How can I build a scalable architecture for automated custom domains with HTTPS on AWS CloudFront?

Asked By CuriousCoder123 On

I'm working on an e-commerce platform that allows clients to access their stores using personalized custom domains (like clientstore.com) with active HTTPS support. Each store's content will be customized based on the Host header in the requests.

I'm looking to fully automate several processes including:
- Requesting SSL certificates for each client domain,
- Performing automatic DNS validation,
- Creating or updating CloudFront distributions for these domains with SSL support, and
- Routing all requests (both frontend and API) through CloudFront while identifying each store based on the request header.

Currently, our architecture involves our Django backend requesting a certificate from AWS Certificate Manager whenever a new domain is registered and performing DNS validation automatically. Once the SSL certificate is issued, we attach the domain to a CloudFront distribution. Clients then point their domains via CNAME records.

What architecture would best scale this to support hundreds or thousands of custom domains securely and efficiently on CloudFront?

4 Answers

Answered By AutomationWizard On

Achieving full automation can be tricky if you don't control the DNS. A practical approach might be a multi-step setup:
1. Let your customer specify their desired domain.
2. Create the ACM cert and provide them instructions for DNS validation.
3. Once validated, create a dedicated CloudFront distribution for that domain.
4. Inform clients about the required CNAME record to point to CloudFront.

This way, you maintain a level of separation by customer, which can simplify cache invalidation and metrics tracking. Also, don't forget, ACM is free, and only data transfer through CloudFront incurs costs, so excess certs or distros won’t break the bank!
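
The gate between steps 2 and 3 of the answer above, as an added example that is not part of the original answer or any AWS code: it works on a dict shaped like the `Certificate` object returned by boto3's `acm.describe_certificate()`. The function names and the sample records are constructed for illustration.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def normalize_domain(raw):
    """Lower-case a customer-supplied domain; reject wildcards and malformed names."""
    name = raw.strip().rstrip(".").lower()
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError(f"not a valid hostname: {raw!r}")
    return name


def validation_records(cert):
    """Step 2: the CNAME records the customer still has to create."""
    return [
        (opt["DomainName"], opt["ResourceRecord"]["Name"], opt["ResourceRecord"]["Value"])
        for opt in cert["DomainValidationOptions"]
        if opt.get("ValidationStatus") != "SUCCESS" and "ResourceRecord" in opt
    ]


def ready_for_distribution(cert, domain):
    """Step 3 gate: cert is issued, covers the domain, and every name validated."""
    options = cert["DomainValidationOptions"]
    return (
        cert["Status"] == "ISSUED"
        and any(o["DomainName"] == domain for o in options)
        and all(o.get("ValidationStatus") == "SUCCESS" for o in options)
    )


# Constructed sample data; the record name and value are placeholders.
PENDING = {
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [{
        "DomainName": "clientstore.com",
        "ValidationStatus": "PENDING_VALIDATION",
        "ValidationMethod": "DNS",
        "ResourceRecord": {"Name": "_example-token.clientstore.com.", "Type": "CNAME",
                           "Value": "_example-value.acm-validations.aws."},
    }],
}
ISSUED = {"Status": "ISSUED", "DomainValidationOptions": [
    dict(PENDING["DomainValidationOptions"][0], ValidationStatus="SUCCESS")]}
```

Attaching the domain only after `ready_for_distribution` returns true keeps a tenant from claiming a hostname whose DNS they do not control.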

Answered By CloudSavvyJ On

I'd recommend using separate CloudFront distributions for each tenant. It offers better management flexibility and separation, without a significant increase in cost.

Answered By DomainDynamo On

One thing to consider is how you'll automate DNS entries for custom domains since clients typically control their DNS zones. With various providers like GoDaddy and Cloudflare, each has different APIs, so you'll need a strategy for that. Once sorted, using Route 53 along with AWS Certificate Manager could streamline your SSL cert process.

Answered By TechGuru88 On

Have you checked out the new "Multi-Tenant Distributions" feature? It's tailored for situations like yours! It can significantly reduce your operational overhead. You can find some details about it on AWS's blog.

InfoSeeker99 -

Wow, I can't believe I missed that update. Thanks for the heads up!

EagerLearner12 -

That sounds promising! I’ll definitely look into it, thanks!
