AWS CloudFront 502 Bad Gateway — Origin Connection and Response Errors
About AWS CloudFront 502 Bad Gateway
CloudFront returns 502 Bad Gateway when it cannot connect to the origin or receives an invalid response from it. Typical triggers are origin connection failures, origin SSL certificate problems, and Lambda@Edge function errors. A 502 that CloudFront generated itself carries the X-Cache: Error from cloudfront header, and CloudFront caches 502 responses for a short period, so a fix may not be visible immediately. The Key Details, Common Causes, and Steps sections below cover the specifics.
This article is part of the HTTP Status Codes collection on Error Codes Wiki.
Quick Answer
How do I identify if it is a Lambda@Edge error?
Check the function's CloudWatch logs. Lambda@Edge functions are deployed in us-east-1, but their log groups are written to the Region closest to the edge location that executed the function, so check the Regions that serve your viewers as well as us-east-1. Look for function execution errors, timeout messages, or memory exceeded errors.
Overview
Fix AWS CloudFront 502 Bad Gateway errors caused by origin server connection failures, SSL misconfigurations, or Lambda@Edge function errors.
Key Details
- CloudFront returns 502 when it cannot connect to the origin or receives an invalid response
- CloudFront-specific 502 errors include an X-Cache: Error from cloudfront header
- Lambda@Edge function errors (timeouts, exceptions) also produce 502 responses
- Origin SSL certificate issues are a leading cause of CloudFront 502 errors
- CloudFront caches 502 error responses for a short period, so fixes may not be immediately visible
Common Causes
- Origin server SSL certificate expired or does not match the domain name
- Lambda@Edge function throwing an unhandled exception or exceeding time/memory limits
- Origin server returning a response larger than CloudFront's maximum (body size limits)
- Origin server security group or firewall blocking CloudFront IP ranges
Steps
1. Check the origin server SSL certificate validity and ensure it matches the origin domain name
2. Review Lambda@Edge function logs in CloudWatch for errors or timeout messages
3. Verify security groups allow inbound traffic from CloudFront IP ranges (AWS publishes these)
4. Test the origin directly by bypassing CloudFront to confirm the origin is functioning correctly
5. Invalidate the CloudFront cache after fixing the issue: aws cloudfront create-invalidation --distribution-id DIST_ID --paths '/*'
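A Python triage helper for the steps above, added here as an example rather than taken from the article: it tells a CloudFront-generated 502 from one the origin returned (via X-Cache), counts the Lambda@Edge failure signals in CloudWatch log lines, and connects to the origin directly with full chain and hostname verification, which is what CloudFront requires of an HTTPS origin. The log patterns and sample lines are constructed for this example.

```python
import re, socket, ssl, time

# X-Cache value CloudFront puts on responses it generated itself
# (origin unreachable, invalid origin response, Lambda@Edge failure).
CF_ERROR = "error from cloudfront"
# Patterns for the Lambda@Edge failures CloudWatch shows; constructed for this example.
LOG_PATTERNS = {
    "timeout": re.compile(r"Task timed out after", re.I),
    "exception": re.compile(r"Unhandled|Invoke Error|Traceback", re.I),
}
REPORT_RE = re.compile(r"Memory Size: (\d+) MB\s+Max Memory Used: (\d+) MB")
# Constructed sample CloudWatch lines: one timeout, one exception, one memory exhaustion.
SAMPLE_LOGS = [
    "2024-01-01T00:00:05Z a1 Task timed out after 5.00 seconds",
    "REPORT RequestId: a1 Duration: 5003.1 ms Memory Size: 128 MB Max Memory Used: 128 MB",
    "2024-01-01T00:00:06Z b2 ERROR Invoke Error {\"errorType\":\"TypeError\"}",
    "REPORT RequestId: b2 Duration: 12.0 ms Memory Size: 128 MB Max Memory Used: 70 MB",
]


def classify_502(status, headers):
    """Tell a CloudFront-generated 502 from one the origin returned itself."""
    if status != 502:
        return "not-502"
    lower = {k.lower(): v for k, v in headers.items()}
    if CF_ERROR in lower.get("x-cache", "").lower():
        return "cloudfront"  # look at origin reachability, TLS and Lambda@Edge
    return "origin"          # the origin (or something behind it) answered 502


def scan_lambda_edge_logs(lines):
    """Count timeout, exception and memory-limit signals in CloudWatch log lines."""
    counts = {"timeout": 0, "exception": 0, "memory": 0}
    for line in lines:
        for name, pat in LOG_PATTERNS.items():
            counts[name] += bool(pat.search(line))
        m = REPORT_RE.search(line)
        if m and int(m.group(2)) >= int(m.group(1)):
            counts["memory"] += 1  # max memory used reached the configured size
    return counts


def check_origin_tls(host, port=443, timeout=5.0):
    """Bypass CloudFront: verify the origin's chain and hostname, report days to expiry."""
    ctx = ssl.create_default_context()  # verifies trusted chain and name match
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                expires = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
                return {"ok": True, "days_left": int((expires - time.time()) // 86400)}
    except (ssl.SSLError, OSError) as exc:  # expired, name mismatch, untrusted CA, blocked port
        return {"ok": False, "reason": str(exc)}
```

Call check_origin_tls with your own origin domain name; a result with ok set to False and a verification error in reason is the same failure CloudFront sees.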