I've an app running on AWS.
Currently, my frontend is hosted on S3/cloudfront which communicates with my EC2 instance through a Elastic Load Balancing (ELB).
ELB handles the SSL certificate.
I just have one EC2 instance. So, I don't really need the ELB. My free tier period is over... ELB representer 40% of my bill !
How can I get rid of ELB without losing the SSL configuration ?
Thanks in advance !
The best approach to keep an AWS ACM SSL whilst removing your load balancer would be to instead use CloudFront for your EC2 host.
If this is a different domain to your existing CloudFront distribution, you would need to create a new one which will serve your app traffic. This would have a custom origin that would resolve to the public CNAME of the EC2 host (this will require the EC2 host to be publicly resolvable).
IF it shares the same domain, your CloudFront distribution would need to be updated to include a secondary behaviour that maps to your EC2 hosts public hostname.
Please note for this option your instance must be public, this means that it is possibly to bypass CloudFront to perform this option. If you do not have a valid SSL on this EC2 host you will need to configure the CloudFront distribution to speak to the origin using HTTP.
An alternative (or combined option) would be to use a service such as certbot that can generate a valid SSL for your domain. This will ensure any public ingress to the instance can be encrypted securely over HTTPS.
Related
I'm new to AWS and hoping someone can answer my question here. I've created a web server on an EC2 instance and installed Craft CMS on it. I've requested a public certificate from Certificate Manager, and put the CNAME in the route53 hosted zone for the domain name. The certificate is attached to the Load balancer I attached to my EC2 instance. If I set up cloudfront with all this my website is still showing up as insecure (meaning I'm not doing something right). How should I go about connecting cloudfront to my EC2 instance? With or without the load balancer. I only have one instance running so I don't really need the load balancer either. Thanks!
Just to clarify what you are trying to accomplish: 1) You have one or more EC2 instances, presumably in an auto-scaling group; 2) Those EC2 instances are set as targets for your ELB; 3) You have a certificate that is valid for your ELB hostname, let's call it elb.mydomain.com.
And now you are trying to setup CloudFront with the ELB as the origin?
Starting with the CloudFront certificate: Is the certificate also valid for your CloudFront hostname (let's call it www.mydomain.com)? If not, you will need to create and validate another cert for www.mydomain.com.
Second, the CloudFront distribution must be configured to use a certificate that is valid for the hostname you want to use. You must also include the hostname as an alternate domain name in the CloudFront distribution. Then make sure your route53 CNAME entry points from your desired hostname to the CloudFront distribution, which will be something like d18sdfijsilj.cloudfront.net.
I have a website that I have hosted on an EC2 instance that runs on port 3000. (e.g. 3.27.83.19:3000 - assuming the IP address of the EC2 instance is 3.27.83.19)
I have a domain that I have already bought mydomain.com through AWS that I already see in Hosted Zones.
How can I set-up Route53 so that when someone hits "mydomain.com", it takes them to 3.27.83.19:3000 rather than 3.27.83.19
Thanks!
point domain to instance ip
To point example.com to 3.27.83.19 you simply need to create an A record in route53
point domain to load balancer
To access the website running port 3000 on an EC2 instance through https://example.com, you need a service that accepts traffic on https://example.com and then forward the traffic to the EC2 instance on port 3000. You can easily do it with an AWS application load balancer. I like this approach.
There are many benefits using an application load balancer. The important one is that you can configure the SSL certificate easily. The application load balancer also supports host based routing which allows you to host multiple websites.
If you are looking for less expensive solutions, you can also go for setting up an nginx proxy inside the ec2 instance. I personally don't like this approach because you will need to configure SSL at the application level.
https://aws.amazon.com/premiumsupport/knowledge-center/public-load-balancer-private-ec2/
Hope this helps.
Say I have an AWS ec2 instance that is running a python application on a certain port say 8000. Also imagine I have a domain name say www.abcd.com that I own. What does it take to make my website use https and securely redirect to the app on my ec2 that is listening on port 8000? Is this even possible to do or do I need something like nginx in between?
Firstly you will need to ensure that your EC2 is in a public subnet with a public IP, it will also need its security group open on whatever port you are hitting it on (8000). At this point you should be able to hit your application on public ip:port.
Now if you want to do the above while using a domain you will want to use AWS's Route 53 service. From this you can create a DNS routing using your domain. You will want to create a route from: application.example.com to your instances public ip. After doing so you should be able to visit: application.example.com and hit your application. In doing the following it is possible now to make your EC2 instance private.
Now if you wish to include HTTPS ontop of this, the best way would be to create a public load balancer with a certificate attached, this would accept HTTPS traffic from your user, then forward that traffic over HTTP to your EC2 on a selected port (8000).
After doing this you will want to change your Route53 entry to point to your load balancer instead of directly at your EC2.
Yes, it is totally possible.
