aws-cdk-lib 2.179.0__py3-none-any.whl → 2.181.0__py3-none-any.whl

aws_cdk/aws_cloudfront_origins/__init__.py

@@ -74,15 +74,16 @@ cloudfront.Distribution(self, "myDist",
 
 When creating a standard S3 origin using `origins.S3BucketOrigin.withOriginAccessControl()`, an [Origin Access Control resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-originaccesscontrol-originaccesscontrolconfig.html) is automatically created with the origin type set to `s3` and signing behavior set to `always`.
 
-You can grant read, list, write or delete access to the OAC using the `originAccessLevels` property:
+You can grant read, read versioned, list, write or delete access to the OAC using the `originAccessLevels` property:
 
 ```python
 my_bucket = s3.Bucket(self, "myBucket")
-s3_origin = origins.S3BucketOrigin.with_origin_access_control(my_bucket,
-    origin_access_levels=[cloudfront.AccessLevel.READ, cloudfront.AccessLevel.WRITE, cloudfront.AccessLevel.DELETE]
-)
+s3_origin = origins.S3BucketOrigin.with_origin_access_control(my_bucket, origin_access_levels=[cloudfront.AccessLevel.READ, cloudfront.AccessLevel.READ_VERSIONED, cloudfront.AccessLevel.WRITE, cloudfront.AccessLevel.DELETE])
 ```
 
+The read versioned permission does contain the read permission, so it's required to set both `AccessLevel.READ` and
+`AccessLevel.READ_VERSIONED`.
+
 For details of list permission, see [Setting up OAC with LIST permission](#setting-up-oac-with-list-permission).
 
 You can also pass in a custom S3 origin access control:
@@ -550,9 +551,6 @@ An Elastic Load Balancing (ELB) v2 load balancer may be used as an origin. In or
 accessible (`internetFacing` is true). Both Application and Network load balancers are supported.
 
 ```python
-import aws_cdk.aws_ec2 as ec2
-import aws_cdk.aws_elasticloadbalancingv2 as elbv2
-
 # vpc: ec2.Vpc
 
 # Create an application load balancer in a VPC. 'internetFacing' must be 'true'
@@ -569,8 +567,6 @@ cloudfront.Distribution(self, "myDist",
 The origin can also be customized to respond on different ports, have different connection properties, etc.
 
 ```python
-import aws_cdk.aws_elasticloadbalancingv2 as elbv2
-
 # load_balancer: elbv2.ApplicationLoadBalancer
 
 origin = origins.LoadBalancerV2Origin(load_balancer,
@@ -598,6 +594,131 @@ cloudfront.Distribution(self, "myDist",
 
 See the documentation of `aws-cdk-lib/aws-cloudfront` for more information.
 
+## VPC origins
+
+You can use CloudFront to deliver content from applications that are hosted in your virtual private cloud (VPC) private subnets.
+You can use Application Load Balancers (ALBs), Network Load Balancers (NLBs), and EC2 instances in private subnets as VPC origins.
+
+Learn more about [Restrict access with VPC origins](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.html).
+
+### From an Application Load Balancer
+
+An Application Load Balancer (ALB) can be used as a VPC origin.
+It is not needed to be publicly accessible.
+
+```python
+# Creates a distribution from an Application Load Balancer
+# vpc: ec2.Vpc
+
+# Create an application load balancer in a VPC. 'internetFacing' can be 'false'.
+alb = elbv2.ApplicationLoadBalancer(self, "ALB",
+    vpc=vpc,
+    internet_facing=False,
+    vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
+)
+cloudfront.Distribution(self, "myDist",
+    default_behavior=cloudfront.BehaviorOptions(origin=origins.VpcOrigin.with_application_load_balancer(alb))
+)
+```
+
+### From a Network Load Balancer
+
+A Network Load Balancer (NLB) can also be use as a VPC origin.
+It is not needed to be publicly accessible.
+
+* A Network Load Balancer must have a security group attached to it.
+* Dual-stack Network Load Balancers and Network Load Balancers with TLS listeners can't be added as origins.
+
+```python
+# Creates a distribution from a Network Load Balancer
+# vpc: ec2.Vpc
+
+# Create a network load balancer in a VPC. 'internetFacing' can be 'false'.
+nlb = elbv2.NetworkLoadBalancer(self, "NLB",
+    vpc=vpc,
+    internet_facing=False,
+    vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
+    security_groups=[ec2.SecurityGroup(self, "NLB-SG", vpc=vpc)]
+)
+cloudfront.Distribution(self, "myDist",
+    default_behavior=cloudfront.BehaviorOptions(origin=origins.VpcOrigin.with_network_load_balancer(nlb))
+)
+```
+
+### From an EC2 instance
+
+An EC2 instance can also be used directly as a VPC origin.
+It can be in a private subnet.
+
+```python
+# Creates a distribution from an EC2 instance
+# vpc: ec2.Vpc
+
+# Create an EC2 instance in a VPC. 'subnetType' can be private.
+instance = ec2.Instance(self, "Instance",
+    vpc=vpc,
+    instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.MICRO),
+    machine_image=ec2.MachineImage.latest_amazon_linux2023(),
+    vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS)
+)
+cloudfront.Distribution(self, "myDist",
+    default_behavior=cloudfront.BehaviorOptions(origin=origins.VpcOrigin.with_ec2_instance(instance))
+)
+```
+
+### Restrict traffic coming to the VPC origin
+
+You may need to update the security group for your VPC private origin (Application Load Balancer, Network Load Balancer, or EC2 instance) to explicitly allow the traffic from your VPC origins.
+
+#### The CloudFront managed prefix list
+
+You can allow the traffic from the CloudFront managed prefix list named **com.amazonaws.global.cloudfront.origin-facing**. For more information, see [Use an AWS-managed prefix list](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html#use-aws-managed-prefix-list).
+
+```python
+# alb: elbv2.ApplicationLoadBalancer
+
+
+peer = ec2.Peer.prefix_list("pl-xxxxxxxx") # See the management console to find actual PrefixList Id.
+alb.connections.allow_from(peer, ec2.Port.HTTP)
+```
+
+#### The VPC origin service security group
+
+VPC origin will create a security group named `CloudFront-VPCOrigins-Service-SG`.
+It can be further restricted to allow only traffic from your VPC origins.
+
+The id of the security group is not provided by CloudFormation currently.
+You can retrieve it dynamically using a custom resource.
+
+```python
+import aws_cdk.custom_resources as cr
+
+# vpc: ec2.Vpc
+# distribution: cloudfront.Distribution
+# alb: elbv2.ApplicationLoadBalancer
+
+
+# Call ec2:DescribeSecurityGroups API to retrieve the VPC origins security group.
+get_sg = cr.AwsCustomResource(self, "GetSecurityGroup",
+    on_create=cr.AwsSdkCall(
+        service="ec2",
+        action="describeSecurityGroups",
+        parameters={
+            "Filters": [{"Name": "vpc-id", "Values": [vpc.vpc_id]}, {"Name": "group-name", "Values": ["CloudFront-VPCOrigins-Service-SG"]}
+            ]
+        },
+        physical_resource_id=cr.PhysicalResourceId.of("CloudFront-VPCOrigins-Service-SG")
+    ),
+    policy=cr.AwsCustomResourcePolicy.from_sdk_calls(resources=["*"])
+)
+# The security group may be available after the distributon is deployed
+get_sg.node.add_dependency(distribution)
+sg_vpc_origins = ec2.SecurityGroup.from_security_group_id(self, "VpcOriginsSecurityGroup",
+    get_sg.get_response_field("SecurityGroups.0.GroupId"))
+# Allow connections from the security group
+alb.connections.allow_from(sg_vpc_origins, ec2.Port.HTTP)
+```
+
 ## Failover Origins (Origin Groups)
 
