Connecting an AWS Amplify frontend with a EC2 instance? - amazon-web-services

So, I'm working on a hackathon project right now, and for the demo, I've spun up a NodeJS Express server on an EC2 via Elastic Beanstalk. When testing the server's API with our front-end locally, it worked perfectly fine.
Now we've deployed our front-end to AWS Amplify, setup a domain name in Route53, and hooked everything up. When we go to the domain, our front-end looks great, but when we try using the functionality that would connect to our server's API, we get a net::ERR_SSL_PROTOCOL_ERROR.
Doing some research, it looks like(?) that we have to setup a certificate on the Classic Load Balancer that's in front of the EC2. So I requested a certificate, and created a listener on the Load Balancer as follows:
Load Balancer Protocol
Load Balancer Port
Instance Protocol
Instance Port
HTTPS
443
HTTPS
3000
But now I realize that if setup this way, I still have no idea how to point the React Frontend's API calls to the Load Balancer instead of the EC2, or whether the listener is setup correctly. Would anyone have an idea of what steps we should take here?
For the details of the app, the backend is a pretty straightforward Express App with CORS enabled, and the frontend is a fairly standard React project, nothing special about either of them.

Instance Protocol should be HTTP. So your setup uses HTTPS only between client and CLB:
Client--- (HTTPS) ---> CLB --- (HTTP) ---> EC2
Also for properly setup HTTPS, you need to use your own domain. You can't use default domain provided by EB for your application.

Related

Hosting React page on S3 and making REST api calls to server on Elastic Beanstalk

Background
I am trying to deploy a dummy application with React frontend and Django backend interacting via REST api. I have done the following:
Use a S3 bucket to host static website and deploy my react code to it
Put Cloudfront for S3 bucket - set up certificate and changed my domain name (from GoDaddy) to link to this address
Kicked off Elastic Beanstalk environment following the python environment tutorial of AWS
Set up Postgres RDS and linked the Django server with it
So now I can do the following
Access my frontend using https via my domain name (https://www.example.com)
Access django admin site using the path of elastic beanstalk and update items
i.e. each component is up and running
Problem
I am having trouble with:
Making a secure REST API call from the static page to Elastic Beanstalk environment. Before I set up certificates I could easily make REST API calls.
The guides I can find usually involve putting a domain name for Elastic Beanstalk, which I imagine does not apply to my case (or does it?)
I tried to follow this faq and updated configuration in load balancer that accepts 443 https and redirects to 80 http. But I am using same certificate as from CloudFront, which does not sound right to me.
Would appreciate help with
how to solve the above ssl connection issue
or is there a better architecture for what I'm trying to achieve here?
According to Request a certificate in ACM for Elastic Beanstalk backend, it sounds like I have to use a subdomain and request a certificate for that subdomain, and use Cloud 53 to direct requests to that subdomain to Elastic Beanstalk environment. Would that be the case?
Thank you in advance!
By default EB url will HTTP only. To use HTTPS you need to deploy SSL certificate on your ALB.
In order to do that you need a custom domain, because you can only associated an SSL certificates with domains that you control. Thus, normally you would get a domain (you seem to already have one from godaday). So in this case you can setup a subdomain (e.g. api.my-domian.com) on godady. Then you can use AWS ACM to register a free public SSL certificate for api.my-domian.com.
Once the certificate is verified, using either DNS (easier) or email technique, you deploy it on your ALB using HTTPs listener. Obviously you will need to point api.my-domian.com to the EB's https url. You can also redirect on your ALB http traffic from port 80 to 443 to always use https.
Then in your front-end application you only use https://api.my-domian.com, not the original EB url.
There can be also CORS issues alongside this, so have to be vary of them as well.

Gatsby site serving on EC2 with pm2 node with aws classic load balancer needs https

