Using cross-account CloudFront VPC origins for multi-account private API Gateway architecture

Networking & Content Delivery Blog



This article explains how to use CloudFront's new cross-account VPC origins feature to build multi-account private API Gateway architectures with team-specific subdomains.

  • CloudFront now supports VPC origins in separate AWS accounts from distributions
  • Teams maintain autonomous private APIs while sharing centralized CloudFront distribution
  • Team-specific subdomains (team-a.example.com, team-b.example.com) enable isolated routing
  • AWS Resource Access Manager (RAM) shares the VPC origin across accounts without weakening account isolation
  • Single CloudFront distribution reduces costs versus separate per-team distributions
  • Architecture requires three accounts: two team accounts and one networking account
  • Implementation includes VPC setup, private API Gateway, ALB, and path-based CloudFront behaviors
  • Validating the Host header at the origin routes each request to the correct team API without needing Lambda@Edge

This pattern enables organizations to balance team autonomy, security isolation, and operational efficiency in multi-account AWS environments.




Related articles

  • Nov 6, 2025: Amazon CloudFront announces cross-account support for VPC origins
  • Nov 5, 2025: Introducing cross-account support for Amazon CloudFront Virtual Private Cloud (VPC) origins
  • Mar 20, 2026: Migrate Amazon CloudFront public origins to private VPC origins
  • Sep 9, 2025: Accessing private Amazon API Gateway endpoints through custom Amazon CloudFront distribution using VPC Origins