Here is step wise procedure to do it :-
you need to create hosted zone on Route-53 services of amazon
Then it use ns to connect with your domain ( wherever you have registered)
Then you need to connect your ec2 instance ip with your hosted zone
Now you can access your ec2 instances using this domain, but it will be not https
For https, you need certificate, which you can avail from aws certificate-manager
After obtaining the certificate, Follow the steps from this blog How to set up HTTPS for your domain on AWS.
NOTE:- This is just uber point, follow it and look for more insight to how you exactly do it in your case. I followed this step while deploying using elastic-beanstalk.
I set up EC2 Ubuntu instance, assigned an elastic IP, got example.com (domain) to the ec2 instance via Route53. Added an SSL certificate using ACM (certificate manager) which says 'issued'.
However, https://example.com raises ERR_SSL_PROTOCL_ERROR. http://example.com is working.
The security group has HTTPS port open.
What's wrong here? Why this is not working? Any clues? curl https://localhost -k shows local port 443 refused.
You can't deploy a public ACM certificate directly to an instance. The "issued" state, just means it's ready to be applied somewhere. It needs to be applied to a service that supports ACM like an ELB, API Gateway, or a CloudFront distribution, which can be used to offload SSL processing. See the faqs for an overview of how they can be used.
For a certificate directly on the instance, you can use letsencrypt to issue free, trusted certs.
Also, this assumes that you've configured the web server to listen on 443.
ACM can only be used with AWS resources such as Elastic Load Balancer, Amazon CloudFront distributions and APIs on Amazon API Gateway.
Make sure that you are using one the above services to serve your website content.
ACM cannot be directly used with EC2 instance, you either need Elastic Load Balancer or CloudFront distribution to used it.
I have installed wordpress site on just 1 EC2 instance which is running on 1AZ (means 1 public subnet). I have bought a domain as well using Route 53. Currently my site is HTTP only which I want to make it HTTPS. I have got SSL certificate from AWS Certificate Manager as well. Using Route 53, currently I have mapped A record IP V4 mapping with my EC2 instance public IP V4 address.
I'm facing issue here in changing my site to HTTPS from current HTTP. Since my site is deployed on just 1 AZ (public subnet), I cannot add Elastic Load Balancer in front of my EC2 instance as it requires minimum 2 public subnets (this is what my understanding is). If my side was deployed on 2 AZs (2 public subnets) then easily I would have configured Application Load Balancer with these 2 subnets and would have used the SSL certificate which is stored in AWS certificate manager but in my case it is just 1 AZ/1subnet.
Question 1) Is it necessary to have 2 public subnets to configure elastic load balancer? Can't I configure load balancer with just 1 subnet like in my case? If yes then please advise how to do it?
Question 2) Is load balancer really necessary between Route 53 and EC2 instance to make the site HTTPS? Can I configure Route 53 and SSL certificate to listen to EC2 instance directly and make the site HTTPS?
Please assist here to make my site HTTPS. Thanks
1) Yes, an ELB requires two subnets - but you dont have to have a server running in both subnets (but obviously you dont get the benefit/cost of dual servers). Within AWS goto the VPC section and create a new subnet inside the correct VPC - you should then be able to create an ELB (it may complain about the 2nd subnet - but if there are no instances inside that subnet it doesnt really matter).
2) No, but if you want to use the free ACM certificate it must be installed at the Load Balencer or CloudFront distribution level. There's nothing stopping you installing your own certificate on your EC2, configuring apache to use it and then renewing it as required. Take a look at LetsEncrypt for free certificates, or buy a cert online.
Few things to bare in mind:
"Best Practise" for TLS/HTTPS is constantly changing. AWS take the headache out of this by providing policies so updating to the latest standard is very simple and requires no changes to your ec2 (as its talking to the ELB via port 80)
If you decide to manage your own certificate, take a look at the SSL Labs certificate tester (https://www.ssllabs.com/ssltest/) to help you ensure your configuration is correct.
Let me answer the questions inline.
Question 1) Is it necessary to have 2 public subnets to configure
elastic load balancer? Can't I configure load balancer with just 1
subnet like in my case? If yes then please advise how to do it?
Yes. You must specify subnets from at least two Availability Zones to increase the availability of your load balancer. This is why you need at least two subnets (Minimum one subnet in each Availability Zone). When you run the EC2 instances, it is also recommended to run them in both Availability Zones (Given to the Load Balancer) with Auto Scaling for high availability and fault tolerance.
Question 2) Is load balancer really necessary between Route 53 and EC2
instance to make the site HTTPS? Can I configure Route 53 and SSL
certificate to listen to EC2 instance directly and make the site
HTTPS?
It is necessory if you are using Amazon Certificate Manager (ACM) Issued SSL certificates. Otherwise, if you use an externally purchased SSL certificate, you can configure the SSL certificate at your EC2 instance web server level.
Note: An alternative approach is to use AWS CloudFront as a proxy (Also for SSL termination using ACM certificate) and proxy the requests to the EC2 instance (If you don't want to pay for the Load Balancer where CloudFront costs are based on the number of requests unlike an hourly charge for Load Balancer).