AWS Certificate Manager - Do regions matter?

n00b · May 18, 2016 · Viewed 7.9k times

I already have a certificate from AWS Certificate Manager (ACM), created when only one region was available (I think the US-West-1 region?), and it is currently being used with CloudFront to host a website for the Australian market.

Now that ACM is available in more regions, would using a certificate created from the Sydney region have any improvements in performance?

Answer

Michael - sqlbot · May 18, 2016

ACM now supports multiple regions, but that doesn't have any implications for certificates for use with CloudFront.

To use an ACM certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.

https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html

The reason for this is that CloudFront, unlike most AWS services, where the regional implementation of the service is independent of all other regions, has all of its provisioning/administrative infrastructure based in us-east-1.

The operational infrastructure is globally distributed and independent, so the centralized management of CloudFront doesn't have performance implications. If you have performance issues, those should be investigated separately.

The announcement of new regions for ACM doesn't apply to CloudFront. It's applicable to the other service integrated with ACM, Elastic Load Balancer, which previously only supported ACM certificates in us-east-1 because that was the only region in which they were available, and ELB regions are fully independent of each other.

Follow-up: This answer was reviewed in May, 2018, two years after it was originally posted, and then again in the summer of 2020. It is still accurate, as written. Certificates for CloudFront (as well as for Edge-Optimized deployments in API Gateway, which have a somewhat hidden dependency on CloudFront) are always provisioned in the us-east-1 region of ACM. There is no compelling reason to expect this to change, as CloudFront's control plane runs in us-east-1.
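
Added example (not part of the original answer): a pre-deployment check in Python that reads the region out of each ACM certificate ARN and applies the rule described above, us-east-1 for CloudFront and edge-optimized API Gateway, the load balancer's own region for ELB. The `Binding` type, the service labels, the account ID and the certificate IDs are constructed placeholders.

```python
from typing import List, NamedTuple, Optional

# Services whose certificates must be in us-east-1, per the answer above.
EDGE_SERVICES = {"cloudfront", "apigateway-edge"}
EDGE_CERT_REGION = "us-east-1"

class Binding(NamedTuple):          # hypothetical inventory record
    name: str
    service: str                    # "cloudfront", "apigateway-edge" or "elb"
    resource_region: Optional[str]  # None for CloudFront (global service)
    cert_arn: str

def acm_region(arn: str) -> str:
    """Return the region field of an ACM certificate ARN, or raise ValueError."""
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "acm":
        raise ValueError(f"not an ACM ARN: {arn!r}")
    if not parts[3] or not parts[5].startswith("certificate/"):
        raise ValueError(f"not an ACM certificate ARN: {arn!r}")
    return parts[3]

def check(b: Binding) -> Optional[str]:
    """Return None if the certificate's region is usable, else a reason."""
    try:
        region = acm_region(b.cert_arn)
    except ValueError as exc:
        return f"{b.name}: {exc}"
    # Edge services ignore the resource's own region; ELB must match it.
    required = EDGE_CERT_REGION if b.service in EDGE_SERVICES else b.resource_region
    if region != required:
        return f"{b.name}: certificate is in {region}, {b.service} needs {required}"
    return None

def failures(bindings: List[Binding]) -> List[str]:
    return [r for r in map(check, bindings) if r is not None]

# Constructed sample inventory; IDs are placeholders, not real resources.
_ARN = "arn:aws:acm:{}:111122223333:certificate/00000000-0000-0000-0000-00000000000{}"
SAMPLE = [
    Binding("au-website", "cloudfront", None, _ARN.format("ap-southeast-2", 1)),
    Binding("au-website-fixed", "cloudfront", None, _ARN.format("us-east-1", 2)),
    Binding("edge-api", "apigateway-edge", "ap-southeast-2", _ARN.format("us-east-1", 2)),
    Binding("sydney-elb", "elb", "ap-southeast-2", _ARN.format("us-east-1", 2)),
    Binding("sydney-elb-ok", "elb", "ap-southeast-2", _ARN.format("ap-southeast-2", 1)),
]

if __name__ == "__main__":
    for reason in failures(SAMPLE):
        print(reason)
```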