 You can set up CloudFront with origin failover for scenarios that require high availability.
@@ -765,6 +886,7 @@ from ..aws_cloudfront import (
     IOrigin as _IOrigin_83d4c1fa,
     IOriginAccessControl as _IOriginAccessControl_82a6fe5a,
     IOriginAccessIdentity as _IOriginAccessIdentity_a922494c,
+    IVpcOrigin as _IVpcOrigin_6f584d50,
     OriginBase as _OriginBase_b8fe5bcc,
     OriginBindConfig as _OriginBindConfig_25a57096,
     OriginBindOptions as _OriginBindOptions_088c2b51,
@@ -772,8 +894,14 @@ from ..aws_cloudfront import (
     OriginProtocolPolicy as _OriginProtocolPolicy_967ed73c,
     OriginSelectionCriteria as _OriginSelectionCriteria_ba6d3e21,
     OriginSslPolicy as _OriginSslPolicy_d65cede2,
+    VpcOriginOptions as _VpcOriginOptions_f9e74bd8,
+)
+from ..aws_ec2 import IInstance as _IInstance_ab239e7c
+from ..aws_elasticloadbalancingv2 import (
+    IApplicationLoadBalancer as _IApplicationLoadBalancer_4cbd50ab,
+    ILoadBalancerV2 as _ILoadBalancerV2_4c5c0fbb,
+    INetworkLoadBalancer as _INetworkLoadBalancer_96e17101,
 )
-from ..aws_elasticloadbalancingv2 import ILoadBalancerV2 as _ILoadBalancerV2_4c5c0fbb
 from ..aws_lambda import IFunctionUrl as _IFunctionUrl_1a74cd94
 from ..aws_s3 import IBucket as _IBucket_42e086fd
 
@@ -1574,26 +1702,15 @@ class HttpOrigin(
 
     Example::
 
-        # Adding realtime logs config to a Cloudfront Distribution on default behavior.
-        import aws_cdk.aws_kinesis as kinesis
-        
-        # stream: kinesis.Stream
-        
-        
-        real_time_config = cloudfront.RealtimeLogConfig(self, "realtimeLog",
-            end_points=[
-                cloudfront.Endpoint.from_kinesis_stream(stream)
-            ],
-            fields=["timestamp", "c-ip", "time-to-first-byte", "sc-status"
-            ],
-            realtime_log_config_name="my-delivery-stream",
-            sampling_rate=100
-        )
-        
-        cloudfront.Distribution(self, "myCdn",
+        my_bucket = s3.Bucket(self, "myBucket")
+        cloudfront.Distribution(self, "myDist",
             default_behavior=cloudfront.BehaviorOptions(
-                origin=origins.HttpOrigin("www.example.com"),
-                realtime_log_config=real_time_config
+                origin=origins.OriginGroup(
+                    primary_origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket),
+                    fallback_origin=origins.HttpOrigin("www.example.com"),
+                    # optional, defaults to: 500, 502, 503 and 504
+                    fallback_status_codes=[404]
+                )
             )
         )
     '''
@@ -1967,9 +2084,7 @@ class LoadBalancerV2Origin(
 
     Example::
 
-        import aws_cdk.aws_ec2 as ec2
-        import aws_cdk.aws_elasticloadbalancingv2 as elbv2
-        
+        # Creates a distribution from an ELBv2 load balancer
         # vpc: ec2.Vpc
         
         # Create an application load balancer in a VPC. 'internetFacing' must be 'true'
@@ -2102,8 +2217,6 @@ class LoadBalancerV2OriginProps(HttpOriginProps):
 
         Example::
 
-            import aws_cdk.aws_elasticloadbalancingv2 as elbv2
-            
             # load_balancer: elbv2.ApplicationLoadBalancer
             
             origin = origins.LoadBalancerV2Origin(load_balancer,
@@ -2794,15 +2907,14 @@ class S3BucketOrigin(
     Example::
 
         my_bucket = s3.Bucket(self, "myBucket")
-        cloudfront.Distribution(self, "myDist",
+        s3_origin = origins.S3BucketOrigin.with_origin_access_control(my_bucket,
+            origin_access_levels=[cloudfront.AccessLevel.READ, cloudfront.AccessLevel.LIST]
+        )
+        cloudfront.Distribution(self, "distribution",
             default_behavior=cloudfront.BehaviorOptions(
-                origin=origins.OriginGroup(
-                    primary_origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket),
-                    fallback_origin=origins.HttpOrigin("www.example.com"),
-                    # optional, defaults to: 500, 502, 503 and 504
-                    fallback_status_codes=[404]
-                )
-            )
+                origin=s3_origin
+            ),
+            default_root_object="index.html"
         )
     '''
 
@@ -4271,115 +4383,1047 @@ class S3StaticWebsiteOriginProps(HttpOriginProps):
         )
 
 
-__all__ = [
-    "FunctionUrlOrigin",
-    "FunctionUrlOriginBaseProps",
-    "FunctionUrlOriginProps",
-    "FunctionUrlOriginWithOACProps",
-    "HttpOrigin",
-    "HttpOriginProps",
-    "LoadBalancerV2Origin",
-    "LoadBalancerV2OriginProps",
-    "OriginGroup",
-    "OriginGroupProps",
-    "RestApiOrigin",
-    "RestApiOriginProps",
-    "S3BucketOrigin",
-    "S3BucketOriginBaseProps",
-    "S3BucketOriginWithOACProps",
-    "S3BucketOriginWithOAIProps",
-    "S3Origin",
-    "S3OriginProps",
-    "S3StaticWebsiteOrigin",
-    "S3StaticWebsiteOriginProps",
-]
+class VpcOrigin(
+    _OriginBase_b8fe5bcc,
+    metaclass=jsii.JSIIAbstractClass,
+    jsii_type="aws-cdk-lib.aws_cloudfront_origins.VpcOrigin",
+):
+    '''Represents a distribution's VPC origin.
 
