EC2 nginx config and SSL for ALB - amazon-web-services

I am trying to add an AWS ALB for my EC2 instances. I created an Application Load Balancer for two EC2 instances as well as an ALB with an auto-scaling group, but none of these works. The individual EC2 instance is running OK, which I tested, but the ALB public IP is getting an error page. I wonder if EC2 nginx needs to be configured differently and whether to add SSL to the ALB or to both EC2 instances. I am hosting a React/Node.js app on the EC2s. Can anyone give me some direction on how to troubleshoot and fix this issue? Thanks

I wonder if EC2 nginx needs to be configured differently and whether to add SSL to the ALB or to both EC2 instances
Usually you add SSL to the ALB. There are only a few use cases where SSL on the instances would be needed (e.g. strict regulatory requirements for end-to-end encryption). So in the general case you would have:
Client --- (HTTPS) ---> ALB ---- (HTTP) ---> Instances

Related

How to route traffic to ECS Fargate instance without an Application Load Balancer

I have a Fargate instance running on port 3000. For this service "Service Discovery" is enabled, and a corresponding hosted zone is created in Route 53. I have added the name servers from this hosted zone in my domain registrar's (GoDaddy) DNS settings.
I want to route all traffic from my domain to this Fargate instance. Currently, I don't see a need to add an ALB since the traffic is very little and routing is simple. So I want to know the following
Is it possible to route my traffic from Route 53 to the Fargate instance running on port 3000 without an ALB? If Yes, how can I do it?
Is ALB required for configuring SSL? Or I can do it without an ALB?
See this article under the heading External Networking.
TL;DR is to create a VPC with a public subnet and an attached IP address via an internet gateway, and ensure your Fargate cluster/task is running in that VPC.
If you want to run SSL without a load balancer (one of whose responsibilities can be terminating SSL), you will need to terminate the SSL certificates yourself from your Fargate task.

How to add health check request ip to load balancer security group?

I face an issue in AWS Elastic Beanstalk health checking. I deployed my NodeJS application to AWS via Elastic Beanstalk. Then I gave permission for my Elastic Load Balancer's TCP 443 port to be accessible only from my domain, which is routed by Cloudflare. Basically, my Elastic Load Balancer is only accessible by Cloudflare.
Due to the fact that I use Cloudflare, AWS health checks are not able to access the endpoint of the load balancer. How can I fix this issue? I don't want to open my load balancer's TCP 443 port to the whole world. I want to open TCP 443 port only for Cloudflare and, at the same time, I want to use the AWS health check :)
If somebody reads this question in the future: I thought that the health check was being executed externally, accessing publicly. But I have just learned that it is not :)). It is being executed directly internally. There is no problem related to Cloudflare or the security group or any other thing!
If there is an error in your ELB regarding this, the problem is probably related to your codebase, not the security group or other configurations.

Why the AWS load balancer not able to make my website secure?

I have configured the AWS load balancer to secure my website, i.e. to resolve through "https". But when I use https://www.schoolnskill.com, it gives
503 Service Temporarily Unavailable.
So I have followed the below steps to configure my environment.
I created a domain name in Route 53 and have been issued an SSL/TLS certificate through AWS Certificate Manager.
For my load balancer I set up a listener for https:443 and attached the above certificate to it.
The security group for my EC2 instances allows http and https requests (although I believe the load balancer to EC2 target will communicate using http).
I have attached a screenshot with the summary of the configuration.
Then in the ROUTE 53, I edited the 'A' record of 'www.schoolnskill.com'. Below are the changes I made.
Alias:- yes
Alias target:- chosen the application LB
Routing policy:- simple
Then save the settings.
I can see that whenever I type 'http://www.schoolnskill.com', it is redirected as 'https://www.schoolnskill.com'
Thank you,
The problem was the availability zones. The AZ of my load balancer was different from that of EC2 instance. I matched the AZ of ALB to my EC2, and it worked.
Thank you,

How to add SSL certificate and make website HTTPS in AWS cloud?