I am running a Gatsby site in development mode as a dev server on EC2 with a loadbalancer pointing from port 80 to 8000. I have setup a cname on my domain dns to point to the load balancer this works fine. However I need to display this page as an iframe in sanity.io as a web preview and it requires https.
I've read through this https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html and most of it is pretty straight forward for the most part.
What I have done so far is created a listener for 443 https on the loadbalancer and added https 443 to the security group. i have succsufully issued a certificate to the subdomain I am using with aws and attached it to the loadbalancer listener.
Gatsby has a article about custom certs for development mode here https://www.gatsbyjs.org/docs/local-https/#custom-key-and-certificate-files What I am looking for is the cert file, the authority file and the key file in order to pass this command below
Where in the aws certificate manager do I find these files. I think that is the last piece I need to get https working, correct me if I am wrong.
thanks ahead of time.
gatsby develop --https --key-file ../relative/path/to/key.key --cert-file ../relative/path/to/cert.crt --ca-file ../relative/path/to/ca.crt
This is the process I used to request my certficate and it says it's issued
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
But how do I use it with the custom https command with gatsby?
There is a export option but it says only for private keys. Do I need to create a private key and then I can export these files I need?
Do I even need to run https on gatsby's side. I watched a video using apache and no change was made to the apache server to get https working with the loadbalancer.
Here is a screenshot of my loadbalancer listenr
Here is a image of my security groups
If I run the --https for gatsby develop it breaks my site I can no longer visit it via the loadbalancer or port 8000. So not sure what to do here.
I would suggest not to encrypt the connection between your ELB and the EC2 instances. If your EC2 instances are not publicly reachable, but only through the load balancer instead, it is best practice to terminate the SSL connection on the load balancer. No need to encrypt HTTP requests inside an AWS VPC (i.e. between ELB and target instances).
You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted. [1]
There is some discussion (e.g. on the blog of Kevin Burke) whether it is necessary to encrypt traffic inside a VPC. [2] However, most people are probably not doing it.
What it means for you: Use the same instance protocol for your targets as before: HTTP via port 8000 for both listeners. Do not set up SSL for your Gatsby service. Use a plain HTTP server config instead. No changes are necessary to ELB targets when using SSL termination on the load balancer.
References
[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
[2] https://acloud.guru/forums/aws-certified-security-specialty/discussion/-Ld2pfsORD6ns5dDK5Y7/tlsssl-termination?answer=-LecNy4QX6fviP_ryd7x

How to assign self signed certificate to AWS elastick beanstalk application

We have developed web api using .net core 3.0 along with swagger. And, for testing purpose we have deployed this api on aws on EC2 instance using EBS. However, while deploying we have noticed that by default it takes only http, but we to expose the api using https.
So, for the same we have created self signed certificate on aws virtual machine and tried to configure to the hosted API and added bindings to Https by selecting the certificate. Our aws vm using IIS 10.
However, after doing this out api is stopped working and it gives lot of errors. We have tried to add the certificate in Certificate manager and after that modifying the load balancer also. But it doesn't seems to be working at all.
So, can anyone what exactly we are missing here? What are correct steps needs to be taken to configure self signed certificate to AWS deployment.
Thanks for the help !
What I've typically done is put the SSL certificate on the load balancer, so the path essentially becomes:
https traffic -> Load Balancer (HTTPS Port, does handshake) -> Application (HTTP Port)
So essentially the user send an https request that is encrypted up to the load balancer, but the load balancer does the handshake for us and passes the packet off via HTTP inside our VPC.

Deploying Node Express on AWS Recommendations

I have a node.js server I would like to deploy to AWS. My main site is example.com while the node server is on api.example.com
I am only using one EC2 instance (no load balancing) because I am only building an MVP and don't want to make things complicated.
I used Amazon Certificate Manager to register my domain name and I need to register api.example.com to also use https.
I right now have to put a CloudFront in front of my EC2 instance just so that I can use the ACM. This seems a little overkill since I don't need any of the caching benefits.
Is there any other way to do this?
You have 3 options:
Use CloudFront with SSL certificate from Amazon which doesn't bring any benefits for API that won't benefit from caching
Use Elastic Load Balancer with SSL certificate from Amazon. Load balancer will mantain HTTPS connection with client and communicate via HTTP with your EC2 server. You can follow this tutorial https://hackernoon.com/getting-a-free-ssl-certificate-on-aws-a-how-to-guide-6ef29e576d22
Or you can set up your certificate at EC2 instance directly. Here is how to do this with Nginx for example https://www.digicert.com/csr-ssl-installation/nginx-openssl.htm
EDIT: I have just realized that you could probably also use AWS API Gateway to point to your EC2 server API GateWay to server in ec2

How to get HTTPS to work on a website - specifically an Elastic Beanstalk site in AWS

I am really struggling to get my basic website (literally just a template without any changes, just running ASP.NET) to work with HTTPS. I am using an Elastic Beanstalk environment to host the site, and the site EC2 virtual machine is behind a load balancer (classic).
I have followed the guide here
And believe I have everything configured correctly, however when I browse to https://www.playground.cloudy-skies.org/ or even the http:// version, I get a HTTP ERROR 503.
I have created an SSL certificate using AWS certificate manager:
I have the load balancer in AWS configured like so:
As per the website documentation, my domain name is pointing to the elastic beanstalk instance, not the load balancer. I've checked the AWS official doco and it says to do pretty much this. Where am I going wrong? if I browse the site with Fiddler active I get:
Please help? I'm a software developer more than I am a network guy, so I'm doing my best here but I'm struggling and have yet to successfully create a site that uses HTTPS.
First thing if you are using Beanstalk your Route 53 will be pointing to your Beanstalk Url only. You can change even force it your Loadblancer also but it doesn't make any change.
As your HTTPS (Port 443) is not working, just check the Security Group of EC2 instance and ELB (Elastic Load Balancer). Sometimes it happens Security Group block your Port.
So in Your Inbound Rules, (for both ELB and EC2) 443 port should be included