How to Configure AWS S3 as Origin Site on Alibaba Cloud CDN

By Joon Park, Solutions Architect

Scenario Description

Alibaba Cloud Content Delivery Network (CDN) is a scalable and high-performance content delivery service for accelerated distribution of content to users across the globe. CDN is commonly used with Alibaba Cloud’s Object Storage Service (OSS) to accelerate large files and other static content for websites.

However, CDN is not limited to OSS; CDN can be used to accelerate files hosted on third party platforms, such as in a multi-cloud scenario. In this scenario, traffic flows from Clients to Alibaba Cloud CDN, which will then be forwarded to AWS S3. Both HTTP and HTTPS protocols are supported in this solution. For this solution to work, the AWS S3 bucket is assumed to be properly configured with access policy with HTTP referer.

Step 1: Verify Public Address and Access Permission on S3 Bucket

1. Take note of your S3 public end-point address and bucket name as your origin site.

  • AWS console > Services > Storage > S3 > Your bucket name
  • In this guide, the S3 public end-point address is “s3.ap-northeast-2.amazonaws.com” and bucket name is “ali-cdn-test”
Image for post
Image for post

2. Make sure your S3 bucket has “Public Access” permission. At the end of this guide, we will apply HTTP referer policy on S3 bucket to protect unauthorized access from any IP or Address.

Image for post
Image for post

3. Perform a pre-test on your S3 bucket through your browser with S3 public end-point address.

Image for post
Image for post

Step 2: Add and Configure Alibaba Cloud CDN with AWS S3 Public Address

1. Go to the CDN console on Alibaba Cloud

  • Alibaba Cloud console > CDN > Domain Names > Add Domain Name

2. Add and configure your service domain

  • Domain: your service domain, “test.test.com”
  • Origin Site Information: “Origin Site”
  • Domain Name: your S3 public address, in this guide: “s3.ap-northeast-2.amazonaws.com”
  • “Acceleration Region” options can be selected based on your own needs
Image for post
Image for post

3. Additional configure for AWS S3 as origin site

  • Domain Names > Your service Domain > Manage > Back-to-Origin Configuration > Back-to-origin Host > Enable > Domain Type > Origin Site
Image for post
Image for post

Step 3: Configure CNAME Record on Your DNS

1. Take a note CNAME record from CDN console on Alibaba Cloud. In this guide, I will use “test.test.com.w.kunlunsl.com”

Image for post
Image for post

2. Update CNAME record of your service domain on DNS

3. Verify CNAME record is working correctly

  • Please make sure “Exclamation mark” is removed from CDN console”.
  • DIG command with your service domain has right CNAME record.
Image for post
Image for post

Step 4: Validate

1. Input your service domain with S3 bucket name,http://service-domain/s3-bucket-name/filename

  • In this scenario, http://test.test.com/ali-dns-test/15mb.jpg
  • If you already apply “SSL certification” on this service domain, you can input https protocol. You can find “SSL protocol enable guide” at the end of this document.
Image for post
Image for post

Step 5: Security Hardening

1. Apply SSL certification and enable HTTPS protocol on Alibaba Cloud CDN

Image for post
Image for post

2. Configure ACL (Access Control List) policy on S3 Public Bucket
In case of AWS S3 with Alibaba CDN, this is a mandatory security hardening task, not optional. Please make sure your S3 bucket must be accessed from limited service domain, not from any public address.

Image for post
Image for post
{
"Id": "Alibaba CDN with AWS S3 http referer policy",
"Statement": [
{
"Sid": "Allow get requests originated from www.example.com and example.com",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::ali-cdn-test/*",
"Condition": {
"StringLike": {
"aws:Referer": "https://test.test.com/*"
}
}
}
]
}

Reference:https://www.alibabacloud.com/blog/how-to-configure-aws-s3-as-origin-site-on-alibaba-cloud-cdn_594572?spm=a2c41.12663365.0.0

Written by

Follow me to keep abreast with the latest technology news, industry insights, and developer trends.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store