diff --git a/.env.template b/.env.template
index 6bd724b..64b469d 100644
--- a/.env.template
+++ b/.env.template
@@ -62,4 +62,9 @@ LANGFUSE_SECRET_KEY=""
 LANGFUSE_HOST="" # Optional, defaults to https://cloud.langfuse.com
 FAKE_LLM_LOAD_TESTING_ENDPOINT_CERTIFICATE_ARN=""
 FAKE_LLM_LOAD_TESTING_ENDPOINT_HOSTED_ZONE_NAME=""
-FAKE_LLM_LOAD_TESTING_ENDPOINT_RECORD_NAME=""
\ No newline at end of file
+FAKE_LLM_LOAD_TESTING_ENDPOINT_RECORD_NAME=""
+
+# CloudFront and Route53 Configuration
+USE_ROUTE53="false"
+USE_CLOUDFRONT="true"
+CLOUDFRONT_PRICE_CLASS="PriceClass_100"
diff --git a/README.md b/README.md
index 2d9c39a..4988613 100644
--- a/README.md
+++ b/README.md
@@ -7,6 +7,7 @@ Project ACTIVE as of Feb 15, 2025
 - [Project Overview](#project-overview)
 - [Architecture](#architecture)
 - [AWS Services in this Guidance](#aws-services-in-this-Guidance)
+- [Distribution Options](#distribution-options)
 - [Cost](#cost)
    - [Cost Considerations](#cost-considerations)
    - [Cost Components](#cost-components)
@@ -27,7 +28,7 @@ If you are unfamiliar with LiteLLM, it provides a consistent interface to access
 
 ## Architecture
 
-![Reference Architecture Diagram ECS EKS](./media/Reference_architecture_ECS_EKS_platform_combined.jpg)
+![Reference Architecture Diagram ECS EKS](./media/architecture.png)
 
 ### Architecture steps
 
@@ -38,7 +39,154 @@ If you are unfamiliar with LiteLLM, it provides a consistent interface to access
 5. External model providers providers (OpenAI, Anthropic, Vertex AI etc.) are configured using LiteLLM Admin UI to enable additional LLM model access via unified application interface. Pre-existing configurations of third-party providers are integrated into the Gateway using LiteLLM APIs.
 6. LiteLLM integrates with [Amazon ElastiCache (Redis OSS)](https://aws.amazon.com/elasticache/), [Amazon Relational Database Service (RDS)](https://aws.amazon.com/rds/), and [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) services. Amazon ElastiCache enables multi-tenant distribution of application settings and prompt caching. Amazon RDS enables persistence of virtual API keys and other configuration settings provided by LiteLLM. AWS Secrets Manager stores external model provider credentials and other sensitive settings securely.
 7. LiteLLM and the API/middleware store application logs in the dedicated [Amazon S3](https://aws.amazon.com/s3) storage bucket for troubleshooting and access analysis.
-   
+
+## Distribution Options
+
+Starting with version 1.1.0, this solution supports flexible deployment scenarios to meet various security and accessibility requirements. You can customize how your LiteLLM gateway is accessed based on your specific needs.
+
+### Deployment Scenarios
+
+#### Scenario 1: Default - Public with CloudFront (Recommended)
+```bash
+USE_CLOUDFRONT="true"
+USE_ROUTE53="false"
+PUBLIC_LOAD_BALANCER="true"
+```
+
+**Why choose this scenario:**
+- Global performance with low-latency access via CloudFront's edge locations
+- Enhanced security with AWS Shield Standard DDoS protection
+- Simplified HTTPS management with CloudFront's default certificate
+- Best option for public-facing AI services with global user base
+
+**Security:**
+- CloudFront IP filtering restricts ALB access to only CloudFront traffic
+- WAF can be applied at the CloudFront level (requires global WAF)
+- Simpler certificate management using CloudFront's default certificate
+
+**Access URL:** `https://d1234abcdef.cloudfront.net`
+
+#### Scenario 2: Custom Domain with CloudFront
+```bash
+USE_CLOUDFRONT="true"
+USE_ROUTE53="true"
+PUBLIC_LOAD_BALANCER="true"
+HOSTED_ZONE_NAME="example.com"
+RECORD_NAME="genai"
+CERTIFICATE_ARN="arn:aws:acm:region:account:certificate/certificate-id"
+```
+
+**Why choose this scenario:**
+- Brand consistency with your custom domain
+- Professional appearance and SEO benefits
+- Same global performance and security as Scenario 1
+
+**Additional requirements:**
+- Route53 hosted zone for your domain
+- ACM certificate for your domain (must be in us-east-1 for CloudFront)
+
+**Access URL:** `https://genai.example.com`
+
+#### Scenario 3: Direct ALB Access (No CloudFront)
+```bash
+USE_CLOUDFRONT="false"
+USE_ROUTE53="true"
+PUBLIC_LOAD_BALANCER="true"
+HOSTED_ZONE_NAME="example.com"
+RECORD_NAME="genai"
+CERTIFICATE_ARN="arn:aws:acm:region:account:certificate/certificate-id"
+```
+
+**Why choose this scenario:**
+- Lower latency for single-region deployments
+- Simplified architecture without CloudFront 
+- Regional WAF can be directly applied to the ALB
+- Cost savings by eliminating CloudFront distribution
+
+**Security considerations:**
+- No CloudFront layer means direct internet exposure of ALB
+- WAF protection becomes particularly important
+- ALB security group allows traffic from all IPs (0.0.0.0/0)
+
+**Access URL:** `https://genai.example.com` (points directly to ALB)
+
+#### Scenario 4: Private VPC Only
+```bash
+USE_CLOUDFRONT="false"
+USE_ROUTE53="true"
+PUBLIC_LOAD_BALANCER="false"
+HOSTED_ZONE_NAME="example.internal"  # Often a private .internal domain
+RECORD_NAME="genai"
+CERTIFICATE_ARN="arn:aws:acm:region:account:certificate/certificate-id"
+```
+
+**Why choose this scenario:**
+- Maximum security for internal enterprise applications
+- Complete isolation from public internet
+- Suitable for processing sensitive or proprietary data
+
+**Access methods:**
+- VPN connection to the VPC
+- AWS Direct Connect
+- VPC peering with corporate network
+- Transit Gateway
+
+**Security considerations:**
+- No public internet access possible
+- ALB security group only allows traffic from private subnet CIDRs
+- Requires network connectivity to the VPC for access
+
+**Access URL:** `https://genai.example.internal` (resolves only within VPC or connected networks)
+
+### Configuration Quick Reference
+
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| `USE_CLOUDFRONT` | `true` | Enables CloudFront distribution for global delivery |
+| `USE_ROUTE53` | `false` | Enables Route53 for custom domain support |
+| `PUBLIC_LOAD_BALANCER` | `true` | Deploys ALB in public subnets |
+| `CLOUDFRONT_PRICE_CLASS` | `PriceClass_100` | CloudFront price class (100/200/All) |
+| `HOSTED_ZONE_NAME` | `""` | Route53 hosted zone name for custom domain |
+| `RECORD_NAME` | `""` | Record to create in Route53 (subdomain) |
+| `CERTIFICATE_ARN` | `""` | ARN of ACM certificate for custom domain |
+
+### Security Considerations
+
+Each deployment scenario offers different security characteristics:
+
+1. **CloudFront with public ALB (Default)**: 
+   - ALB is in public subnets but protected by custom header authentication
+   - Only traffic with the proper CloudFront secret header is allowed (except health check paths)
+   - CloudFront provides an additional security layer with AWS Shield Standard DDoS protection
+   - Best balance of accessibility and security for public services
+
+2. **Direct ALB access (No CloudFront)**:
+   - ALB directly accessible from internet
+   - WAF protection is crucial for this deployment
+   - Consider IP-based restrictions if possible
+
+3. **Private VPC deployment**:
+   - Highest security, no direct internet exposure
+   - Requires VPN or Direct Connect for access
+   - Consider for sensitive workloads or internal services
+
+All scenarios maintain security best practices including:
+- HTTPS for all communications with TLS 1.2+ 
+- Security groups with principle of least privilege
+- WAF protection against common attacks
+- IAM roles with appropriate permissions
+
+### CloudFront Authentication
+
+When using CloudFront, a custom security mechanism is implemented:
+
+1. CloudFront adds a secret header (`X-CloudFront-Secret`) to all requests sent to the ALB
+2. The ALB has listener rules that verify this header before allowing access
+3. Health check paths are specifically exempted to allow CloudFront origin health checks
+4. The secret is stable across deployments (won't change unless explicitly changed)
+
+This provides a robust defense against direct ALB access even if someone discovers your ALB's domain name. The secret is only displayed once after creation in the Terraform outputs and is marked as sensitive.
+
 ### AWS Services in this Guidance
 
