Configuring a Content Delivery Network (CDN), such as Cloudflare, protects and accelerates your Workload running at Control Plane.
The configuration of various CDN providers is similar in concept. In this guide, you will find the steps on how to configure a CDN with Cloudflare and Amazon CloudFront.
Cloudflare

Prerequisites:
- A Workload in a Ready state.

Step One: Configure Cloudflare

From the Cloudflare UI, perform the following:

1. Create a CNAME record.
2. In the Name field, enter the desired target subdomain.
3. In the Target field, enter the Canonical Endpoint URL from the Workload's Info page.
4. Enable the Proxied switch.
5. Select the Full (strict) radio box (the SSL/TLS encryption mode).
6. Click the Origin Server submenu link.
7. Click Generate private key and CSR with Cloudflare.
8. Select RSA (2048).
9. Enter the *.DOMAIN and DOMAIN hostnames.
10. Click Create. The next page will display the certificate and private key. You may save these as separate text files or leave the page open and copy/paste the values when creating the TLS Secret at Control Plane in the next step.

Step Two: Create the TLS Secret at Control Plane

1. Select Secrets from the left side menu.
2. Click the New button at the top.
3. Enter a Name for the secret, select the secret type TLS, and paste in the certificate and private key from Step One.
4. Click Create. This secret will be used when configuring your domain in the next step.

Step Three: Configure the Domain at Control Plane

Follow the steps below to configure your Domain at Control Plane.
Note: If a subdomain is being configured, the APEX domain will need to be verified.

1. Select Domains from the left side menu.
2. Click the New button at the top.
3. Enter the Fully Qualified Domain Name (FQDN) of your Domain.
4. Click Next (Spec).
5. Select CNAME for the DNS Mode.
6. Select the Routing Mode.
7. Enable the Configure TLS switch.
8. Enable Use Custom Server Certificate and select the TLS Secret created in the step above.
9. Click Next (DNS).
10. Click Create.

After following the steps above, it will take a few minutes for the updates to propagate throughout the Internet.
Once fully configured, your Workload will be accessible, via the CDN, using the subdomain configured in the first step.
Amazon CloudFront

Prerequisites:
- A Workload in a Ready state.

Step One: Request a certificate

Request a public certificate with AWS Certificate Manager (ACM) in the N. Virginia region using the settings below:
- Domain name: subdomain.mydomain.com or *.mydomain.com
- Validation method: DNS Validation
- Key algorithm: RSA 2048

The certificate must be in the US East (N. Virginia) Region (us-east-1).
Step Two: Create the CloudFront distribution

1. Go to the CloudFront distributions page and click Create Distribution.
2. Set the Origin Domain to the public endpoint of your workload. Use one of the following methods, depending on whether you are using a BYOK location or a managed location (standard):
   - For managed locations (standard) only: use the Canonical Endpoint URL from the Workload's Info page as the Origin Domain, formatted as follows: cloudfront-httpbin-0ac6x9wrgpj00.cpln.app
   - For BYOK locations only: locate the public endpoint on your Workload's Deployments page and use this address as the Origin Domain value in CloudFront, formatted as follows: nginx3-7mhf5d3qcsrqt.eksctl-byok-aws-west2.controlplane.us
3. Edit the Alternate domain name for your domain, in the format subdomain.mydomain.com.
4. Select the Custom SSL certificate created in Step One from the list.
5. Select a Cache policy and complete the rest of the configuration as needed.
6. Click Create distribution and wait a few minutes for the changes to apply.

By now, your CloudFront distribution should be ready.

Step Three: Create the DNS record

Create a CNAME record in your DNS service (such as Route53) whose name matches the Alternate domain name of the CloudFront distribution created in Step Two and which points at the distribution's domain name.
Step Four: Restrict direct access to the workload

To ensure that it is not possible to reach the workload's endpoint directly without going through the CloudFront CDN first, configure the firewall settings for the workload to allow ingress only from the CloudFront list of IP ranges. You can refer to this example workload YAML file and copy the CIDR range directly from this manifest.

BYOK Only: If you have created inbound rules on the Security Group of the Load Balancers, either directly or using the Actuator configuration INGRESS_FIREWALL_CIDR_LIST, you will need to update the Security Group configuration with the CloudFront CIDR list range to enable CloudFront access to the workloads.

Important: To support this setting, ensure that your quota for Inbound or outbound rules per security group under Amazon Virtual Private Cloud (Amazon VPC) allows for at least 530 rules. Visit Service Quotas in the AWS console for your region to request a quota increase if necessary.
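The following Python script is an added example, not code from the Control Plane documentation or the example manifest it links to. It shows how the ingress allow-list for Step Four can be built and checked: it extracts the CloudFront prefixes from an AWS ip-ranges.json document (AWS publishes the real file at https://ip-ranges.amazonaws.com/ip-ranges.json; a small constructed excerpt is embedded so the script runs offline), places them in a workload manifest fragment, confirms that a direct client outside those ranges is blocked, checks the list against the 530-rule security-group quota from the note above, and flags allow-list entries that are not CloudFront ranges. The manifest field path `spec.firewallConfig.external.inboundAllowCIDR` and the function names are assumptions for this example.

```python
"""Added example: build and audit a CloudFront-only ingress allow-list.

Assumptions (not from the page):
  - ip-ranges.json has "prefixes" entries with "ip_prefix"/"service" and
    "ipv6_prefixes" entries with "ipv6_prefix"/"service"; CDN entries use
    "service": "CLOUDFRONT".
  - The workload manifest keeps its allow-list at
    spec.firewallConfig.external.inboundAllowCIDR (assumed field path).
"""
import ipaddress
import json

# Constructed excerpt in the shape of ip-ranges.json; not the current AWS list.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "prefixes": [
        {"ip_prefix": "205.251.192.0/19", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "205.251.192.0/19", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "10.0.0.0/8", "region": "us-east-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:9000::/28", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})

# Minimum quota for inbound/outbound rules per security group, as stated above.
SECURITY_GROUP_RULE_QUOTA = 530


def cloudfront_cidrs(ip_ranges_json: str, include_ipv6: bool = True) -> list[str]:
    """Return the de-duplicated CloudFront prefixes (IPv4 first) from ip-ranges.json."""
    data = json.loads(ip_ranges_json)
    cidrs = [p["ip_prefix"] for p in data["prefixes"] if p["service"] == "CLOUDFRONT"]
    if include_ipv6:
        cidrs += [p["ipv6_prefix"] for p in data["ipv6_prefixes"] if p["service"] == "CLOUDFRONT"]
    # The same prefix may be listed under several services; de-duplicate and sort
    # within each address family (the tuple key avoids comparing v4 with v6).
    return sorted(set(cidrs), key=lambda c: (ipaddress.ip_network(c).version, ipaddress.ip_network(c)))


def workload_manifest(name: str, cidrs: list[str]) -> dict:
    """Minimal workload manifest fragment carrying the ingress allow-list (assumed schema)."""
    return {
        "kind": "workload",
        "name": name,
        "spec": {"firewallConfig": {"external": {"inboundAllowCIDR": list(cidrs)}}},
    }


def is_ingress_allowed(src_ip: str, cidrs: list[str]) -> bool:
    """True when src_ip falls inside at least one allowed CIDR of the same address family."""
    addr = ipaddress.ip_address(src_ip)
    nets = (ipaddress.ip_network(c) for c in cidrs)
    return any(n.version == addr.version and addr in n for n in nets)


def fits_security_group_quota(cidrs: list[str], quota: int = SECURITY_GROUP_RULE_QUOTA) -> bool:
    """Each CIDR becomes one security-group rule; check the list fits the quota."""
    return len(cidrs) <= quota


def audit_manifest(manifest: dict, cloudfront_list: list[str]) -> list[str]:
    """Return allow-list entries that are not contained in a CloudFront range.

    A stray entry (for example 0.0.0.0/0 left over from testing) would let
    clients bypass the CDN and reach the origin directly.
    """
    allowed = manifest["spec"]["firewallConfig"]["external"]["inboundAllowCIDR"]
    cf_nets = [ipaddress.ip_network(c) for c in cloudfront_list]
    stray = []
    for c in allowed:
        net = ipaddress.ip_network(c)
        if not any(net.version == n.version and net.subnet_of(n) for n in cf_nets):
            stray.append(c)
    return stray


if __name__ == "__main__":
    cidrs = cloudfront_cidrs(SAMPLE_IP_RANGES)
    manifest = workload_manifest("cloudfront-httpbin", cidrs)
    print(json.dumps(manifest, indent=2))
    print("CloudFront edge 13.32.1.1 allowed:", is_ingress_allowed("13.32.1.1", cidrs))
    print("Direct client 198.51.100.7 allowed:", is_ingress_allowed("198.51.100.7", cidrs))
    print("Fits security-group quota:", fits_security_group_quota(cidrs))
    leaky = workload_manifest("leaky", cidrs + ["0.0.0.0/0"])
    print("Stray allow-list entries:", audit_manifest(leaky, cidrs))
```

Run it against the real ip-ranges.json to regenerate the allow-list whenever the `syncToken` changes, and keep `audit_manifest` in a deployment check so that an over-broad CIDR cannot silently reopen the origin to direct traffic.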