-publication.publish()
+    :exampleMetadata: infused
 
-def _typecheckingstub__fcda903697b26acfe2149a285d5a64619682b675affb52f4ae2d1aca46c8f1c3(
-    lambda_function_url: _IFunctionUrl_1a74cd94,
-    *,
-    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
-    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
-    origin_path: typing.Optional[builtins.str] = None,
-    connection_attempts: typing.Optional[jsii.Number] = None,
-    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
-    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
-    origin_access_control_id: typing.Optional[builtins.str] = None,
-    origin_id: typing.Optional[builtins.str] = None,
-    origin_shield_enabled: typing.Optional[builtins.bool] = None,
-    origin_shield_region: typing.Optional[builtins.str] = None,
-) -> None:
-    """Type checking stubs"""
-    pass
+    Example::
 
-def _typecheckingstub__b4d59b7721f41be7903dbcffeddd34d596392d2c8d2a4110f31a4dacdb532727(
-    lambda_function_url: _IFunctionUrl_1a74cd94,
-    *,
-    origin_access_control: typing.Optional[_IOriginAccessControl_82a6fe5a] = None,
-    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
-    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
-    origin_path: typing.Optional[builtins.str] = None,
-    connection_attempts: typing.Optional[jsii.Number] = None,
-    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
-    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
-    origin_access_control_id: typing.Optional[builtins.str] = None,
-    origin_id: typing.Optional[builtins.str] = None,
-    origin_shield_enabled: typing.Optional[builtins.bool] = None,
-    origin_shield_region: typing.Optional[builtins.str] = None,
-) -> None:
-    """Type checking stubs"""
-    pass
+        # Creates a distribution from a Network Load Balancer
+        # vpc: ec2.Vpc
+        
+        # Create a network load balancer in a VPC. 'internetFacing' can be 'false'.
+        nlb = elbv2.NetworkLoadBalancer(self, "NLB",
+            vpc=vpc,
+            internet_facing=False,
+            vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
+            security_groups=[ec2.SecurityGroup(self, "NLB-SG", vpc=vpc)]
+        )
+        cloudfront.Distribution(self, "myDist",
+            default_behavior=cloudfront.BehaviorOptions(origin=origins.VpcOrigin.with_network_load_balancer(nlb))
+        )
+    '''
 
-def _typecheckingstub__610b4764a440619f38a9adeb3e13225e58180ee2ee316abd994579fdcdb84c12(
-    *,
-    connection_attempts: typing.Optional[jsii.Number] = None,
-    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
-    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
-    origin_access_control_id: typing.Optional[builtins.str] = None,
-    origin_id: typing.Optional[builtins.str] = None,
-    origin_shield_enabled: typing.Optional[builtins.bool] = None,
-    origin_shield_region: typing.Optional[builtins.str] = None,
-    origin_path: typing.Optional[builtins.str] = None,
-) -> None:
-    """Type checking stubs"""
-    pass
+    def __init__(
+        self,
+        domain_name_: builtins.str,
+        *,
+        domain_name: typing.Optional[builtins.str] = None,
+        keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''
+        :param domain_name_: -
+        :param domain_name: The domain name associated with your VPC origin. Default: - The default domain name of the endpoint.
+        :param keepalive_timeout: Specifies how long, in seconds, CloudFront persists its connection to the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(5)
+        :param read_timeout: Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(30)
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__27d66442a972110883cdde622df199c2db6a7264e19031f1118d7aa01681cef6)
+            check_type(argname="argument domain_name_", value=domain_name_, expected_type=type_hints["domain_name_"])
+        props = VpcOriginProps(
+            domain_name=domain_name,
+            keepalive_timeout=keepalive_timeout,
+            read_timeout=read_timeout,
+            origin_path=origin_path,
+            connection_attempts=connection_attempts,
+            connection_timeout=connection_timeout,
+            custom_headers=custom_headers,
+            origin_access_control_id=origin_access_control_id,
+            origin_id=origin_id,
+            origin_shield_enabled=origin_shield_enabled,
+            origin_shield_region=origin_shield_region,
+        )
 
-def _typecheckingstub__56d340a9ac5dd93c6aa22cb98bcbc860fb23f8d247b53c2cd1a51ecd8406909a(
-    *,
-    connection_attempts: typing.Optional[jsii.Number] = None,
-    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
-    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
-    origin_access_control_id: typing.Optional[builtins.str] = None,
-    origin_id: typing.Optional[builtins.str] = None,
-    origin_shield_enabled: typing.Optional[builtins.bool] = None,
-    origin_shield_region: typing.Optional[builtins.str] = None,
-    origin_path: typing.Optional[builtins.str] = None,
-    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
-    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
-) -> None:
-    """Type checking stubs"""
-    pass
+        jsii.create(self.__class__, self, [domain_name_, props])
 
-def _typecheckingstub__56968af993436ccfcac0aa6a57169f1a033078c10740d435d086816ad0336a75(
-    *,
-    connection_attempts: typing.Optional[jsii.Number] = None,
-    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
-    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
-    origin_access_control_id: typing.Optional[builtins.str] = None,
-    origin_id: typing.Optional[builtins.str] = None,
-    origin_shield_enabled: typing.Optional[builtins.bool] = None,
-    origin_shield_region: typing.Optional[builtins.str] = None,
-    origin_path: typing.Optional[builtins.str] = None,
-    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
-    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
-    origin_access_control: typing.Optional[_IOriginAccessControl_82a6fe5a] = None,
-) -> None:
-    """Type checking stubs"""
-    pass
+    @jsii.member(jsii_name="withApplicationLoadBalancer")
+    @builtins.classmethod
+    def with_application_load_balancer(
+        cls,
+        alb: _IApplicationLoadBalancer_4cbd50ab,
+        *,
+        domain_name: typing.Optional[builtins.str] = None,
+        keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        http_port: typing.Optional[jsii.Number] = None,
+        https_port: typing.Optional[jsii.Number] = None,
+        origin_ssl_protocols: typing.Optional[typing.Sequence[_OriginSslPolicy_d65cede2]] = None,
+        protocol_policy: typing.Optional[_OriginProtocolPolicy_967ed73c] = None,
+        vpc_origin_name: typing.Optional[builtins.str] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+    ) -> "VpcOrigin":
+        '''Create a VPC origin with an Application Load Balancer.
 
