Ahead of re:Invent, AWS has announced that Amazon CloudFront now supports Anycast static IPs, providing a dedicated set of IP addresses for connecting to all CloudFront edge locations worldwide. Additionally, the new VPC origins feature enables developers to designate private resources within a VPC as origins, eliminating the need for public IP addresses or internet connectivity.
Typically, CloudFront uses rotating IP addresses to serve traffic. However, the support for Anycast static IPs is designed to meet the requirements of large and regulated customers. The new feature allows a pool of Anycast static IPs to be assigned to CloudFront distributions, enabling a small, fixed set of 21 addresses to be configured in other appliances or applications as required.
Anycast assigns the same IP address to multiple servers or nodes in different locations, routing user requests to the nearest or best node based on factors such as network conditions, proximity, or policies. Sagar Desarda, TAM leader at AWS, highlights how the new feature simplifies zero-rating and IP address management:
For end-customers accessing your application, you now can collaborate with network carriers to exempt data charges from your end-customers’ data limits or implement distinct pricing models for accessing specific types of online content.
In addition to enabling zero-rated billing, the cloud provider recommends the new feature for several scenarios: managing network firewalls, reducing the frequency of IP address range updates, recognizing traffic from content providers, and simplifying IP address management for complex or legacy applications through the use of a small, fixed set of IP addresses.
Source: AWS Blog
The new capability costs 3000 USD per month, a price that has surprised many developers and currently limits its adoption to a few use cases. Corey Quinn, chief cloud economist at The Duckbill Group, comments:
For the low low price of $3K per month per list, you can still pretend it's 1995 and avoid rewriting your application.
On the same day, Amazon CloudFront separately announced Virtual Private Cloud (VPC) origins, a new feature that enables customers to use the content distribution network in front of applications hosted in VPC private subnets. With VPC origins, application and network load balancers, as well as EC2 instances in private subnets, can be made accessible exclusively through their CloudFront distributions, enhancing the security of the deployment. Matheus Guimaraes, senior developer advocate at AWS, writes:
CloudFront VPC Origins offers a new way for organizations to deliver secure, high-performance applications by enabling CloudFront distributions to serve content directly from resources hosted within private subnets. This reduces the complexity and cost of maintaining public-facing origins while ensuring that your application remains secure.
Until now, customers serving content from S3 and Lambda Function URLs could use Origin Access Control as a managed solution. However, for other origins in VPCs, they had to configure public subnets and implement additional mechanisms to restrict access to those origins. Matt Johnson, formerly chief technologist at AWS, comments:
This is great for security teams, but also for hobbyists, since you can now use CloudFront to provide SSL and free tier egress, coupled to an EC2 back-end instance that doesn’t need a public IP address, saving money as well!
VPC origins are available in all commercial regions with no additional costs associated with the feature.