Communication between Cloudfront and ALB resulting in a 502 error


I'm getting Cloudfront 502 errors in the communication to the ALB origin, which results in:

CloudFront wasn't able to connect to the origin.

The Cloudfront logs show me OriginConnectError.

I've gone back and forth regarding what the issue could be, and I'm not sure how to debug this further.

Any ideas greatly appreciated!

Detailed

  • My application uses a wildcard A-record to handle all subdomains. It routes to Cloudfront
  • Cloudfront has a certificate in us-east-1 with *.example.com as domain name
  • Cloudfront points to ALB in eu-west-1 with a different *.example.com certificate from eu-west-1
  • Creating an alias record that points directly to ALB works, but I want it to point to Cloudfront. So the App is up and running.

There are 2 best solutions below


A very common mistake when using CloudFront with an ALB as the origin is forgetting to set the Origin request policy so that CloudFront forwards the "Host" header to the ALB.

  • If you created a custom domain for your ALB with a valid ACM cert and use that domain name as the origin in CloudFront, then the problem won't happen
  • If you directly select the ALB DNS name from the CloudFront console, the origin domain name is now the ALB DNS name, which will fail TLS at runtime and result in a 502. To solve this you need to set the Origin request policy to ALL_VIEWER or ALL_VIEWER_AND_CLOUDFRONT. This will tell CloudFront to forward the "Host" header that the client typed in the browser to your ALB, which matches the ALB rule (with a valid ACM cert).

Hope it helps
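The check behind this answer can be modelled offline. The following is an added example, not code from the question, the answer or AWS: it implements RFC 6125-style wildcard hostname matching and applies it to the two origin configurations the answer contrasts (ALB DNS name as origin with and without the Host header forwarded, and a custom origin domain). The ALB DNS name, the certificate SANs and the viewer hostname are constructed placeholders, and the rule that the origin certificate must cover either the origin domain or the forwarded Host header is taken from the CloudFront documentation for HTTPS custom origins, not observed from a live distribution.

```python
from dataclasses import dataclass
from typing import Sequence


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) covers hostname.

    A leading '*.' matches exactly one left-most DNS label, so '*.example.com'
    covers 'app.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # '.example.com'
    if not hostname.endswith(suffix):
        return False
    head = hostname[: -len(suffix)]           # the part the wildcard must absorb
    return bool(head) and "." not in head     # exactly one non-empty label


@dataclass(frozen=True)
class OriginConfig:
    """The three CloudFront origin settings that decide whether origin TLS validates."""
    origin_domain: str          # value of the 'Origin domain' field
    cert_sans: Sequence[str]    # subject alternative names on the ALB's ACM cert
    forward_viewer_host: bool   # True for ALL_VIEWER / ALL_VIEWER_AND_CLOUDFRONT


def effective_origin_host(cfg: OriginConfig, viewer_host: str) -> str:
    """Hostname CloudFront presents to the origin: the viewer's Host header when
    forwarded, otherwise the origin domain itself."""
    return viewer_host if cfg.forward_viewer_host else cfg.origin_domain


def origin_tls_ok(cfg: OriginConfig, viewer_host: str) -> bool:
    """True if the origin certificate covers the hostname CloudFront will check."""
    host = effective_origin_host(cfg, viewer_host)
    return any(hostname_matches(san, host) for san in cfg.cert_sans)


def diagnose(cfg: OriginConfig, viewer_host: str) -> str:
    """Human-readable verdict, mirroring the 502 / OriginConnectError symptom."""
    host = effective_origin_host(cfg, viewer_host)
    if origin_tls_ok(cfg, viewer_host):
        return f"OK: {host} is covered by {list(cfg.cert_sans)}"
    return (f"502 expected: {host} is not covered by {list(cfg.cert_sans)}; "
            f"forward the viewer Host header or use a custom origin domain")


# --- constructed sample values (placeholders, not a real ALB or domain) ---
ALB_DNS = "internal-placeholder-alb-123.eu-west-1.elb.amazonaws.com"
ALB_CERT_SANS = ["*.example.com"]
VIEWER_HOST = "app.example.com"

# ALB DNS name as origin, Host header not forwarded: cert cannot match.
CFG_ALB_NO_FORWARD = OriginConfig(ALB_DNS, ALB_CERT_SANS, forward_viewer_host=False)
# Same origin with ALL_VIEWER: CloudFront checks the viewer's Host instead.
CFG_ALB_FORWARD = OriginConfig(ALB_DNS, ALB_CERT_SANS, forward_viewer_host=True)
# Custom origin domain covered by the cert: works without forwarding.
CFG_CUSTOM_DOMAIN = OriginConfig("origin.example.com", ALB_CERT_SANS, forward_viewer_host=False)

if __name__ == "__main__":
    for name, cfg in [("alb-no-forward", CFG_ALB_NO_FORWARD),
                      ("alb-forward", CFG_ALB_FORWARD),
                      ("custom-domain", CFG_CUSTOM_DOMAIN)]:
        print(f"{name:15s} {diagnose(cfg, VIEWER_HOST)}")
```

Run it and the first configuration is the one that reproduces the 502 in the question; the other two are the two fixes the answer lists. The wildcard rule is the part worth keeping: a certificate for `*.example.com` never covers an `elb.amazonaws.com` name, so no TLS version or cipher change on the ALB will make that combination validate.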


I encountered similar issues with CloudFront and an ALB origin, which only had HTTPS enabled. While accessing the origin through CloudFront, I experienced numerous OriginConnectError and 502 errors.

Upon inspecting the ALB's "Monitoring" page, I discovered a high number of "Client TLS Negotiation Errors."

I attempted adjusting the TLS version without success. Ultimately, I enabled HTTP on the ALB and set the CloudFront origin protocol to "HTTP only"; this resolved the issue.