 | **AWS Service**                                                                                         | **Role**           | **Description**                                                                                             |
@@ -51,10 +199,11 @@ If you are unfamiliar with LiteLLM, it provides a consistent interface to access
 | [Amazon Web Applications Firewall](https://aws.amazon.com/waf/) (WAF)                | Core Service       | Protect guidance applications from common exploits                                                          |
 | [Amazon Elastic Container Registry](http://aws.amazon.com/ecr/) (ECR)                | Supporting service | Stores and manages Docker container images for EKS deployments.                                             |
 | [Elastic Load Balancer](https://aws.amazon.com/elasticloadbalancing/) (ALB)          | Supporting service | Distributes incoming traffic across multiple targets in the EKS cluster.                                    |
+| [Amazon CloudFront](https://aws.amazon.com/cloudfront/)                              | Supporting service | Global content delivery network for improved performance and security.                                      |
 | [Amazon Simple Storage Service ](https://aws.amazon.com/s3) (S3)                     | Supporting service | Provides persistent object storage for Applications logs and other related data.                            |
 | [Amazon Relational Database Service ](https://aws.amazon.com/rds/) (RDS)             | Supporting service | Enables persistence of virtual API keys and other configuration settings provided by LiteLLM.               |
 | [Amazon ElastiCache Service (Redis OSS) ](https://aws.amazon.com/elasticache/) (OSS) | Supporting service | Enables multi-tenant distribution of application settings and prompt caching.                               |
-| [AWS Route 53](https://aws.amazon.com/route53/)                                      | Supporting Service | Routes users to the guidance application via DNS records                                                    |
+| [AWS Route 53](https://aws.amazon.com/route53/)                                      | Supporting Service | Optional DNS service for custom domain management                                                           |
 | [AWS Identity and Access Management](https://aws.amazon.com/iam/) (IAM)              | Supporting service | Manages access to AWS services and resources securely, including ECS or EKS cluster access.                 |
 | [AWS Certificate Manager](https://aws.amazon.com/certificate-manager/) (ACM)         | Security service   | Manages SSL/TLS certificates for secure communication within the cluster.                                   |
 | [Amazon CloudWatch](https://aws.amazon.com/cloudwatch/)                              | Monitoring service | Collects and tracks metrics, logs, and events from ECS, EKS and other AWS resources provisoned in the guidance   |
@@ -118,8 +267,8 @@ While this implementation guide provides default configurations, customers are r
 
 Customers should regularly review their AWS service usage patterns, adjust configurations as needed, and leverage AWS cost management tools to optimize their spending.
 
-We recommend creating a [budget](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-create.html) 
-through [AWS Cost Explorer](http://aws.amazon.com/aws-cost-management/aws-cost-explorer/) to
+We recommend creating a [budget](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-create.html) 
+through [AWS Cost Explorer](http://aws.amazon.com/aws-cost-management/aws-cost-explorer/) to
 help manage costs. Prices are subject to change and also depend on model provider usage patterns/volume of data. For full details, please refer to the pricing webpage for each AWS service used in this guidance.
 
 ### Sample Cost tables
@@ -268,6 +417,4 @@ For detailed information about the open source libraries used in this applicatio
 
 ## Notices 
 
-Customers are responsible for making their own independent assessment of the information in this Guidance. This Guidance: (a) is for informational purposes only, (b) represents AWS current product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided “as is” without warranties, representations, or conditions of any kind, whether express or implied. AWS responsibilities and liabilities to its customers are controlled by AWS agreements, and this Guidance is not part of, nor does it modify, any agreement between AWS and its customers.
-
-
+Customers are responsible for making their own independent assessment of the information in this Guidance. This Guidance: (a) is for informational purposes only, (b) represents AWS current product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided "as is" without warranties, representations, or conditions of any kind, whether express or implied. AWS responsibilities and liabilities to its customers are controlled by AWS agreements, and this Guidance is not part of, nor does it modify, any agreement between AWS and its customers.
diff --git a/deploy.sh b/deploy.sh
index e01c14a..7ce930e 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -46,7 +46,6 @@ if [ ! -f ".env" ]; then
     cp .env.template .env
 fi
 
-
 SKIP_BUILD=false
 while [[ $# -gt 0 ]]; do
     case $1 in
@@ -66,10 +65,44 @@ APP_NAME=litellm
 MIDDLEWARE_APP_NAME=middleware
 LOG_BUCKET_STACK_NAME="log-bucket-stack"
 MAIN_STACK_NAME="litellm-stack"
-
+TRACKING_STACK_NAME="tracking-stack"
 # Load environment variables from .env file
 source .env
 
+# Auto-detect existing deployments and set defaults for backward compatibility
+if aws cloudformation describe-stacks --stack-name "${TRACKING_STACK_NAME}" &>/dev/null; then
+  echo "Detected existing deployment - ensuring backward compatibility"
+  # If variables aren't explicitly set in .env, use existing configuration
+  if [ -z "$USE_ROUTE53" ]; then
+    # For existing deployments where HOSTED_ZONE_NAME is set, maintain Route53 usage
+    if [ -n "$HOSTED_ZONE_NAME" ] && [ -n "$RECORD_NAME" ]; then
+      USE_ROUTE53="true"
+      echo "→ Setting USE_ROUTE53=true to maintain existing configuration"
+    else
+      USE_ROUTE53="false"
+    fi
+  fi
+else
+  echo "New deployment detected - using new defaults"
+  # For new deployments, set defaults if not explicitly defined
+  if [ -z "$USE_ROUTE53" ]; then
+    USE_ROUTE53="false"
+    echo "→ Setting USE_ROUTE53=false (default for new deployments)"
+  fi
+fi
+
+# Use CloudFront by default if not explicitly set
+if [ -z "$USE_CLOUDFRONT" ]; then
+  USE_CLOUDFRONT="true"
+  echo "→ Setting USE_CLOUDFRONT=true (default)"
+fi
+
+# Set CloudFront price class if not defined
+if [ -z "$CLOUDFRONT_PRICE_CLASS" ]; then
+  CLOUDFRONT_PRICE_CLASS="PriceClass_100"
+  echo "→ Setting CLOUDFRONT_PRICE_CLASS=${CLOUDFRONT_PRICE_CLASS} (default)"
+fi
+
 # Check if bucket exists
 if aws s3api head-bucket --bucket "$TERRAFORM_S3_BUCKET_NAME" 2>/dev/null; then
     echo "Terraform Bucket $TERRAFORM_S3_BUCKET_NAME already exists, skipping creation"
@@ -84,9 +117,21 @@ if [[ (-z "$LITELLM_VERSION") || ("$LITELLM_VERSION" == "placeholder") ]]; then
     exit 1
 fi
 
