Amazon CloudFront - Getting Started with Amazon Web Services in China
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon CloudFront

Amazon CloudFront is a content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers, with low latency and high transfer speeds, in a developer-friendly environment. When a user requests content that you're serving with CloudFront, the request is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance.

CloudFront China uses a network of four edge locations in the following cities: Beijing, Shanghai, Zhongwei, and Shenzhen.

Region Availability

Amazon CloudFront is available in the following regions in China:

  • Beijing Region

  • Ningxia Region

Feature Availability and Implementation Differences

The Amazon Web Services in China implementation of Amazon CloudFront is unique in the following ways:

  • You can’t use the default CloudFront domain, *.cloudfront.cn, to serve content. You must add an alternate domain name, also known as a CNAME, to your CloudFront distributions, and then use that domain name in the URLs for your content. You also must have an ICP registration. In addition, just as with the global CloudFront service, to serve content over HTTPS, you must use an SSL/TLS certificate with your alternate domain name.

    Amazon CloudFront in the China Regions currently does not support Amazon Certificate Manager. You must get an SSL/TLS certificate from a different third-party certificate authority (CA) and then upload it to the IAM certificate store. For more information, see Importing an SSL/TLS Certificate in the Amazon CloudFront Developer Guide.

  • By using the CloudFront API, you can view the ICP recordal status for each CNAME in a CloudFront distribution: APPROVED, SUSPENDED, or PENDING. The ICP recordal status is also displayed in the console for Amazon Web Services in China customers. For more information, see CNAME Status (General Tab) in the Amazon CloudFront Developer Guide and AliasICPRecordal in the Amazon CloudFront API Reference.

  • Dedicated IP addresses are not available for custom SSL certificates.

  • IPv6 is not supported.

  • Regional edge caches (RECs) are not available.

  • Lambda@Edge is not available. Some rules can be implemented on an Application Load Balancer or API Gateway origin.

  • Amazon WAF, a web application firewall service, is not available for CloudFront. Amazon WAF can be used on the origin (Application Load Balancer or API Gateway). For rules that act on the user's IP address, such as rate limits, configure Amazon WAF to read the IP address from the X-Forwarded-For header sent by CloudFront.

  • If you need to restore ACL permissions for the awslogsdelivery account so that CloudFront can write access logs to your Amazon S3 bucket, you must provide the following canonical name for the account: a52cb28745c0c06e84ec548334e44bfa7fc2a85c54af20cd59e4969344b7af56

  • When you use an Amazon S3 bucket as a CloudFront origin, use the following configuration:

    • If the S3 bucket is located inside the China Regions, use one of the following formats.

      • If your S3 bucket is not a website endpoint, use the following format: bucket-name.s3.region.amazonaws.com.cn.

      • If your S3 bucket is a website endpoint, use the following format: bucket-name.s3-website.region.amazonaws.com.cn.

    • When you specify Amazon S3 origins, region can be one of the following:

      • For the Beijing Region: cn-north-1.

      • For the Ningxia Region: cn-northwest-1.

    • If the S3 bucket is located outside of the China Regions, use the following format when you add the bucket as a CloudFront origin: bucket-name.s3-website.region.amazonaws.com.cn. For more information and guidance, follow the recommendations in Using Amazon S3 Buckets Configured as Website Endpoints for Your Origin.

  • For Amazon Web Services in China customers, CloudFront does not have root keys and does not support root access.

  • Cache policies and origin request policies are not available. Legacy cache settings can be used instead.

  • Origin Shield is not available.

  • CloudFront Functions are not available.

  • Legacy clients that don't support server name indication (SNI) are not supported.

  • The Associate-alias and List-conflicting-aliases APIs are not available.

  • Real-time logs are not available.

  • Standard logging (v2) is not available. You can use standard logging (legacy) with an S3 bucket.

  • Anycast static IP lists are not supported.

  • VPC origins are not supported.

  • Media quality-aware resiliency (MQAR) is not supported.

  • gRPC is not supported.

  • Brotli compression is not available. Gzip compression can be used.

  • Origin access control (OAC) is not available. Origin Access Identity (OAI) can be used.

  • MediaStore is not available.

  • HTTP/3 is not available.

  • WebSocket is not supported.

  • CloudFront managed prefix list is not available. CloudFront IP addresses can be allowlisted in Security Groups associated with resources inside Amazon VPC. For more details about China CloudFront IP addresses, contact Amazon Web Services Support.
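
Several of the constraints in the list above can be checked mechanically before a distribution is deployed. The following Python sketch is an added example, not code from the Amazon documentation: it lints a structure shaped like the Distribution element of a CloudFront GetDistribution response, and lint_china_distribution and SAMPLE are hypothetical names with constructed data.

```python
import re

# Added example: field names follow the CloudFront GetDistribution response;
# lint_china_distribution and SAMPLE are hypothetical names for this sketch.
S3_ORIGIN = re.compile(r"^[a-z0-9.-]+\.s3(-website)?\.[a-z0-9-]+\.amazonaws\.com\.cn$")

def lint_china_distribution(dist):
    """Return findings for one 'Distribution' dict, per the constraints listed above."""
    cfg = dist["DistributionConfig"]
    findings = []
    aliases = cfg.get("Aliases", {}).get("Items", [])
    if not aliases:
        findings.append("no CNAME: *.cloudfront.cn cannot serve content")
    status = {r["CNAME"]: r["ICPRecordalStatus"] for r in dist.get("AliasICPRecordals", [])}
    for name in aliases:
        if status.get(name) != "APPROVED":
            findings.append(f"{name}: ICP recordal status {status.get(name, 'UNKNOWN')}")
    cert = cfg.get("ViewerCertificate", {})
    if cert.get("ACMCertificateArn"):
        findings.append("ACM certificate: import it into the IAM certificate store")
    if cert.get("SSLSupportMethod", "sni-only") != "sni-only":
        findings.append("non-SNI TLS: dedicated IP addresses are not available")
    if cfg.get("IsIPV6Enabled"):
        findings.append("IPv6 enabled: not supported")
    if cfg.get("HttpVersion") in ("http3", "http2and3"):
        findings.append("HTTP/3 requested: not available")
    if cfg.get("WebACLId"):
        findings.append("web ACL on distribution: attach WAF to the origin instead")
    for origin in cfg.get("Origins", {}).get("Items", []):
        domain = origin["DomainName"]
        if origin.get("OriginAccessControlId"):
            findings.append(f"{domain}: OAC not available, use OAI")
        if (".s3." in domain or ".s3-website." in domain) and not S3_ORIGIN.match(domain):
            findings.append(f"{domain}: S3 origin not in .amazonaws.com.cn format")
    return findings

# Constructed sample, not real account data.
SAMPLE = {
    "AliasICPRecordals": [{"CNAME": "cdn.example.cn", "ICPRecordalStatus": "PENDING"}],
    "DistributionConfig": {
        "Aliases": {"Quantity": 1, "Items": ["cdn.example.cn"]},
        "ViewerCertificate": {"IAMCertificateId": "EXAMPLE-CERT-ID", "SSLSupportMethod": "sni-only"},
        "IsIPV6Enabled": True,
        "HttpVersion": "http2",
        "WebACLId": "",
        "Origins": {"Quantity": 1, "Items": [
            {"Id": "s3", "DomainName": "example-bucket.s3.cn-north-1.amazonaws.com"}]},
    },
}
```

Calling lint_china_distribution(SAMPLE) reports the pending ICP recordal, the enabled IPv6 setting, and the S3 origin that lacks the .amazonaws.com.cn suffix.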

Guides and References

Amazon Web Services in China user guides are available in HTML and PDF, in both Chinese and English. API references are available in HTML and PDF. Some API references may be available only in English. Currently, not all API references are available in the Beijing and Ningxia Regions. Links to some API references will take you to the global Amazon Web Services site. Note that some features and functionality described in the guides and references may not be available in the current Amazon Web Services in China release.

General Information About Amazon Web Services in China

The following information applies to all Amazon Web Services that are available in the China Regions.

Amazon Web Services Accounts in the China Regions

To use services in the Beijing and Ningxia Regions, you need an account and credentials specific to each of those Regions.

  • Accounts and credentials for other Amazon Regions will not work for services operating in the Beijing and Ningxia Regions.

  • Accounts and credentials for the Beijing and Ningxia Regions will not work for other Amazon Regions.

  • For more information, see Signup, Accounts, and Credentials.

Domain for Amazon Web Services in China

The domain for Amazon Web Services in China is www.amazonaws.cn.

Endpoints & Amazon Resource Names (ARNs)

For information about endpoints and ARNs in Amazon Web Services in China, see Endpoints and ARNs for Amazon Web Services in China.

Availability Zones for the China Regions

  • In the Beijing Region, there are three Availability Zones.

  • In the Ningxia Region, there are three Availability Zones.

General Information for Amazon Web Services in China

The following applies to all Amazon Web Services that are available in the China Regions. For detailed information about specific Amazon Web Services, see the service-specific topic in this guide.

  • Amazon Identity and Access Management (IAM)

    • You can grant or deny a service access to resources using the Principal policy element.

    • Service principal values vary by Region.

  • EC2-Classic Platform

    • The EC2-Classic platform is not supported.

  • Free Usage Tier

    • The free usage tier is supported in the Ningxia Region.

    • The free usage tier is not supported in the Beijing Region.

Amazon Web Services Console

The console for Amazon Web Services in China is unique to China. The screenshots in the Amazon Web Services guides might differ from what you see on your console. For information about differences in service functionality, see the topics for each service in this guide.

Code Examples

The Amazon Web Services documentation might include endpoints and ARNs in code examples that are not specific to the Beijing and Ningxia Regions. When using examples, verify you are using the endpoints and ARNs for your Region.