai.cloudfrontAccessIdentityPath,
        },
    }],
    defaultCacheBehavior: {
        targetOriginId: bucket.arn,
        viewerProtocolPolicy: "redirect-to-https",
        allowedMethods: ["GET", "HEAD"],
        cachedMethods: ["GET", "HEAD"],
        forwardedValues: {
            queryString: false,
            cookies: {
                forward: "none",
            },
        },
        minTtl: 0,
        defaultTtl: 3600,
        maxTtl: 86400,
    },
    priceClass: "PriceClass_100",
    restrictions: {
        geoRestriction: {
            restrictionType: "none",
        },
    },
    viewerCertificate: {
        cloudfrontDefaultCertificate: true,
    },
});

// Create a VPC
const vpc = new aws.ec2.Vpc("myVpc", {
    cidrBlock: "10.0.0.0/16",
});

// Create a subnet (the Client VPN target network)
const subnet = new aws.ec2.Subnet("mySubnet", {
    vpcId: vpc.id,
    cidrBlock: "10.0.1.0/24",
    availabilityZone: "us-west-2a",
});

// Security group attached to the Client VPN endpoint's network interfaces in the VPC
const securityGroup = new aws.ec2.SecurityGroup("mySecurityGroup", {
    vpcId: vpc.id,
    ingress: [{
        protocol: "tcp",
        fromPort: 443,
        toPort: 443,
        cidrBlocks: ["0.0.0.0/0"],
    }],
    egress: [{
        protocol: "-1",
        fromPort: 0,
        toPort: 0,
        cidrBlocks: ["0.0.0.0/0"],
    }],
});

// CloudWatch log group and stream for Client VPN connection logs.
// The endpoint only references these by name, so they must exist before it is created.
const vpnLogGroup = new aws.cloudwatch.LogGroup("my-log-group", {
    retentionInDays: 90,
});
const vpnLogStream = new aws.cloudwatch.LogStream("my-log-stream", {
    logGroupName: vpnLogGroup.name,
});

// Create a Client VPN endpoint
const clientVpnEndpoint = new aws.ec2clientvpn.Endpoint("myClientVpnEndpoint", {
    vpcId: vpc.id,
    // The client CIDR must be between /22 and /12 and must not overlap the VPC CIDR.
    // The original value 10.0.2.0/24 was both too small and inside 10.0.0.0/16.
    clientCidrBlock: "10.100.0.0/22",
    // Placeholder ACM certificate ARNs; replace with the server certificate and the
    // client CA chain issued for this endpoint
    serverCertificateArn: "arn:aws:acm:us-west-2:123456789012:certificate/abcd1234-5678-90ab-cdef-1234567890ab",
    authenticationOptions: [{
        type: "certificate-authentication",
        rootCertificateChainArn: "arn:aws:acm:us-west-2:123456789012:certificate/abcd1234-5678-90ab-cdef-1234567890ab",
    }],
    connectionLogOptions: {
        enabled: true,
        cloudwatchLogGroup: vpnLogGroup.name,
        cloudwatchLogStream: vpnLogStream.name,
    },
    dnsServers: ["8.8.8.8"],
    transportProtocol: "udp",
    securityGroupIds: [securityGroup.id],
});

// Associate the Client VPN with the subnet
const vpnNetworkAssociation = new aws.ec2clientvpn.NetworkAssociation("myVpnNetworkAssociation", {
    clientVpnEndpointId: clientVpnEndpoint.id,
    subnetId: subnet.id,
});

// Export the CloudFront distribution domain name
export const cloudFrontUrl = distribution.domainName;
```
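The Client VPN endpoint's clientCidrBlock is the setting most likely to fail at deploy time: AWS requires a block between /22 and /12 that does not overlap the VPC CIDR. The following pre-deployment check is an added example, not part of the Pulumi program above; the function names and the sample CIDRs are constructed for illustration.

```typescript
// Added example: validate a Client VPN client CIDR against the VPC CIDR before deploying.
interface Cidr { network: number; prefix: number; }

function parseCidr(cidr: string): Cidr {
    const [addr, prefixStr] = cidr.split("/");
    const prefix = Number(prefixStr);
    const octets = addr.split(".").map(Number);
    if (octets.length !== 4 || octets.some(o => !Number.isInteger(o) || o < 0 || o > 255)
        || !Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
        throw new Error(`invalid CIDR: ${cidr}`);
    }
    // ">>> 0" keeps every intermediate value an unsigned 32-bit integer
    const ip = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
    const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
    return { network: (ip & mask) >>> 0, prefix };
}

function overlaps(a: Cidr, b: Cidr): boolean {
    // Two blocks overlap when the shorter prefix's mask maps both networks to the same value
    const prefix = Math.min(a.prefix, b.prefix);
    const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
    return ((a.network & mask) >>> 0) === ((b.network & mask) >>> 0);
}

// Returns a list of problems; an empty list means the client CIDR is acceptable.
function clientCidrProblems(clientCidr: string, vpcCidr: string): string[] {
    const problems: string[] = [];
    const client = parseCidr(clientCidr);
    const vpc = parseCidr(vpcCidr);
    if (client.prefix > 22) problems.push(`client CIDR /${client.prefix} is smaller than the /22 minimum`);
    if (client.prefix < 12) problems.push(`client CIDR /${client.prefix} is larger than the /12 maximum`);
    if (overlaps(client, vpc)) problems.push(`client CIDR ${clientCidr} overlaps VPC CIDR ${vpcCidr}`);
    return problems;
}

// Constructed sample: the original program's values versus a corrected block
console.log(clientCidrProblems("10.0.2.0/24", "10.0.0.0/16"));   // two problems
console.log(clientCidrProblems("10.100.0.0/22", "10.0.0.0/16")); // []
```

Running the check on the page's original values reports both a too-small prefix and an overlap with the VPC, which is exactly what the AWS API would reject.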
Key Points
- S3 Bucket: Serves as the origin for the CloudFront distribution.
- CloudFront Distribution: Distributes content from the S3 bucket with caching and HTTPS support.
- VPC and Subnet: Provide the network environment for the Client VPN.
- Security Group: Manages inbound and outbound traffic rules for the VPN.
- Client VPN Endpoint: Establishes a secure VPN connection to the VPC.
- VPN Network Association: Associates the VPN endpoint with the subnet.
Summary
We have set up an AWS CloudFront distribution to deliver content from an S3 bucket, and configured an EC2 Client VPN for secure access to resources within a VPC. This setup ensures secure and efficient content delivery and access.