-if [ -z "$CERTIFICATE_ARN" ] || [ -z "$RECORD_NAME" ]; then
-    echo "Error: CERTIFICATE_ARN and RECORD_NAME must be set in .env file"
-    exit 1
+# Update validation logic
+if [ "$USE_ROUTE53" = "true" ]; then
+    if [ -z "$HOSTED_ZONE_NAME" ] || [ -z "$RECORD_NAME" ]; then
+        echo "Error: When USE_ROUTE53=true, both HOSTED_ZONE_NAME and RECORD_NAME must be set in .env file"
+        exit 1
+    fi
+    
+    if [ -z "$CERTIFICATE_ARN" ]; then
+        echo "Warning: No CERTIFICATE_ARN provided. Using CloudFront-to-ALB HTTP communication with header authentication."
+        echo "Note: Communication between users and CloudFront will still use HTTPS."
+    fi
+else
+    if [ -n "$HOSTED_ZONE_NAME" ] || [ -n "$RECORD_NAME" ]; then
+        echo "Warning: HOSTED_ZONE_NAME and/or RECORD_NAME are set but will not be used because USE_ROUTE53=false"
+    fi
 fi
 
 echo "Certificate Arn: " $CERTIFICATE_ARN
@@ -325,6 +370,14 @@ export TF_VAR_disable_swagger_page=$DISABLE_SWAGGER_PAGE
 export TF_VAR_disable_admin_ui=$DISABLE_ADMIN_UI
 export TF_VAR_langfuse_public_key=$LANGFUSE_PUBLIC_KEY
 export TF_VAR_langfuse_secret_key=$LANGFUSE_SECRET_KEY
+export TF_VAR_use_route53=$USE_ROUTE53
+export TF_VAR_use_cloudfront=$USE_CLOUDFRONT
+export TF_VAR_cloudfront_price_class=$CLOUDFRONT_PRICE_CLASS
+
+# Display CloudFront and Route53 configuration
+echo "USE_ROUTE53: $USE_ROUTE53"
+echo "USE_CLOUDFRONT: $USE_CLOUDFRONT"
+echo "CLOUDFRONT_PRICE_CLASS: $CLOUDFRONT_PRICE_CLASS"
 
 if [ -n "${LANGFUSE_HOST}" ]; then
     export TF_VAR_langfuse_host=$LANGFUSE_HOST
@@ -355,7 +408,6 @@ if [ $? -eq 0 ]; then
     echo "Deployment successful. Extracting outputs..."
     
     if [ "$DEPLOYMENT_PLATFORM" = "ECS" ]; then
-
         LITELLM_ECS_CLUSTER=$(terraform output -raw LitellmEcsCluster)
         LITELLM_ECS_TASK=$(terraform output -raw LitellmEcsTask)
         SERVICE_URL=$(terraform output -raw ServiceURL)
@@ -378,6 +430,30 @@ if [ $? -eq 0 ]; then
         aws eks update-kubeconfig --region $aws_region --name $EKS_CLUSTER_NAME
         kubectl rollout restart deployment $EKS_DEPLOYMENT_NAME
     fi
+    
+    # Validate CloudFront if enabled
+    if [ "$USE_CLOUDFRONT" = "true" ]; then
+        echo "Validating CloudFront deployment..."
+        CF_DIST_ID=$(terraform output -raw cloudfront_distribution_id 2>/dev/null || echo "")
+        if [ -n "$CF_DIST_ID" ]; then
+            echo "✓ CloudFront distribution created successfully: $CF_DIST_ID"
+            CF_DOMAIN=$(terraform output -raw cloudfront_domain_name 2>/dev/null || echo "")
+            echo "✓ CloudFront domain: $CF_DOMAIN"
+            echo "CloudFrontDomain=$CF_DOMAIN" >> resources.txt
+            echo "CloudFrontID=$CF_DIST_ID" >> resources.txt
+            
+            echo "Note: CloudFront distribution deployment may take 15-30 minutes to complete globally"
+        else
+            echo "⚠️ CloudFront distribution ID not found in outputs - this is expected if CloudFront module was not applied"
+        fi
+    fi
+
+    # Validate Route53 if used
+    if [ "$USE_ROUTE53" = "true" ]; then
+        echo "✓ Route53 configuration applied successfully"
+    fi
+    
+    echo "✓ Deployment completed successfully"
 else
     echo "Deployment failed"
-fi
\ No newline at end of file
+fi
diff --git a/litellm-terraform-stack/main.tf b/litellm-terraform-stack/main.tf
index 8229f36..1724d7d 100644
--- a/litellm-terraform-stack/main.tf
+++ b/litellm-terraform-stack/main.tf
@@ -6,7 +6,7 @@ resource "aws_cloudformation_stack" "guidance_deployment_metrics" {
     template_body = <<STACK
     {
         "AWSTemplateFormatVersion": "2010-09-09",
-        "Description": "Guidance for Running Generative AI Gateway Proxy on AWS. The Solution ID is SO9022 and the Solution Version is 1.0.0",
+        "Description": "Guidance for Running Generative AI Gateway Proxy on AWS. The Solution ID is SO9022 and the Solution Version is 1.1.0",
         "Resources": {
             "EmptyResource": {
                 "Type": "AWS::CloudFormation::WaitConditionHandle"
@@ -32,6 +32,7 @@ module "base" {
   rds_allocated_storage = var.rds_allocated_storage
   redis_node_type = var.redis_node_type
   redis_num_cache_clusters = var.redis_num_cache_clusters
+  use_route53 = var.use_route53
 }
 
 module "ecs_cluster" {
@@ -47,6 +48,9 @@ module "ecs_cluster" {
   ecr_middleware_repository_url = module.base.MiddlewareRepositoryUrl
   litellm_version = var.litellm_version
   config_bucket_name = module.base.ConfigBucketName
+  use_route53 = var.use_route53
+  use_cloudfront = var.use_cloudfront
+  cloudfront_price_class = var.cloudfront_price_class
   openai_api_key = var.openai_api_key
   azure_openai_api_key = var.azure_openai_api_key
   azure_api_key = var.azure_api_key
@@ -195,4 +199,4 @@ module "eks_cluster" {
   langfuse_host = var.langfuse_host
 
   depends_on = [ module.base ]
-}
\ No newline at end of file
+}
diff --git a/litellm-terraform-stack/modules/base/route53.tf b/litellm-terraform-stack/modules/base/route53.tf
index d92d6e2..4e3828c 100644
--- a/litellm-terraform-stack/modules/base/route53.tf
+++ b/litellm-terraform-stack/modules/base/route53.tf
@@ -1,17 +1,19 @@
-# If publicLoadBalancer = true, we fetch the existing public hosted zone
+locals {
+  # Only proceed with Route53 resources if use_route53 is true
+  use_route53 = var.use_route53 && var.hostedZoneName != ""
+  create_private_load_balancer = var.use_route53 && !var.publicLoadBalancer ? local.creating_new_vpc || var.create_private_hosted_zone_in_existing_vpc ? true : false : false
+  import_private_load_balancer = var.use_route53 && !var.publicLoadBalancer ? !local.create_private_load_balancer : false
+}
+
+# If publicLoadBalancer = true and use_route53 = true, we fetch the existing public hosted zone
 data "aws_route53_zone" "public_zone" {
-  count       = var.publicLoadBalancer ? 1 : 0
+  count       = local.use_route53 && var.publicLoadBalancer ? 1 : 0
   name        = var.hostedZoneName
   private_zone = false
 }
 
