TIL that CloudFront VPC origins and Websockets are broken
Update (2025-06)
According to an update to the AWS docs, WebSockets are not supported for VPC origins.
As of Mar 2025, CloudFront's new VPC origins do not work with the WebSockets protocol.
Although AWS claims that CloudFront natively supports WebSockets, trying to establish a WebSocket connection with an internal ALB via a VPC Origin causes a WebSockets connection error with a 502 status code.
```text
# the architecture in question
CloudFront --via VPC origin--> internal ALB -> App
```
Taking a look at the CloudFront logs, we see an unexpected message:
```json
{
  "x-edge-detailed-result-type": "OriginDnsError"
}
```
Wait... what, a DNS error? That can't be right... right? Well, it turns out that this issue has already been reported.
# Are you sure?
To eliminate potential issues with the application, I also tested other setups. These are working as expected:
```text
# direct connection
Public ALB -> App

# with ALB target type in the NLB target groups
Public NLB -> internal ALB -> App

# with exact same caching and behaviour configuration as the above VPC origin
CloudFront --via custom origin--> public ALB -> App
```
# Why is this happening?
I have no idea, as I don't have any understanding of how VPC origins work with the WebSockets protocol.
# The workaround
The workaround is to switch back to a custom origin and a public-facing ALB:
```text
CloudFront --via custom origin--> public ALB -> App
```
To secure the public ALB, AWS also recommends restricting its security group ingress to the AWS-managed CloudFront origin-facing prefix list, so that only CloudFront edge addresses can reach the load balancer directly.
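As an added example (not from the original post), this Terraform fragment builds the workaround's public ALB security group with ingress limited to the AWS-managed CloudFront origin-facing prefix list; the `vpc_id` variable and the HTTPS-only listener port are assumptions.

```hcl
# Added example: security group for the public ALB in the workaround
# architecture, allowing inbound traffic only from CloudFront's
# origin-facing IP ranges. The VPC id and listener port are assumptions.

variable "vpc_id" {
  description = "VPC in which the public ALB lives (assumed input)"
  type        = string
}

# AWS-managed prefix list containing the CloudFront origin-facing ranges.
data "aws_ec2_managed_prefix_list" "cloudfront_origin_facing" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

resource "aws_security_group" "public_alb" {
  name        = "public-alb-cloudfront-only"
  description = "Allow inbound HTTPS only from CloudFront origin-facing addresses"
  vpc_id      = var.vpc_id

  # Reference the managed prefix list instead of hard-coding CIDRs, so the
  # rule follows AWS's published CloudFront ranges automatically.
  ingress {
    description     = "HTTPS from CloudFront"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    prefix_list_ids = [data.aws_ec2_managed_prefix_list.cloudfront_origin_facing.id]
  }

  # Outbound traffic to the application targets is left open here;
  # tighten to the target subnets/ports in a real deployment.
  egress {
    description = "All outbound"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Note that the prefix list only proves traffic came from CloudFront, not from your distribution; AWS's usual complement is a secret custom origin header that the ALB listener rule (or a WAF rule) checks before forwarding.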