How to set up a Custom Domain for FusionAuth using AWS CloudFront

Learn how to use AWS CloudFront to set up a custom domain with FusionAuth.

Published: March 21, 2025


While you can configure a custom domain with a FusionAuth Hosting package, you can also configure one using AWS CloudFront.

One of the great things about FusionAuth is its flexibility. FusionAuth wants you to be able to control your auth and run it the way that works best for you. If AWS CloudFront is your chosen tool for domain management, you can and should manage how users access your instance of FusionAuth from there.

The Setup

For the purpose of this blog, pretend you own a software company named Code Gremlins. Code Gremlins offers a web-based ToDo app to customers. You have a hosted instance of FusionAuth and want to configure AWS CloudFront to access that instance.

Get Your SSL Certificate

CloudFront requires an SSL certificate from AWS Certificate Manager (ACM) if you want to serve traffic securely (which you do). Here’s how to get one:

  • Go to AWS Certificate Manager and click the Sign In or Sign in to the Console button.
  • Once at the Console, enter Certificate Manager in the search bar.
AWS Certificate Manager.
  • Request a public certificate for auth.codegremlins.net (or whatever subdomain you are using). You will need to choose a validation method using either DNS (recommended) or email. If you choose DNS, you will be given information and need to create a CNAME record with whoever hosts your domain. Fill out the information on the form and click Request.
AWS DNS Validation.
  • Once the request has been submitted, you will be taken to another screen. As you see in the screenshot below, the status will be Pending validation until you perform the validation.
AWS Certificate Request.
Notice that only limited information is visible in the screenshot. To the right of the CNAME name in the Domains section there is more information in the table, but you may not be able to scroll. You may have to highlight the text with your mouse and drag to the right of the screen to see the rest of the information. In this case, the CNAME name is _7f214f44b65f038ed047cf3e4885000e.auth.codegremlins.net. and the CNAME value is _19a113b312369bece7458ffab448ffdb.xlfgrmvvlj.acm-validations.aws.
  • Add the CNAME DNS entry with your domain provider.
  • After you log in to GoDaddy, select Domains.
  • Choose codegremlins.net (or your subdomain).
  • Go to DNS.
  • Select Add New Record.
  • Select CNAME for Type.
  • Enter _7f214f44b65f038ed047cf3e4885000e.auth for Name. Notice that this is not the full CNAME name provided by AWS; it is only the subdomain part. Each provider may be different.
  • Enter _d000256d72e990f3dff7497b0d486f4c.xlfgrmvvlj.acm-validations.aws. for the Value.
  • Click Save.
GoDaddy CNAME settings.
Most DNS updates take effect within an hour, but could take up to 48 hours to update globally.

Set Up CloudFront Distribution

  • Go back to the AWS console and search for CloudFront. Select CloudFront.
Search for AWS Cloudfront.
  • Select Create distribution.
  • Fill in the form with the necessary info. Origin domain will be codegremlins.fusionauth.io. You will need to make a selection in the Web Application Firewall (WAF) section. Click Create distribution.
AWS Cloudfront create distribution.
  • After the new distribution is created, please note the ‘Distribution domain name’ as you will need it later. In this case, it is d2gwcywxndug73.cloudfront.net.
  • Next, select Edit in the Settings section of the General tab.
AWS Cloudfront edit distribution.
  • Under Alternate domain name (CNAME) - optional, select Add item. Enter auth.codegremlins.net.
  • Under Custom SSL certificate - optional, select auth.codegremlins.net. This is the certificate you set in the above steps.
  • Select Save Changes.
AWS Cloudfront edit distribution values.
After you make the changes, it may take a while for AWS to deploy them. To check the status, return to the list of distributions and look at Last modified. It will read Deploying while the deployment is still in progress and will show a date when it is complete.

Now you will have to make a change to allow the proper headers.

  • Next, click on the Behaviors tab.
  • Choose Default(*).
  • Select Edit.
AWS Cloudfront edit distribution behaviors.
  • Scroll down to the Cache key and origin requests section.
  • Change the Cache policy to CachingDisabled.
  • Change the Origin request policy to AllViewerExceptHostHeader.
  • Select Save changes.
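
The settings made so far (alternate domain name, ACM certificate, origin, and the two behavior policies) can be checked in one pass. The following is an added example, not part of the original post or FusionAuth's own code: it audits the `DistributionConfig` object that `aws cloudfront get-distribution-config` returns, and the sample configs, account ID and certificate ID in it are constructed placeholders.

```python
# Added example: audit a CloudFront DistributionConfig (the JSON shape returned by
# `aws cloudfront get-distribution-config`) against the settings in this walkthrough.

# IDs of the AWS managed policies chosen in the Behaviors tab. Confirm them with
# `aws cloudfront list-cache-policies --type managed` and
# `aws cloudfront list-origin-request-policies --type managed`.
CACHING_DISABLED = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"
ALL_VIEWER_EXCEPT_HOST = "b689b0a8-53d0-40ab-baf2-68738e2966ac"


def audit_distribution(cfg, alias, origin):
    """cfg is the inner DistributionConfig dict; returns a list of findings (empty = OK)."""
    findings = []
    if alias not in (cfg.get("Aliases", {}).get("Items") or []):
        findings.append(f"alternate domain name {alias} is not attached")
    origins = [o.get("DomainName") for o in cfg.get("Origins", {}).get("Items") or []]
    if origin not in origins:
        findings.append(f"origin {origin} is missing")
    arn = cfg.get("ViewerCertificate", {}).get("ACMCertificateArn", "")
    # CloudFront only accepts ACM certificates issued in the us-east-1 region.
    if not arn.startswith("arn:aws:acm:us-east-1:"):
        findings.append("no us-east-1 ACM certificate is selected")
    behavior = cfg.get("DefaultCacheBehavior", {})
    if behavior.get("CachePolicyId") != CACHING_DISABLED:
        findings.append("cache policy is not CachingDisabled; auth responses may be cached")
    if behavior.get("OriginRequestPolicyId") != ALL_VIEWER_EXCEPT_HOST:
        findings.append("origin request policy is not AllViewerExceptHostHeader")
    return findings


# Constructed sample configs (account ID and certificate ID are placeholders).
GOOD = {
    "Aliases": {"Quantity": 1, "Items": ["auth.codegremlins.net"]},
    "Origins": {"Quantity": 1, "Items": [{"Id": "fa", "DomainName": "codegremlins.fusionauth.io"}]},
    "ViewerCertificate": {"ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE"},
    "DefaultCacheBehavior": {"CachePolicyId": CACHING_DISABLED,
                             "OriginRequestPolicyId": ALL_VIEWER_EXCEPT_HOST},
}
# Constructed: the same distribution with the Settings and Behaviors edits not applied
# (no alias, default certificate, and the managed CachingOptimized policy ID).
UNEDITED = {
    "Aliases": {"Quantity": 0},
    "Origins": GOOD["Origins"],
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True},
    "DefaultCacheBehavior": {"CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6"},
}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("UNEDITED", UNEDITED)):
        print(name, audit_distribution(cfg, "auth.codegremlins.net", "codegremlins.fusionauth.io"))
```

A cache policy other than CachingDisabled is the finding to treat as most urgent, since login pages and API responses from FusionAuth should never be served from the edge cache to a different user.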

Configure The DNS

Now that you have the distribution set up, you need to tell the DNS to point to the distribution when a user enters auth.codegremlins.net.

  • Go to your domain provider. In this case, GoDaddy.
  • Go to My Products.
  • Select Domains.
  • Select codegremlins.net.
  • Click on the DNS tab.
  • Click Add New Record.
  • Choose CNAME for the Type.
  • Enter auth for the Name.
  • For the Value, enter the AWS Distribution domain name. In this case, it is d2gwcywxndug73.cloudfront.net.
  • Click Save.
AWS Cloudfront edit distribution behaviors settings.

Visit FusionAuth Using The New Custom Domain

Open your browser and visit https://auth.codegremlins.net. You should get the FusionAuth Admin UI web page.

Next steps

At this point, you should be able to use https://auth.codegremlins.net as you would the original https://codegremlins.fusionauth.io address. It will work with your applications and the APIs. You can also use these steps to create additional domains for additional applications.

There are also several other settings in the AWS Distribution setup, and you can tweak them until they work just right for you. After all, that is one of the beautiful parts about owning your authentication. You get to set it up so that it works just for your needs. FusionAuth gives you that flexibility.