-def _typecheckingstub__57d13f69f251622e0723aa73c3eb93e482e0deb7a7b1e8439c7d7ad35cfc0cc5(
-    domain_name: builtins.str,
+        :param alb: -
+        :param domain_name: The domain name associated with your VPC origin. Default: - The default domain name of the endpoint.
+        :param keepalive_timeout: Specifies how long, in seconds, CloudFront persists its connection to the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(5)
+        :param read_timeout: Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(30)
+        :param http_port: The HTTP port for the CloudFront VPC origin endpoint configuration. Default: 80
+        :param https_port: The HTTPS port of the CloudFront VPC origin endpoint configuration. Default: 443
+        :param origin_ssl_protocols: A list that contains allowed SSL/TLS protocols for this distribution. Default: - TLSv1.2
+        :param protocol_policy: The origin protocol policy for the CloudFront VPC origin endpoint configuration. Default: OriginProtocolPolicy.MATCH_VIEWER
+        :param vpc_origin_name: The name of the CloudFront VPC origin endpoint configuration. Default: - generated from the ``id``
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__8615ead9bb90a8fd2c91dc07371d03b8f4b4192a1500a449646bd8a7be95fa6c)
+            check_type(argname="argument alb", value=alb, expected_type=type_hints["alb"])
+        props = VpcOriginWithEndpointProps(
+            domain_name=domain_name,
+            keepalive_timeout=keepalive_timeout,
+            read_timeout=read_timeout,
+            http_port=http_port,
+            https_port=https_port,
+            origin_ssl_protocols=origin_ssl_protocols,
+            protocol_policy=protocol_policy,
+            vpc_origin_name=vpc_origin_name,
+            origin_path=origin_path,
+            connection_attempts=connection_attempts,
+            connection_timeout=connection_timeout,
+            custom_headers=custom_headers,
+            origin_access_control_id=origin_access_control_id,
+            origin_id=origin_id,
+            origin_shield_enabled=origin_shield_enabled,
+            origin_shield_region=origin_shield_region,
+        )
+
+        return typing.cast("VpcOrigin", jsii.sinvoke(cls, "withApplicationLoadBalancer", [alb, props]))
+
+    @jsii.member(jsii_name="withEc2Instance")
+    @builtins.classmethod
+    def with_ec2_instance(
+        cls,
+        instance: _IInstance_ab239e7c,
+        *,
+        domain_name: typing.Optional[builtins.str] = None,
+        keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        http_port: typing.Optional[jsii.Number] = None,
+        https_port: typing.Optional[jsii.Number] = None,
+        origin_ssl_protocols: typing.Optional[typing.Sequence[_OriginSslPolicy_d65cede2]] = None,
+        protocol_policy: typing.Optional[_OriginProtocolPolicy_967ed73c] = None,
+        vpc_origin_name: typing.Optional[builtins.str] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+    ) -> "VpcOrigin":
+        '''Create a VPC origin with an EC2 instance.
+
+        :param instance: -
+        :param domain_name: The domain name associated with your VPC origin. Default: - The default domain name of the endpoint.
+        :param keepalive_timeout: Specifies how long, in seconds, CloudFront persists its connection to the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(5)
+        :param read_timeout: Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(30)
+        :param http_port: The HTTP port for the CloudFront VPC origin endpoint configuration. Default: 80
+        :param https_port: The HTTPS port of the CloudFront VPC origin endpoint configuration. Default: 443
+        :param origin_ssl_protocols: A list that contains allowed SSL/TLS protocols for this distribution. Default: - TLSv1.2
+        :param protocol_policy: The origin protocol policy for the CloudFront VPC origin endpoint configuration. Default: OriginProtocolPolicy.MATCH_VIEWER
+        :param vpc_origin_name: The name of the CloudFront VPC origin endpoint configuration. Default: - generated from the ``id``
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__1fc3f8db0baa99548845b1733d31d8271fbe2c934c89a6c44958edcb38b35a13)
+            check_type(argname="argument instance", value=instance, expected_type=type_hints["instance"])
+        props = VpcOriginWithEndpointProps(
+            domain_name=domain_name,
+            keepalive_timeout=keepalive_timeout,
+            read_timeout=read_timeout,
+            http_port=http_port,
+            https_port=https_port,
+            origin_ssl_protocols=origin_ssl_protocols,
+            protocol_policy=protocol_policy,
+            vpc_origin_name=vpc_origin_name,
+            origin_path=origin_path,
+            connection_attempts=connection_attempts,
+            connection_timeout=connection_timeout,
+            custom_headers=custom_headers,
+            origin_access_control_id=origin_access_control_id,
+            origin_id=origin_id,
+            origin_shield_enabled=origin_shield_enabled,
+            origin_shield_region=origin_shield_region,
+        )
+
+        return typing.cast("VpcOrigin", jsii.sinvoke(cls, "withEc2Instance", [instance, props]))
+
+    @jsii.member(jsii_name="withNetworkLoadBalancer")
+    @builtins.classmethod
+    def with_network_load_balancer(
+        cls,
+        nlb: _INetworkLoadBalancer_96e17101,
+        *,
+        domain_name: typing.Optional[builtins.str] = None,
+        keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        http_port: typing.Optional[jsii.Number] = None,
+        https_port: typing.Optional[jsii.Number] = None,
+        origin_ssl_protocols: typing.Optional[typing.Sequence[_OriginSslPolicy_d65cede2]] = None,
+        protocol_policy: typing.Optional[_OriginProtocolPolicy_967ed73c] = None,
+        vpc_origin_name: typing.Optional[builtins.str] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+    ) -> "VpcOrigin":
+        '''Create a VPC origin with a Network Load Balancer.
+
+        :param nlb: -
+        :param domain_name: The domain name associated with your VPC origin. Default: - The default domain name of the endpoint.
+        :param keepalive_timeout: Specifies how long, in seconds, CloudFront persists its connection to the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(5)
+        :param read_timeout: Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(30)
+        :param http_port: The HTTP port for the CloudFront VPC origin endpoint configuration. Default: 80
+        :param https_port: The HTTPS port of the CloudFront VPC origin endpoint configuration. Default: 443
+        :param origin_ssl_protocols: A list that contains allowed SSL/TLS protocols for this distribution. Default: - TLSv1.2
+        :param protocol_policy: The origin protocol policy for the CloudFront VPC origin endpoint configuration. Default: OriginProtocolPolicy.MATCH_VIEWER
+        :param vpc_origin_name: The name of the CloudFront VPC origin endpoint configuration. Default: - generated from the ``id``
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__83c5561f2747600ee99b6ee41190dcba45f2a24cc1c9500759e9c382320b83d6)
+            check_type(argname="argument nlb", value=nlb, expected_type=type_hints["nlb"])
+        props = VpcOriginWithEndpointProps(
+            domain_name=domain_name,
+            keepalive_timeout=keepalive_timeout,
+            read_timeout=read_timeout,
+            http_port=http_port,
+            https_port=https_port,
+            origin_ssl_protocols=origin_ssl_protocols,
+            protocol_policy=protocol_policy,
+            vpc_origin_name=vpc_origin_name,
+            origin_path=origin_path,
+            connection_attempts=connection_attempts,
+            connection_timeout=connection_timeout,