-locals {
-  create_private_load_balancer = var.publicLoadBalancer ? false : local.creating_new_vpc || var.create_private_hosted_zone_in_existing_vpc ? true : false
-  import_private_load_balancer = var.publicLoadBalancer ? false : local.creating_new_vpc || var.create_private_hosted_zone_in_existing_vpc ? false : true
-}
-
 resource "aws_route53_zone" "new_private_zone" {
-  //If public load balancer, never create private zone
+  //If use_route53 = false or public load balancer, never create private zone
   //If private load balancer, always create private zone if we are creating new vpc
   //If private load balancer, and user brings their own vpc, decide whether to create or import private hosted zone based on "var.create_private_hosted_zone_in_existing_vpc" variable
   count = local.create_private_load_balancer ? 1 : 0
@@ -22,7 +24,7 @@ resource "aws_route53_zone" "new_private_zone" {
 }
 
 data "aws_route53_zone" "existing_private_zone" {
-  //If public load balancer, never create private zone
+  //If use_route53 = false or public load balancer, never look up private zone
   //If private load balancer, always create private zone if we are creating new vpc
   //If private load balancer, and user brings their own vpc, decide whether to create or import private hosted zone based on "var.create_private_hosted_zone_in_existing_vpc" variable
   count = local.import_private_load_balancer ? 1 : 0
diff --git a/litellm-terraform-stack/modules/base/variables.tf b/litellm-terraform-stack/modules/base/variables.tf
index 18317f2..e267b46 100644
--- a/litellm-terraform-stack/modules/base/variables.tf
+++ b/litellm-terraform-stack/modules/base/variables.tf
@@ -1,26 +1,12 @@
-variable "vpc_id" {
-  type      = string
-  description = "If set, use this VPC instead of creating a new one. Leave empty to create a new VPC."
-}
-
-variable "deployment_platform" {
-  type    = string
-  description = "Either 'ECS' or 'EKS'."
-}
-
-variable "disable_outbound_network_access" {
-  type    = bool
-  description = "If true, NAT Gateways = 0 and private subnets will be fully isolated."
-}
-
-variable "create_vpc_endpoints_in_existing_vpc" {
-  type    = bool
-  description = "If using an existing VPC, set this to true to also create interface/gateway endpoints within it."
+variable "name" {
+  description = "Standard name to be used as prefix on all resources."
+  type        = string
 }
 
-variable "name" {
-  type    = string
-  description = "Used for tagging resources with stack-id."
+variable "vpc_id" {
+  description = "ID of an existing VPC to use. If not provided, a new VPC will be created."
+  type        = string
+  default     = ""
 }
 
 variable "ecrLitellmRepository" {
@@ -33,18 +19,39 @@ variable "ecrMiddlewareRepository" {
   description = "Name of the Middleware ECR repository"
 }
 
-variable "publicLoadBalancer" {
-  type        = bool
-  description = "If true, use existing public hosted zone; if false, create private hosted zone"
+variable "deployment_platform" {
+  description = "Which platform to deploy (ECS or EKS)"
+  type        = string
+  
+  validation {
+    condition     = can(regex("^(ECS|EKS)$", upper(var.deployment_platform)))
+    error_message = "DEPLOYMENT_PLATFORM must be either 'ECS' or 'EKS' (case insensitive)."
+  }
+}
+
+variable "disable_outbound_network_access" {
+    description = "Whether to disable outbound network access"
+    type = bool
+}
+
+variable "create_vpc_endpoints_in_existing_vpc" {
+  type    = bool
+  description = "If using an existing VPC, set this to true to also create interface/gateway endpoints within it."
 }
 
 variable "hostedZoneName" {
+  description = "Hosted zone name"
   type        = string
-  description = "Hosted Zone Name (e.g., 'example.com')"
+  default     = ""
+}
+
+variable "publicLoadBalancer" {
+  description = "Whether the load balancer is public or private"
+  type = bool
 }
 
 variable "create_private_hosted_zone_in_existing_vpc" {
-  description = "In the case public_load_balancer=false (meaning we need a private hosted zone), and an vpc_id is provided, decides whether we create a private hosted zone, or assume one already exists and import it"
+  description = "In the case publicLoadBalancer=false (meaning we need a private hosted zone), and an vpc_id is provided, decides whether we create a private hosted zone, or assume one already exists and import it"
   type        = bool
 }
 
@@ -66,4 +73,10 @@ variable "redis_node_type" {
 variable "redis_num_cache_clusters" {
   type        = number
   description = "The number of cache clusters for Redis"
-}
\ No newline at end of file
+}
+
+variable "use_route53" {
+  description = "Whether to use Route53 for DNS management. If false, no Route53 resources will be created."
+  type        = bool
+  default     = false
+}
diff --git a/litellm-terraform-stack/modules/cloudfront/main.tf b/litellm-terraform-stack/modules/cloudfront/main.tf
new file mode 100644
index 0000000..a4f5d67
--- /dev/null
+++ b/litellm-terraform-stack/modules/cloudfront/main.tf
@@ -0,0 +1,83 @@
+resource "aws_cloudfront_distribution" "this" {
+  enabled             = true
+  is_ipv6_enabled     = true
+  comment             = "${var.name}-distribution"
+  default_root_object = ""
+  price_class         = var.price_class
+  
+  origin {
+    domain_name = var.alb_domain_name
+    origin_id   = "ALB"
+    
+    custom_origin_config {
+      http_port              = 80
+      https_port             = 443
+      origin_protocol_policy = "https-only"
+      origin_ssl_protocols   = ["TLSv1.2"]
+    }
+  }
+  
+  # Default cache behavior for API requests
+  default_cache_behavior {
+    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cached_methods   = ["GET", "HEAD", "OPTIONS"]
+    target_origin_id = "ALB"
+    
+    forwarded_values {
+      query_string = true
+      headers      = ["Authorization", "Host", "Origin"]
+      
+      cookies {
+        forward = "all"
+      }
+    }
+    
+    viewer_protocol_policy = "redirect-to-https"
+    min_ttl                = 0
+    default_ttl            = 0
+    max_ttl                = 0
+    compress               = true
+  }
+  
+  # Use the provided certificate if custom domain is used
+  dynamic "viewer_certificate" {
+    for_each = var.certificate_arn != "" && var.custom_domain != "" ? [1] : []
+    content {
+      acm_certificate_arn = var.certificate_arn
+      ssl_support_method  = "sni-only"
+      minimum_protocol_version = "TLSv1.2_2021"
+    }
+  }
+  
+  # Use CloudFront default certificate if no custom domain
+  dynamic "viewer_certificate" {
+    for_each = var.certificate_arn == "" || var.custom_domain == "" ? [1] : []
+    content {
+      cloudfront_default_certificate = true
+    }
+  }
+  
+  # Add aliases only if custom domain is provided
+  aliases = var.custom_domain != "" ? [var.custom_domain] : []
+  
+  # Associate WAF Web ACL if provided - commented out due to regional WAF scope issue
+  # CloudFront requires global WAF WebACLs, but the current WAF is regional
+  # web_acl_id = var.wafv2_acl_arn
+  
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  # Set to true to enable logging (can be set up later)
+  # logging_config {
+  #   include_cookies = false
+  #   bucket          = "logs-bucket-domain"
+  #   prefix          = "cloudfront-logs/"
+  # }
+
+  tags = {
+    Name = "${var.name}-cloudfront-distribution"
+  }
+}
diff --git a/litellm-terraform-stack/modules/cloudfront/outputs.tf b/litellm-terraform-stack/modules/cloudfront/outputs.tf
new file mode 100644
index 0000000..f90dce2
--- /dev/null
+++ b/litellm-terraform-stack/modules/cloudfront/outputs.tf
@@ -0,0 +1,19 @@
+output "distribution_id" {
+  description = "The ID of the CloudFront distribution"
+  value       = aws_cloudfront_distribution.this.id
+}
+
+output "domain_name" {
+  description = "The domain name of the CloudFront distribution"
+  value       = aws_cloudfront_distribution.this.domain_name
+}
+
+output "hosted_zone_id" {
+  description = "The CloudFront distribution hosted zone ID"
+  value       = aws_cloudfront_distribution.this.hosted_zone_id
+}
+
+output "distribution_arn" {
+  description = "The ARN of the CloudFront distribution"
+  value       = aws_cloudfront_distribution.this.arn
+}
diff --git a/litellm-terraform-stack/modules/cloudfront/variables.tf b/litellm-terraform-stack/modules/cloudfront/variables.tf
new file mode 100644
index 0000000..85a18d2
--- /dev/null
+++ b/litellm-terraform-stack/modules/cloudfront/variables.tf
@@ -0,0 +1,42 @@
+variable "name" {
+  description = "Standard name to be used as prefix on all resources."
+  type        = string
+}
+
+variable "alb_domain_name" {
+  description = "Domain name of the ALB"
+  type        = string
+}
+
+variable "alb_zone_id" {
+  description = "Zone ID of the ALB"
+  type        = string
+}
+
+variable "certificate_arn" {
+  description = "ARN of the ACM certificate"
+  type        = string
+  default     = ""
+}
+
+variable "custom_domain" {
+  description = "Custom domain for CloudFront distribution"
+  type        = string
+  default     = ""
+}
+
+variable "price_class" {
+  description = "Price class for CloudFront distribution"
+  type        = string
+  default     = "PriceClass_100"
+  validation {
+    condition     = contains(["PriceClass_100", "PriceClass_200", "PriceClass_All"], var.price_class)
+    error_message = "Price class must be one of PriceClass_100, PriceClass_200, or PriceClass_All."
+  }
+}
+
+variable "wafv2_acl_arn" {
+  description = "ARN of the WAFv2 ACL for CloudFront"
+  type        = string
+  default     = ""
+}
diff --git a/litellm-terraform-stack/modules/ecs/alb.tf b/litellm-terraform-stack/modules/ecs/alb.tf
index 4eeb171..0456194 100644
--- a/litellm-terraform-stack/modules/ecs/alb.tf
+++ b/litellm-terraform-stack/modules/ecs/alb.tf
@@ -18,13 +18,28 @@ resource "aws_lb" "this" {
    }
 }
 
