Custom SSL Domain Names and Root Domain Hosting for Amazon CloudFront (opens in new tab)

(aws.typepad.com)

69 pointsmattyb12y ago29 comments

29 comments

pfg12y ago

Pricing, since it's not explicitly mentioned in the blog post:

    You pay $600 per month for each custom SSL certificate associated with one
    or more CloudFront distributions. This monthly fee is pro-rated by the hour.
    For example, if you had your custom SSL certificate associated with at least
    one CloudFront distribution for just 24 hours (i.e. 1 day) in the month of June,
    your total charge for using the custom SSL certificate feature in June will be
    (1 day / 30 days) * $600 = $20.

cperciva12y ago

You pay $600 per month for each custom SSL certificate associated with one or more CloudFront distributions.

This is... impressively expensive.

ceejayoz12y ago

Not when you think about what's going on behind the scenes. There are 40 CloudFront datacenters, which means all 40 of them have to have a dedicated IP and setup just for you and your SSL certificate.

2 more replies

donavanm12y ago

do note that it's per cert. you could, for example, use a wildcard cert and serve multiple distributions & fqdns off a single cert.

ps: check out the insane pricing for dedicated certs & https on some other CDNs. $600/mo doesnt look too excessive in comparison.

lost-theory12y ago

I think it's the going rate. A wildcard cert from edgecast is similarly priced (plus a setup fee).

Afforess12y ago

Not compared to how expensive CloudFront is. cough

1 more reply

buro912y ago

CloudFlare ( https://www.cloudflare.com/ ) are going to be getting a lot of new customers very soon I suspect.

Not least because they intend to give SSL to everyone (even the free tier) very soon, and have acquired enough IPv4 addresses to make doing so possible. Additionally their price for custom SSL certificates is a fraction of the price of CloudFront.

It is strange, watching a company like Amazon make a pricing decision like this, knowing how it will then shift things.

In our startup ( http://microco.sm ), we are implementing S3 for storage, and then to use multiple reverse proxies that make our static files surface (with our sites) through CloudFlare. The best of both worlds.

ceejayoz12y ago

Why would people switch to CloudFlare because Amazon added a feature Amazon never offered?

1 more reply

psychometry12y ago

Jesus. I served 5 TB of video on a site with Cloudfront last month and it was cheaper than that. I'll stick with my uglyrandomletters.cloudfront.net domain.

rsanders12y ago

The (theoretical) security value of proving a secure connection to uglyrandomletters.cloudfront.net is significantly less than the value of proving a secure connection to TheSiteYouTrust.com.

When a group of U.S. ISPs first started working on anti-phishing solutions, we realized that the problem with SSL is that apparently nobody told users they needed to check anything but the golden lock icon to verify security. "Oh, look, I have a secure connection to bankofamerica.b1llingprovider.com, seems legit".

bdb12y ago

If they're not using SNI, this is reasonable. Hopefully they're not using SNI.

pfg12y ago

Considering the number of IP addresses they'll probably have to dedicate to every CF distribution with a custom certificate (at least one for each edge location), it's definitely reasonable.

That being said, I'm hoping they'll switch to SNI at some point. Windows XP won't be around forever (well, one can hope...). IMHO SNI is the better long-term solution (especially when it comes to costs), so once the number of clients not supporting SNI drops to a negligible number, they should go for it.

legutierr12y ago

I'm curious, in addition to a lack of compatibility with Windows XP and early versions of certain browsers, is there any other reason that one wouldn't want to use SNI?

2 more replies

stellar67812y ago

Any ideas on how they accomplish this?

I presume it means that when I upload an SSL cert and associate it with one (or more) cloudfront distribution, that Amazon ends up dedicating at least one IP address at every edge location solely to my SSL cert?

I guess the scarcity of IP address space explains the steep pricing? They want you to consider other options before asking to reserve 40 dedicated IP addresses.

pfg12y ago

Unfortunately the documentation doesn't mention how it's implemented (at least I couldn't find anything), but considering the steep pricing, you're probably right with your assumption.

