API Routing Using CloudFront Function

CloudFront is limited to 25 cache behaviors per distribution. The quota can be increased, but restrictions still apply, there is an upper limit to the number of origins that can be routed through CloudFront. It has been possible to re-route the request origin using a Lambda@Edge function, but not using a CloudFront Function, at least until recently. Around re:Invent last year, AWS announced that Amazon CloudFront Functions now allow origin modifications, which will reduce latency and costs compared to using a Lambda@Edge function as the edge router.

Building the Edge Router

We will be using AWS SAM to define our infrastructure for this project. The stack will contain a CloudFront Distribution with a default origin that has a CloudFront Function acting as the edge router using the viewer-request event type. The function must use the JavaScript runtime 2.0.

Modifying the Origin

Modifying the origin is done through the helper method updateRequestOrigin, which is exported in the CloudFront Functions module. In the example below, we're changing the request origin to target an API Gateway instance. The helper method can also be used to update other origin settings, such as changing the Origin Access Control (OAC). See the documentation for all settings.

import cf from 'cloudfront';

// ...

cf.updateRequestOrigin({
  domainName: '0000000000.execute-api.eu-north-1.amazonaws.com'
});

The Stack Definition

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: CloudFront Function Edge Router

Resources:
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          - Id: DefaultOrigin
            DomainName:
              Fn::Sub: "my-app-bucket.s3.${AWS::Region}.${AWS::URLSuffix}"
            S3OriginConfig:
              OriginAccessIdentity: ""
            OriginAccessControlId: !GetAtt S3OriginAccessControl.Id
        DefaultCacheBehavior:
          TargetOriginId: DefaultOrigin
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS]
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad # CachingDisabled
          OriginRequestPolicyId: b689b0a8-53d0-40ab-baf2-68738e2966ac # AllViewerExceptHostHeader
          FunctionAssociations:
            - EventType: viewer-request
              FunctionARN: !GetAtt Router.FunctionMetadata.FunctionARN
  Router:
    Type: AWS::CloudFront::Function
    Properties:
      AutoPublish: true
      FunctionCode: |
        import cf from 'cloudfront';

        function handler(event) {
          const request = event.request;
          const uri = request.uri;

          if (uri.startsWith('/api')) {
            const apiName = uri.split('/')[2]; // The first path parameter indicates where to route the request
            let apiGatewayId = '0000000000';

            switch (apiName) {
              case 'my-api':
                apiGatewayId = '1111111111';
                break;
            }

            const apiGatewayPath = uri.split('/').slice(3).join('/'); // Strip /api/ from the uri
            const domainName = `${apiGatewayId}.execute-api.eu-north-1.amazonaws.com`;

            request.uri = `/${apiGatewayPath}`;

            cf.updateRequestOrigin({
              domainName: domainName,
              originAccessControlConfig: {
                enabled: false
              }
            });
          }

          return request;
        }
      FunctionConfig:
        Comment: "Router function, forwards requests to the appropriate API Gateway if path starts with /api"
        Runtime: "cloudfront-js-2.0"
      Name: "router"
  S3OriginAccessControl:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: S3OriginAccessControl
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4