+            custom_headers=custom_headers,
+            origin_access_control_id=origin_access_control_id,
+            origin_id=origin_id,
+            origin_shield_enabled=origin_shield_enabled,
+            origin_shield_region=origin_shield_region,
+        )
+
+        return typing.cast("VpcOrigin", jsii.sinvoke(cls, "withNetworkLoadBalancer", [nlb, props]))
+
+    @jsii.member(jsii_name="withVpcOrigin")
+    @builtins.classmethod
+    def with_vpc_origin(
+        cls,
+        origin: _IVpcOrigin_6f584d50,
+        *,
+        domain_name: typing.Optional[builtins.str] = None,
+        keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+    ) -> "VpcOrigin":
+        '''Create a VPC origin with an existing VPC origin resource.
+
+        :param origin: -
+        :param domain_name: The domain name associated with your VPC origin. Default: - The default domain name of the endpoint.
+        :param keepalive_timeout: Specifies how long, in seconds, CloudFront persists its connection to the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(5)
+        :param read_timeout: Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(30)
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__b7ed2e0f746eab77b2774c1adb0f114f10e786a05b531cd1218f93ad3770e5af)
+            check_type(argname="argument origin", value=origin, expected_type=type_hints["origin"])
+        props = VpcOriginProps(
+            domain_name=domain_name,
+            keepalive_timeout=keepalive_timeout,
+            read_timeout=read_timeout,
+            origin_path=origin_path,
+            connection_attempts=connection_attempts,
+            connection_timeout=connection_timeout,
+            custom_headers=custom_headers,
+            origin_access_control_id=origin_access_control_id,
+            origin_id=origin_id,
+            origin_shield_enabled=origin_shield_enabled,
+            origin_shield_region=origin_shield_region,
+        )
+
+        return typing.cast("VpcOrigin", jsii.sinvoke(cls, "withVpcOrigin", [origin, props]))
+
+    @jsii.member(jsii_name="renderVpcOriginConfig")
+    def _render_vpc_origin_config(
+        self,
+    ) -> typing.Optional[_CfnDistribution_d9ad3595.VpcOriginConfigProperty]:
+        return typing.cast(typing.Optional[_CfnDistribution_d9ad3595.VpcOriginConfigProperty], jsii.invoke(self, "renderVpcOriginConfig", []))
+
+    @builtins.property
+    @jsii.member(jsii_name="props")
+    def _props(self) -> "VpcOriginProps":
+        return typing.cast("VpcOriginProps", jsii.get(self, "props"))
+
+    @builtins.property
+    @jsii.member(jsii_name="vpcOrigin")
+    def _vpc_origin(self) -> typing.Optional[_IVpcOrigin_6f584d50]:
+        return typing.cast(typing.Optional[_IVpcOrigin_6f584d50], jsii.get(self, "vpcOrigin"))
+
+    @_vpc_origin.setter
+    def _vpc_origin(self, value: typing.Optional[_IVpcOrigin_6f584d50]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__1d0218fc5ea8fbca94cbaeda39ab353fe5c35e197d6d8d60852fb576332785ce)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "vpcOrigin", value) # pyright: ignore[reportArgumentType]
+
+
+class _VpcOriginProxy(
+    VpcOrigin,
+    jsii.proxy_for(_OriginBase_b8fe5bcc), # type: ignore[misc]
+):
+    pass
+
+# Adding a "__jsii_proxy_class__(): typing.Type" function to the abstract class
+typing.cast(typing.Any, VpcOrigin).__jsii_proxy_class__ = lambda : _VpcOriginProxy
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_cloudfront_origins.VpcOriginProps",
+    jsii_struct_bases=[_OriginProps_0675928d],
+    name_mapping={
+        "connection_attempts": "connectionAttempts",
+        "connection_timeout": "connectionTimeout",
+        "custom_headers": "customHeaders",
+        "origin_access_control_id": "originAccessControlId",
+        "origin_id": "originId",
+        "origin_shield_enabled": "originShieldEnabled",
+        "origin_shield_region": "originShieldRegion",
+        "origin_path": "originPath",
+        "domain_name": "domainName",
+        "keepalive_timeout": "keepaliveTimeout",
+        "read_timeout": "readTimeout",
+    },
+)
+class VpcOriginProps(_OriginProps_0675928d):
+    def __init__(
+        self,
+        *,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+        domain_name: typing.Optional[builtins.str] = None,
+        keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    ) -> None:
+        '''Properties to define a VPC origin.
+
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+        :param domain_name: The domain name associated with your VPC origin. Default: - The default domain name of the endpoint.
+        :param keepalive_timeout: Specifies how long, in seconds, CloudFront persists its connection to the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(5)
+        :param read_timeout: Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(30)
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            import aws_cdk as cdk
+            from aws_cdk import aws_cloudfront_origins as cloudfront_origins
+            
+            vpc_origin_props = cloudfront_origins.VpcOriginProps(
+                connection_attempts=123,
+                connection_timeout=cdk.Duration.minutes(30),
+                custom_headers={
+                    "custom_headers_key": "customHeaders"
+                },
+                domain_name="domainName",
+                keepalive_timeout=cdk.Duration.minutes(30),
+                origin_access_control_id="originAccessControlId",
+                origin_id="originId",
+                origin_path="originPath",
+                origin_shield_enabled=False,
+                origin_shield_region="originShieldRegion",
+                read_timeout=cdk.Duration.minutes(30)
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__6605ea586b09bdf0ddb88a83b7c4e00626fe891625563cb019777b1480340f14)
+            check_type(argname="argument connection_attempts", value=connection_attempts, expected_type=type_hints["connection_attempts"])
+            check_type(argname="argument connection_timeout", value=connection_timeout, expected_type=type_hints["connection_timeout"])
+            check_type(argname="argument custom_headers", value=custom_headers, expected_type=type_hints["custom_headers"])
+            check_type(argname="argument origin_access_control_id", value=origin_access_control_id, expected_type=type_hints["origin_access_control_id"])
+            check_type(argname="argument origin_id", value=origin_id, expected_type=type_hints["origin_id"])
+            check_type(argname="argument origin_shield_enabled", value=origin_shield_enabled, expected_type=type_hints["origin_shield_enabled"])
+            check_type(argname="argument origin_shield_region", value=origin_shield_region, expected_type=type_hints["origin_shield_region"])
+            check_type(argname="argument origin_path", value=origin_path, expected_type=type_hints["origin_path"])
+            check_type(argname="argument domain_name", value=domain_name, expected_type=type_hints["domain_name"])
+            check_type(argname="argument keepalive_timeout", value=keepalive_timeout, expected_type=type_hints["keepalive_timeout"])
+            check_type(argname="argument read_timeout", value=read_timeout, expected_type=type_hints["read_timeout"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if connection_attempts is not None:
+            self._values["connection_attempts"] = connection_attempts
+        if connection_timeout is not None:
+            self._values["connection_timeout"] = connection_timeout
+        if custom_headers is not None:
+            self._values["custom_headers"] = custom_headers
+        if origin_access_control_id is not None:
+            self._values["origin_access_control_id"] = origin_access_control_id
+        if origin_id is not None:
+            self._values["origin_id"] = origin_id
+        if origin_shield_enabled is not None:
+            self._values["origin_shield_enabled"] = origin_shield_enabled
+        if origin_shield_region is not None:
+            self._values["origin_shield_region"] = origin_shield_region
+        if origin_path is not None:
+            self._values["origin_path"] = origin_path
+        if domain_name is not None:
+            self._values["domain_name"] = domain_name
+        if keepalive_timeout is not None:
+            self._values["keepalive_timeout"] = keepalive_timeout
+        if read_timeout is not None:
+            self._values["read_timeout"] = read_timeout
+
+    @builtins.property
+    def connection_attempts(self) -> typing.Optional[jsii.Number]:
+        '''The number of times that CloudFront attempts to connect to the origin;
+
+        valid values are 1, 2, or 3 attempts.
+
+        :default: 3
+        '''
+        result = self._values.get("connection_attempts")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def connection_timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''The number of seconds that CloudFront waits when trying to establish a connection to the origin.
+
+        Valid values are 1-10 seconds, inclusive.
+
+        :default: Duration.seconds(10)
+        '''
+        result = self._values.get("connection_timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
+    @builtins.property
+    def custom_headers(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
+
+        :default: {}
+        '''
+        result = self._values.get("custom_headers")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
+    @builtins.property
+    def origin_access_control_id(self) -> typing.Optional[builtins.str]:
+        '''The unique identifier of an origin access control for this origin.
+
+        :default: - no origin access control
+        '''
+        result = self._values.get("origin_access_control_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_id(self) -> typing.Optional[builtins.str]:
+        '''A unique identifier for the origin.
+
+        This value must be unique within the distribution.
+
+        :default: - an originid will be generated for you
+        '''
+        result = self._values.get("origin_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_shield_enabled(self) -> typing.Optional[builtins.bool]:
+        '''Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
+
+        :default: - true
+        '''
+        result = self._values.get("origin_shield_enabled")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def origin_shield_region(self) -> typing.Optional[builtins.str]:
+        '''When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
+
+        :default: - origin shield not enabled
+
+        :see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
+        '''
+        result = self._values.get("origin_shield_region")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_path(self) -> typing.Optional[builtins.str]:
+        '''An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
+
+        Must begin, but not end, with '/' (e.g., '/production/images').
+
+        :default: '/'
+        '''
+        result = self._values.get("origin_path")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def domain_name(self) -> typing.Optional[builtins.str]:
+        '''The domain name associated with your VPC origin.
+
+        :default: - The default domain name of the endpoint.
+        '''
+        result = self._values.get("domain_name")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def keepalive_timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''Specifies how long, in seconds, CloudFront persists its connection to the origin.
+
+        The valid range is from 1 to 180 seconds, inclusive.
+
+        Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
+        has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
+
+        :default: Duration.seconds(5)
+        '''
+        result = self._values.get("keepalive_timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
+    @builtins.property
+    def read_timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout.
+
+        The valid range is from 1 to 180 seconds, inclusive.
+
+        Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
+        has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
+
+        :default: Duration.seconds(30)
+        '''
+        result = self._values.get("read_timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "VpcOriginProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_cloudfront_origins.VpcOriginWithEndpointProps",
+    jsii_struct_bases=[VpcOriginProps, _VpcOriginOptions_f9e74bd8],
+    name_mapping={
+        "connection_attempts": "connectionAttempts",
+        "connection_timeout": "connectionTimeout",
+        "custom_headers": "customHeaders",
+        "origin_access_control_id": "originAccessControlId",
+        "origin_id": "originId",
+        "origin_shield_enabled": "originShieldEnabled",
+        "origin_shield_region": "originShieldRegion",
+        "origin_path": "originPath",
+        "domain_name": "domainName",
+        "keepalive_timeout": "keepaliveTimeout",
+        "read_timeout": "readTimeout",
+        "http_port": "httpPort",
+        "https_port": "httpsPort",
+        "origin_ssl_protocols": "originSslProtocols",
+        "protocol_policy": "protocolPolicy",
+        "vpc_origin_name": "vpcOriginName",
+    },
+)
+class VpcOriginWithEndpointProps(VpcOriginProps, _VpcOriginOptions_f9e74bd8):
+    def __init__(
+        self,
+        *,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+        domain_name: typing.Optional[builtins.str] = None,
+        keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        http_port: typing.Optional[jsii.Number] = None,
+        https_port: typing.Optional[jsii.Number] = None,
+        origin_ssl_protocols: typing.Optional[typing.Sequence[_OriginSslPolicy_d65cede2]] = None,
+        protocol_policy: typing.Optional[_OriginProtocolPolicy_967ed73c] = None,
+        vpc_origin_name: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''Properties to define a VPC origin with endpoint.
+
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+        :param domain_name: The domain name associated with your VPC origin. Default: - The default domain name of the endpoint.
+        :param keepalive_timeout: Specifies how long, in seconds, CloudFront persists its connection to the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(5)
+        :param read_timeout: Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(30)
+        :param http_port: The HTTP port for the CloudFront VPC origin endpoint configuration. Default: 80
+        :param https_port: The HTTPS port of the CloudFront VPC origin endpoint configuration. Default: 443
+        :param origin_ssl_protocols: A list that contains allowed SSL/TLS protocols for this distribution. Default: - TLSv1.2
+        :param protocol_policy: The origin protocol policy for the CloudFront VPC origin endpoint configuration. Default: OriginProtocolPolicy.MATCH_VIEWER
+        :param vpc_origin_name: The name of the CloudFront VPC origin endpoint configuration. Default: - generated from the ``id``
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            import aws_cdk as cdk
+            from aws_cdk import aws_cloudfront as cloudfront
+            from aws_cdk import aws_cloudfront_origins as cloudfront_origins
+            
+            vpc_origin_with_endpoint_props = cloudfront_origins.VpcOriginWithEndpointProps(
+                connection_attempts=123,
+                connection_timeout=cdk.Duration.minutes(30),
+                custom_headers={
+                    "custom_headers_key": "customHeaders"
