Why does CloudFront cache 502 errors?

CloudFront caches error responses briefly to protect the origin from repeated failing requests. You can configure custom error pages and set the Error Caching Minimum TTL to control this behavior.

Can CloudFront 502 be caused by the viewer request?

Rarely. 502 is almost always an origin-side issue. However, viewer requests with extremely large headers can cause 502 if they exceed CloudFront's header size limits (20KB for all headers).

AWS CloudFront 502 Bad Gateway — Origin Connection and Response Errors

Error5xx server error

Overview

Fix AWS CloudFront 502 Bad Gateway errors caused by origin server connection failures, SSL misconfigurations, or Lambda@Edge function errors.

Key Details

CloudFront returns 502 when it cannot connect to the origin or receives an invalid response
CloudFront-specific 502 errors include an X-Cache: Error from cloudfront header
Lambda@Edge function errors (timeouts, exceptions) also produce 502 responses
Origin SSL certificate issues are a leading cause of CloudFront 502 errors
CloudFront caches 502 error responses for a short period, so fixes may not be immediately visible

Common Causes

Origin server SSL certificate expired or does not match the domain name
Lambda@Edge function throwing an unhandled exception or exceeding time/memory limits
Origin server returning a response larger than CloudFront's maximum (body size limits)
Origin server security group or firewall blocking CloudFront IP ranges

Steps

1Check the origin server SSL certificate validity and ensure it matches the origin domain name
2Review Lambda@Edge function logs in CloudWatch for errors or timeout messages
3Verify security groups allow inbound traffic from CloudFront IP ranges (AWS publishes these)
4Test the origin directly by bypassing CloudFront to confirm the origin is functioning correctly
5Invalidate CloudFront cache after fixing the issue: aws cloudfront create-invalidation --distribution-id DIST_ID --paths '/*'

Related Items

http-521-web-server-is-down-cloudflare

More in 5xx Server Error

http-500-internal-server-errorHTTP 500 Internal Server Error — What It Means & How to Fix It

Critical

http-501-not-implementedHTTP 501 Not Implemented — What It Means & How to Fix It

Critical

http-502-bad-gatewayHTTP 502 Bad Gateway — What It Means & How to Fix It

Critical

http-503-service-unavailableHTTP 503 Service Unavailable — What It Means & How to Fix It

Critical

http-504-gateway-timeoutHTTP 504 Gateway Timeout — What It Means & How to Fix It

Critical

http-505-http-version-not-supportedHTTP 505 HTTP Version Not Supported — What It Means & How to Fix It

Critical

Frequently Asked Questions

Check CloudWatch logs in us-east-1 (Lambda@Edge logs go to the region closest to the viewer). Look for function execution errors, timeout messages, or memory exceeded errors.

AWS CloudFront 502 Bad Gateway — Origin Connection and Response Errors

Overview

Key Details

Common Causes

Steps

Tags

Related Items

More in 5xx Server Error

Frequently Asked Questions