Restrictions on all edge functions
The following restrictions apply to all edge functions, both CloudFront Functions and Lambda@Edge.
Topics
AWS account ownership
To associate an edge function with a CloudFront distribution, the function and distribution must be owned by the same AWS account.
Combining CloudFront Functions with Lambda@Edge
For a given cache behavior, the following restrictions apply:
-
Each event type (viewer request, origin request, origin response, and viewer response) can have only one edge function association.
-
You can’t combine CloudFront Functions and Lambda@Edge in viewer events (viewer request and viewer response).
All other combinations of edge functions are allowed. The following table explains the allowed combinations.
CloudFront Functions |
|||
Viewer request |
Viewer response |
||
Lambda@Edge |
Viewer request |
Not allowed |
Not allowed |
Origin request |
Allowed |
Allowed |
|
Origin response |
Allowed |
Allowed |
|
Viewer response |
Not allowed |
Not allowed |
HTTP status codes
CloudFront doesn't invoke edge functions for viewer response events when the origin returns HTTP status code 400 or higher.
Lambda@Edge functions for origin response events are invoked for all origin responses, including when the origin returns HTTP status code 400 or higher. For more information, see Update HTTP responses in origin response triggers.
HTTP headers
Certain HTTP headers are disallowed, which means they're not exposed to edge functions and functions can't add them. Other headers are read-only, which means functions can read them but can't add, modify, or delete them.
Disallowed headers
The following HTTP headers are not exposed to edge functions, and functions can't add them. If your function adds one of these headers, it fails CloudFront validation and CloudFront returns HTTP status code 502 (Bad Gateway) to the viewer.
-
Connection
-
Expect
-
Keep-Alive
-
Proxy-Authenticate
-
Proxy-Authorization
-
Proxy-Connection
-
Trailer
-
Upgrade
-
X-Accel-Buffering
-
X-Accel-Charset
-
X-Accel-Limit-Rate
-
X-Accel-Redirect
-
X-Amz-Cf-*
-
X-Amzn-Auth
-
X-Amzn-Cf-Billing
-
X-Amzn-Cf-Id
-
X-Amzn-Cf-Xff
-
X-Amzn-Errortype
-
X-Amzn-Fle-Profile
-
X-Amzn-Header-Count
-
X-Amzn-Header-Order
-
X-Amzn-Lambda-Integration-Tag
-
X-Amzn-RequestId
-
X-Cache
-
X-Edge-*
-
X-Forwarded-Proto
-
X-Real-IP
Read-only headers
The following headers are read-only. Your function can read them and use them as input to the function logic, but it can't change the values. If your function adds or edits a read-only header, the request fails CloudFront validation and CloudFront returns HTTP status code 502 (Bad Gateway) to the viewer.
Read-only headers in viewer request events
The following headers are read-only in viewer request events.
-
Content-Length
-
Host
-
Transfer-Encoding
-
Via
Read-only headers in origin request events (Lambda@Edge only)
The following headers are read-only in origin request events, which exist only in Lambda@Edge.
-
Accept-Encoding
-
Content-Length
-
If-Modified-Since
-
If-None-Match
-
If-Range
-
If-Unmodified-Since
-
Transfer-Encoding
-
Via
Read-only headers in origin response events (Lambda@Edge only)
The following headers are read-only in origin response events, which exist only in Lambda@Edge.
-
Transfer-Encoding
-
Via
Read-only headers in viewer response events
The following headers are read-only in viewer response events for both CloudFront Functions and Lambda@Edge.
-
Warning
-
Via
The following headers are read-only in viewer response events for Lambda@Edge.
-
Content-Length
-
Content-Encoding
-
Transfer-Encoding
Query strings
The following restrictions apply to functions that read, update, or create a query string in a request URI.
-
(Lambda@Edge only) To access the query string in an origin request or origin response function, your cache policy or origin request policy must be set to All for Query strings.
-
A function can create or update a query string for viewer request and origin request events (origin request events exist only in Lambda@Edge).
-
A function can read a query string, but cannot create or update one, for origin response and viewer response events (origin response events exist only in Lambda@Edge).
-
If a function creates or updates a query string, the following restrictions apply:
-
The query string can't include spaces, control characters, or the fragment identifier (
#
). -
The total size of the URI, including the query string, must be less than 8,192 characters.
-
We recommend that you use percent encoding for the URI and query string. For more information, see URI, query string, and headers encoding.
-
URI
If a function changes the URI for a request, that doesn't change the cache behavior for the request or the origin that the request is forwarded to.
The total size of the URI, including the query string, must be less than 8,192 characters.
URI, query string, and headers encoding
The values for the URI, query string, and headers that are passed to edge functions are UTF-8 encoded. Your function should use UTF-8 encoding for the URI, query string, and header values that it returns. Percent encoding is compatible with UTF-8 encoding.
The following list explains how CloudFront handles encoding for the URI, query string, and headers:
-
When values in the request are UTF-8 encoded, CloudFront forwards the values to your function without changing them.
-
When values in the request are ISO-8859-1 encoded
, CloudFront converts the values to UTF-8 encoding before forwarding them to your function. -
When values in the request are encoded using some other character encoding, CloudFront assumes that they're ISO-8859-1 encoded and tries to convert from ISO-8859-1 to UTF-8.
Important
The converted characters might be an inaccurate interpretation of the values in the original request. This might cause your function or your origin to produce an unintended result.
The values for the URI, query string, and headers that CloudFront forwards to your origin depend on whether a function changes the values:
-
If a function doesn't change the URI, query string, or header, CloudFront forwards the values that it received in the request to your origin.
-
If a function changes the URI, query string, or header, CloudFront forwards the UTF-8 encoded values.
Microsoft Smooth Streaming
You can't use edge functions with a CloudFront distribution that you're using for streaming media files that you've transcoded into the Microsoft Smooth Streaming format.
Tagging
You can't add tags to edge functions. For more information about tagging in CloudFront, see Tag a distribution.