+                },
+                domain_name="domainName",
+                http_port=123,
+                https_port=123,
+                keepalive_timeout=cdk.Duration.minutes(30),
+                origin_access_control_id="originAccessControlId",
+                origin_id="originId",
+                origin_path="originPath",
+                origin_shield_enabled=False,
+                origin_shield_region="originShieldRegion",
+                origin_ssl_protocols=[cloudfront.OriginSslPolicy.SSL_V3],
+                protocol_policy=cloudfront.OriginProtocolPolicy.HTTP_ONLY,
+                read_timeout=cdk.Duration.minutes(30),
+                vpc_origin_name="vpcOriginName"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__e581b80df977101d74a87a861c6ddf752f3dc8bcbd114f5e12bc33daa6879040)
+            check_type(argname="argument connection_attempts", value=connection_attempts, expected_type=type_hints["connection_attempts"])
+            check_type(argname="argument connection_timeout", value=connection_timeout, expected_type=type_hints["connection_timeout"])
+            check_type(argname="argument custom_headers", value=custom_headers, expected_type=type_hints["custom_headers"])
+            check_type(argname="argument origin_access_control_id", value=origin_access_control_id, expected_type=type_hints["origin_access_control_id"])
+            check_type(argname="argument origin_id", value=origin_id, expected_type=type_hints["origin_id"])
+            check_type(argname="argument origin_shield_enabled", value=origin_shield_enabled, expected_type=type_hints["origin_shield_enabled"])
+            check_type(argname="argument origin_shield_region", value=origin_shield_region, expected_type=type_hints["origin_shield_region"])
+            check_type(argname="argument origin_path", value=origin_path, expected_type=type_hints["origin_path"])
+            check_type(argname="argument domain_name", value=domain_name, expected_type=type_hints["domain_name"])
+            check_type(argname="argument keepalive_timeout", value=keepalive_timeout, expected_type=type_hints["keepalive_timeout"])
+            check_type(argname="argument read_timeout", value=read_timeout, expected_type=type_hints["read_timeout"])
+            check_type(argname="argument http_port", value=http_port, expected_type=type_hints["http_port"])
+            check_type(argname="argument https_port", value=https_port, expected_type=type_hints["https_port"])
+            check_type(argname="argument origin_ssl_protocols", value=origin_ssl_protocols, expected_type=type_hints["origin_ssl_protocols"])
+            check_type(argname="argument protocol_policy", value=protocol_policy, expected_type=type_hints["protocol_policy"])
+            check_type(argname="argument vpc_origin_name", value=vpc_origin_name, expected_type=type_hints["vpc_origin_name"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if connection_attempts is not None:
+            self._values["connection_attempts"] = connection_attempts
+        if connection_timeout is not None:
+            self._values["connection_timeout"] = connection_timeout
+        if custom_headers is not None:
+            self._values["custom_headers"] = custom_headers
+        if origin_access_control_id is not None:
+            self._values["origin_access_control_id"] = origin_access_control_id
+        if origin_id is not None:
+            self._values["origin_id"] = origin_id
+        if origin_shield_enabled is not None:
+            self._values["origin_shield_enabled"] = origin_shield_enabled
+        if origin_shield_region is not None:
+            self._values["origin_shield_region"] = origin_shield_region
+        if origin_path is not None:
+            self._values["origin_path"] = origin_path
+        if domain_name is not None:
+            self._values["domain_name"] = domain_name
+        if keepalive_timeout is not None:
+            self._values["keepalive_timeout"] = keepalive_timeout
+        if read_timeout is not None:
+            self._values["read_timeout"] = read_timeout
+        if http_port is not None:
+            self._values["http_port"] = http_port
+        if https_port is not None:
+            self._values["https_port"] = https_port
+        if origin_ssl_protocols is not None:
+            self._values["origin_ssl_protocols"] = origin_ssl_protocols
+        if protocol_policy is not None:
+            self._values["protocol_policy"] = protocol_policy
+        if vpc_origin_name is not None:
+            self._values["vpc_origin_name"] = vpc_origin_name
+
+    @builtins.property
+    def connection_attempts(self) -> typing.Optional[jsii.Number]:
+        '''The number of times that CloudFront attempts to connect to the origin;
+
+        valid values are 1, 2, or 3 attempts.
+
+        :default: 3
+        '''
+        result = self._values.get("connection_attempts")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def connection_timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''The number of seconds that CloudFront waits when trying to establish a connection to the origin.
+
+        Valid values are 1-10 seconds, inclusive.
+
+        :default: Duration.seconds(10)
+        '''
+        result = self._values.get("connection_timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
+    @builtins.property
+    def custom_headers(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
+
+        :default: {}
+        '''
+        result = self._values.get("custom_headers")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
+    @builtins.property
+    def origin_access_control_id(self) -> typing.Optional[builtins.str]:
+        '''The unique identifier of an origin access control for this origin.
+
+        :default: - no origin access control
+        '''
+        result = self._values.get("origin_access_control_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_id(self) -> typing.Optional[builtins.str]:
+        '''A unique identifier for the origin.
+
+        This value must be unique within the distribution.
+
+        :default: - an originid will be generated for you
+        '''
+        result = self._values.get("origin_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_shield_enabled(self) -> typing.Optional[builtins.bool]:
+        '''Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
+
+        :default: - true
+        '''
+        result = self._values.get("origin_shield_enabled")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def origin_shield_region(self) -> typing.Optional[builtins.str]:
+        '''When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
+
+        :default: - origin shield not enabled
+
+        :see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
+        '''
+        result = self._values.get("origin_shield_region")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_path(self) -> typing.Optional[builtins.str]:
+        '''An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
+
+        Must begin, but not end, with '/' (e.g., '/production/images').
+
+        :default: '/'
+        '''
+        result = self._values.get("origin_path")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def domain_name(self) -> typing.Optional[builtins.str]:
+        '''The domain name associated with your VPC origin.
+
+        :default: - The default domain name of the endpoint.
+        '''
+        result = self._values.get("domain_name")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def keepalive_timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''Specifies how long, in seconds, CloudFront persists its connection to the origin.
+
+        The valid range is from 1 to 180 seconds, inclusive.
+
+        Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
