Networking & Content Delivery
Scale your SaaS application at the edge with the new Amazon CloudFront SaaS Manager
From startups to enterprises, thousands of software as a service (SaaS) solutions harness the power of Amazon CloudFront to secure, scale, and accelerate their applications globally. Building on over 16 years of innovation, we are introducing Amazon CloudFront SaaS Manager, a long-awaited capability for CloudFront customers.
CloudFront SaaS Manager revolutionizes how platform providers manage multi-domain content delivery networks (CDN) on CloudFront. Organizations can now scale their web applications across millions of subdomains and vanity domains without hitting infrastructure ceilings or compromising security. Through improved integration with adjacent Amazon Web Services (AWS) services, CloudFront delivers automated certificate management, unified security controls, and streamlined configuration management—all within the trusted AWS ecosystem. This solution dramatically reduces operational complexity while ensuring high-performance content delivery and enterprise-grade security for every customer domain.
CloudFront SaaS Manager introduces a new type of distribution called a Multi-Tenant Distribution. This enables you to secure, deliver, and accelerate content across multiple tenants while sharing configuration and infrastructure. It streamlines multi-tenancy by enabling the sharing of configuration, while maintaining flexibility with granular tenant-specific configurations.
In this post, we explore the new CloudFront SaaS Manager, demonstrating how to implement and use this capability to deliver high-performance and enterprise-grade security for your customer domains. We delve into key use cases where this capability is beneficial and walk through step-by-step instructions for implementation and best practices.
Determining when to use CloudFront SaaS Manager
Before we dive into details, we can observe some common scenarios where CloudFront SaaS Manager is suitable:
- SaaS providers with custom domains: Enable your SaaS customers to use their own branded domains. You can provide white-labeled experiences that maintain their brand identity, while using the CloudFront global infrastructure. This approach is widely used by leading Platform as a Service (PaaS) providers, allowing their users to deliver seamless, branded experiences to customers while benefiting from enhanced security and faster performance.
- SSL/TLS security management at scale: Simplify certificate lifecycle management by automatically handling the entire SSL lifecycle for customer domains, such as issuance, validation, renewal, and re-issuance, across all your customer domains.
- Tiered acceleration and security with centralized operations: Implement tailored security and acceleration capabilities across your customer segments. This streamlines operations by managing shared configurations from a single template distribution. It allows you to offer varied levels of DDoS protection, WAF rules, and performance optimizations based on your SaaS tenant tiers, while reducing operational overhead and ensuring a consistent baseline.
- Dynamic content delivery: Enable tenant-specific content delivery rules while maintaining shared origin configurations, optimizing performance and costs across your customer base with granular control.
If your application doesn’t need multi-tenancy capabilities, then the CloudFront Standard Distribution continues to provide the same powerful features and performance on which you rely.
New capabilities in CloudFront SaaS Manager
CloudFront SaaS Manager allows you to create the following resources:
- Multi-tenant distribution: Create a template that defines shared settings for origins, cache behaviors, and security across multiple domains. When you operate in tenant-only mode, you can’t serve traffic directly, but you can provide parameters that enable tenant-specific customizations while maintaining consistent baseline configurations. You create parameters for Origin Domain Names and Unique Origin Paths. This approach helps you ensure standardization while giving you flexibility for individual tenant needs.
- Distribution tenant: Create a tenant-specific implementation that inherits configuration from the Multi-Tenant Distribution. Assign at least one domain name with valid TLS certificate coverage to each tenant. You can customize each tenant with unique origin paths, further domain names, Web ACL overrides, and custom TLS certificates.
Example scenario with an e-commerce SaaS platform
As an example, imagine Example Corp, an e-commerce SaaS platform that enables online store creation and management. As Example Corp, you have defined three pricing tiers: Basic, Premium, and Enterprise. These three tiers span across over 1,000,000 active customers.
You provide each customer with a dedicated <anycompany>.example.com subdomain and a shared Amazon Simple Storage Service (Amazon S3) bucket for their assets. When customers upgrade to your Premium or Enterprise tier, you allow them to use custom vanity domains, while providing them with advanced security protections, improved content acceleration, and a dedicated S3 bucket for their assets.
To achieve this, you create one Multi-Tenant Distribution for each tier, as shown in the following figure:
- Basic tier: You include a wildcard certificate for *.example.com, implement basic caching rules, and protect it with AWS Web Application Firewall (AWS WAF). You provide each Basic tier customer with their own distribution tenant, but you do not allow for customization at the tenant level.
- Premium tier: You build upon the Basic tier by adding Origin Shield to improve performance. You allow Premium tier customers to customize their distribution tenant with certificates for vanity domains (such as <anycompany>.com).
- Enterprise tier: You include all Premium tier features plus AWS WAF Bot Control capabilities in the WebACL for more protection. Like the Premium tier, you allow Enterprise tier customers to also use custom certificates for their vanity domains. For specific customers, you provide customization of security settings by associating different WebACLs with the distribution tenants of those customers.
Figure 1: High-level illustration of example scenario with CloudFront SaaS Manager
These examples serve only as illustrations. In practice, you can apply these tiers to different customer segments, operational regions, or whatever makes the most sense for your SaaS organization. Beyond Amazon S3, CloudFront supports a wide range of origins including VPC Origins, Elastic Load Balancer and Amazon API Gateway.
Create multi-tenant distribution with CloudFront in just a few clicks
In this section, we walk through the steps to create the multi-tenant distributions (and S3 buckets) defined previously.
Prerequisites
- Ensure you have an AWS account with appropriate Identity and Access Management (IAM) permissions to create and manage AWS resources, including S3 buckets, CloudFront distributions, WAFs, and Route 53 DNS records.
- Obtain or create the necessary SSL/TLS certificates in AWS Certificate Manager for your domains.
- Decide on your naming conventions for S3 buckets and domains.
Basic tier: creating a multi-tenant distribution with a single (pooled) distribution tenant and subdomain per tenant
1. Create an S3 bucket (pooled bucket) to store assets for all Basic tier tenants.
2. In the CloudFront console, click Create Distribution.
3. Select the Multi-tenant architecture option.
- Enter a name for the distribution.
- Configure the distribution with the wildcard certificate (e.g. *.example.com).
- For the origin, select the shared S3 bucket created in Step 1.
- Configure the cache and origin settings using AWS recommended defaults.
- Enable security protections by creating a Web Application Firewall (WAF) for this distribution.
- Review all settings and click Create Distribution.
That concludes the creation of the multi-tenant distribution. Now, you create a distribution tenant.
4. In the CloudFront Distribution Tenants console, click Create tenant or Create distribution tenant.
- In the Custom TLS certificate field, retain the default wildcard certificate (e.g. *.example.com).
- In the Domain field, enter *.example.com to enable the distribution to serve all Basic tier tenants under this domain.
- Review and create the distribution tenant.
A pooled distribution tenant will now be created for Basic tier tenants. For each new Basic tier tenant you onboard:
- Create a DNS record (e.g. tenant1.example.com) that points to the CloudFront distribution’s endpoint.
- (optional) Repeat for additional Basic tier tenants.
Premium tier: creating a parameterized multi-tenant distribution with Origin Shield for improved performance and support for vanity domain per tenant
1. In the CloudFront console, click Create Distribution.
2. Select the Multi-tenant architecture option.
- Enter a name for the distribution.
- Select Amazon S3 as the origin.
- Add a customer-name parameter using the Insert parameter feature.
- For the S3 origin, use a parameterized bucket name (e.g. amzn-s3-demo-bucket-{{customer-name}}.s3.us-east-1.amazonaws.com).
3. Enable Origin Shield and select the region closest to your CloudFront origin to improve performance for Premium tier tenants.
- Configure the cache, origin, and security settings as recommended.
- Review all settings and click Create Distribution.
4. For each new Premium tier tenant you onboard:
- Create a dedicated S3 bucket named according to your parameterized origin (e.g. amzn-s3-demo-bucket-example-org).
- Create a distribution tenant referencing the multi-tenant distribution.
- Assign a custom SSL certificate (validated by the tenant) via AWS Certificate Manager.
- Set the tenant’s preferred vanity domain (e.g. assets.example.org). Note: assets.example.org is illustrative only. In practice, you can use an apex domain as a vanity domain for your tenant (e.g. <anycompany>.com).
- Set the customer-name parameter to match the tenant’s identifier (e.g. example-org).
- Review and create the new distribution tenant.
- (optional) Repeat for additional tenants.
Enterprise tier: creating a multi-tenant distribution with Origin Shield for improved performance, support for vanity domain per tenant and WAF Bot Control for additional security
1. In the CloudFront console, create a new multi-tenant distribution with settings similar to the Premium tier.
2. After the distribution is created, navigate to the Security tab, Sampled bot requests for the specified time range section, and click Manage Bot Protection.
3. Review information and select the Enable Bot Control for common bots checkbox.
4. (optional) For advanced bot protection, navigate to the associated WAF WebACL and add Bot Control rule groups.
5. For each new Enterprise tier tenant you onboard:
- Create a dedicated S3 bucket for the tenant’s assets.
- Create a distribution tenant referencing the multi-tenant distribution.
- Assign a custom SSL certificate (validated by the tenant) via AWS Certificate Manager.
- Set the tenant’s vanity domain (e.g. <anycompany>.com).
- (optional) Override the default WAF with a new tenant-specific WAF.
- (optional) Navigate to the new tenant-specific WAF and customize it according to the tenant’s requirements.
- Review and create the new distribution tenant.
- (optional) Repeat for additional Enterprise tier tenants.
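Before creating a distribution tenant in any of the three tiers above, it is worth checking that each tenant domain is actually covered by the certificate the tenant will use, and that substituting the customer-name parameter into the parameterized origin yields a valid bucket host. The following Python pre-flight check is an added example, not code from this post or from AWS; the tenant dictionary layout, the function names and the allow-list patterns are assumptions of the example, while the origin template and domains are the ones used in this post.

```python
"""Pre-flight checks for onboarding a distribution tenant (constructed example)."""
import re

# {{name}} placeholders as used in the parameterized origin domain name.
PARAM_RE = re.compile(r"\{\{\s*([A-Za-z0-9_-]+)\s*\}\}")
# Tenant-supplied parameter values are restricted to a bucket-label alphabet,
# so an identifier cannot alter the origin host beyond the intended label.
PARAM_VALUE_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")
# Simplified S3 bucket naming rules: 3-63 chars, lowercase, dots and hyphens.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def cert_covers(domain, cert_names):
    """True if cert_names covers `domain` under TLS wildcard rules:
    '*.example.com' matches exactly one extra label, never the apex."""
    domain = domain.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == domain:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            head = domain[: -len(suffix)] if domain.endswith(suffix) else ""
            if head and "." not in head:
                return True
    return False


def render_origin(template, params):
    """Substitute {{name}} placeholders with validated tenant parameter values."""
    def sub(match):
        key = match.group(1)
        if key not in params:
            raise ValueError(f"missing parameter: {key}")
        if not PARAM_VALUE_RE.match(params[key]):
            raise ValueError(f"unsafe value for parameter {key}: {params[key]!r}")
        return params[key]
    return PARAM_RE.sub(sub, template)


def preflight(tenant, origin_template, default_cert_names):
    """Return a list of problems; an empty list means the tenant can be created."""
    problems = []
    cert_names = tenant.get("cert_names", default_cert_names)
    for domain in tenant["domains"]:
        if not cert_covers(domain, cert_names):
            problems.append(f"{domain}: not covered by the tenant certificate")
    try:
        origin = render_origin(origin_template, tenant.get("parameters", {}))
    except ValueError as exc:
        return problems + [str(exc)]
    bucket = origin.split(".s3.", 1)[0]
    if not BUCKET_RE.match(bucket) or ".." in bucket:
        problems.append(f"{bucket}: not a valid S3 bucket name")
    return problems


# Constructed sample: the Premium tier origin template from this post.
PREMIUM_ORIGIN = "amzn-s3-demo-bucket-{{customer-name}}.s3.us-east-1.amazonaws.com"
```

A Basic tier pooled tenant passes because its domain *.example.com equals the wildcard certificate name, while an apex vanity domain such as anycompany.com needs its own certificate entry rather than a wildcard.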
Cleanup
If you no longer need the AWS resources, be sure to delete any unnecessary S3 buckets, CloudFront distributions, WAFs, and Route 53 DNS records to prevent incurring unnecessary charges.
Advanced use cases with CloudFront Functions
If your application needs to support advanced scenarios (such as data-driven tenant routing), you can use CloudFront Functions to dynamically route requests based on headers, cookies, or JWT tokens, all with sub-millisecond latency at the edge. With CloudFront SaaS Manager, you can now use helper methods to retrieve tenant-specific parameter values directly from your multi-tenant distribution within CloudFront Functions. This capability, in addition to CloudFront KeyValueStore, provides you with flexibility for managing multi-tenant use cases at the edge.
Customer Testimonials
The new CloudFront SaaS Manager capabilities have sparked considerable interest across AWS customers and partners. We gathered initial reactions from organizations who have previewed and evaluated this capability, highlighting its impact on security, operational efficiency, and scalability.
Salesforce is a SaaS solution and global strategic partner serving over 150,000 organizations through its #1 CRM and business applications:
“The new CloudFront SaaS Manager drastically reduces our cost to serve while helping us manage our CDN operations more effectively. The new platform is designed to reduce our complexity and risk while improving our observability as we manage billions of content assets for hundreds of thousands of customers each day. We’ve already relied on the performance and resilience of CloudFront for many of our most demanding client workloads. These new features allow us to scale that performance and reliability across our entire enterprise.”
Andy Sandefer, Sr. Director, Software Engineering at Salesforce
SmugMug is an online platform that allows photographers to easily showcase, customize, and sell their photos through beautiful, flexible galleries:
“At SmugMug, we’ve spent over two decades empowering photographers to turn their passion into profit, delivering billions of photos for millions of customers worldwide. We’re always there for our customers, but don’t need to be in their URLs—our customers can choose to bring their own domain. CloudFront SaaS Manager will thrill our customers by providing Cloudfront’s lightning-fast global delivery, intelligent caching, and an extra level of security for their custom domains.”
Andrew Shieh, Principal Engineer, SmugMug
Booking.com is a leading SaaS travel platform connecting millions of travelers with memorable experiences daily:
“The new Amazon CloudFront SaaS Manager feature represents a transformative advancement in how Booking.com manages our Edge/CDN infrastructure. We anticipate significant operational improvements in two key areas: consolidating our CloudFront distributions to a more manageable scale, and enabling a frictionless migration path for our affiliate traffic to CloudFront. The integration between CloudFront and AWS Certificate Manager for automated TLS certificate management is particularly valuable, as it accelerates the partner onboarding process and makes it more efficient.”
Global Traffic Distribution team at Booking.com
AllCloud is an AWS SaaS Competency partner and AWS Global SaaS Consulting Partner of the Year for 2024 providing cloud expertise for business transformation:
“CloudFront SaaS Manager will revolutionize how we help clients build and scale their SaaS applications by enabling multi-tenant architectures that can manage millions of customer domains through a single template distribution. I’m looking forward to sharing this upcoming capability with our solutions architects and engineering teams, as it will transform our approach to designing SaaS architectures for our customers.”
Blake Green, Sr. Manager of Cloud Engineering at AllCloud
Design.com, is an online creative marketplace serving a global audience of start-ups, businesses and entrepreneurs:
“As a rapidly scaling design marketplace hosting thousands of customer websites, managing an ever-growing number of Amazon CloudFront distributions across our infrastructure was becoming unsustainable. CloudFront SaaS Manager has transformed our approach, allowing our infrastructure team to maintain enterprise-grade security and performance while significantly reducing engineering overhead. This enables Design.com to focus on building features that allow our customers to reach a global audience, rather than managing thousands of infrastructure components.”
Paul McManus, Chief Technology Officer at Design.com
These testimonials highlight the growing excitement for CloudFront SaaS Manager. As organizations of all sizes—from innovative startups to global enterprises and AWS partners—begin to implement this feature, we anticipate significant improvements in security, scalability, and performance across the SaaS ecosystem.
Conclusion
In this post, you learned about Amazon CloudFront SaaS Manager, a powerful new capability that optimizes your multi-tenant architectures through shared configuration of CloudFront distributions. You explored how to implement this feature, such as creating a Multi-Tenant Distribution, managing tenant-specific customizations using Distribution Tenants, and implementing tiers of security and acceleration configuration. CloudFront SaaS Manager opens new possibilities for how you approach your SaaS architecture and operations, enabling you to better align infrastructure efficiency with your scalability needs.
We encourage you to explore this capability and start optimizing your SaaS architecture today. As outlined in the post, you can configure and implement CloudFront SaaS Manager in your environment in just a few steps!
To learn more, visit CloudFront SaaS Manager and read our Documentation.
To learn about SaaS on AWS, visit AWS SaaS Resources.