Skip to content
Gallery
7. DNS, Caching and Performance Optimization
Share
Explore
Amazon Cloudfront

icon picker
SSL/TLS and SNI

Last edited 59 days ago by Kirtan Chavda
CloudFront supports , and integrates with to help you to easily serve content over HTTPS using your own domain and SSL/TLS certificate. In addition to accelerated static content delivery, CloudFront offers a number of advanced features that help you to build powerful, feature-rich applications. For example, CloudFront offers content customisation with , live or on-demand video streaming, private content support, and more. (For more information about how CloudFront can be useful in your web application, check out and .)

image.png

CloudFront uses one of two methods to serve content via HTTPS when using custom domain names:
Server Name Indication (SNI) (Default option, recommended for most users): Clients indicate which hostname they are attempting to reach in the “Client Hello” message at the beginning of the SSL/TLS . CloudFront uses the hostname to return the corresponding certificate.
Dedicated IP Addresses: CloudFront maps SSL/TLS certificates to dedicated IP addresses. When a request is sent to a dedicated IP address, CloudFront returns the certificate mapped to that IP address.
These methods refer to the process that CloudFront uses to establish an SSL/TLS connection with a client. In CloudFront, using dedicated IP addresses is also referred to as “Legacy Clients Support.” (Refer to for more details on CloudFront settings and configurations.)

Overview: SNI-Based SSL vs. Dedicated IP SSL

When establishing an SSL/TLS connection for secure data exchange over HTTPS, the server must present the appropriate SSL/TLS certificate corresponding to the requested hostname. Before the introduction of Server Name Indication (SNI), servers could only present a single default certificate per IP address and port combination. This limitation posed a challenge for servers hosting multiple websites or domains.

Server Name Indication (SNI)

SNI is an extension of SSL/TLS protocols enabling HTTP clients to specify the hostname they are attempting to reach at the beginning of the handshake process.
It allows servers to present multiple certificates using the same IP address and port number.
SNI-based SSL connections specify the hostname during the handshake process, allowing the server to return the appropriate certificate.
image.png

Dedicated IP SSL

With dedicated IP SSL, each hostname is associated with a unique IP address at the server level.
CloudFront uses dedicated IP addresses to associate each hostname with a specific IP address at its edge locations.
CloudFront does not consider SNI for dedicated IP SSL connections, relying solely on the assigned IP address to identify the correct certificate.

Use Cases

SNI-Based SSL:
Minimizes costs associated with SSL/TLS connections.
Recommended approach for most scenarios.
Dedicated IP SSL:
Supports browsers or clients that do not support SNI.
Incurs additional costs compared to SNI-based SSL.

Conclusion:

SNI-based SSL is generally preferred due to cost-effectiveness.
Dedicated IP SSL may be necessary for environments with a significant number of SNI-incompatible clients.
The majority of web browsers and certificates used with CloudFront rely on SNI, making it the standard choice for most scenarios.
In summary, understanding the differences between SNI-based SSL and dedicated IP SSL helps optimize SSL/TLS connections with CloudFront for various use cases while balancing costs and compatibility considerations.


Want to print your doc?
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.