How to Set Up CloudFront for an ALB?
To set up CloudFront for an Application Load Balancer (ALB) using Pulumi in TypeScript, we will follow these steps:
- Create an ALB in a VPC.
- Create a CloudFront distribution that points to the ALB as the origin.
- Configure the necessary security groups and IAM roles.
- Output the CloudFront distribution URL.
We will use the AWS provider for Pulumi to accomplish this. The key services involved are Amazon CloudFront, which is a content delivery network (CDN) service, and an Application Load Balancer (ALB), which is a part of the Elastic Load Balancing service that automatically distributes incoming application traffic across multiple targets.
Full Code Example
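import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a VPC
const vpc = new aws.ec2.Vpc("my-vpc", {
    cidrBlock: "10.0.0.0/16",
    enableDnsSupport: true,
    enableDnsHostnames: true,
});

// Create an Internet Gateway: an internet-facing ALB cannot be created in a VPC without one
const internetGateway = new aws.ec2.InternetGateway("my-igw", {
    vpcId: vpc.id,
});

// Route table that sends non-local traffic through the Internet Gateway
const publicRouteTable = new aws.ec2.RouteTable("public-rt", {
    vpcId: vpc.id,
    routes: [{ cidrBlock: "0.0.0.0/0", gatewayId: internetGateway.id }],
});

// Create Subnets in two Availability Zones (the zone names assume the us-west-2 region)
const subnet1 = new aws.ec2.Subnet("subnet1", {
    vpcId: vpc.id,
    cidrBlock: "10.0.1.0/24",
    availabilityZone: "us-west-2a",
});
const subnet2 = new aws.ec2.Subnet("subnet2", {
    vpcId: vpc.id,
    cidrBlock: "10.0.2.0/24",
    availabilityZone: "us-west-2b",
});

// Associate both subnets with the public route table
const subnet1Association = new aws.ec2.RouteTableAssociation("subnet1-rta", {
    subnetId: subnet1.id,
    routeTableId: publicRouteTable.id,
});
const subnet2Association = new aws.ec2.RouteTableAssociation("subnet2-rta", {
    subnetId: subnet2.id,
    routeTableId: publicRouteTable.id,
});

// Create a Security Group for the ALB (HTTP and HTTPS from any address)
const albSecurityGroup = new aws.ec2.SecurityGroup("alb-sg", {
    vpcId: vpc.id,
    ingress: [
        { protocol: "tcp", fromPort: 80, toPort: 80, cidrBlocks: ["0.0.0.0/0"] },
        { protocol: "tcp", fromPort: 443, toPort: 443, cidrBlocks: ["0.0.0.0/0"] },
    ],
    egress: [
        { protocol: "-1", fromPort: 0, toPort: 0, cidrBlocks: ["0.0.0.0/0"] },
    ],
});

// Create an ALB (waits for the Internet Gateway to be attached to the VPC)
const alb = new aws.alb.LoadBalancer("my-alb", {
    securityGroups: [albSecurityGroup.id],
    subnets: [subnet1.id, subnet2.id],
    loadBalancerType: "application",
}, { dependsOn: [internetGateway] });

// Create a Target Group (no targets are registered in this example)
const targetGroup = new aws.alb.TargetGroup("my-target-group", {
    port: 80,
    protocol: "HTTP",
    vpcId: vpc.id,
});

// Create a Listener for the ALB (HTTP on port 80)
const listener = new aws.alb.Listener("my-listener", {
    loadBalancerArn: alb.arn,
    port: 80,
    defaultActions: [{
        type: "forward",
        targetGroupArn: targetGroup.arn,
    }],
});

// Create an IAM Role for CloudFront
// Note: CloudFront reaches the ALB origin over HTTP(S) and does not use this role.
const cloudfrontRole = new aws.iam.Role("cloudfront-role", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Principal: { Service: "cloudfront.amazonaws.com" },
            Effect: "Allow",
            Sid: "",
        }],
    }),
});

// Attach a policy to the IAM Role ("my-bucket" is a placeholder bucket name)
const cloudfrontRolePolicy = new aws.iam.RolePolicy("cloudfront-role-policy", {
    role: cloudfrontRole.id,
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: "s3:GetObject",
            Effect: "Allow",
            Resource: "arn:aws:s3:::my-bucket/*",
        }],
    }),
});

// Create a CloudFront Distribution
const cloudfrontDistribution = new aws.cloudfront.Distribution("my-distribution", {
    enabled: true,
    origins: [{
        domainName: alb.dnsName,
        originId: "my-alb-origin",
        // An ALB is a custom origin and needs customOriginConfig.
        // The listener above is HTTP on port 80 only, so CloudFront connects
        // with "http-only"; that hop is unencrypted until the ALB has an HTTPS listener.
        customOriginConfig: {
            httpPort: 80,
            httpsPort: 443,
            originProtocolPolicy: "http-only",
            originSslProtocols: ["TLSv1.2"],
        },
    }],
    defaultCacheBehavior: {
        targetOriginId: "my-alb-origin",
        viewerProtocolPolicy: "redirect-to-https",
        allowedMethods: ["GET", "HEAD"],
        cachedMethods: ["GET", "HEAD"],
        forwardedValues: {
            queryString: false,
            cookies: { forward: "none" },
        },
    },
    priceClass: "PriceClass_100",
    restrictions: {
        geoRestriction: {
            restrictionType: "none",
        },
    },
    viewerCertificate: {
        cloudfrontDefaultCertificate: true,
    },
});

// Output the CloudFront distribution URL
export const cloudfrontDistributionUrl = cloudfrontDistribution.domainName;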
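The ALB security group in the code above admits 0.0.0.0/0 on the listener port, so clients can reach the ALB directly as well as through CloudFront, skipping the distribution's HTTPS redirect. The check below is an added example, not part of the original page or of Pulumi: it audits ingress rules shaped like the page's `ingress` entries, and `IngressRule`, `findCloudFrontBypass` and the `pl-EXAMPLE` prefix list ID are hypothetical names.

```typescript
// Added example: plain TypeScript, no Pulumi imports. All names are hypothetical.
interface IngressRule {
  protocol: string;          // "tcp", or "-1" for all protocols
  fromPort: number;
  toPort: number;
  cidrBlocks?: string[];
  ipv6CidrBlocks?: string[];
  prefixListIds?: string[];  // e.g. a managed prefix list of CloudFront addresses
}

interface Finding { port: number; source: string; }

const WORLD_OPEN = ["0.0.0.0/0", "::/0"];

// True when the rule admits TCP traffic on `port`.
function coversPort(rule: IngressRule, port: number): boolean {
  if (rule.protocol === "-1") return true; // all protocols, all ports
  return rule.protocol === "tcp" && rule.fromPort <= port && port <= rule.toPort;
}

// One finding per (listener port, world-open CIDR) pair: each is a path by which
// a client can reach the ALB without going through CloudFront.
function findCloudFrontBypass(rules: IngressRule[], listenerPorts: number[]): Finding[] {
  const findings: Finding[] = [];
  for (const port of listenerPorts) {
    for (const rule of rules) {
      if (!coversPort(rule, port)) continue;
      const cidrs = (rule.cidrBlocks || []).concat(rule.ipv6CidrBlocks || []);
      for (const cidr of cidrs) {
        if (WORLD_OPEN.indexOf(cidr) !== -1) findings.push({ port, source: cidr });
      }
    }
  }
  return findings;
}

// Constructed sample 1: the ALB ingress rules as written on this page.
const pageRules: IngressRule[] = [
  { protocol: "tcp", fromPort: 80, toPort: 80, cidrBlocks: ["0.0.0.0/0"] },
  { protocol: "tcp", fromPort: 443, toPort: 443, cidrBlocks: ["0.0.0.0/0"] },
];
// Constructed sample 2: the listener port sourced only from a prefix list (placeholder ID).
const restrictedRules: IngressRule[] = [
  { protocol: "tcp", fromPort: 80, toPort: 80, prefixListIds: ["pl-EXAMPLE"] },
];

console.log(JSON.stringify(findCloudFrontBypass(pageRules, [80])));
console.log(JSON.stringify(findCloudFrontBypass(restrictedRules, [80])));
```

AWS publishes a managed prefix list of CloudFront origin-facing addresses, `com.amazonaws.global.cloudfront.origin-facing`, which a security group rule can reference in place of the world-open CIDR.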