Amazon CloudFront SaaS Manager正式发布，旨在帮助SaaS提供商、Web开发平台提供商以及拥有多个品牌和网站的公司，更高效地管理跨多个域名的内容分发。该服务利用CloudFront在全球的边缘节点、AWS WAF和AWS Certificate Manager，通过简单的API和可重用的配置，显著降低了管理大量租户网站的复杂性。CloudFront SaaS Manager采用多租户分发模型，允许单个CloudFront分发为多个租户提供内容服务，并使用模板分发定义跨域名的基础配置，从而为每个客户域名提供高性能的内容交付和企业级安全保障。

🌐CloudFront SaaS Manager旨在解决SaaS提供商和Web开发平台在管理大量租户网站时面临的挑战，包括TLS证书管理、DDoS保护和性能监控等。

⚙️CloudFront SaaS Manager采用多租户分发模型，通过模板分发来定义跨域名的基础配置，如源配置、缓存行为和安全设置，从而简化了多域名管理。

🛡️用户可以根据不同的客户定价层级（如Bronze、Silver和Gold）创建多租户分发模板，并为每个租户分配自定义参数值，例如源域名和源路径，以及定制安全配置。

🔄通过CloudFront SaaS Manager，用户可以轻松地将客户从一个定价层级升级到另一个定价层级，或者在不再需要时安全地停用与非活动客户账户关联的域名。