+# HTTP Listener for CloudFront origin connection
+resource "aws_lb_listener" "http" {
+  load_balancer_arn = aws_lb.this.arn
+  port              = 80
+  protocol          = "HTTP"
+  
+  # Use tg_4000 as the default
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.tg_4000.arn
+  }
+}
+
 # HTTPS Listener
 resource "aws_lb_listener" "https" {
   load_balancer_arn = aws_lb.this.arn
   port              = 443
   protocol          = "HTTPS"
   ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
-  certificate_arn   = var.certificate_arn
+  
+  # Use ACM certificate if provided, otherwise use self-signed certificate
+  certificate_arn   = var.certificate_arn != "" ? var.certificate_arn : aws_acm_certificate.self_signed[0].arn
 
   # Instead of a fixed-response 404, use tg_4000 as the default.
   default_action {
@@ -33,6 +48,41 @@ resource "aws_lb_listener" "https" {
   }
 }
 
+# Create a self-signed certificate if no certificate ARN is provided
+resource "tls_private_key" "self_signed" {
+  count     = var.certificate_arn == "" ? 1 : 0
+  algorithm = "RSA"
+  rsa_bits  = 2048
+}
+
+resource "tls_self_signed_cert" "self_signed" {
+  count           = var.certificate_arn == "" ? 1 : 0
+  private_key_pem = tls_private_key.self_signed[0].private_key_pem
+
+  subject {
+    common_name  = "litellm-gateway.local"
+    organization = "LiteLLM Gateway"
+  }
+
+  validity_period_hours = 8760 # 1 year
+
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "server_auth",
+  ]
+}
+
+resource "aws_acm_certificate" "self_signed" {
+  count            = var.certificate_arn == "" ? 1 : 0
+  private_key      = tls_private_key.self_signed[0].private_key_pem
+  certificate_body = tls_self_signed_cert.self_signed[0].cert_pem
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
 # Target Group for port 4000 (LiteLLMContainer)
 resource "aws_lb_target_group" "tg_4000" {
   name        = "${var.name}-4000"
@@ -71,6 +121,77 @@ resource "aws_lb_target_group" "tg_3000" {
   }
 }
 
+# Health check exception rule - highest priority
+# Allows CloudFront to perform health checks without requiring the authentication header
+resource "aws_lb_listener_rule" "health_check_exception" {
+  count        = var.use_cloudfront ? 1 : 0
+  listener_arn = aws_lb_listener.https.arn
+  priority     = 4  # Highest priority we can safely use
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.tg_4000.arn
+  }
+
+  # Explicit health check paths - avoid wildcards for clarity
+  condition {
+    path_pattern {
+      values = [
+        "/",                         # Root path
+        "/health",                   # Base health endpoint
+        "/health/liveliness",        # Specific health endpoint
+        "/bedrock/health/liveliness" # Middleware health endpoint
+      ]
+    }
+  }
+}
+
+# CloudFront authentication rule - accepts traffic with the secret header
+# This provides an additional security layer to prevent direct ALB access
+resource "aws_lb_listener_rule" "cloudfront_auth" {
+  count        = var.use_cloudfront ? 1 : 0
+  listener_arn = aws_lb_listener.https.arn
+  priority     = 5  # Second priority, after health checks
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.tg_4000.arn
+  }
+
+  # Check for the CloudFront secret header
+  condition {
+    http_header {
+      http_header_name = "X-CloudFront-Secret"
+      values           = ["litellm-cf-${random_password.cloudfront_secret[0].result}"]
+    }
+  }
+}
+
+# Reject requests without CloudFront header when CloudFront is enabled
+# This is the last line of defense for non-health-check paths
+resource "aws_lb_listener_rule" "reject_direct_access" {
+  count        = var.use_cloudfront ? 1 : 0
+  listener_arn = aws_lb_listener.https.arn
+  priority     = 6  # Third priority
+
+  action {
+    type = "fixed-response"
+    fixed_response {
+      content_type = "application/json"
+      message_body = "{\"error\": \"Access denied. Direct access to this endpoint is not allowed.\"}"
+      status_code  = "403"
+    }
+  }
+
+  # Match all paths - since higher priority rules will handle exceptions
+  condition {
+    path_pattern {
+      values = ["/*"]
+    }
+  }
+}
+
+# Default catch-all rule for forwarding traffic when CloudFront is not enabled
 resource "aws_lb_listener_rule" "catch_all" {
   listener_arn = aws_lb_listener.https.arn
   priority     = 99
@@ -296,6 +417,392 @@ resource "aws_lb_listener_rule" "user_new" {
   }
 }
 