+        has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
+
+        :default: Duration.seconds(5)
+        '''
+        result = self._values.get("keepalive_timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
+    @builtins.property
+    def read_timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout.
+
+        The valid range is from 1 to 180 seconds, inclusive.
+
+        Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
+        has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
+
+        :default: Duration.seconds(30)
+        '''
+        result = self._values.get("read_timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
+    @builtins.property
+    def http_port(self) -> typing.Optional[jsii.Number]:
+        '''The HTTP port for the CloudFront VPC origin endpoint configuration.
+
+        :default: 80
+        '''
+        result = self._values.get("http_port")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def https_port(self) -> typing.Optional[jsii.Number]:
+        '''The HTTPS port of the CloudFront VPC origin endpoint configuration.
+
+        :default: 443
+        '''
+        result = self._values.get("https_port")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def origin_ssl_protocols(
+        self,
+    ) -> typing.Optional[typing.List[_OriginSslPolicy_d65cede2]]:
+        '''A list that contains allowed SSL/TLS protocols for this distribution.
+
+        :default: - TLSv1.2
+        '''
+        result = self._values.get("origin_ssl_protocols")
+        return typing.cast(typing.Optional[typing.List[_OriginSslPolicy_d65cede2]], result)
+
+    @builtins.property
+    def protocol_policy(self) -> typing.Optional[_OriginProtocolPolicy_967ed73c]:
+        '''The origin protocol policy for the CloudFront VPC origin endpoint configuration.
+
+        :default: OriginProtocolPolicy.MATCH_VIEWER
+        '''
+        result = self._values.get("protocol_policy")
+        return typing.cast(typing.Optional[_OriginProtocolPolicy_967ed73c], result)
+
+    @builtins.property
+    def vpc_origin_name(self) -> typing.Optional[builtins.str]:
+        '''The name of the CloudFront VPC origin endpoint configuration.
+
+        :default: - generated from the ``id``
+        '''
+        result = self._values.get("vpc_origin_name")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "VpcOriginWithEndpointProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+__all__ = [
+    "FunctionUrlOrigin",
+    "FunctionUrlOriginBaseProps",
+    "FunctionUrlOriginProps",
+    "FunctionUrlOriginWithOACProps",
+    "HttpOrigin",
+    "HttpOriginProps",
+    "LoadBalancerV2Origin",
+    "LoadBalancerV2OriginProps",
+    "OriginGroup",
+    "OriginGroupProps",
+    "RestApiOrigin",
+    "RestApiOriginProps",
+    "S3BucketOrigin",
+    "S3BucketOriginBaseProps",
+    "S3BucketOriginWithOACProps",
+    "S3BucketOriginWithOAIProps",
+    "S3Origin",
+    "S3OriginProps",
+    "S3StaticWebsiteOrigin",
+    "S3StaticWebsiteOriginProps",
+    "VpcOrigin",
+    "VpcOriginProps",
+    "VpcOriginWithEndpointProps",
+]
+
+publication.publish()
+
+def _typecheckingstub__fcda903697b26acfe2149a285d5a64619682b675affb52f4ae2d1aca46c8f1c3(
+    lambda_function_url: _IFunctionUrl_1a74cd94,
+    *,
+    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__b4d59b7721f41be7903dbcffeddd34d596392d2c8d2a4110f31a4dacdb532727(
+    lambda_function_url: _IFunctionUrl_1a74cd94,
+    *,
+    origin_access_control: typing.Optional[_IOriginAccessControl_82a6fe5a] = None,
+    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__610b4764a440619f38a9adeb3e13225e58180ee2ee316abd994579fdcdb84c12(
+    *,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__56d340a9ac5dd93c6aa22cb98bcbc860fb23f8d247b53c2cd1a51ecd8406909a(
+    *,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__56968af993436ccfcac0aa6a57169f1a033078c10740d435d086816ad0336a75(
+    *,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    origin_access_control: typing.Optional[_IOriginAccessControl_82a6fe5a] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__57d13f69f251622e0723aa73c3eb93e482e0deb7a7b1e8439c7d7ad35cfc0cc5(
+    domain_name: builtins.str,
     *,
     http_port: typing.Optional[jsii.Number] = None,
     https_port: typing.Optional[jsii.Number] = None,
@@ -4700,3 +5744,153 @@ def _typecheckingstub__5bc18cdba7c0e6d7d0a68d2a1cf3c3f91f50a7e3e7384f5f62ebee600
 ) -> None:
     """Type checking stubs"""
     pass
+
+def _typecheckingstub__27d66442a972110883cdde622df199c2db6a7264e19031f1118d7aa01681cef6(
+    domain_name_: builtins.str,
+    *,
+    domain_name: typing.Optional[builtins.str] = None,
+    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__8615ead9bb90a8fd2c91dc07371d03b8f4b4192a1500a449646bd8a7be95fa6c(
+    alb: _IApplicationLoadBalancer_4cbd50ab,
+    *,
+    domain_name: typing.Optional[builtins.str] = None,
+    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    http_port: typing.Optional[jsii.Number] = None,
+    https_port: typing.Optional[jsii.Number] = None,
+    origin_ssl_protocols: typing.Optional[typing.Sequence[_OriginSslPolicy_d65cede2]] = None,
+    protocol_policy: typing.Optional[_OriginProtocolPolicy_967ed73c] = None,
+    vpc_origin_name: typing.Optional[builtins.str] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__1fc3f8db0baa99548845b1733d31d8271fbe2c934c89a6c44958edcb38b35a13(
+    instance: _IInstance_ab239e7c,
+    *,
+    domain_name: typing.Optional[builtins.str] = None,
+    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    http_port: typing.Optional[jsii.Number] = None,
+    https_port: typing.Optional[jsii.Number] = None,
+    origin_ssl_protocols: typing.Optional[typing.Sequence[_OriginSslPolicy_d65cede2]] = None,
+    protocol_policy: typing.Optional[_OriginProtocolPolicy_967ed73c] = None,
+    vpc_origin_name: typing.Optional[builtins.str] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__83c5561f2747600ee99b6ee41190dcba45f2a24cc1c9500759e9c382320b83d6(
+    nlb: _INetworkLoadBalancer_96e17101,
+    *,
+    domain_name: typing.Optional[builtins.str] = None,
+    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    http_port: typing.Optional[jsii.Number] = None,
+    https_port: typing.Optional[jsii.Number] = None,
+    origin_ssl_protocols: typing.Optional[typing.Sequence[_OriginSslPolicy_d65cede2]] = None,
+    protocol_policy: typing.Optional[_OriginProtocolPolicy_967ed73c] = None,
+    vpc_origin_name: typing.Optional[builtins.str] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__b7ed2e0f746eab77b2774c1adb0f114f10e786a05b531cd1218f93ad3770e5af(
+    origin: _IVpcOrigin_6f584d50,
+    *,
+    domain_name: typing.Optional[builtins.str] = None,
+    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__1d0218fc5ea8fbca94cbaeda39ab353fe5c35e197d6d8d60852fb576332785ce(
+    value: typing.Optional[_IVpcOrigin_6f584d50],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__6605ea586b09bdf0ddb88a83b7c4e00626fe891625563cb019777b1480340f14(
+    *,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    domain_name: typing.Optional[builtins.str] = None,
+    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__e581b80df977101d74a87a861c6ddf752f3dc8bcbd114f5e12bc33daa6879040(
+    *,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    domain_name: typing.Optional[builtins.str] = None,
+    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    http_port: typing.Optional[jsii.Number] = None,
+    https_port: typing.Optional[jsii.Number] = None,
+    origin_ssl_protocols: typing.Optional[typing.Sequence[_OriginSslPolicy_d65cede2]] = None,
+    protocol_policy: typing.Optional[_OriginProtocolPolicy_967ed73c] = None,
+    vpc_origin_name: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass