Larry Ludden - Enterprise Java Developer - AWS Cloud Architect


Amazon CloudFront VPC Origins: Enhanced Security and Simplicity

At re:Invent 2024, AWS announced Amazon CloudFront VPC Origins, a feature that enhances security and streamlines operations for applications hosted in Amazon Virtual Private Cloud (VPC).

This new capability addresses a common scenario: hosting servers or applications that should only be accessible via CloudFront, without direct external access. Previously, achieving this required workarounds like Origin Access Control (OAC) or configuring and verifying custom headers. Now, CloudFront VPC Origins simplifies the process significantly.

For those on a budget or for hobby workloads, this allows users to host a website or web application without a public IP and with an AWS SSL certificate, which can save a bit of money. For other business workloads, this is a straightforward way to make sure all traffic comes in through CloudFront (including a WAF if you have it configured) without having to add custom configuration or headers to CloudFront or your Load Balancer. You can connect to a single instance or to a load balancer in your VPC.

I'll update this article with steps to create a VPC and create a web service or a web application instance in a private subnet. But for now, I'll assume you already have a VPC and a private resource that you are trying to expose via CloudFront.

I'm able to call the resource internally:

[ec2-user@ip-192-168-101-94 ~]$ curl http://192.168.101.109
You made it to the web service
[ec2-user@ip-192-168-101-94 ~]$

CloudFront will create an elastic network interface in the subnet that your resource is in, and the source IP address of the traffic will be CloudFront's. So the security group of the resource will need to allow inbound traffic on port 80 from any source. Since the instance has no public IP address, that is acceptable to start with, but you can tighten it later to either the CloudFront prefix list or the security group that CloudFront creates along with the network interface.
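As an added example (not from the original article), here is a small check of the origin's security group rules, in the shape `aws ec2 describe-security-groups` returns, that tells the permissive starting rule apart from one tightened to the CloudFront-created security group or prefix list. The security group and prefix list IDs are constructed placeholders.

```python
"""Audit the inbound rules of a VPC origin's security group.

Added example, not from the original article. `perms` has the shape that
`aws ec2 describe-security-groups --query "SecurityGroups[0].IpPermissions"`
returns; every ID and CIDR below is a constructed sample value.
"""

def _covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermission entry applies to TCP `port` (or to all traffic)."""
    if perm.get("IpProtocol") == "-1":  # an "all traffic" rule carries no port range
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_origin_ingress(perms: list, port: int, cloudfront_sg: str, cloudfront_pl: str) -> dict:
    """Report who may reach `port`: the whole internet, only CloudFront's security
    group / prefix list, or other sources a reviewer should look at."""
    result = {"open_to_internet": False, "restricted_to_cf": False, "other_sources": []}
    for perm in perms:
        if not _covers_port(perm, port):
            continue
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            if cidr in ("0.0.0.0/0", "::/0"):
                result["open_to_internet"] = True
            else:
                result["other_sources"].append(cidr)
        for r in perm.get("UserIdGroupPairs", []):
            if r.get("GroupId") == cloudfront_sg:
                result["restricted_to_cf"] = True
            else:
                result["other_sources"].append(r.get("GroupId"))
        for r in perm.get("PrefixListIds", []):
            if r.get("PrefixListId") == cloudfront_pl:
                result["restricted_to_cf"] = True
            else:
                result["other_sources"].append(r.get("PrefixListId"))
    return result

# Constructed: the permissive "port 80 from anywhere" rule the article starts with,
# and the tightened rule that references the security group CloudFront created.
INITIAL_RULES = [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                  "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
TIGHTENED_RULES = [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                    "UserIdGroupPairs": [{"GroupId": "sg-0cf0example"}]}]

if __name__ == "__main__":
    for name, rules in (("initial", INITIAL_RULES), ("tightened", TIGHTENED_RULES)):
        print(name, audit_origin_ingress(rules, 80, "sg-0cf0example", "pl-0example"))
```

Feed it the live `IpPermissions` JSON after each change to confirm the rule set ended up where you intended.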

Step 1: Create the VPC Origin

Go to CloudFront > VPC Origins
Click the Create VPC Origin button

  • Name: test-vpc-origin-service (or whatever name you would like)
  • Origin ARN: This is the ARN of the EC2 instance or load balancer you want to connect to. For me it's: arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-0dd8d95244daaab9d
  • Protocol: HTTP only (unless you have an SSL certificate configured on your instance or load balancer)

Click Create VPC Origin button

This will take a few minutes to deploy, which you can monitor from the VPC Origins dashboard.

Step 2: Create the CloudFront distribution

Once the VPC Origin has been deployed, we can create the CloudFront distribution.

Go to CloudFront > Distributions
Click the Create distribution button

  • Origin Domain: Select the new VPC Origin created above from the drop-down (test-vpc-origin-service)
  • VPC origin Domain: ip-192-168-101-109.ec2.internal (this is the private DNS name of the instance)
  • Name: test-vpc-origin-service
  • Web Application Firewall: Do not enable security protections (to save costs for this demo)
  • Leave all other fields at their default or blank

Click Create Distribution button
This will take a few minutes to deploy, which you can monitor from the Distributions dashboard.

Once the status of the new CloudFront distribution is Enabled, take the domain name that was created (in my case: d2tvoeg3n0nk4s.cloudfront.net); requests to it should now be routed to your private resource, over HTTPS as well as HTTP.

[cloudshell-user@ip-10-134-34-228 ~]$ curl http://d2tvoeg3n0nk4s.cloudfront.net
You made it to the web service
[cloudshell-user@ip-10-134-34-228 ~]$ curl https://d2tvoeg3n0nk4s.cloudfront.net
You made it to the web service
[cloudshell-user@ip-10-134-34-228 ~]$ 

Link: https://aws.amazon.com/blogs/aws/introducing-amazon-cloudfront-vpc-origins-enhanced-security-and-streamlined-operations-for-your-applications/