+# HTTP Listener Rules for CloudFront to ALB communication
+# ---------------------------------------------------------------------------
+
+# Health check exception rule for HTTP - highest priority
+resource "aws_lb_listener_rule" "health_check_exception_http" {
+  count        = var.use_cloudfront ? 1 : 0
+  listener_arn = aws_lb_listener.http.arn
+  priority     = 4  # Highest priority we can safely use
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.tg_4000.arn
+  }
+
+  # Explicit health check paths - avoid wildcards for clarity
+  condition {
+    path_pattern {
+      values = [
+        "/",                         # Root path
+        "/health",                   # Base health endpoint
+        "/health/liveliness",        # Specific health endpoint
+        "/bedrock/health/liveliness" # Middleware health endpoint
+      ]
+    }
+  }
+}
+
+# CloudFront authentication rule for HTTP
+resource "aws_lb_listener_rule" "cloudfront_auth_http" {
+  count        = var.use_cloudfront ? 1 : 0
+  listener_arn = aws_lb_listener.http.arn
+  priority     = 5  # Second priority, after health checks
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.tg_4000.arn
+  }
+
+  # Check for the CloudFront secret header
+  condition {
+    http_header {
+      http_header_name = "X-CloudFront-Secret"
+      values           = ["litellm-cf-${random_password.cloudfront_secret[0].result}"]
+    }
+  }
+}
+
+# Duplicate all path-specific rules for the HTTP listener with header authentication
+
+# bedrock model for HTTP
+resource "aws_lb_listener_rule" "bedrock_models_http" {
+  count        = var.use_cloudfront ? 1 : 0
+  listener_arn = aws_lb_listener.http.arn
+  priority     = 16
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.tg_3000.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/bedrock/model/*"]
+    }
+  }
+
+  condition {
+    http_request_method {
+      values = ["POST", "GET", "PUT"]
+    }
+  }
+
+  # Add CloudFront Secret header validation
+  condition {
+    http_header {
+      http_header_name = "X-CloudFront-Secret"
+      values           = ["litellm-cf-${random_password.cloudfront_secret[0].result}"]
+    }
+  }
+}
+
+# OpenAICompletions for HTTP
+resource "aws_lb_listener_rule" "openai_completions_http" {
+  count        = var.use_cloudfront ? 1 : 0
+  listener_arn = aws_lb_listener.http.arn
+  priority     = 15
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.tg_3000.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/v1/chat/completions"]
+    }
+  }
+
+  condition {
+    http_request_method {
+      values = ["POST", "GET", "PUT"]
+    }
+  }
+
+  # Add CloudFront Secret header validation
+  condition {
+    http_header {
+      http_header_name = "X-CloudFront-Secret"
+      values           = ["litellm-cf-${random_password.cloudfront_secret[0].result}"]
+    }
+  }
+}
+
+# ChatCompletions for HTTP
+resource "aws_lb_listener_rule" "chat_completions_http" {
+  count        = var.use_cloudfront ? 1 : 0
+  listener_arn = aws_lb_listener.http.arn
+  priority     = 14
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.tg_3000.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/chat/completions"]
+    }
+  }
+
+  condition {
+    http_request_method {
+      values = ["POST", "GET", "PUT"]
+    }
+  }
+
+  # Add CloudFront Secret header validation
+  condition {
+    http_header {
+      http_header_name = "X-CloudFront-Secret"
+      values           = ["litellm-cf-${random_password.cloudfront_secret[0].result}"]
+    }
+  }
+}
+
+# ChatHistory for HTTP
+resource "aws_lb_listener_rule" "chat_history_http" {
+  count        = var.use_cloudfront ? 1 : 0
+  listener_arn = aws_lb_listener.http.arn
+  priority     = 8
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.tg_3000.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/chat-history"]
+    }
+  }
+
+  condition {
+    http_request_method {
+      values = ["POST", "GET", "PUT"]
+    }
+  }
+
+  # Add CloudFront Secret header validation
+  condition {
+    http_header {
+      http_header_name = "X-CloudFront-Secret"
+      values           = ["litellm-cf-${random_password.cloudfront_secret[0].result}"]
+    }
+  }
+}
+
+# BedrockChatHistory for HTTP
+resource "aws_lb_listener_rule" "bedrock_chat_history_http" {
+  count        = var.use_cloudfront ? 1 : 0
+  listener_arn = aws_lb_listener.http.arn
+  priority     = 9
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.tg_3000.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/bedrock/chat-history"]
+    }
+  }
+
+  condition {
+    http_request_method {
+      values = ["POST", "GET", "PUT"]
+    }
+  }
+
+  # Add CloudFront Secret header validation
+  condition {
+    http_header {
+      http_header_name = "X-CloudFront-Secret"
+      values           = ["litellm-cf-${random_password.cloudfront_secret[0].result}"]
+    }
+  }
+}
+
+# BedrockLiveliness for HTTP
+resource "aws_lb_listener_rule" "bedrock_liveliness_http" {
+  count        = var.use_cloudfront ? 1 : 0
+  listener_arn = aws_lb_listener.http.arn
+  priority     = 10
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.tg_3000.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/bedrock/health/liveliness"]
+    }
+  }
+
+  condition {
+    http_request_method {
+      values = ["POST", "GET", "PUT"]
+    }
+  }
+
+  # Add CloudFront Secret header validation
+  condition {
+    http_header {
+      http_header_name = "X-CloudFront-Secret"
+      values           = ["litellm-cf-${random_password.cloudfront_secret[0].result}"]
+    }
+  }
+}
+
+# SessionIds for HTTP
+resource "aws_lb_listener_rule" "session_ids_http" {
+  count        = var.use_cloudfront ? 1 : 0
+  listener_arn = aws_lb_listener.http.arn
+  priority     = 11
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.tg_3000.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/session-ids"]
+    }
+  }
+
+  condition {
+    http_request_method {
+      values = ["POST", "GET", "PUT"]
+    }
+  }
+
+  # Add CloudFront Secret header validation
+  condition {
+    http_header {
+      http_header_name = "X-CloudFront-Secret"
+      values           = ["litellm-cf-${random_password.cloudfront_secret[0].result}"]
+    }
+  }
+}
+
+# KeyGenerate for HTTP
+resource "aws_lb_listener_rule" "key_generate_http" {
+  count        = var.use_cloudfront ? 1 : 0
+  listener_arn = aws_lb_listener.http.arn
+  priority     = 12
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.tg_3000.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/key/generate"]
+    }
+  }
+
+  condition {
+    http_request_method {
+      values = ["POST", "GET", "PUT"]
+    }
+  }
+
+  # Add CloudFront Secret header validation
+  condition {
+    http_header {
+      http_header_name = "X-CloudFront-Secret"
+      values           = ["litellm-cf-${random_password.cloudfront_secret[0].result}"]
+    }
+  }
+}
+
+# UserNew for HTTP
+resource "aws_lb_listener_rule" "user_new_http" {
+  count        = var.use_cloudfront ? 1 : 0
+  listener_arn = aws_lb_listener.http.arn
+  priority     = 13
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.tg_3000.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/user/new"]
+    }
+  }
+
+  condition {
+    http_request_method {
+      values = ["POST", "GET", "PUT"]
+    }
+  }
+
+  # Add CloudFront Secret header validation
+  condition {
+    http_header {
+      http_header_name = "X-CloudFront-Secret"
+      values           = ["litellm-cf-${random_password.cloudfront_secret[0].result}"]
+    }
+  }
+}
+
+# DEFAULT CATCH-ALL with CloudFront header for HTTP
+resource "aws_lb_listener_rule" "catch_all_http" {
+  count        = var.use_cloudfront ? 1 : 0
+  listener_arn = aws_lb_listener.http.arn
+  priority     = 98
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.tg_4000.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/*"]
+    }
+  }
+  
+  # Add CloudFront Secret header validation
+  condition {
+    http_header {
+      http_header_name = "X-CloudFront-Secret"
+      values           = ["litellm-cf-${random_password.cloudfront_secret[0].result}"]
+    }
+  }
+}
+
+# Reject requests without CloudFront header - LAST PRIORITY
+resource "aws_lb_listener_rule" "reject_direct_access_http" {
+  count        = var.use_cloudfront ? 1 : 0
+  listener_arn = aws_lb_listener.http.arn
+  priority     = 99  # Make sure this is the last priority
+
+  action {
+    type = "fixed-response"
+    fixed_response {
+      content_type = "application/json"
+      message_body = "{\"error\": \"Access denied. Direct access to this endpoint is not allowed.\"}"
+      status_code  = "403"
+    }
+  }
+
+  # Match all paths - since higher priority rules will handle exceptions
+  condition {
+    path_pattern {
+      values = ["/*"]
+    }
+  }
+}
+
 ###############################################################################
 # (11) Application Auto Scaling (CPU & Memory)
 ###############################################################################
diff --git a/litellm-terraform-stack/modules/ecs/cloudfront.tf b/litellm-terraform-stack/modules/ecs/cloudfront.tf
new file mode 100644
index 0000000..dc6d35b
--- /dev/null
+++ b/litellm-terraform-stack/modules/ecs/cloudfront.tf
@@ -0,0 +1,123 @@
+# Generate a random secret for CloudFront-to-ALB authentication
+# This secret is used for secure origin authentication between CloudFront and ALB
+resource "random_password" "cloudfront_secret" {
+  count   = var.use_cloudfront ? 1 : 0
+  length  = 32
+  special = false
+  
+  # Add keepers to prevent regeneration unless explicitly changed
+  keepers = {
+    name = var.name  # Only regenerate if the name changes
+  }
+  
+  # Prevent updates to the secret's properties during regular deployments
+  lifecycle {
+    ignore_changes = [length, special, min_lower, min_upper, min_numeric]
+  }
+}
+
+# CloudFront Distribution
+resource "aws_cloudfront_distribution" "this" {
+  count               = var.use_cloudfront ? 1 : 0
+  enabled             = true
+  is_ipv6_enabled     = true
+  comment             = "${var.name}-distribution"
+  default_root_object = ""
+  price_class         = var.cloudfront_price_class
+  
+  origin {
+    domain_name = aws_lb.this.dns_name
+    origin_id   = "ALB"
+    
+    # Add a custom origin header for security
+    # This replaces the IP-based security group approach
+    # ALB should be configured to only accept requests with this header
+    custom_header {
+      name  = "X-CloudFront-Secret"
+      value = "litellm-cf-${random_password.cloudfront_secret[0].result}"
+    }
+    
+    # Security note on CloudFront-ALB communication:
+    # 
+    # By setting origin_protocol_policy = "http-only", communication between CloudFront and ALB 
+    # is unencrypted. However, security is maintained through:
+    #
+    # 1. Custom header authentication (X-CloudFront-Secret) that prevents direct access to the ALB
+    # 2. Communication between end users and CloudFront remains encrypted with HTTPS
+    # 3. The ALB is configured to reject requests without the secret header
+    #
+    # This approach eliminates certificate validation issues while maintaining a strong security posture.
+    custom_origin_config {
+      http_port              = 80
+      https_port             = 443
+      origin_protocol_policy = "http-only"
+      origin_ssl_protocols   = ["TLSv1.2"]
+    }
+  }
+  
+  # Default cache behavior for API requests
+  default_cache_behavior {
+    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cached_methods   = ["GET", "HEAD", "OPTIONS"]
+    target_origin_id = "ALB"
+    
+    forwarded_values {
+      query_string = true
+      headers      = ["Authorization", "Host", "Origin"]
+      
+      cookies {
+        forward = "all"
+      }
+    }
+    
+    viewer_protocol_policy = "redirect-to-https"
+    min_ttl                = 0
+    default_ttl            = 0
+    max_ttl                = 0
+    compress               = true
+  }
+  
+  # Use the provided certificate if Route53 is enabled with a custom domain
+  dynamic "viewer_certificate" {
+    for_each = var.use_route53 && var.certificate_arn != "" ? [1] : []
+    content {
+      acm_certificate_arn = var.certificate_arn
+      ssl_support_method  = "sni-only"
+      minimum_protocol_version = "TLSv1.2_2021"
+    }
+  }
+  
+  # Use CloudFront default certificate if no Route53 or certificate is provided
+  dynamic "viewer_certificate" {
+    for_each = !var.use_route53 || var.certificate_arn == "" ? [1] : []
+    content {
+      cloudfront_default_certificate = true
+    }
+  }
+  
+  # Add aliases only if Route53 is used
+  aliases = var.use_route53 ? [format("%s.%s", var.record_name, var.hosted_zone_name)] : []
+  
+  # Associate WAF Web ACL if provided - commented out due to regional WAF scope issue
+  # CloudFront requires global WAF WebACLs, but the current WAF is regional
+  # web_acl_id = var.wafv2_acl_arn
+  
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  # Enable logging to the ALB access logs bucket - commented out to avoid S3 ACL issues
+  # logging_config {
+  #   include_cookies = false
+  #   bucket          = aws_s3_bucket.access_log_bucket.bucket_domain_name
+  #   prefix          = "cloudfront-logs/"
+  # }
+
+  tags = {
+    Name = "${var.name}-cloudfront-distribution"
+  }
+
+  depends_on = [aws_lb.this]
+}
diff --git a/litellm-terraform-stack/modules/ecs/outputs.tf b/litellm-terraform-stack/modules/ecs/outputs.tf
index ba74297..7a5104b 100644
--- a/litellm-terraform-stack/modules/ecs/outputs.tf
+++ b/litellm-terraform-stack/modules/ecs/outputs.tf
@@ -11,7 +11,35 @@ output "LitellmEcsTask" {
   description = "Name of the ECS Service"
 }
 
