- Relies on the SNI extension of the TLS protocol, which allows multiple domains to serve SSL traffic over the same IP address.
- Offers the same level of security when using Dedicated IP Custom SSL.
- If you configure CloudFront to serve HTTPS requests using SNI, CloudFront associates your alternate domain name with an IP address for each edge location. The IP address to your domain name is determined during the SSL/TLS handshake negotiation, and isn’t dedicated to your distribution.
- Some older browsers do not support SNI and will not be able to establish a connection with CloudFront to load the HTTPS version of your content.
- You can use SNI Custom SSL with no upfront or monthly fees for certificate management.
- Mainly useful for browsers that do not support SNI.
- For this feature, the Amazon content delivery network allocates dedicated IP addresses to serve your SSL content at each Edge location.
- You will need to upload a SSL certificate and associate it with your CloudFront distributions.
- You can associate more than two custom SSL certificate with your AWS Account by submitting a CloudFront Limit Increase Form.
- This method works for every HTTPS request, regardless of the browser or other viewer that the user is using.
- Because of the added cost associated with dedicating IP addresses per SSL certificate, AWS charges a fixed monthly fee of $600 for each custom SSL certificate you associate with your content delivery network distributions, pro-rated by the hour.
- You can switch to using a custom SSL/TLS certificate with SNI instead and eliminate the charge that is associated with dedicated IP addresses.