Description:
CloudFront Origin Failover checks whether an origin group is configured for an Amazon CloudFront distribution, with at least 2 origins in the origin group. This rule is NON_COMPLIANT if there are no origin groups for the distribution.
Rationale:
Ensure that the Origin Failover feature is enabled for your Amazon CloudFront web distributions to improve the availability of the content delivered to your end users.
Impact:
To implement Origin Failover, you have to create an origin group to provide rerouting during a failover event. Then you can associate the origin group with a cache behavior (one that allows only the GET, HEAD, and OPTIONS methods) to have requests routed from a primary origin to a secondary origin as a failover strategy. Before you can create an origin group, you must have two origins configured for your CloudFront web distribution.
With the Origin Failover capability, you can set up two origins for your CloudFront web distributions: primary and secondary. In the event of a primary origin failure, your content is automatically served from the secondary origin, maintaining the distribution's high reliability.
Default Value:
By default, CloudFront distributions do not have Origin Failover enabled.
Pre-requisites:
In CloudFront distributions, ensure that origins and origin groups are available.
Remediation:
Test Plan:
To determine if your AWS CloudFront distributions are using Origin Failover, perform the following actions:
1. Sign in to the AWS Management Console.
2. Navigate to the CloudFront dashboard at https://console.aws.amazon.com/cloudfront/.
3. In the left navigation panel, click Distributions to access the existing distributions.
4. Select the CloudFront distribution that you want to examine.
5. Click the Distribution Settings button from the dashboard top menu to access the resource configuration page.
6. Choose the Origins and Origin Groups tab to access the selected distribution origins.
7. Check for any origin groups defined within the Origin Groups section. If the selected Amazon CloudFront web distribution has no origin groups, then it does not have an origin group configured and the Origin Failover feature is not currently enabled.
8. Determine the Origin Failover configuration status.
Using AWS CLI:
To retrieve the configuration of a CloudFront distribution (inspect the OriginGroups element of the output):
aws cloudfront get-distribution-config --id <value>
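The following is an added example, not part of the original guide, that applies the rule's logic offline to the DistributionConfig object returned by the command above. The two sample configurations, origin IDs and domain names are constructed for this example; the extra findings it reports (members naming undefined origins, groups no cache behavior routes to) are practitioner checks beyond what the rule itself evaluates.

```python
"""Offline check for the CloudFront Origin Failover rule.

Added example, not part of the original guide. It evaluates the
"DistributionConfig" object that `aws cloudfront get-distribution-config
--id <value>` returns; the two configs below are constructed samples.
"""
import json


def _origin(origin_id, domain):
    """Minimal origin entry in API shape (constructed sample data)."""
    return {"Id": origin_id, "DomainName": domain, "OriginPath": "",
            "CustomHeaders": {"Quantity": 0}}


def evaluate_origin_failover(config):
    """Return (status, findings) for one DistributionConfig.

    Rule logic: COMPLIANT when at least one origin group with two or more
    members exists, NON_COMPLIANT otherwise. The extra findings (members
    that name undefined origins, groups no cache behavior routes to) are
    practitioner checks added here, not part of the rule.
    """
    findings = []
    groups = config.get("OriginGroups", {}).get("Items", [])
    if not groups:
        return "NON_COMPLIANT", ["no origin groups defined for the distribution"]

    origin_ids = {o["Id"] for o in config.get("Origins", {}).get("Items", [])}
    targets = {config.get("DefaultCacheBehavior", {}).get("TargetOriginId")}
    targets |= {b.get("TargetOriginId")
                for b in config.get("CacheBehaviors", {}).get("Items", [])}

    status = "NON_COMPLIANT"
    for group in groups:
        gid = group.get("Id", "<unnamed>")
        members = [m["OriginId"] for m in group.get("Members", {}).get("Items", [])]
        if len(members) >= 2:
            status = "COMPLIANT"
        else:
            findings.append(f"origin group {gid} has {len(members)} member(s); 2 are required")
        missing = sorted(set(members) - origin_ids)
        if missing:
            findings.append(f"origin group {gid} references undefined origins: {missing}")
        if gid not in targets:
            findings.append(f"origin group {gid} is not the target of any cache behavior")
    return status, findings


def evaluate_cli_output(text):
    """Evaluate the raw JSON printed by get-distribution-config."""
    return evaluate_origin_failover(json.loads(text)["DistributionConfig"])


# Constructed sample: primary S3 origin plus a secondary custom origin,
# grouped together and routed to by the default cache behavior.
COMPLIANT_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [
        _origin("primary-s3", "example-bucket.s3.amazonaws.com"),
        _origin("secondary-web", "origin2.example.com"),
    ]},
    "OriginGroups": {"Quantity": 1, "Items": [{
        "Id": "failover-group",
        "FailoverCriteria": {"StatusCodes": {"Quantity": 3, "Items": [500, 502, 503]}},
        "Members": {"Quantity": 2, "Items": [{"OriginId": "primary-s3"},
                                             {"OriginId": "secondary-web"}]},
    }]},
    "DefaultCacheBehavior": {"TargetOriginId": "failover-group"},
    "CacheBehaviors": {"Quantity": 0},
}

# Constructed sample: a single origin and no origin groups at all.
NON_COMPLIANT_CONFIG = {
    "Origins": {"Quantity": 1,
                "Items": [_origin("primary-s3", "example-bucket.s3.amazonaws.com")]},
    "OriginGroups": {"Quantity": 0},
    "DefaultCacheBehavior": {"TargetOriginId": "primary-s3"},
    "CacheBehaviors": {"Quantity": 0},
}

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CONFIG), ("no-groups", NON_COMPLIANT_CONFIG)):
        print(name, *evaluate_origin_failover(cfg))
```

To check a real distribution, pipe the command output into evaluate_cli_output; a group that passes the rule but is not the target of any cache behavior still protects nothing, which is why the unused-group finding is reported alongside the status.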
Implementation steps:
To enable and configure Origin Failover for your Amazon CloudFront CDN distributions, perform the following actions:
1. Sign in to the AWS Management Console.
2. Navigate to the CloudFront dashboard at https://console.aws.amazon.com/cloudfront/.
3. In the left navigation panel, click Distributions to access the existing distributions.
4. Select the CloudFront distribution that you want to reconfigure.
5. Click the Distribution Settings button from the dashboard top menu to access the resource configuration page.
6. Choose the Origins and Origin Groups tab to access the selected distribution origins.
7. Within the Origins section, click Create Origin to set up the secondary origin for your distribution.
8. On Create Origin page, perform the following:
A. Click inside the Origin Domain Name box and specify the domain name for your secondary origin. This can be an S3 bucket, an ELB, a MediaPackage channel endpoint, a MediaStore container endpoint, or a web server from which you want the Amazon CloudFront service to get your web content.
B. In the Origin ID box enter a description for the new origin.
C. From Origin SSL Protocols choose which SSL protocols are allowed to be used when establishing an HTTPS connection to your secondary origin.
D. From Origin Protocol Policy, select whether you want Amazon CloudFront to connect to your new origin using HTTP only, HTTPS only, or by matching the protocol used by the viewer.
E. In the Origin Response Timeout box, set the amount of time that CloudFront waits for a response from the new origin.
F. For Origin Keep-alive Timeout, set the amount of time that CloudFront maintains an idle connection with the secondary origin server before closing the connection.
G. For HTTP Port and HTTPS Port fields, provide the HTTP and HTTPS ports that the new origin listens on.
H. For Origin Custom Headers, provide the custom header keys and values to be included in every request to the secondary origin.
I. Click Create to create the distribution origin.
9. Within the Origin Groups section, click Create Origin Group to set up the necessary origin group.
10. On Create Origin Group page, perform the following:
A. Add the primary and the secondary origin from the Origins dropdown list.
B. From the Failover criteria, select one or more status codes (e.g. 4xx and 5xx status codes) to use as the failover criteria. When the codes that you select are returned by your primary origin, requests are rerouted to the secondary origin.
C. In the Origin Group ID box, provide a unique name for your new origin group.
D. Click Create to save the origin group. This action enables the Origin Failover feature for the selected Amazon CloudFront web distribution. From now on, CloudFront can automatically switch to the secondary origin when the primary origin returns the HTTP status code(s) configured within the origin group.
11. To enable Origin Failover for other Amazon CloudFront CDN distributions available within your AWS account, repeat the steps above for each distribution.
Using CLI commands:
To create an origin access identity for an S3 origin (the origin group itself is added by submitting an updated distribution configuration with aws cloudfront update-distribution):
aws cloudfront create-cloud-front-origin-access-identity --cloud-front-origin-access-identity-config <value>
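The following is an added example, not part of the original guide, that performs steps 9 and 10 above on a DistributionConfig object so the result can be submitted with aws cloudfront update-distribution (the --id, --if-match ETag and --distribution-config file:// arguments of that command are the real CLI parameters). The sample configuration, origin IDs and domain names are constructed; the check that the cache behavior allows only GET, HEAD and OPTIONS enforces the constraint stated in the Impact section.

```python
"""Build the OriginGroups configuration CloudFront expects, offline.

Added example, not part of the original guide. It performs steps 9-10
above on a DistributionConfig object; the output is what you would pass
to `aws cloudfront update-distribution --id <id> --if-match <etag>
--distribution-config file://config.json`. The sample config and the
origin IDs are constructed for this example.
"""
import copy
import json

# Status codes CloudFront accepts as origin-group failover criteria.
ALLOWED_FAILOVER_CODES = {403, 404, 500, 502, 503, 504}
# An origin group may only back cache behaviors limited to these methods.
FAILOVER_SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def add_origin_group(config, group_id, primary_id, secondary_id, status_codes):
    """Return a copy of config with a two-member origin group appended."""
    cfg = copy.deepcopy(config)
    origin_ids = {o["Id"] for o in cfg["Origins"]["Items"]}
    if primary_id == secondary_id:
        raise ValueError("primary and secondary origin must be different origins")
    for oid in (primary_id, secondary_id):
        if oid not in origin_ids:
            raise ValueError(f"origin {oid!r} is not defined on the distribution")
    codes = sorted(set(status_codes))
    unsupported = sorted(set(codes) - ALLOWED_FAILOVER_CODES)
    if not codes or unsupported:
        raise ValueError(f"failover criteria must be a non-empty subset of "
                         f"{sorted(ALLOWED_FAILOVER_CODES)}, got {codes}")
    groups = cfg.setdefault("OriginGroups", {})
    items = groups.setdefault("Items", [])
    if group_id in origin_ids or any(g["Id"] == group_id for g in items):
        raise ValueError(f"id {group_id!r} already used by an origin or origin group")
    # Member order matters: the first member is the primary origin.
    items.append({
        "Id": group_id,
        "FailoverCriteria": {"StatusCodes": {"Quantity": len(codes), "Items": codes}},
        "Members": {"Quantity": 2, "Items": [{"OriginId": primary_id},
                                             {"OriginId": secondary_id}]},
    })
    groups["Quantity"] = len(items)
    return cfg


def route_default_behavior(config, group_id):
    """Point the default cache behavior at the origin group.

    Refuses when the behavior allows methods beyond GET/HEAD/OPTIONS,
    because an origin group can only be associated with a cache
    behavior limited to those methods.
    """
    cfg = copy.deepcopy(config)
    behavior = cfg["DefaultCacheBehavior"]
    allowed = set(behavior.get("AllowedMethods", {}).get("Items", ["GET", "HEAD"]))
    extra = sorted(allowed - FAILOVER_SAFE_METHODS)
    if extra:
        raise ValueError(f"cache behavior allows {extra}; origin groups require "
                         f"only GET, HEAD and OPTIONS")
    behavior["TargetOriginId"] = group_id
    return cfg


# Constructed sample: the state after step 8 (two origins, no group yet).
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "primary-s3", "DomainName": "example-bucket.s3.amazonaws.com"},
        {"Id": "secondary-web", "DomainName": "origin2.example.com"},
    ]},
    "OriginGroups": {"Quantity": 0},
    "DefaultCacheBehavior": {
        "TargetOriginId": "primary-s3",
        "AllowedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]},
    },
}

if __name__ == "__main__":
    cfg = add_origin_group(SAMPLE_CONFIG, "failover-group", "primary-s3",
                           "secondary-web", [500, 502, 503, 504])
    cfg = route_default_behavior(cfg, "failover-group")
    print(json.dumps(cfg, indent=2))  # feed this to update-distribution
```

Both functions return a modified copy and leave the input untouched, so the configuration fetched with get-distribution-config can be kept for the backout step; update-distribution also requires the ETag from that fetch, which guards against overwriting a concurrent change.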
Backout Plan:
1. Sign in to the AWS Management Console.
2. Navigate to the CloudFront dashboard at https://console.aws.amazon.com/cloudfront/.
3. Select the CloudFront distribution.
4. Open Distribution Settings, choose the Origins and Origin Groups tab, and delete the origin group to disable Origin Failover; remove the secondary origin afterwards if it is no longer needed.
Using AWS CLI:
To delete the origin access identity created during implementation:
aws cloudfront delete-cloud-front-origin-access-identity --id <value>