My rest API (node) is set up in AWS ECS behind a load balancer - super-long-aws-lb-url
I also have a domain registered and a subdomain for my backend which is set up as an A-record aliased to the load balancer; I access my rest API at something like data.mydomain.com/api/resource/{:id} - this is working as expected.
There's one endpoint that serves as a reverse proxy for accessing user-generated content - it's public and currently I can access it via
data.mydomain.com/api/content/public/{:id}
What I'd like to do is create a "pretty" url to just that endpoint in route53 so that the public endpoint becomes available via content.mydomain.com/{:content-id}
So far I've tried setting up this subdomain as a CNAME pointing directly to the string value composed of ALB URL + endpoint
content.mydomain.com -> super-long-aws-lb-url/api/content/public/
I expect that this will allow me to access that content at http://content.mydomain.com/{:content-id} but I get a Server Not Found error
Next I tried setting it up as an A-Record with an alias, but since it needs a resource with an IP address, I'm forced to select an AWS resource from a dropdown, and I'm back to using the load balancer without bypassing the global prefix (api) and the resource URL (content/public)
Is there a way to point a subdomain directly to an API endpoint in AWS?
Amazon Route 53 is a Domain Name Service (DNS).
DNS is used to resolve a domain name (eg data.mydomain.com) to an IP address, which allows traffic to be sent to a specific computer.
DNS only covers the domain name. It does not include anything after the slash.
Therefore, you can not use Amazon Route 53 to point to a 'path' (eg /api/content/public/).
Such redirection would be the job of any software running on the target computer. You can likely configure this in your web server software.
Related
I created an Instance (Windows Server 2016) within AWS and the domain URL amazon gave me as below:
ec2-10-212-103-15.us-east-2.compute.amazonaws.com
Then, to create a subdomain I went to Route53 (https://console.aws.amazon.com/route53/home#Dashboard)
Here is the picture of my configurations:
But I still cannot open http://uat.ec2-10-212-103-15.us-east-2.compute.amazonaws.com/
(Note: The IP is made-up)
What do I need more to do?
Thanks
You're getting it wrong. Route53 is for custom domains you purchase from any of source (GoDaddy, Amazon, Namecheap naming a few).
The URL ec2-10-212-103-15.us-east-2.compute.amazonaws.com you've mentioned isn't the domain name. It is actually DNS to your server. If your instance is not behind a NAT gateway then you can directly access it through ec2-10-212-103-15.us-east-2.compute.amazonaws.com else you need to place a load balancer with public accessibility or place instance behind an internet gateway.
I have create a AWS elastic search domain in Virginia and got a Endpoint url.
Now I wanted to configure the Route53 behavior around it, so that a caller can use the same url, even though there is some change in elastic search or in case of a disaster recovery.
So,
Virginia Route 53 -- 1 Points to -- Virgina Elastic Search Domain URL
Oregon Route 53 -- 2 Points to -- Oregon Elastic Search Domain URL
Main Route 53 -- 3 Points to -- Route 53 1 or 2
I have already create these and also created and uploaded SSL certificate with correct SAN entries. But when I execute,
curl https://mainroute53/health
curl https://virginiaroute53/health
curl https://oregonroute53/health
I am getting this error,
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
But when I am calling the Elastic Search URL directly its working. So I understand this is a issue with the way I am using the certificate. Any help appreciated.
Your Elastic Search endpoint will always return the Elastic Search SSL certificate.
So when you create a Route 53 "alias" for it, you may be connecting to it via your custom DNS entry, but Elastic Search will still use the Elastic Search SSL certificate.
Since the DNS endpoint you're using does not match the SSL certificate, you get that error.
You could use the --insecure curl flag to have it not check the SSL certificate, however, there are risks of doing that.
You can probably work around this by setting up a proxy server in front of the Elasticsearch domain, although it's kind of silly since there appears to also be an ELB inside the Elasticsearch domain. Ah well.
The domain Amazon ES creates for you includes the nodes in the Elasticsearch cluster and resources from several AWS services. When Amazon ES creates your domain, it launches instances into a service-controlled VPC. Those instances are fronted by Elastic Load Balancing (ELB), and the endpoint for the load balancer is published through Route 53. Requests to the domain pass through the ELB load balancer, which routes them to the domain’s EC2 instances.
https://aws.amazon.com/blogs/database/set-access-control-for-amazon-elasticsearch-service/
One way you can access Elasticsearch using your custom domain name is to use an API Gateway as an HTPP proxy. But then you have to deal with the authentication part since the Cognito cookies for ES will be pointing to the original domain (*.es.amazonaws.com).
In my experience this is doable and you should be able to use API Gateway (plus Custom Domain Names and Route 53) to achieve what you want (having a custom domain name over ES). It's just that it requires some Cognito knowledge and most likely, some coding (to handle the cookie problem).
You can use the http endpoint instead of the https one
i.e
curl **http**://mainroute53/health
This works around the fact that AWS does not allow providing custom domain certificate in its managed Elastic service
We had the same issue, wanted to be redirected to Kibana with a more friendlier DNS name and we used the solution with S3 bucket and the redirection as described here.
The steps:
Create a S3 bucket with any name.
In the bucket properties, enable “Static Website hosting”.
In the Static WebSite hosting properties, select the option to “Redirect Requests”.