+output "alb_dns_name" {
+  value       = aws_lb.this.dns_name
+  description = "The DNS name of the ALB"
+}
+
+output "alb_zone_id" {
+  value       = aws_lb.this.zone_id
+  description = "The zone ID of the ALB"
+}
+
+output "cloudfront_distribution_id" {
+  value       = var.use_cloudfront ? aws_cloudfront_distribution.this[0].id : ""
+  description = "The ID of the CloudFront distribution"
+}
+
+output "cloudfront_domain_name" {
+  value       = var.use_cloudfront ? aws_cloudfront_distribution.this[0].domain_name : ""
+  description = "The domain name of the CloudFront distribution"
+}
+
 output "ServiceURL" {
-  description = "Equivalent to https://var.record_name"
-  value       = "https://${var.record_name}"
-}
\ No newline at end of file
+  description = "The service URL"
+  value = var.use_route53 ? "https://${var.record_name}.${var.hosted_zone_name}" : (
+    var.use_cloudfront ? "https://${aws_cloudfront_distribution.this[0].domain_name}" : "https://${aws_lb.this.dns_name}"
+  )
+}
+
+output "cloudfront_auth_secret" {
+  description = "The CloudFront authentication secret (only shown once after creation)"
+  value       = var.use_cloudfront ? random_password.cloudfront_secret[0].result : null
+  sensitive   = true
+}
diff --git a/litellm-terraform-stack/modules/ecs/route53.tf b/litellm-terraform-stack/modules/ecs/route53.tf
index 85f824c..cea0a16 100644
--- a/litellm-terraform-stack/modules/ecs/route53.tf
+++ b/litellm-terraform-stack/modules/ecs/route53.tf
@@ -1,16 +1,23 @@
+# Only lookup the Route53 zone if use_route53 is true
 data "aws_route53_zone" "this" {
+  count        = var.use_route53 ? 1 : 0
   name         = var.hosted_zone_name
   private_zone = !var.public_load_balancer
 }
 
+# Only create Route53 records if use_route53 is true
 resource "aws_route53_record" "alb_alias" {
-  zone_id = data.aws_route53_zone.this.zone_id
+  count   = var.use_route53 ? 1 : 0
+  zone_id = data.aws_route53_zone.this[0].zone_id
   name    = var.record_name
   type    = "A"
 
   alias {
-    name                   = aws_lb.this.dns_name
-    zone_id                = aws_lb.this.zone_id
+    # If CloudFront is enabled, point to CloudFront, otherwise point to ALB
+    name                   = var.use_cloudfront ? aws_cloudfront_distribution.this[0].domain_name : aws_lb.this.dns_name
+    zone_id                = var.use_cloudfront ? aws_cloudfront_distribution.this[0].hosted_zone_id : aws_lb.this.zone_id
     evaluate_target_health = true
   }
+
+  depends_on = [aws_cloudfront_distribution.this]
 }
diff --git a/litellm-terraform-stack/modules/ecs/security-groups.tf b/litellm-terraform-stack/modules/ecs/security-groups.tf
index e76fe35..4acf70b 100644
--- a/litellm-terraform-stack/modules/ecs/security-groups.tf
+++ b/litellm-terraform-stack/modules/ecs/security-groups.tf
@@ -1,6 +1,10 @@
 ###############################################################################
 # (7) Security Groups & Ingress for Redis and RDS
 ###############################################################################
+
+# CloudFront security is implemented using origin custom headers instead of IP ranges
+# This avoids hitting AWS security group rule limits (60 rules per security group)
+# CloudFront has hundreds of IP ranges globally, which would exceed the limit
 # Security group for ECS Service tasks
 resource "aws_security_group" "ecs_service_sg" {
   name        = "${var.name}-service-sg"
@@ -64,13 +68,32 @@ resource "aws_security_group" "alb_sg" {
   description = "Security group for ALB"
   vpc_id      = var.vpc_id
 
