The Core Idea

When the origin is an application (an EC2 instance or a load balancer, not an S3 bucket), CloudFront still sits in front of it as a custom origin. There are two ways to connect, depending on whether the origin sits in a private or a public subnet.

Option 1 — VPC Origins (Private Subnet) ✅ Recommended


Your EC2 instance or ALB lives in a private subnet and is never exposed to the internet: no public IP, no internet-facing listener. CloudFront reaches it over AWS's private network through a VPC Origin, so reachability is enforced by the network topology rather than by an IP allowlist you have to maintain.

Users --> CloudFront Edge --> VPC Origin --> Private ALB / NLB / EC2

Option 2 — Public Network


If you are not using VPC Origins, the EC2 instance or ALB needs a public IP so CloudFront can reach it over the internet. You then lock it down so that only CloudFront's origin-facing IP ranges can reach it, not arbitrary users: in the origin's security group, allow inbound 80/443 only from the AWS-managed prefix list com.amazonaws.global.cloudfront.origin-facing instead of 0.0.0.0/0. Note that this allowlist admits traffic from any CloudFront distribution, not just yours, so it is normally paired with a secret custom origin header that your distribution adds and the ALB listener rule or the application checks.

EC2 as Origin

Users --> Edge Location --> EC2 (must be public)

ALB as Origin

Users --> Edge Location --> ALB (must be public) --> EC2 (can be private)
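The two layers of the Option 2 lock-down (prefix-list allowlist on the security group, plus a secret custom origin header) as an added example, not code from the original page. It audits inbound rules in the shape boto3's describe_security_groups() returns and checks the header in constant time. The sample rules, the pl-00000000 prefix list ID, the X-Origin-Verify header name and the secret are constructed placeholders; the real prefix list ID differs per account and region, and the header check goes one step beyond the text above, which only mentions the IP allowlist.

```python
import hmac

# Name of the AWS-managed prefix list that holds CloudFront's origin-facing IPs.
CLOUDFRONT_PREFIX_LIST_NAME = "com.amazonaws.global.cloudfront.origin-facing"
# Placeholder: the real pl-... ID differs per account and region. Look it up with
#   aws ec2 describe-managed-prefix-lists --filters Name=prefix-list-name,Values=<name>
CLOUDFRONT_PL_ID = "pl-00000000"

# Constructed sample: the "public ALB" security group before lock-down (open to all).
WEAK_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "PrefixListIds": []},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "PrefixListIds": []},
]

# Constructed sample: same ALB after lock-down (443 only, CloudFront prefix list only).
LOCKED_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [], "Ipv6Ranges": [],
     "PrefixListIds": [{"PrefixListId": CLOUDFRONT_PL_ID}]},
]


def _covered_ports(rule, ports):
    """Ports from `ports` that this rule admits ('-1' means any protocol/port)."""
    if rule.get("IpProtocol") == "-1":
        return list(ports)
    if rule.get("IpProtocol") != "tcp":
        return []
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return [p for p in ports if lo <= p <= hi]


def audit_origin_sg(ip_permissions, cloudfront_pl_id, ports=(80, 443)):
    """Layer 1: check an origin security group's inbound rules.

    `ip_permissions` has the shape of boto3's describe_security_groups()
    'IpPermissions' list. Returns a list of findings; an empty list means the
    listener ports are reachable only via the CloudFront origin-facing prefix list.
    """
    findings = []
    cloudfront_admitted = False
    for rule in ip_permissions:
        ports_hit = _covered_ports(rule, ports)
        if not ports_hit:
            continue
        label = ",".join(str(p) for p in ports_hit)
        for r in rule.get("IpRanges", []):
            findings.append(f"port {label} open to CIDR {r['CidrIp']} instead of the CloudFront prefix list")
        for r in rule.get("Ipv6Ranges", []):
            findings.append(f"port {label} open to CIDR {r['CidrIpv6']} instead of the CloudFront prefix list")
        for r in rule.get("UserIdGroupPairs", []):
            findings.append(f"port {label} open to security group {r['GroupId']}, unexpected for a CloudFront-only origin")
        for pl in rule.get("PrefixListIds", []):
            if pl["PrefixListId"] == cloudfront_pl_id:
                cloudfront_admitted = True
            else:
                findings.append(f"port {label} open to prefix list {pl['PrefixListId']}, which is not the CloudFront list")
    if not cloudfront_admitted:
        findings.append("no inbound rule references the CloudFront origin-facing prefix list")
    return findings


def origin_request_allowed(headers, expected_secret, header_name="X-Origin-Verify"):
    """Layer 2: accept only requests that carry the secret custom origin header.

    The prefix-list allowlist admits every CloudFront distribution, including other
    customers', so the distribution adds a secret header (name and value are
    placeholders here) and the ALB listener rule or the app verifies it. The
    comparison is constant-time so the check does not leak the secret by timing.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(header_name.lower())
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected_secret.encode())


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_SG_RULES), ("locked", LOCKED_SG_RULES)):
        print(name, audit_origin_sg(rules, CLOUDFRONT_PL_ID) or ["OK"])
    print(origin_request_allowed({"x-origin-verify": "placeholder-secret"}, "placeholder-secret"))
```

To run this against a real account, feed `audit_origin_sg` the `IpPermissions` list from `ec2.describe_security_groups(GroupIds=[...])` and the prefix list ID returned by `describe-managed-prefix-lists` for the name above; the EC2 behind an ALB (Option 2, second diagram) should in turn admit only the ALB's security group, which the same function would flag if it were pointed at the ALB rules by mistake.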