In the target domain set the Kibana URL that is given from your elasticsearch domain: i.e. https://vpc-es-randomstring.us-east-1.es.amazonaws.com/_plugin/kibana/
Set Protocol to https
Then follow the steps from Step 5 on the guide above
I am attempting to add HTTPS to my AWS Elastic Load Balancer.
I obtained a certificate through AWS Certificate Manager:
I have enabled HTTPS on the load balancer:
I made sure the security group for the load balancer accepts 0.0.0.0/0 on 443:
When going to my domain on HTTP, it works.
However, when trying to load my domain with HTTPS, it does not work ("ERR_CONNECTION_TIMED_OUT")
EDIT and UPDATE:
It is the API that I am attempting to get HTTPS working for, not necessarily the domain. The domain serve's a static file (angular web app) from S3, and it is angular that is calling the load balancer (to transfer the request to an EC2 instance) for DB data.
When angular calls the api directly via the load balancer domain name over HTTP, the request responds as expected.
When angular makes the same api call over HTTPS, I get the following error:
You enabled HTTPS for your domain name, not the ELB domain which Amazon owns. You can only create SSL certificates for domains that you own. You can't enable SSL for "mydomain.com" and then excpect that to somehow work on a completely different domain. You need to change your AngularJS code to reference the API by your custom domain name which you have created an SSL certificate for. You need to point the domain to the ELB and install the SSL certificate for the domain on the ELB.
Mark B provided the almost full solution.
As my javascript code is calling the elastic load balancer (ELB) via it's DNS name provided by AWS, I can't obtain an SSL certificate for the domain I don't own.
As Mark B pointed out, I need to point my javascript code to the domain I do own, and have an SSL cert for.
So I can create a sub domain (e.g. api.mydomain.com) of the domain I own that then points to the ELB.
An A Record (e.g domain pointing to an IP) looks like it could fit the need.
However, an A Record can't point to the ELB because it's IP could change.
The missing step was to use AWS Route 53 to point the A Record to an alias (Route 53 allows you to do this) that represented my AWS Elastic Load Balancer.
I have a web service running on EC2 behind an elastic balancer. I would like to allow my clients to point their A record to my web service so they could have their domain on my server. Similar to shopify or github pages.
However, I don't want to give them the IP of the web service, I'd like the request to go though the load balancer. How can I achieve this? Should I create a small server to forward requests? How does that work?
Many thanks!
If you are running your service behind an Elastic Load Balancer, you usually do not want to use ELB DNS name (which is something like your-service-ELB-1122334455.us-east-1.elb.amazonaws.com). Instead you will configure (probably using Route53, but any DNS service will do) CNAME or ALIAS record with some friendly name, like yourservice.yourdomain.example (this way, name will be easier to remember, and you have the freedom to change load balancer if needed).
All your customers have to do is to create CNAME DNS record pointing their name to your friendly service DNS name, like:
foo-service.theirdomain.example CNAME yourservice.yourdomain.example.
You also need to be aware that HTTP requests will have Host: header containing name entered by user (in case your server/service relies on that info)
You need to consider using Route53 as your clients's DNS service provider might not be supporting this feature beacuse of DNS rule.
See s3.6.2 of RFC 1034
Amazon created a new aliasing system for Route 53. You can now map the apex of a hosted zone to an Elastic Load Balancer using an Alias record. When Route 53 encounters an Alias record, it looks up the A records associated with the target DNS name in the Alias, and returns the IP addresses from that name.
In order to allow all of our customers to benefit from this new feature, there is no charge for queries to alias records when the target is an Elastic Load Balancer.
Associating Your Custom Domain Name with Your Load Balancer Name.
You can also create a Subdomain That Uses Amazon Route 53 as the DNS Service without Migrating the Parent Domain.
I am new in the Amazon EC2 world, I just created an app, that is located URL like this:
http://ec2-54-123-45-678.compute-1.amazonaws.com:8080
This is generated URL by Amazon EC2.
Now I would need to use my own domain name, so when I would access www.my-domain-name.com, I would like to see the content from
http://ec2-54-123-45-678.compute-1.amazonaws.com:8080
I bought the domain name on Godaddy.
Is there any way to do this in Amazon AWS dashboard or do I need to set it up in Godaddy system?
Thanks
I am answering on a more general level because I stumbled upon this thread when setting my custom domain.
In Amazon I created an instance and associated an IP to that instance. You were able to access it by typing in the amazon url
I actually used Media Temple not GoDaddy, but it will be similar. I went to the zone file and added that public url to the www
And as you can see, here is my blog actually working on the custom domain.
I set the wildcard because that way, no matter what someone types, if it is not set, then they will still see the site.
EDIT
For the root URL you should be entering your elastic IP and setting that as an A record.
First you need to set an ElasticIP for associated to that instance.
Then point the DNS entry of "www" for "my-domain-name.com" to the IP assigned in the step above.
Where you manage your DNS is another thing, can be in GoDaddy or in AWS Route53. You must adjust the delegation DNS in the "my-domain-name.com" register. Ex: your domain can be registered with GoDaddy but its delegation DNS point to Route53 so you can manage the domain from your AWS Console.
In order to setup DNS mapping you can map the existing IP 54.123.45.678 to ex: www.my-domain-name.com.
However, as you are running tomcat which is running at 8080 you need to forward the the request to the tomcat using Apache. So that you can visit www.my-domain-name.com without port 8080. If you are using linux box install Apache, apache-modjk and then configure sites.