1. Introduction
A multi-tenant distribution feature was added to Amazon CloudFront on April 28th, 2025.
Announcing SaaS Manager for Amazon CloudFront
A multi-tenant distribution acts as a template-like configuration. Distribution tenants are associated with the multi-tenant distribution and represent the origin paths and domain names specific to each tenant.
For more details, please refer to the AWS documentation below.
Understand how multi-tenant distributions work
2. How to Set Up
First, create a multi-tenant distribution. On the distribution creation page, you will see the [Distribution options] section. Select the [Multi-tenant architecture] option.
Enter a name for the multi-tenant distribution. If you already have a shared certificate to be used across all associated distribution tenants, please select it. For the purpose of this post, we will skip this step.
Next, select the origin. In this example, we’ll choose [Amazon S3]. The settings can be left as default.
On the next page, you will be asked whether you want to enable AWS WAF. This is an optional feature. Please enable it if you plan to use AWS WAF.
Once the multi-tenant distribution has been created, the next step is to create a distribution tenant. Click the [Create tenant] button.
Enter a name for the distribution tenant, and select the multi-tenant distribution you just created from the dropdown menu.
If you want to configure a certificate for the distribution tenant, select one from the dropdown menu. Then, enter the domain. You may see a message indicating that the certificate is unavailable or that domain ownership has not been verified. We will address these later, so proceed to the next step to complete the configuration. We will also leave the remaining settings as default.
Once the distribution tenant has been created, you will see a message prompting you to complete the domain settings. The CloudFront endpoint is listed under [Endpoint], so configure your domain to route traffic to this endpoint.
After completing the domain configuration, the status will change from [Pending certificate request] to [Success]. Once the status has changed, click the [Apply certificate] button. When [Domain Ownership] changes from [Pending certificate validation] to [Verified through tenant certificate], the endpoint will be accessible from your domain.
The multi-tenant distribution acts as a template for basic configuration. When you add another distribution tenant, most of the same settings will be applied automatically. For example, standard log (access log) settings are configured at the multi-tenant distribution level, so the access logs of all associated distribution tenants are output to the same file and path.
In addition, multi-tenant distributions include a grouping mechanism for associating endpoint configurations, called connection groups. Connection groups handle routing configurations, so settings related to IPv6 and Anycast IP are managed here. All distribution tenants associated with the same connection group will share the same configuration.
Please note that the [Connection group] page is not available by default. To enable it, go to the [Settings] page in the CloudFront console and turn on the [Connection group] toggle. The menu item will then become visible.
In existing distributions (standard distributions), all settings are contained within a single distribution. If you're used to that structure, it may initially be confusing to understand where each setting is configured in the multi-tenant model.
3. Using AWS WAF
You can choose whether to attach AWS WAF to the multi-tenant distribution or to a distribution tenant.
You cannot attach multiple web ACLs to a single distribution tenant, so you must choose whether to inherit the settings from the multi-tenant distribution or override them with distribution tenant-specific settings.
AWS WAF Setting on Multi-Tenant Distribution | AWS WAF Setting on Distribution Tenant | Effective AWS WAF Setting |
---|---|---|
Enabled | Not enabled | AWS WAF setting from multi-tenant distribution (inherited) |
Enabled | Enabled | AWS WAF setting from distribution tenant (overridden) |
Not enabled | Enabled | AWS WAF setting from distribution tenant |
Not enabled | Not enabled | AWS WAF not used |
A single web ACL can be attached to multiple distribution tenants. For example, if you have distribution tenants A, B, and C, you can attach web ACL 1 to tenants A and B, and attach web ACL 2 to tenant C.
In addition, if AWS WAF is enabled on the multi-tenant distribution, it will be automatically enabled for all associated distribution tenants due to configuration inheritance. If you want to enable AWS WAF only for specific distribution tenants, do not enable it at the multi-tenant distribution level. Instead, enable AWS WAF individually for each applicable distribution tenant.
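The inheritance rules in the table above can be checked across a whole inventory. The following is an added example, not code from AWS or WafCharm: it resolves the effective web ACL for each distribution tenant and lists tenants that end up with no AWS WAF. The inventory layout, field names and ACL names are constructed for illustration and are not the CloudFront API's response format.

```python
from collections import defaultdict


def effective_web_acl(dist_acl, tenant_acl):
    """Return (web_acl, source) following the inheritance table above."""
    if tenant_acl:
        # A tenant-level web ACL always wins; it is an override only if the
        # multi-tenant distribution also has one.
        return tenant_acl, ("overridden" if dist_acl else "tenant")
    if dist_acl:
        return dist_acl, "inherited"
    return None, "none"


def audit(distributions, tenants):
    """Resolve every tenant and collect the ones served without AWS WAF."""
    resolved, unprotected = {}, []
    by_acl = defaultdict(list)
    for tenant in tenants:
        dist_acl = distributions[tenant["distribution"]].get("web_acl")
        acl, source = effective_web_acl(dist_acl, tenant.get("web_acl"))
        resolved[tenant["name"]] = (acl, source)
        if acl is None:
            unprotected.append(tenant["name"])
        else:
            by_acl[acl].append(tenant["name"])
    return resolved, sorted(unprotected), dict(by_acl)


# Constructed inventory (hypothetical names), one row per case in the table.
DISTRIBUTIONS = {
    "mt-with-waf": {"web_acl": "web-acl-1"},
    "mt-no-waf": {"web_acl": None},
}
TENANTS = [
    {"name": "tenant-a", "distribution": "mt-with-waf", "web_acl": None},
    {"name": "tenant-b", "distribution": "mt-with-waf", "web_acl": "web-acl-2"},
    {"name": "tenant-c", "distribution": "mt-no-waf", "web_acl": "web-acl-2"},
    {"name": "tenant-d", "distribution": "mt-no-waf", "web_acl": None},
]

if __name__ == "__main__":
    resolved, unprotected, by_acl = audit(DISTRIBUTIONS, TENANTS)
    for name, (acl, source) in resolved.items():
        print(f"{name}: {acl} ({source})")
    print("No AWS WAF:", unprotected)
```
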
4. Using WafCharm
In WafCharm, the Advanced rule policy can be used with multi-tenant distributions. For more information about the Advanced rule policy, please refer to the help page below.
Differences between Advanced rule policy and Legacy rule policy
5. Conclusion
Multi-tenant distributions are beneficial because they allow you to manage configurations in one place that were previously maintained individually in standard distributions. In SaaS products, available features may vary depending on the plan. In such cases, you can keep the basic configurations the same while using different connection groups to route to different endpoints.
However, if you want to view access logs for a specific distribution tenant, you will need to check the actual log file, since access logs from all associated distribution tenants are output to the same destination.
The differences in configuration may also be confusing if you're already familiar with the setup used in standard distributions.
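Because all distribution tenants write to the same standard log, per-tenant review means filtering the shared file. The following is an added example, not part of the original post: it parses a standard log using its `#Fields:` header and groups requests by the `x-host-header` field, assuming each tenant's domain appears there. The domain-to-tenant map and the sample log (with a reduced field set) are constructed.

```python
from collections import Counter, defaultdict


def parse_standard_log(text):
    """Yield one dict per request, keyed by the names on the '#Fields:' line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))


def split_by_tenant(text, domain_to_tenant):
    """Group records by tenant; hosts not in the map land in 'UNMAPPED'."""
    per_tenant = defaultdict(list)
    for rec in parse_standard_log(text):
        host = rec.get("x-host-header", "-").lower()
        per_tenant[domain_to_tenant.get(host, "UNMAPPED")].append(rec)
    return dict(per_tenant)


def status_summary(per_tenant):
    """Count HTTP status codes per tenant."""
    return {t: Counter(r["sc-status"] for r in recs)
            for t, recs in per_tenant.items()}


# Constructed mapping and log lines (documentation IP ranges, example domains).
DOMAINS = {"app.tenant-a.example": "tenant-a", "app.tenant-b.example": "tenant-b"}
ROWS = [
    ("2025-05-01", "10:00:00", "198.51.100.7", "GET", "/index.html", "200", "app.tenant-a.example"),
    ("2025-05-01", "10:00:02", "203.0.113.9", "POST", "/login", "403", "app.tenant-b.example"),
    ("2025-05-01", "10:00:03", "203.0.113.9", "POST", "/login", "403", "app.tenant-b.example"),
    ("2025-05-01", "10:00:05", "192.0.2.44", "GET", "/", "403", "unknown.example"),
]
SAMPLE_LOG = (
    "#Version: 1.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status x-host-header\n"
    + "\n".join("\t".join(row) for row in ROWS) + "\n"
)

if __name__ == "__main__":
    summary = status_summary(split_by_tenant(SAMPLE_LOG, DOMAINS))
    for tenant, counts in summary.items():
        print(tenant, dict(counts))
```

Requests that fall into `UNMAPPED` carry a Host value that matches no known tenant domain and are worth reviewing separately.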