I have installed a WordPress site on just 1 EC2 instance which is running in 1 AZ (meaning 1 public subnet). I have bought a domain as well using Route 53. Currently my site is HTTP only, which I want to make HTTPS. I have got an SSL certificate from AWS Certificate Manager as well. Using Route 53, I currently have an A record mapping to my EC2 instance's public IPv4 address.
I'm facing an issue here in changing my site to HTTPS from the current HTTP. Since my site is deployed in just 1 AZ (public subnet), I cannot add an Elastic Load Balancer in front of my EC2 instance as it requires a minimum of 2 public subnets (this is what my understanding is). If my site was deployed in 2 AZs (2 public subnets) then I would easily have configured an Application Load Balancer with these 2 subnets and would have used the SSL certificate which is stored in AWS Certificate Manager, but in my case it is just 1 AZ/1 subnet.
Question 1) Is it necessary to have 2 public subnets to configure an elastic load balancer? Can't I configure a load balancer with just 1 subnet like in my case? If yes then please advise how to do it?
Question 2) Is a load balancer really necessary between Route 53 and the EC2 instance to make the site HTTPS? Can I configure Route 53 and the SSL certificate to point to the EC2 instance directly and make the site HTTPS?
Please assist here to make my site HTTPS. Thanks
1) Yes, an ELB requires two subnets - but you don't have to have a server running in both subnets (but obviously you don't get the benefit/cost of dual servers). Within AWS go to the VPC section and create a new subnet inside the correct VPC - you should then be able to create an ELB (it may complain about the 2nd subnet - but if there are no instances inside that subnet it doesn't really matter).
2) No, but if you want to use the free ACM certificate it must be installed at the Load Balancer or CloudFront distribution level. There's nothing stopping you installing your own certificate on your EC2, configuring Apache to use it and then renewing it as required. Take a look at Let's Encrypt for free certificates, or buy a cert online.
A few things to bear in mind:
"Best Practice" for TLS/HTTPS is constantly changing. AWS take the headache out of this by providing policies, so updating to the latest standard is very simple and requires no changes to your EC2 (as it's talking to the ELB via port 80).
If you decide to manage your own certificate, take a look at the SSL Labs certificate tester (https://www.ssllabs.com/ssltest/) to help you ensure your configuration is correct.
Let me answer the questions inline.
Question 1) Is it necessary to have 2 public subnets to configure elastic load balancer? Can't I configure load balancer with just 1 subnet like in my case? If yes then please advise how to do it?
Yes. You must specify subnets from at least two Availability Zones to increase the availability of your load balancer. This is why you need at least two subnets (Minimum one subnet in each Availability Zone). When you run the EC2 instances, it is also recommended to run them in both Availability Zones (Given to the Load Balancer) with Auto Scaling for high availability and fault tolerance.
Question 2) Is load balancer really necessary between Route 53 and EC2 instance to make the site HTTPS? Can I configure Route 53 and SSL certificate to listen to EC2 instance directly and make the site HTTPS?
It is necessary if you are using Amazon Certificate Manager (ACM) issued SSL certificates. Otherwise, if you use an externally purchased SSL certificate, you can configure the SSL certificate at your EC2 instance web server level.
Note: An alternative approach is to use AWS CloudFront as a proxy (also for SSL termination using an ACM certificate) and proxy the requests to the EC2 instance (if you don't want to pay for the Load Balancer, since CloudFront costs are based on the number of requests, unlike the hourly charge for a Load Balancer).

How to set up SSL for ELB to EC2 in private subnet of VPC

I can't seem to find any documentation that deals with this scenario in a VPC.
I have an EC2 in a private subnet.
I have an internet facing ELB in a public subnet
ELB has SSL cert and accepts https connections
What are the steps to set up https communication between ELB and EC2? If https is terminated at the ELB, do I need to set up certs for ELB > EC2?
Thanks in advance,
So it turns out this setting is on the ELB but you only see it on creation. Once the ELB has been created it's no longer visible.
When creating the ELB you need to select 'Backend Authentication' and then you have the option there to upload your SSL certs. If the SSL is incorrect for whatever reason then any secure health checks will fail.
Under this scenario SSL is terminated on the ELB and then the ELB initiates a new SSL connection with the backend servers.
I don't see how this is any different from any other ELB setup. The fact that the EC2 instance is in a private subnet has no bearing on the SSL certificate.
If you want communication between the ELB and the EC2 instance to use SSL, then you would need to install an SSL certificate on the EC2 instance. How you do that depends entirely on what web server or other server software you are running on the EC2 instance.
If https is terminated at the ELB, do I need to set up certs for ELB > EC2?
If you only care about securing communication from the internet into your VPC, then no you don't need this. If you care about securing the communication within your VPC then you would need this. I'm having trouble thinking of a reason that you would care about that, since the communication between the ELB and the EC2 instance is entirely contained within your VPC.
Wouldn't you just terminate the SSL on the ELB and then use the ELB itself to choose which underlying web server traffic is routed to (via Http)?
If that's in a private subnet (which it should be) then you'll have needed to set up the route tables / NACLs and security groups accordingly (which you would need to do anyway) to ensure the http traffic can be routed accordingly inbound and outbound.