
CloudFront VPC origins is a new feature, announced on Nov 20, that got Terraform support in mid-December.

In a nutshell, it allows CloudFront to reach into a private subnet and connect to the origin on its private IPv4 address. This achieves two things:

  • First, the instances in the subnet no longer need to be publicly reachable. This is a big improvement over the previous setup, where the origin had to accept connections from the internet and access had to be restricted to CloudFront by other means (a secret custom origin header or the CloudFront managed prefix list); now CloudFront is the only way in
  • And second, there is no need for a public IPv4 address. AWS has charged for every public IPv4 address since February 2024 (announced in mid-2023, the "IPv4 tax"), so not having one makes the solution cheaper

While it's clearly an improvement there are still some rough edges in practice. Without a public IPv4 address (or a NAT gateway) the instance can't reach the internet over IPv4, which matters for package installs, OS updates and calls to third-party APIs. There are solutions for this, but each comes with its own downsides:

  • Use IPv6. This is getting easier every day, but if a site you need doesn't support IPv6 then you can't connect to it. The npm registry supports it; GitHub only partially. While adoption is increasing, it's still hit or miss. Even AWS's own CLI defaults to IPv4-only endpoints and needs aws configure set default.s3.use_dualstack_endpoint true before S3 calls go over IPv6 (that setting covers S3 only). On the VPC side, the subnet needs an IPv6 CIDR and a route to an egress-only internet gateway for outbound IPv6 to work at all
  • Use a NAT gateway. Make sure you check the pricing page first: it is billed per hour and per GB processed, and a public NAT gateway needs an Elastic IP, so you are paying for a public IPv4 address anyway (one per gateway rather than one per instance)
  • Bake everything into the instance image so that it does not need to connect to outside sites at all. For example, this guide builds a full image with everything included; there is no need to run npm ci inside the container or fetch anything else at runtime
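To make the two halves of this concrete (a private subnet whose instance has no public IPv4 and is reachable only through a CloudFront VPC origin, plus IPv6-only egress so it can still fetch packages from sites that support IPv6), here is an added Terraform example. It is not code from the article or from AWS; the region, CIDRs, AMI, port and resource names are assumptions, and the provider version floor is a guess that should be checked against the provider changelog.

```hcl
# Added example, not the article's own code. Assumptions: region, CIDRs, AMI,
# app port 8080 and all names are placeholders; provider version is a guess.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.80" # assumed floor for aws_cloudfront_vpc_origin; verify
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumed
}

resource "aws_vpc" "this" {
  cidr_block                       = "10.0.0.0/16"
  assign_generated_ipv6_cidr_block = true # gives the VPC an Amazon-provided /56
}

# Private subnet: instances get a private IPv4 and a global IPv6 address, never a
# public IPv4 (map_public_ip_on_launch = false is the setting that avoids the charge).
resource "aws_subnet" "private" {
  vpc_id                          = aws_vpc.this.id
  cidr_block                      = "10.0.1.0/24"
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.this.ipv6_cidr_block, 8, 1)
  map_public_ip_on_launch         = false
  assign_ipv6_address_on_creation = true
}

# Outbound-only IPv6 path (npm registry, dual-stack APT mirrors, ...).
# An egress-only IGW never accepts inbound connections from the internet.
resource "aws_egress_only_internet_gateway" "eigw" {
  vpc_id = aws_vpc.this.id
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.this.id

  route {
    ipv6_cidr_block        = "::/0"
    egress_only_gateway_id = aws_egress_only_internet_gateway.eigw.id
  }
  # Deliberately no 0.0.0.0/0 route: no NAT gateway, no IPv4 internet access.
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# Inbound only on the app port and only from inside the VPC, which is where the
# ENIs CloudFront creates for the VPC origin live. Once those ENIs exist, tighten
# this to the security group CloudFront attaches to them instead of the VPC CIDR.
resource "aws_security_group" "app" {
  name   = "app-from-cloudfront-only"
  vpc_id = aws_vpc.this.id

  ingress {
    from_port   = 8080
    to_port     = 8080
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.this.cidr_block]
  }

  # Egress over IPv6 only; there is no usable IPv4 path out of this subnet anyway.
  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    ipv6_cidr_blocks = ["::/0"]
  }
}

resource "aws_instance" "app" {
  ami                    = "ami-0123456789abcdef0" # placeholder; pick a real AMI
  instance_type          = "t4g.small"
  subnet_id              = aws_subnet.private.id
  vpc_security_group_ids = [aws_security_group.app.id]
}

# The VPC origin: CloudFront connects to the instance on its private IPv4 address.
# The instance ARN is accepted here alongside ALB and NLB ARNs.
resource "aws_cloudfront_vpc_origin" "app" {
  vpc_origin_endpoint_config {
    name                   = "app-instance"
    arn                    = aws_instance.app.arn
    http_port              = 8080
    https_port             = 443
    origin_protocol_policy = "http-only" # TLS terminates at CloudFront; traffic stays inside the VPC

    origin_ssl_protocols {
      items    = ["TLSv1.2"]
      quantity = 1
    }
  }
}
```

The distribution then references this origin from its origin block with a vpc_origin_config that points at aws_cloudfront_vpc_origin.app.id. Two things worth checking after apply: that the instance really has no public IPv4 (aws ec2 describe-instances should show no PublicIpAddress), and that curl -6 from the instance works while curl -4 to the internet fails, which confirms the only inbound path is CloudFront and the only outbound path is IPv6.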

Overall I'm happy with this new addition to CloudFront as it makes the architecture of hosting EC2 instances easier and it brings the possibility to avoid having a public IPv4 address.
