Amazon CloudFront Announces WebSocket Support for VPC Origins

Amazon CloudFront WebSockets Support for VPC Origins
Amazon CloudFront now supports WebSockets traffic through Virtual Private Cloud (VPC) origins, enabling you to use CloudFront as the single entry point for real-time applications hosted entirely in private subnets. This feature extends VPC origins to applications that require persistent, bidirectional connections between clients and servers, such as chat platforms, collaborative editing tools, live dashboards, and IoT device management systems.
Previously, customers running real-time applications over WebSockets had to keep their origins in public subnets and use Access Control Lists and other mechanisms to restrict access to their WebSockets-enabled servers. Now, customers can place their Application Load Balancers (ALB), Network Load Balancers (NLB), and EC2 instances serving WebSockets traffic in private subnets accessible only through their CloudFront distributions. CloudFront serves as the single front door for both traditional HTTP traffic and real-time WebSockets connections, reducing attack surface, simplifying security management, and providing built-in DDoS protection.
What to do
- Place your WebSockets-enabled servers in private subnets.
- Configure your CloudFront distribution to use VPC origins.
- Ensure your security groups and network access control lists (ACLs) are properly configured to allow traffic between CloudFront and your VPC origins.
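One way to check the last step, as an added example that is not from AWS or the original announcement: the script below audits origin security groups for ingress rules that would let traffic reach the WebSockets servers without passing through CloudFront. The records follow the shape of EC2 `DescribeSecurityGroups` output, but every group ID, group name and the `ALLOWED_SG` value are constructed, and treating a single security group as the only legitimate source is an assumption about your setup.

```python
# Added example: audit origin security groups for ingress that bypasses CloudFront.
# Records mimic EC2 DescribeSecurityGroups output; every ID and name is constructed.
ALLOWED_SG = "sg-0c00000000000000c"  # assumption: group your VPC origin traffic arrives from
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

SAMPLE_GROUPS = [
    {"GroupId": "sg-0a00000000000000a", "GroupName": "ws-alb-private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": ALLOWED_SG}]},
    ]},
    {"GroupId": "sg-0b00000000000000b", "GroupName": "ws-alb-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": [{"GroupId": ALLOWED_SG}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ]},
]


def audit_origin_group(group, allowed_sg=ALLOWED_SG):
    """Return (group_id, ports, source, reason) for each ingress source other than allowed_sg."""
    findings = []
    for perm in group.get("IpPermissions", []):
        # The WebSocket upgrade rides the same listener port as ordinary HTTP(S),
        # so one rule per port covers both kinds of traffic.
        proto = perm.get("IpProtocol", "-1")
        ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            reason = ("open to internet" if cidr in OPEN_CIDRS
                      else "CIDR source, confirm it is internal")
            findings.append((group["GroupId"], ports, cidr, reason))
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != allowed_sg:
                findings.append((group["GroupId"], ports, pair["GroupId"],
                                 "unexpected security group"))
    return findings


if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        rows = audit_origin_group(g)
        print(g["GroupName"], "OK" if not rows else "FINDINGS")
        for row in rows:
            print("  ", *row)
```

To run it against a real account, replace `SAMPLE_GROUPS` with the `SecurityGroups` list returned by `DescribeSecurityGroups` for the groups attached to your origins.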
Source: AWS release notes


