Right now I have a domain (example.com) that I have hosted on Google Domains, but uses Amazon's Route 53 DNS servers, and I've created a hosted zone & registered an SSL certificate for free with ACM. So I got it to take requests for example.com and forward them to a target group (EC2 instance).
I'd like to expand this into:
staging.example.com
prod.example.com
where each has its own target group it points to.
Is this possible with an ALB? How would I encode this into the load balancer's routing rules?
(Also: would I have to re-verify the SSL cert for the subdomains?)
You route each subdomain to a different target group using Listener Rules.
When you add a Listener Rule, set a condition for Host header, select the subdomain you want to use, e.g. staging.example.com, and select Forward to as your target group.
Regarding SSL, you won't need to create a new certificate as long as you have the certificate for *.example.com attached to the listener (see View/Edit certificates).
Yes, it is possible. Just create another recordset in your hosted zone (presumably the same way you did it for example.com) for staging and for prod. As for the certificate issue, you will need a wildcard certificate if you want to use the same certificate for all 3 hosts (example.com, staging.example.com and prod.example.com).
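The routing and certificate setup described in the two answers above, as an added CloudFormation example that is not part of the original thread. It assumes the ALB, the three target groups and the Route 53 hosted zone for example.com already exist and are passed in as parameters; the hostnames are the ones from the question.

```yaml
Parameters:
  HostedZoneId: {Type: String}            # Route 53 zone for example.com (assumed to exist)
  LoadBalancerArn: {Type: String}         # existing ALB (assumed)
  DefaultTargetGroupArn: {Type: String}   # target group that example.com already forwards to
  StagingTargetGroupArn: {Type: String}
  ProdTargetGroupArn: {Type: String}
Resources:
  # One certificate for the apex and every first-level subdomain.
  # "*.example.com" alone does NOT cover example.com itself, hence both names.
  SiteCert:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: example.com
      SubjectAlternativeNames: ["*.example.com"]
      ValidationMethod: DNS   # ACM writes the validation CNAMEs into the zone
      DomainValidationOptions:
        - DomainName: example.com
          HostedZoneId: !Ref HostedZoneId
        - DomainName: "*.example.com"
          HostedZoneId: !Ref HostedZoneId
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: !Ref SiteCert
      # Requests matching no rule below (e.g. the bare example.com) land here.
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref DefaultTargetGroupArn
  StagingRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref HttpsListener
      Priority: 10   # lower number is evaluated first
      Conditions:
        - {Field: host-header, HostHeaderConfig: {Values: [staging.example.com]}}
      Actions:
        - Type: forward
          TargetGroupArn: !Ref StagingTargetGroupArn
  ProdRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref HttpsListener
      Priority: 20
      Conditions:
        - {Field: host-header, HostHeaderConfig: {Values: [prod.example.com]}}
      Actions:
        - Type: forward
          TargetGroupArn: !Ref ProdTargetGroupArn
```

The two hostnames still need Route 53 A records that alias the ALB, created the same way as the existing example.com record.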
I would like to make the following structure for my web application
Visitor -> CloudFront -> ALB -> ASG (nginx servers)
I have only one HTTPS certificate for my domain name. I will upload it to ACM but where to attach?
To the Cloudfront? Or to the ALB? Maybe to the hosts? Or everywhere the same?
Can I use the same in all places?
I tried to add it only to NGINX, but it can be used only locally, and the others from ACM.
Firstly, you can use SSL at all levels (CloudFront, ALB, and Nginx servers).
For CloudFront, you need to upload your cert to ACM in the us-east-1 region.
On the CloudFront configuration page, select Alternate Domain and enter the domain to be used; it will then ask for a cert, which you select from the options.
For the ALB, you need to upload it to ACM in the ALB's region.
When you go to Listeners and configure the listener for 443 (or another port), you can select the SSL cert there.
For Nginx, you can configure your nginx.conf to use the cert. It will ask for the cert and key, which you put somewhere on disk.
BTW, you can configure SSL only on CloudFront for visitors, and you don't need to use SSL for internal communication if your data is not too important (credit cards, etc.).
My client has a domain example.com hosted somewhere.
We need to create a subdomain cloudfront.example.com in my AWS cloud in order to make my Cloudfront Distribution accessible on that subdomain.
CF requires an SSL certificate to work with a custom domain.
I was only able to find a solution which leads to 4th-level subdomains, by creating an AWS Hosted Zone (3rd-level domain) in my AWS account where I can then create another subdomain (4th level).
Is it possible to register a single record in my client's DNS table to point to my CF Distro?
Yes, you can use the client's DNS. What you need to do:
Use ACM to create an SSL certificate for cloudfront.example.com. You will see the CNAME needed to confirm the SSL certificate.
Add that CNAME to your client's DNS; it will validate the certificate.
In CloudFront, define the alternate domain name (CNAME) as cloudfront.example.com.
In the client's DNS, add a CNAME for cloudfront.example.com pointing to your CloudFront distribution domain name (it's going to be some-hash.cloudfront.net).
I have my main domain www.example.com hosted on Route 53 on AWS.
I've created the custom domain on Google Cloud sub.example.com and set the appropriate NS records.
What I want to do now is create a new managed SSL certificate for this subdomain as shown below:
Is this possible? Is it good practice given that I want to continue adding more subdomains like sub1.example.com and creating a certificate for each one? Since I am keeping example.com hosted at Route 53, I don't think I can create a single managed SSL certificate for all of the possible subdomains that I may have on Google Cloud?
I have my main domain www.example.com hosted on Route 53 on AWS.
Good choice. Route 53 is a very good service for DNS. If your services will be hosted in AWS even better. If your services will be hosted in Google Cloud, consider changing the Name Servers to Google DNS. All depends on which services you plan to use and where they are located (e.g. cloud vendor, not geo location).
I've created the custom domain on Google Cloud sub.example.com and set the appropriate NS records.
I hope you mean that you changed NS records at the registrar and not within Route 53.
What I want to do now is create a new managed SSL certificate for this subdomain as shown below: Is this possible?
Depends. Google Managed SSL certificates can only be used with Google services such as load balancers. However, the backend services can be anywhere provided that they have public IP addresses. AWS also offers managed SSL certificates for their services such as load balancers, CloudFront, etc. If your goal is to use Google Managed SSL certificates directly on your compute instances, etc. you cannot. Google does not provide the private key that is required for installation and setup of SSL.
Is it good practice given that I want to continue adding more subdomains like sub1.example.com and creating a certificate for each one?
Depends. For Google self-managed SSL certificates you can create a single SSL certificate with wildcards and / or specific domain names. If you are a typical user, wildcard certificates are fine (*.example.com). Multiple names are also fine (site1.example.com, site2.example.com, etc.). You can also create individual SSL certificates for each domain name. For the www domain name, typically you want to create a certificate with two names (example.com and www.example.com). For financial institutions, etc. usually EV (Extended Validation) certificates are used (which Google does not offer).
Google Managed SSL certificates have limitations over standard SSL certificates:
Wildcards are not supported.
Only DV (Domain Validation) SSL certificates are issued.
Single hostname per certificate.
Load balancers support up to 10 certificates.
Since I am keeping example.com hosted at Route 53, I don't think I can create a single managed SSL certificate for all of the possible subdomains that I may have on Google Cloud?
Route 53 has no impact on your choice or strategy for SSL certificates. Route 53 is a DNS server that resolves DNS names. SSL (TLS / HTTPS) is a protocol that is not affected by or managed by Route 53.
Google Managed SSL certificates are limited to one name per certificate. Google Self-managed SSL certificates can have multiple names per certificate.
I used the AWS certificate manager to create an ACM certificate.
I followed this guide: https://medium.com/#arcdigital/enabling-ssl-via-aws-certificate-manager-on-elastic-beanstalk-b953571ef4f8#.kjh1mqdzq to configure the load balancer using the aws cli.
When I look at my load balancers, I now see 443(HTTPS, ACM Certification:[arn]) forwarding to 80 (HTTP) under Port Configuration
However, if I type in https in my browser I get the "your connection is not private" message from chrome.
Is there another step that I'm missing?
You haven't given this info, but I'm assuming you have a CNAME for www.yourdomain.com that is resolving to loadbalancer.amazonaws.com.
You are getting the ERR_INSECURE_RESPONSE error because you are using a CNAME which is resolving to loadbalancer.amazonaws.com. Since your certificate is for www.yourdomain.com, it is giving a valid error. CNAME and Alias operate slightly differently. With a CNAME the traffic is not a valid alias of your domain so if you're trying to secure it, you will receive errors. However, when you create an A record for www and alias that to loadbalancer.amazonaws.com now any traffic from loadbalancer.amazonaws.com on www.yourdomain.com is valid traffic for your domain and you will no longer have those errors.
In order to terminate secure traffic for www.yourdomain.com at loadbalancer.amazonaws.com you need to have an A record that will alias there. Unfortunately, ELBs only provide a DNS entry, no IP address, but many DNS providers (i.e. GoDaddy) will not allow you to have a DNS A record that is aliased to a DNS address; they require you to alias to an IP address. Which makes life a bit more complex.
There are a couple ways to accomplish this (URL forwarding and masking is not supported by SSL), but the easiest solution is to use Route 53. Use of Route 53 doesn't require you to register or transfer your name to AWS and a hosted zone is just $0.50/month per domain.
To use Route 53 follow these steps:
Create a Hosted Zone for yourdomain.com. When you create a Hosted Zone in Route 53 it will complete a few default records (like an A, NS, and SOA records). Note the NS records as you'll need them later.
Next copy your existing zone file entries (like MX records) from your current DNS provider to your new hosted zone.
When it comes to a record that you want to direct traffic for to your ELB you'll enter the name, say www, and then just below the type option field you'll see a radio option that says "Alias: yes no". When you select yes, the value field will disappear and you'll see an option that says "Alias Target: Enter Target Name". When you click that field you'll receive a drop down list of resources in your account that you can alias to. Simply select your load balancer.
Click create, and you're done with Route 53.
Now that all your DNS records are copied over, go to your registrar and change the nameservers to the ones that Route 53 provided you.
Now Route 53 is handling your DNS for you. And loadbalancer.amazonaws.com is a valid alias of www.mydomain.com. Since loadbalancer.amazonaws.com is now a valid alias of www.yourdomain.com when you visit www.yourdomain.com your ELB at loadbalancer.amazonaws.com will terminate the traffic as www.yourdomain.com and your error will be resolved.
If I use CloudFront to sit in front of a webserver, which itself is behind an ELB, would the following apply?
I use Route53 to create a domain name record for the CF domain and apply an SSL certificate to that domain to secure the distribution
If CF can not serve the content from the cache then the SSL connection is forwarded to the ELB (which fronts the webserver as an origin server)
Therefore I also need to use the same domain name (FQDN) on the ELB (via Route53 CNAME) and apply the same cert there too?
When CF forwards the request through the ELB the SSL is terminated
Is that right? Will one FQDN cert suffice or better to use a wildcard? Is it better to use the origin server domain name instead?
As I can now use the new AWS Certificate Manager tool (ACM) to add these certs, does anyone know if CF still requires the cost for use of a custom SSL cert if using ACM (which makes CF an expensive AWS service)?
If CF can not serve the content from the cache then the SSL connection is forwarded to the ELB (which fronts the webserver as an origin server)
The SSL connection is not "forwarded". A new SSL connection is established between CloudFront and the ELB.
The SSL connection between the user and CloudFront is a completely different connection than the one between CloudFront and the ELB. Therefore, there are no requirements on matching the domain names used on the ELB and CloudFront.
Therefore I also need to use the same domain name (FQDN) on the ELB (via Route53 CNAME) and apply the same cert there too?
The only restriction is that the SSL certificate on the ELB must match the domain name used on the ELB. It can be a different SSL cert and domain name than those used on CloudFront.
If you want to use the "Custom SSL" feature and support "All Clients", not just those that support SNI, then yes, you must still pay the extra charges, even if you are using ACM.
Example 1
You can create Route 53 records for www.domain.com and origin.domain.com and an SSL cert for *.domain.com. From these, you would assign www.domain.com to the CloudFront distribution, origin.domain.com to your ELB, and use the wildcard cert on both.
Example 2
You can create Route 53 records for www.domain.com and origin.domain.com and separate SSL certs for www.domain.com and origin.domain.com. From these, you would assign www.domain.com to the CloudFront distribution using the www.domain.com cert, and origin.domain.com to your ELB using the origin.domain.com cert.
Example 3
You can create Route 53 records for www.domain1.com and origin.domain2.com and separate SSL certs for www.domain2.com and origin.domain2.com. From these, you would assign www.domain2.com to the CloudFront distribution using the www.domain2.com cert, and origin.domain2.com to your ELB using the origin.domain2.com cert.
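Example 2 above (one hostname on CloudFront, a different one on the ELB, each with its own certificate), written out as an added CloudFormation example that is not part of the original answers. It assumes an ACM certificate for www.example.com already exists in us-east-1 (the region CloudFront requires, as the earlier answer notes) and that origin.example.com already resolves to an ELB carrying its own certificate; the cert ARN and hosted zone id are passed in as parameters.

```yaml
Parameters:
  ViewerCertArn: {Type: String}   # ACM cert for www.example.com; MUST live in us-east-1
  HostedZoneId: {Type: String}    # Route 53 zone for example.com (assumed to exist)
Resources:
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases: [www.example.com]          # the alternate domain name (CNAME) setting
        ViewerCertificate:
          AcmCertificateArn: !Ref ViewerCertArn
          SslSupportMethod: sni-only        # "vip" (dedicated IP, all clients) is the paid option
          MinimumProtocolVersion: TLSv1.2_2021
        Origins:
          - Id: elb-origin
            # Second, separate TLS connection: the ELB's cert only has to match this name.
            DomainName: origin.example.com
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
              OriginSSLProtocols: [TLSv1.2]
        DefaultCacheBehavior:
          TargetOriginId: elb-origin
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues: {QueryString: false}
  # Alias A record for www.example.com pointing at the distribution, not a CNAME.
  WwwRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: www.example.com
      Type: A
      AliasTarget:
        DNSName: !GetAtt Distribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2   # fixed hosted zone id shared by all CloudFront distributions
```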