How to CNAME to Amazon API Gateway Endpoint

amazon-web-services dns amazon-cloudfront aws-api-gateway
Silian Rails picture Silian Rails · Apr 20, 2016 · Viewed 13.5k times · Source

I'm trying to set a CNAME on Cloudflare to point to an Amazon API Gateway endpoint. The CNAME is for use when referring to one of my subdomains. The gateway in turn points to the IP of a server on DigitalOcean. I am very new to Amazon web services and would appreciate if someone could give me an overview of the correct configuration for the DNS, Amazon Gateway and Cloudfront (which I think is needed to expose the gateway to DNS servers external to Amazon). Any help would be much appreciated.

UPDATE

I've been going at this for a while now and not making much progress. Does anyone have an idea if this is a viable approach or how else it might be done?

UPDATE2

I thought I needed to add the CNAME record to cloudFlare and just ended up in a redirect loop, observed by:

curl -L -i -v https://sub.mydomain.com/

Answer

BonsaiOak picture BonsaiOak · Aug 23, 2017

There are several reasons why it doens't work to simply point Cloudflare at your API Gateway domain and call it a day:

  • API Gateway uses shared hosting so it uses the domain name to figure out what API to send requests to. It has no way of knowing that api.yourdomain.com belongs to your API.
  • API Gateway requires that you use https, but the certificate that it uses is only valid for the default domain.

There is a solution, however. Here are the steps that I followed when I recently set this up:

  1. Generate an origin certificate from the crypto tab of the Cloudflare dashboard.
  2. Import the certificate to AWS Certificate manager in the us-east-1 region, even if your API is located in a different region. If you are prompted for the certificate chain you can copy it from here.
  3. Add your custom domain in the API Gateway console and select the certificate you just added. Check the AWS support article for more information on how to do this.
  4. It usually takes about 45 minutes for the custom domain to finish initializing. Once it's done it will give you a new Cloudfront URL. Go ahead and make sure your API still works through this new URL.
  5. Go to the Cloudflare DNS tab and setup a CNAME record pointing to Cloudfront URL you just created.
  6. Switch to the crypto tab and set your SSL mode to "Full (Strict)". If you skip this step you'll get a redirect loop.

That's it. Enjoy your new highly available API served from your custom domain!

Related questions

Pointing Amazon's CloudFront at an A record not a CNAME

I've found instructions to point my domain's CNAME to Amazon's CloudFront service but ideally I would like to point the root name (A record name). For example, foo.com instead of www.foo.com. Is this possible?

Read More
RRSet of type CNAME with DNS name foo.com. is not permitted at apex in zone bar.com

I own foo.com and bar.com. I am managing both in Route53. foo.com hosts my site, and I'd like to direct traffic from bar.com to foo.com. I tried to set up a CNAME record for bar.…

Read More
Static hosting on Amazon S3 - DNS Configuration

I'm working on a little webapp (all client-side) I want to host it on Amazon S3. I've found several guides on this and have managed to create myself a bucket (with the same name as my domain), set it as …

Read More