I have a running private EC2 instances (Windows Server 2012 IIS) behind a public Application Load Balancer. while I can access the web services in the internet via port 80/HTTP, I wanted to allow 443/HTTPS as well but I wanted my third party WAF to offload the SSL (Such as Cloudflare, Akamai).
I've already setup the SSL offloading on the WAF, on the AWS ALB I've enabled the ALB security group to allow port 443/HTTPS from 0.0.0.0/0 but to no avail (although I can still access the web via port 80/HTTP). will really appreciate if you could point me on what steps do I need in AWS ALB to allow HTTPS behind a WAF. I tried also to create a 443 Listener to the AWS ALB, however it still requires me to have my SSL cert imported as well hence redundant since in essence the ALB will SSL offload as well.
This is the basic overview of my design
Cloudflare WAF ---> AWS ALB ----> Private EC2 Instances/Servers
Really appreciate all your feedbacks! Thank you
To make the infrastructure, you should remove the HTTPS(443) listener from ALB and use HTTP(80) traffic between third party WAF and ALB.
However, the traffic between WAF and ALB will be insecure in this way. I am also building similar infrastructure and still trying to figure out a more secured solution.
Related
I have the cert applied on the load balancer, and https works fine, but i am wondering if I need to add the certs to nginx itself, which seems overkill but i am not sure.
No, one of the benefit of using a Load Balancer is you can hide your EC2 from public internet, making it less open and more secured.
Therefore, it is normal practice to use HTTP between your EC2 and load balancers, since they are in the same AWS Region (a safe and trusted internal environment).
By doing this you will also increase performance, because the https network overhead is only executed once in the load balancer, not twice. Your EC2 will focus the CPU resources on running the application logic instead.
Load Balancer is also Highly Available and can be configured to work with CloudFront and WAF for security and anti-DDoS controls.
No, you don't have to do this. The reason is that your load balancer (LB) is going to termiante the https connection, decrypt it using a SSL certificate you've deployed on it, and then forward HTTP connection to your ec2 instance(s).
Therefore, typical connections for LB with HTTPS have the following form:
client ---(HTTPS)---->LB---(HTTP)--->EC2 instance
This configuration is suited for most use-cases as HTTP traffic is happening withing AWS private network, not over the internet.
I am trying to use the AWS application load balancer in my application with WAF support in it. At the same time, I also need support for reverse proxy. Does the AWS application load balancer handle reverse proxy?
Not sure if we talk about the same thing, but in my understanding, AWS ALB's are reverse proxy servers.
You add your actual application server(s) in a targetgroup to an ALB listener, and then, external clients connecting to the ALB over http/https will see your application as if it was served by the ALB.
You can add HTTP request filtering to the ALB listener, so you can configure which requests go to which targetgroup, both by domain name and http paths.
ALB's also do SSL offloading, i.e. it handles https handshakes with a server certificate registered in the ALB, so your own application server doesn't need to do that anymore.
No, it can't.
To do reverse proxy in AWS, you can set a NAT Gateway in your VPC. This way, all connections from your servers to a specific IP (or the public internet) will be a single IP.
I have an ec2 instance behind Application ELB in AWS. I want to apply SSL to both ec2 instance as well as loadbalancer. For ec2 instance i have purchased ssl and installed it and it is working fine. For load balancer i will be using the free AWS ACM certificate and installing it on load balancer. Will this have any issues? i.e. installing SSL on both places ec2 and elb.
It will not have any issues but it does come with a caveat. The traffic in to the Application Load Balancer (ALB) will be encrypted and the ACM cert will be validated by the client. The traffic to the host from the ALB will also be encrypted but the certificate on the host will not be validated.
It looks like ALB Backend Authentication is on AWS's roadmap per the reference below. The reason given for it not being a priority is summarized in this quote from the AWS Engineer who wrote the first reference:
The role that server certificates play in TLS is to authenticate the server, so that it can’t be impersonated or MITM. ALBs run exclusively on our Amazon VPC network, a Software Defined Network where we encapsulate and authenticate traffic at the packet level.
The upside of this is you can use self-signed certs on your hosts to save money when using an ALB or ELB in front of them.
If you need to ensure the certificate on the host is valid you can use a Classic Elastic Load Balancer (ELB). See the reference for more details.
References
AWS ALB Validation TLS Reply
AWS ELB Configure Backend Authentication
If you use SSl/TSL at ELB, it will handle the encryption/decryption of the HTTPS connections (freeing your EC2 instance's CPU to do other work).
If you use an HTTPS/SSL connection for your back end, you can enable authentication on the back-end instance. This authentication can be used to ensure that back-end instances accept only encrypted communication, and to ensure that the back-end instance has the correct certificates.
Using SSL/TLS on both ELB and Backend can create problems since ELB HTTPS listener does not support Client-Side SSL certificates.
I have considered that you are using a 2-way SSL (Mutual or Client Authentication)
I am working with AWS-API-Gateway and an Elastic Beanstalk environment. What I want to make sure in the Elastic Beanstalk environment is that the request is served only for AWS-API-Gateway.
So Amazon suggested for client-side SSL certificate authentication. The problem I'm facing in this is that even if I configure Amazon API gateway to provide a certificate on a https connection, it will give the certificate to the load-balancer and load-balancer will give its certificate to my ec-2 instance.
So in this scenario, I never receive the SSL certificate of API gateway. Please help me here or provide me with a better solution.
I don't want to remove my load-balancer in the scenario as it is helpful for me.
As far as I know, the key with using ELB is to turn the ELB to TCP mode (not HTTP) so the SSL handshake is actually done on the EC2 instances. That way you can verify on the hosts and treat the ELB as just a simple TCP load balancer.
Some helpful info here Support for two-way TLS/HTTPS with ELB
If I would like to expose a web-app to external internet what steps I need to follow in aws?
Create cloudfront or static ip or route 53? Not sure what needs to
be exposed
Create WAF?
Create ELB?AWS ELB or nginx
Enforce https through webserver?
Any other requirements please point me through?
Route53 is not a requirement at all. You can use Route53 for DNS, or you can use a third-party DNS service, or you can just use a static ip (AWS Elastic IP).
WAF is not needed just for exposing an API.
ELB is only needed if you are running this on multiple servers.
You could enforce HTTPS at the web server, or you could just leave port 80 closed and only open port 443.
At an absolute minimum you just need to deploy your application to an EC2 server, open the appropriate port(s) in the Security Group, and assign the server an Elastic IP.