When we create a cloud run service and run it on GKE it does not seem to be possible to change the URL or to map a custom domain to the service.
The domain is currently http://stacko-gke.default.example.com
and the service is https://console.cloud.google.com/run/detail/cluster/us-central1-a/crun/default/stacko-gke/metrics?project=stack-123456
We had to use the CURL trick to specify a host header and that worked, but I would need to be able to change the host for DNS to work properly, please advise.
You have 2 options on Cloud Run:
Create a domain mapping for each Service, and map your DNS: https://cloud.google.com/run/docs/mapping-custom-domains
If you are using HTTPS, the following considerations apply:
For Cloud Run, a managed certificate for HTTPS connections is automatically issued when you map a service to a custom domain. Note that provisioning the SSL certificate should take about 15 minutes. You cannot upload and use your own certificates.
Change the base domain from example.com to your own domain https://cloud.google.com/run/docs/gke/default-domain and create a wildcard A record (*) pointing to the IP address of your istio-ingressgateway.
For Cloud Run on GKE, only HTTP is available by default. You can install a wildcard SSL certificate to enable SSL for all services mapped to domains included in the wildcard SSL certificate. For more information see Enabling HTTPS.
You can map multiple custom domains to the same Cloud Run service such as example.com or www.example.com
Related
Background
I am trying to deploy a dummy application with React frontend and Django backend interacting via REST api. I have done the following:
Use a S3 bucket to host static website and deploy my react code to it
Put Cloudfront for S3 bucket - set up certificate and changed my domain name (from GoDaddy) to link to this address
Kicked off Elastic Beanstalk environment following the python environment tutorial of AWS
Set up Postgres RDS and linked the Django server with it
So now I can do the following
Access my frontend using https via my domain name (https://www.example.com)
Access django admin site using the path of elastic beanstalk and update items
i.e. each component is up and running
Problem
I am having trouble with:
Making a secure REST API call from the static page to Elastic Beanstalk environment. Before I set up certificates I could easily make REST API calls.
The guides I can find usually involve putting a domain name for Elastic Beanstalk, which I imagine does not apply to my case (or does it?)
I tried to follow this faq and updated configuration in load balancer that accepts 443 https and redirects to 80 http. But I am using same certificate as from CloudFront, which does not sound right to me.
Would appreciate help with
how to solve the above ssl connection issue
or is there a better architecture for what I'm trying to achieve here?
According to Request a certificate in ACM for Elastic Beanstalk backend, it sounds like I have to use a subdomain and request a certificate for that subdomain, and use Cloud 53 to direct requests to that subdomain to Elastic Beanstalk environment. Would that be the case?
Thank you in advance!
By default EB url will HTTP only. To use HTTPS you need to deploy SSL certificate on your ALB.
In order to do that you need a custom domain, because you can only associated an SSL certificates with domains that you control. Thus, normally you would get a domain (you seem to already have one from godaday). So in this case you can setup a subdomain (e.g. api.my-domian.com) on godady. Then you can use AWS ACM to register a free public SSL certificate for api.my-domian.com.
Once the certificate is verified, using either DNS (easier) or email technique, you deploy it on your ALB using HTTPs listener. Obviously you will need to point api.my-domian.com to the EB's https url. You can also redirect on your ALB http traffic from port 80 to 443 to always use https.
Then in your front-end application you only use https://api.my-domian.com, not the original EB url.
There can be also CORS issues alongside this, so have to be vary of them as well.
I am trying to map an external sub domain into my Elastic Beanstalk Environment. I know, the common way is to use Route53 but I see no use of using it when my client's domain provider has already provided CPanel and stuff to set the CName and things. So, I am about to follow the below method to set domain to Beanstalk.
Login to your provider website and select your domain
Click on "Advanced DNS"
Create a CNAME record.
host: www
value: {{enter-your-subdomain}}.elasticbeanstalk.com.
Create a URL Redirect record.
host: #
value: http://www.{{your-custom-domain}}.com
By doing the above, I expect to have subdomain.example.com instead of subdomain-region.elasticbeanstalk.com
You can see detailed info in this - https://colintoh.com/blog/map-custom-domain-to-elastic-beanstalk-application
I am going to apply this to 2 things.
The REST API which resides in Beanstalk. (Will be used by few mobile and web apps)
The Web Portal app which resides in Beanstalk.
Now, I can see my client already has couple of subdomains for other purposes with SSL enabled. They have purchased SSL from a CA. Therefor, can we enable SSL in CPanel and point the SSL enabled sub domains to Beanstalk? Or we have to reconfigure everything in Route53 and go through their complex process of setting up the SSL?
Using SSL certificates issued by external vendor
From the side of SSL vendor you would need three files : certificate-chain.pem, https-cert.crt and private-key.pem .
Steps would be as follows:
Import certificate to ACM
aws acm import-certificate –certificate file://https-cert.crt
–private-key file://private-key.pem –certificate-chain
file://certificate-chain.pem
Once the import is complete to edit Load Balancer settings in AWS Elasticbeanstalk from Console to choose the imported certificate. For detailed step by step instruction refer https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html .
Using SSL certificates from AWS ACM
Steps would be as follows:
Create a Public Hosted Zone in Route 53 with the subdomain in discussion (say app.mydomain.com). AWS will return multiple ns server names.
Create an SOA record in the existing domain registrar for app.mydomain.com pointing to the ns server names returned in step 1.