-  # Allow inbound HTTPS from anywhere (adjust as necessary)
+  # Public load balancer: Allow HTTPS traffic with WAF protection
+  # Security is provided by:
+  # 1. When CloudFront is enabled: Custom origin header authentication via ALB listener rules
+  # 2. When CloudFront is disabled: WAF rules on the ALB
+  # 3. When private: Only accessible from private subnets
   ingress {
-    description = "Allow HTTPS in"
+    description = "HTTPS traffic"
     protocol    = "tcp"
     from_port   = 443
     to_port     = 443
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = var.public_load_balancer ? ["0.0.0.0/0"] : var.private_subnets_cidr_blocks
+  }
+  
+  # Add HTTP ingress for CloudFront origin connections
+  # Security for HTTP is provided by custom header authentication
+  ingress {
+    description = "HTTP traffic for CloudFront origin"
+    protocol    = "tcp"
+    from_port   = 80
+    to_port     = 80
+    cidr_blocks = var.public_load_balancer ? ["0.0.0.0/0"] : var.private_subnets_cidr_blocks
+  }
+
+  tags = {
+    Name = "${var.name}-alb-sg"
+    SecurityModel = var.use_cloudfront ? "CloudFront-Protected" : (var.public_load_balancer ? "Public-WAF-Protected" : "Private-VPC-Only")
   }
 
   # Allow all outbound
diff --git a/litellm-terraform-stack/modules/ecs/variables.tf b/litellm-terraform-stack/modules/ecs/variables.tf
index 2cc97c2..712bcd2 100644
--- a/litellm-terraform-stack/modules/ecs/variables.tf
+++ b/litellm-terraform-stack/modules/ecs/variables.tf
@@ -199,6 +199,7 @@ variable "okta_issuer" {
 variable "certificate_arn" {
   description = "ARN of the ACM certificate"
   type        = string
+  default     = ""
 }
 
 variable "wafv2_acl_arn" {
@@ -209,11 +210,31 @@ variable "wafv2_acl_arn" {
 variable "record_name" {
   description = "Record name for the ingress"
   type        = string
+  default     = ""
 }
 
 variable "hosted_zone_name" {
   description = "Hosted zone name for the ingress"
   type        = string
+  default     = ""
+}
+
+variable "use_route53" {
+  description = "Whether to use Route53 for DNS management"
+  type        = bool
+  default     = false
+}
+
+variable "use_cloudfront" {
+  description = "Whether to use CloudFront in front of ALB"
+  type        = bool
+  default     = true
+}
+
+variable "cloudfront_price_class" {
+  description = "The price class for CloudFront distribution"
+  type        = string
+  default     = "PriceClass_100"
 }
 
 variable "vpc_id" {
@@ -300,6 +321,12 @@ variable "public_subnets" {
   type        = list(string)
 }
 
+variable "private_subnets_cidr_blocks" {
+  description = "CIDR blocks of the private subnets"
+  type        = list(string)
+  default     = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] # Default private address spaces
+}
+
 variable "disable_swagger_page" {
   type    = bool
   description = "Whether to disable the swagger page or not"
@@ -323,4 +350,4 @@ variable "langfuse_secret_key" {
 variable "langfuse_host" {
   type    = string
   description = "the hostname of your langfuse deployment."
-}
\ No newline at end of file
+}
diff --git a/litellm-terraform-stack/outputs.tf b/litellm-terraform-stack/outputs.tf
index 5b5f782..d7f1232 100644
--- a/litellm-terraform-stack/outputs.tf
+++ b/litellm-terraform-stack/outputs.tf
@@ -18,9 +18,21 @@ output "eks_deployment_name" {
   value       = try(module.eks_cluster[0].eks_deployment_name, "")
 }
 
+output "cloudfront_distribution_id" {
+  description = "The ID of the CloudFront distribution"
+  value       = var.use_cloudfront ? try(module.ecs_cluster[0].cloudfront_distribution_id, "") : ""
+}
+
+output "cloudfront_domain_name" {
+  description = "The domain name of the CloudFront distribution"
+  value       = var.use_cloudfront ? try(module.ecs_cluster[0].cloudfront_domain_name, "") : ""
+}
+
 output "ServiceURL" {
-  description = "Equivalent to https://var.record_name"
-  value       = "https://${var.record_name}"
+  description = "The service URL"
+  value = var.use_route53 ? "https://${var.record_name}.${var.hosted_zone_name}" : (
+    var.use_cloudfront ? "https://${try(module.ecs_cluster[0].cloudfront_domain_name, "")}" : "https://${try(module.ecs_cluster[0].alb_dns_name, "")}"
+  )
 }
 
 output "vpc_id" {
@@ -31,4 +43,12 @@ output "vpc_id" {
 output "ConfigBucketName" {
   description = "The Name of the configuration bucket"
   value       = module.base.ConfigBucketName
-}
\ No newline at end of file
+}
+
+# Added to expose the CloudFront authentication secret once after creation
+# This allows for troubleshooting and verification if needed
+output "cloudfront_auth_secret" {
+  description = "The CloudFront authentication secret (only shown once after creation)"
+  value       = var.use_cloudfront ? try(module.ecs_cluster[0].cloudfront_auth_secret, null) : null
+  sensitive   = true
+}
diff --git a/litellm-terraform-stack/variables.tf b/litellm-terraform-stack/variables.tf
index 61abc3d..65ee16a 100644
--- a/litellm-terraform-stack/variables.tf
+++ b/litellm-terraform-stack/variables.tf
@@ -182,19 +182,44 @@ variable "okta_issuer" {
   type        = string
 }
 
+variable "use_route53" {
+  description = "Whether to use Route53 for DNS management. If false, no Route53 resources will be created."
+  type        = bool
+  default     = false
+}
+
+variable "use_cloudfront" {
+  description = "Whether to use CloudFront for content distribution. If false, only ALB will be used."
+  type        = bool
+  default     = true
+}
+
+variable "cloudfront_price_class" {
+  description = "The price class for CloudFront distribution"
+  type        = string
+  default     = "PriceClass_100"
+  validation {
+    condition     = contains(["PriceClass_100", "PriceClass_200", "PriceClass_All"], var.cloudfront_price_class)
+    error_message = "Price class must be one of PriceClass_100, PriceClass_200, or PriceClass_All."
+  }
+}
+
 variable "certificate_arn" {
-  description = "ARN of the ACM certificate"
+  description = "ARN of the ACM certificate. Required if use_route53 is true."
   type        = string
+  default     = ""
 }
 
 variable "record_name" {
-  description = "record name for the ingress"
+  description = "Record name for the ingress. Required if use_route53 is true."
   type        = string
+  default     = ""
 }
 
 variable "hosted_zone_name" {
-  description = "Hosted zone name for the ingress"
+  description = "Hosted zone name for the ingress. Required if use_route53 is true."
   type        = string
+  default     = ""
 }
 
 variable "create_private_hosted_zone_in_existing_vpc" {
@@ -355,4 +380,4 @@ variable "langfuse_host" {
   type    = string
   description = "the hostname of your langfuse deployment. Optional, defaults to https://cloud.langfuse.com"
   default = "https://cloud.langfuse.com"
-}
\ No newline at end of file
+}
diff --git a/media/architecture.png b/media/architecture.png
new file mode 100644
index 0000000..5fb79f5
Binary files /dev/null and b/media/architecture.png differ
diff --git a/undeploy.sh b/undeploy.sh
index 28dafeb..1dfea12 100755
--- a/undeploy.sh
+++ b/undeploy.sh
@@ -28,10 +28,10 @@ if [[ (-z "$LITELLM_VERSION") || ("$LITELLM_VERSION" == "placeholder") ]]; then
     exit 1
 fi
 
-if [ -z "$CERTIFICATE_ARN" ] || [ -z "$RECORD_NAME" ]; then
-    echo "Error: CERTIFICATE_ARN and RECORD_NAME must be set in .env file"
-    exit 1
-fi
+# if [ -z "$CERTIFICATE_ARN" ] || [ -z "$RECORD_NAME" ]; then
+#     echo "Error: CERTIFICATE_ARN and RECORD_NAME must be set in .env file"
+#     exit 1
+# fi
 
 echo "Certificate Arn: " $CERTIFICATE_ARN
 echo "RECORD_NAME: " $RECORD_NAME