
Amazon CloudFront in Amazon Web Services in China - Getting Started with Amazon Web Services in China
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon CloudFront in Amazon Web Services in China

Amazon CloudFront is a content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers, with low latency and high transfer speeds, in a developer-friendly environment. When a user requests content that you’re serving with CloudFront, the request is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance.

CloudFront China uses a network of four edge locations in the following cities: Beijing, Shanghai, Zhongwei, and Shenzhen.

Region availability

Amazon CloudFront is available in the following regions in China:

  • Beijing Region

  • Ningxia Region

How CloudFront differs

The following differences apply to Amazon CloudFront:

  • You can’t use the default CloudFront domain, *.cloudfront.cn, to serve content. You must add an alternate domain name, also known as a CNAME, to your CloudFront distributions, and then use that domain name in the URLs for your content. You also must have an ICP registration. In addition, just as with the global CloudFront service, to serve content over HTTPS, you must use an SSL/TLS certificate with your alternate domain name.

    Amazon CloudFront in the China Regions currently does not support Amazon Certificate Manager. You must get an SSL/TLS certificate from a different third-party certificate authority (CA) and then upload it to the IAM certificate store. For more information, see Importing an SSL/TLS Certificate in the Amazon CloudFront Developer Guide.

  • By using the CloudFront API, you can view the ICP recordal status for each CNAME in a CloudFront distribution: APPROVED, SUSPENDED, or PENDING. The ICP recordal status is also displayed in the console for Amazon Web Services in China customers. For more information, see CNAME Status (General Tab) in the Amazon CloudFront Developer Guide and AliasICPRecordal in the Amazon CloudFront API Reference.

  • Console workflows with preconfigured settings for standard distributions are not available.

  • Dedicated IP addresses are not available for custom SSL certificates.

  • IPv6 is not available.

  • Regional edge caches (RECs) are not available.

  • Lambda@Edge is not available. Some rules can be implemented on Application Load Balancer or API Gateway origin.

  • Amazon WAF, a web application firewall service, is not available for CloudFront. Amazon WAF can be used on the origin (Application Load Balancer or API Gateway). For rules that should act on the user IP, such as rate limits, configure Amazon WAF to get the IP from the X-Forwarded-For header sent by CloudFront.

  • If you need to restore ACL permissions for the awslogsdelivery account so that CloudFront can write access logs to your Amazon S3 bucket, you must provide the following canonical name for the account: a52cb28745c0c06e84ec548334e44bfa7fc2a85c54af20cd59e4969344b7af56

  • When you use an Amazon S3 bucket as a CloudFront origin, use the following configuration:

    • If the S3 bucket is located inside the China Regions, use one of the following formats.

      • If your S3 bucket is not a website endpoint, use the following format: bucket-name.s3.region.amazonaws.com.cn.

      • If your S3 bucket is a website endpoint, use the following format: bucket-name.s3-website.region.amazonaws.com.cn.

    • When you specify Amazon S3 origins, region can be one of the following:

      • For the Beijing Region: cn-north-1.

      • For the Ningxia Region: cn-northwest-1.

    • If the S3 bucket is located outside of the China Regions, use the following format when you add the bucket as a CloudFront origin: bucket-name.s3-website.region.amazonaws.com.cn. For more information and guidance, follow the recommendations in Using Amazon S3 Buckets Configured as Website Endpoints for Your Origin.

  • For Amazon Web Services in China customers, CloudFront does not have root keys and does not support root access.

  • Cache policies and origin request policies are not available. Legacy cache settings can be used instead.

  • Origin Shield is not available.

  • CloudFront Functions are not available.

  • Legacy clients that don’t support server name indication (SNI) are not available.

  • The Associate-alias and List-conflicting-aliases APIs are not available.

  • Real-time logs are not available.

  • Standard logging (v2) is not available. You can use standard logging (legacy) with an S3 bucket.

  • Anycast static IP lists are not available.

  • VPC origins are not available.

  • Media quality-aware resiliency (MQAR) is not available.

  • gRPC is not available.

  • Multi-tenant distributions and distribution tenants are not available.

  • Brotli compression is not available. Gzip compression can be used.

  • Origin access control (OAC) is not available. Origin Access Identity (OAI) can be used.

  • MediaStore is not available.

  • HTTP/3 is not available.

  • WebSocket is not available.

  • CloudFront managed prefix list is not available. CloudFront IP addresses can be allowlisted in Security Groups associated with resources inside Amazon VPC. For more details about China CloudFront IP addresses, contact Amazon Web Services Support.
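Several of the differences listed above correspond to fields in a distribution's configuration, so they can be checked before deployment. The following is an added example, not code from the Amazon Web Services documentation: it inspects a DistributionConfig-shaped dictionary and reports settings the list above says are unavailable. The function name, the messages, and the sample values are assumptions made for illustration.

```python
import re

# S3 origin formats from the list above; the region label is left unconstrained.
S3_ORIGIN = re.compile(r"^.+\.s3(-website)?\.[a-z0-9-]+\.amazonaws\.com\.cn$")


def china_findings(cfg):
    """Return settings in a DistributionConfig dict that the list above
    marks as unavailable or required in the China Regions."""
    out = []
    cert = cfg.get("ViewerCertificate", {})
    if not cfg.get("Aliases", {}).get("Quantity"):
        out.append("no alternate domain name (CNAME) configured")
    if cert.get("ACMCertificateArn"):
        out.append("certificate must come from the IAM certificate store")
    if cert.get("SSLSupportMethod", "sni-only") != "sni-only":
        out.append("only SNI is available for custom certificates")
    if cfg.get("IsIPV6Enabled"):
        out.append("IPv6 is not available")
    if cfg.get("WebACLId"):
        out.append("WAF cannot be attached to the distribution")
    if cfg.get("HttpVersion") in ("http3", "http2and3"):
        out.append("HTTP/3 is not available")
    if cfg.get("DefaultCacheBehavior", {}).get("CachePolicyId"):
        out.append("cache policies are not available; use legacy cache settings")
    for origin in cfg.get("Origins", {}).get("Items", []):
        name = origin.get("DomainName", "")
        if ".s3" in name and not S3_ORIGIN.match(name):
            out.append(f"S3 origin {name} is not in a supported format")
        if origin.get("OriginAccessControlId"):
            out.append(f"origin {name} uses OAC; use OAI instead")
    return out


# Constructed sample; every value is a placeholder.
SAMPLE = {
    "Aliases": {"Quantity": 1, "Items": ["cdn.example.cn"]},
    "ViewerCertificate": {"ACMCertificateArn": "arn:placeholder",
                          "SSLSupportMethod": "sni-only"},
    "IsIPV6Enabled": True,
    "HttpVersion": "http2",
    "WebACLId": "",
    "DefaultCacheBehavior": {},
    "Origins": {"Items": [
        {"DomainName": "assets.s3.cn-north-1.amazonaws.com.cn"},
        {"DomainName": "assets.s3.amazonaws.com"},
    ]},
}

if __name__ == "__main__":
    print("\n".join(china_findings(SAMPLE)))
```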
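The X-Forwarded-For guidance in the Amazon WAF item above also applies to an origin application that enforces its own per-client limits. The following is an added example, not code from the Amazon Web Services documentation: it derives the viewer address from the header and keys a rate limiter on it. It assumes each proxy appends the address it received the request from to the right end of the header. The ranges are constructed placeholders, and the function and class names are hypothetical.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed placeholder ranges (RFC 5737 / RFC 1918). Real CloudFront China
# edge ranges come from Amazon Web Services Support; the second range stands
# in for the load balancer subnets (assumption).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.0.0.0/16")]


def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def viewer_ip(xff_header, peer_ip):
    """Address to key per-client rules on, or None if it cannot be trusted."""
    try:
        if not _trusted(ipaddress.ip_address(peer_ip)):
            return None  # did not arrive via a trusted proxy: header is client-controlled
    except ValueError:
        return None
    # Proxies append on the right, so walk right to left and stop at the first
    # address that is not one of ours. Entries further left were supplied by
    # the client, may be forged, and are never parsed.
    for hop in reversed((xff_header or "").split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return None  # malformed entry inside the trusted part of the chain
        if not _trusted(addr):
            return str(addr)
    return None


class RateLimiter:
    """Sliding-window limiter keyed on the derived viewer address."""

    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop hits that have left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True
```

Callers should treat a `None` result as a request to reject or to limit under a shared key, never as exempt from limiting.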

Documentation