Hopefully they'll be able to switch to Server Name Indication (SNI) in the near future as that would save a lot of IP addresses (and, if that's their biggest cost factor, allow them to lower the price). I think Windows XP is the biggest obstacle w.r.t. SNI, but thankfully XP will be EOL'd soon(ish).

adrr12y ago

Couldn't they do it with 1 IP and use anycast instead of DNS to route to the edges?

jread12y ago

CloudFront doesn't use Anycast for content routing - only the DNS side is Anycast

RyanGWU8212y ago

Both of these features look really useful; kudos to AWS for launching them. I've already moved my personal website's root domain directly to CloudFront. (I was previously hosting the root domain through S3 and the "www" through CloudFront, so it's nice to have them both set up the same way now.)

cperciva12y ago

I just made exactly the same change with libarchive.org; I'm guessing a lot of people will be doing this over the next few days...

jere12y ago

Awesome. I just started with cloudfront a few weeks ago and to my understanding the root domain thing has been asked about for years. I was kind of bummed that I had to start using www because I have a pretty short domain.

j / k navigate · click thread line to collapse

29 comments

pfg12y ago

Pricing, since it's not explicitly mentioned in the blog post:

    You pay $600 per month for each custom SSL certificate associated with one
    or more CloudFront distributions. This monthly fee is pro-rated by the hour.
    For example, if you had your custom SSL certificate associated with at least
    one CloudFront distribution for just 24 hours (i.e. 1 day) in the month of June,
    your total charge for using the custom SSL certificate feature in June will be
    (1 day / 30 days) * $600 = $20.

cperciva12y ago

You pay $600 per month for each custom SSL certificate associated with one or more CloudFront distributions.

This is... impressively expensive.

ceejayoz12y ago

2 more replies

donavanm12y ago

do note that it's per cert. you could, for example, use a wildcard cert and serve multiple distributions & fqdns off a single cert.

ps: check out the insane pricing for dedicated certs & https on some other CDNs. $600/mo doesnt look too excessive in comparison.

lost-theory12y ago

I think it's the going rate. A wildcard cert from edgecast is similarly priced (plus a setup fee).

Afforess12y ago

Not compared to how expensive CloudFront is. cough

1 more reply

buro912y ago

CloudFlare ( https://www.cloudflare.com/ ) are going to be getting a lot of new customers very soon I suspect.

It is strange, watching a company like Amazon make a pricing decision like this, knowing how it will then shift things.

ceejayoz12y ago

Why would people switch to CloudFlare because Amazon added a feature Amazon never offered?

1 more reply

psychometry12y ago

Jesus. I served 5 TB of video on a site with Cloudfront last month and it was cheaper than that. I'll stick with my uglyrandomletters.cloudfront.net domain.

rsanders12y ago

The (theoretical) security value of proving a secure connection to uglyrandomletters.cloudfront.net is significantly less than the value of proving a secure connection to TheSiteYouTrust.com.

bdb12y ago

If they're not using SNI, this is reasonable. Hopefully they're not using SNI.

pfg12y ago

Considering the number of IP addresses they'll probably have to dedicate to every CF distribution with a custom certificate (at least one for each edge location), it's definitely reasonable.

legutierr12y ago

I'm curious, in addition to a lack of compatibility with Windows XP and early versions of certain browsers, is there any other reason that one wouldn't want to use SNI?

2 more replies

stellar67812y ago

Any ideas on how they accomplish this?

I guess the scarcity of IP address space explains the steep pricing? They want you to consider other options before asking to reserve 40 dedicated IP addresses.

pfg12y ago

Unfortunately the documentation doesn't mention how it's implemented (at least I couldn't find anything), but considering the steep pricing, you're probably right with your assumption.

adrr12y ago

Couldn't they do it with 1 IP and use anycast instead of DNS to route to the edges?

jread12y ago

CloudFront doesn't use Anycast for content routing - only the DNS side is Anycast

RyanGWU8212y ago

cperciva12y ago

I just made exactly the same change with libarchive.org; I'm guessing a lot of people will be doing this over the next few days...

jere12y ago

j / k navigate · click thread line to collapse