<section class="blog-post-content lb-rtxt"><table id="amazon-polly-audio-table"><tbody><tr><td id="amazon-polly-audio-tab"><p></p></td></tr></tbody></table><p>Today, I’m happy to announce the general availability of <a href="https://aws.amazon.com/cloudfront/&quot;&gt;Amazon CloudFront</a> SaaS Manager, a new feature that helps <a href="https://aws.amazon.com/what-is/saas/&quot;&gt;software-as-a-service (SaaS)</a> providers, web development platform providers, and companies with multiple brands and websites efficiently manage delivery across multiple domains. Customers already use CloudFront to securely deliver content with low latency and high transfer speeds. CloudFront SaaS Manager addresses a critical challenge these organizations face: managing tenant websites at scale, each requiring TLS certificates, distributed denial-of-service (DDoS) protection, and performance monitoring.</p><p>With CloudFront Saas Manager, web development platform providers and enterprise SaaS providers who manage a large number of domains will use simple APIs and reusable configurations that use CloudFront edge locations worldwide, <a href="https://aws.amazon.com/waf/&quot;&gt;AWS WAF</a>, and <a href="https://aws.amazon.com/certificate-manager/&quot;&gt;AWS Certificate Manager</a>. CloudFront SaaS Manager can dramatically reduce operational complexity while providing high-performance content delivery and enterprise-grade security for every customer domain.</p><p><strong class="c4">How it works</strong><br />In CloudFront, you can use <a href="https://aws.amazon.com/developer/application-security-performance/articles/saas/&quot;&gt;multi-tenant SaaS deployments</a>, a strategy where a single CloudFront distribution serves content for multiple distinct tenants (users or organizations). CloudFront SaaS Manager uses a new template-based distribution model called a multi-tenant distribution to serve content across multiple domains while sharing configuration and infrastructure. However, if supporting single websites or application, a standard distribution would be better or recommended.</p><p>A template distribution defines the base configuration that will be used across domains such as origin configurations, cache behaviors, and security settings. Each template distribution has a distribution tenant to represent domain-specific origin paths or origin domain names including web access control list (ACL) overrides and custom TLS certificates.</p><p><img class="aligncenter wp-image-95601 size-full c5" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/04/27/2025-cloudfront-saas-manager-template-model.jpg&quot; alt="" width="1305" height="744" /></p><p>Optionally, multiple distribution tenants can use the same connection group that provides the CloudFront routing endpoint that serves content to viewers. <a href="https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/ResourceRecordTypes.html&quot;&gt;DNS&lt;/a&gt; records point to the CloudFront endpoint of the connection group using a <a href="https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/ResourceRecordTypes.html#CNAMEFormat&quot;&gt;Canonical Name Record (CNAME)</a>.</p><p>To learn more, visit <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-config-options.html&quot;&gt;Understand how multi-tenant distributions work</a> in the Amazon CloudFront Developer Guide.</p><p><strong class="c4">CloudFront SaaS Manager in action</strong><br />I’d like to give you an example to help you understand the capabilities of CloudFront SaaS Manager. You have a company called MyStore, a popular e-commerce platform that helps your customer easily set up and manage an online store. MyStore’s tenants already enjoy outstanding customer service, security, reliability, and ease-of-use with little setup required to get a store up and running, resulting in 99.95 percent uptime for the last 12 months.</p><p>Customers of MyStore are unevenly distributed across three different pricing tiers: Bronze, Silver, and Gold, and each customer is assigned a persistent <code>mystore.app</code> subdomain. You can apply these tiers to different customer segments, customized settings, and operational Regions. For example, you can add AWS WAF service in the Gold tier as an advanced feature. In this example, MyStore has decided not to maintain their own web servers to handle TLS connections and security for a growing number of applications hosted on their platform. They are evaluating CloudFront to see if that will help them reduce operational overhead.</p><p>Let’s find how as MyStore you configure your customer’s websites distributed in multiple tiers with the CloudFront SaaS Manager. To get started, you can create a multi-tenant distribution that acts as a template corresponding to each of the three pricing tiers the MyStore offers: Bronze, Sliver, and Gold shown in <strong>Multi-tenant distribution</strong> under the <strong>SaaS</strong> menu on the <a href="https://console.aws.amazon.com/cloudfront&quot;&gt;Amazon CloudFront console</a>.</p><p><img class="aligncenter wp-image-95371 size-full c6" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/04/20/2025-cf-saas-manager-1-multi-tenant-distribution.png&quot; alt="" width="2552" height="783" /></p><p>To create a multi-tenant distribution, choose <strong>Create distribution</strong> and select <strong>Multi-tenant architecture</strong> if you have multiple websites or applications that will share the same configuration. Follow the steps to provide basic details such as a name for your distribution, tags, and wildcard certificate, specify origin type and location for your content such as a website or app, and enable security protections with AWS WAF web ACL feature.</p><p><img class="aligncenter wp-image-95359 size-full c7" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/04/20/2025-cf-saas-manager-2-create-multi-tenants.png&quot; alt="" width="2546" height="1401" /></p><p>When the multi-tenant distribution is created successfully, you can create a distribution tenant by choosing <strong>Create tenant</strong> in the <strong>Distribution tenants</strong> menu in the left navigation pane. You can create a distribution tenant to add your active customer to be associated with the Bronze tier.</p><p><img class="aligncenter wp-image-95364 size-full c7" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/04/20/2025-cf-saas-manager-3-create-tenants.png&quot; alt="" width="2532" height="1410" /></p><p>Each tenant can be associated with up to one multi-tenant distribution. You can add one or more domains of your customers to a distribution tenant and assign custom parameter values such as origin domains and origin paths. A distribution tenant can inherit the TLS certificate and security configuration of its associated multi-tenant distribution. You can also attach a new certificate specifically for the tenant, or you can override the tenant security configuration.</p><p>When the distribution tenant is created successfully, you can finalize this step by updating a DNS record to route traffic to the domain in this distribution tenant and creating a CNAME pointed to the CloudFront application endpoint. To learn more, visit <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-creating-console.html&quot;&gt;Create a distribution</a> in the Amazon CloudFront Developer Guide.</p><p>Now you can see all customers in each distribution tenant to associate multi-tenant distributions.</p><p><img class="aligncenter size-full wp-image-95366 c6" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/04/20/2025-cf-saas-manager-4-tentants.png&quot; alt="" width="2794" height="1035" /></p><p>By increasing customers’ business needs, you can upgrade your customers from Bronze to Silver tiers by moving those distribution tenants to a proper multi-tenant distribution.</p><p>During the monthly maintenance process, we identify domains associated with inactive customer accounts that can be safely decommissioned. If you’ve decided to deprecate the Bronze tier and migrate all customers who are currently in the Bronze tier to the Silver tier, then you can delete a multi-tenant distribution to associate the Bronze tier. To learn more, visit <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/HowToUpdateDistribution.html&quot;&gt;Update a distribution</a> or <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/tenant-customization.html&quot;&gt;Distribution tenant customizations</a> in the Amazon CloudFront Developer Guide.</p><p>By default, your AWS account has one connection group that handles all your CloudFront traffic. You can enable <strong>Connection group</strong> in the <strong>Settings</strong> menu in the left navigation pane to create additional connection groups, giving you more control over traffic management and tenant isolation.</p><p><img class="aligncenter wp-image-95644 size-full c6" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/04/28/2025-cf-saas-manager-5-connection-group-1.png&quot; alt="" width="2676" height="1228" /></p><p>To learn more, visit <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/custom-connection-group.html&quot;&gt;Create custom connection group</a> in the Amazon CloudFront Developer Guide.</p><p><strong class="c4">Now available</strong><br />Amazon CloudFront SaaS Manager is available today. To learn about, visit <a href="http://aws.amazon.com/cloudfront/features/saas-manager&quot;&gt;CloudFront SaaS Manager product page</a> and <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-config-options.html&quot;&gt;documentation page</a>. To learn about SaaS on AWS, visit <a href="https://aws.amazon.com/partners/programs/saas-factory&quot;&gt;AWS SaaS Factory</a>.</p><p>Give CloudFront SaaS Manager a try in the <a href="https://console.aws.amazon.com/cloudfront&quot;&gt;CloudFront console</a> today and send feedback to <a href="https://repost.aws/tags/TA8pHF0m5aQdawzT2gwPcVYQ&quot;&gt;AWS re:Post for Amazon CloudFront</a> or through your usual AWS Support contacts.</p><p>— <a href="https://www.linkedin.com/in/veliswa-boya/&quot;&gt;Veliswa&lt;/a&gt;.&lt;br />___</p><p>How is the News Blog doing? Take this <a href="https://amazonmr.au1.qualtrics.com/jfe/form/SV_eyD5tC5xNGCdCmi&quot;&gt;1 minute survey</a>!</p><p>(<em>This <a href="https://amazonmr.au1.qualtrics.com/jfe/form/SV_eyD5tC5xNGCdCmi&quot;&gt;survey&lt;/a&gt; is hosted by an external company. AWS handles your information as described in the <a href="https://aws.amazon.com/privacy/&quot;&gt;AWS Privacy Notice</a>. AWS will own the data gathered via this survey and will not share the information collected with survey respondents.</em>)</p></section><aside id="Comments" class="blog-comments"><div data-lb-comp="aws-blog:cosmic-comments" data-env="prod" data-content-id="48c1ad50-95a3-4423-83d8-70d0dde3ded4" data-title="Reduce your operational overhead today with Amazon CloudFront SaaS Manager" data-url="https://aws.amazon.com/blogs/aws/reduce-your-operational-overhead-today-with-amazon-cloudfront-saas-manager/&quot;&gt;&lt;p data-failed-message="Comments cannot be loaded… Please refresh and try again.">Loading comments…</p></div></aside>