Go to ACM and create domain validated certificates for app.mydomain.com .
Edit Load Balancer settings in AWS Elasticbeanstalk from Console to choose the new ACM certificates. For detailed step by step instruction refer https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html .
I created an SSL certificate last night for use with an API (Tomcat, Spring Boot) on AWS Elastic Beanstalk using instructions provided by Amazon Certificate Manager.
When creating the cert, I entered the URL of my static site that calls the API, which is hosted by GoDaddy. ACM sent an email to my URL which I opened and approve and I now see the cert as issued, by Amazon, in my certs. I am also able to select it when I configure HTTPS for my EB load balancer. I am not able to export this cert though as it isn't private.
My question is, how is domain name used? I think I'm a little confused about how to use SSL on both my API and my static site AS WELL as the small bit of static content I'll host out of Tomcat.
Thanks.
ACM certs can only be used with AWS services - Cloudfront (if the cert is issued in us-east-1) and regionally on the classic load balancer and application load balancer.
You cannot export the cert for use in other products, so if you wanted to have Tomcat handle SSL you would need to get either a commercial cert or use something like Let's Encrypt.
If you have multiple host names you want to protect, you have different options.
You can get one cert per hostname if they are running on completely separate infrastructure; you can also have multiple host names in a single cert - even if there are multiple domains; and finally you can get a wildcard cert.
I am not into SSL at all, so bear with me please. I have no idea how to start to actually solve my problem.
Current situation:
1x Webserver with Webspace for a Website and it includes a Domain Administration, also to order SSL Certificates etc.
1x Different Webserver at Amazon Web Services with a PHP-based Software on it with Login etc.
A Subdomain that I created in the Domain Administration is pointing via DNS to the IP of the AWS.
What I need:
I want an https Connection (SSL) for the Subdomain that is pointing to the AWS so that the connection/login is secure.
My question is what I have to do on the side where I have the Domain Administration and after that what I have to do on the side of the AWS.
Thank you so much!
You have several options in hand,
If you already have a SSL certificate purchased, you can include it inside the webserver (e.g; configure apache for SSL).
If you plan to use free SSL certificates from Amazon, you can use one of the following options after creating a SSL certificate in AWS Certificate Manager.
Create a AWS CloudFront Distribution and attach the SSL certificate there while configuring an origin to forward traffic to the specific web server. However, you need to create the SSL certificate in North Virginia region and there won't be any upfront costs for CloudFront). CloudFront acts as a proxy and you can explicitly instruct to cache the static content reducing the load for web server and improving the performance.
The other option is to create a Application Load Balancer (ALB) and attach the SSL certificate there ( Create the SSL certificate in the same region) while forwarding traffic to the web server. However, this will add a monthly reoccurring costs for the ALB.
All you need to do is, on AWS ACM (AWS Certificate Manager) procure a certificate for your subdomain and use AWS ELB to use the certificate and point to the AWS webserver.
After this use the ELB IP in the DNS settings.
There are other options too like procuring the subdomain certificate and installing it on the webserver on AWS.
My iOS software platform runs on AWS Elastic Beanstalk and has a URL we'll call "something.elasticbeanstalk.com". I have a website we'll call "website.com" I purchased and operate the DNS records for through Namecheap. I need to make the URL my iOS client apps use to connect to the server HTTPS since Apple is requiring this soon due to App Transport Security.
WHAT I THINK I'M SUPPOSED TO DO
What I think I'm supposed to do is, create an SSL certificate for "website.com" and apply that SSL certificate to the AWS EB load balancer. Then I need to create a subdomain for "website.com" that redirects traffic to "something.elasticbeanstalk.com". Client apps connect to the subdomain of "website.com" which is now HTTPS and redirects to "something.elsastic.beanstalk.com". Is that correct?
WHAT I'VE DONE SO FAR
So far, I created a SSL certificate for "website.com" using AWS Certificate Manager. For this I had to verify my email address associated with "website.com". I then applied that SSL certificate to my environment's load balancer int the AWS Management Console. After that, I went into Namecheap and followed this guide in the 'Domain Name & AWS 53 Management' section to do it.
I read in this article that I needed to create an alias and/or set up Nameservers in AWS Route53. I tried doing that but don't know what I'm doing and it seems to conflict with the Medium article I linked above that I followed telling me to change the CNAME record for the URL and the Redirect URL record for "website.com".
QUESTION
What do I do from here?
SITUATION
-I have a Parse Server on Elastic Beanstalk with URL “something.elasticbeanstalk.com”
-I have a domain with Namecheap called “website.com”
WHAT I NEEDED
I needed to make my client app connect to an HTTPS address since Apple is requiring it shortly with App Transport Security. Since I couldn’t get an SSL certificate using AWS certificate manager for “something.elasticbeanstalk.com”, I created one for “website.com”. I then needed to have my client app connect to the HTTPS “website.com” which would forward it over to “something.elasticbeanstalk.com”. This satisfied the HTTPS requirements of Apple.
HOW TO DO IT
Make an SSL certificate for “website.com” using AWS Certificate Manager. You will need to confirm the domain via a confirmation email to the administrator for it.
Apple the SSL certificate for “website.com” to the AWS EB Load Balancer. Go to your AWS EB Console, click "configuration", click "Load Balancing" under the "Network Tier" category. Now under the first category which is "Load Balancer", select the SSL record you made and apply it in the "SSL certificate ID" section.
Set a CNAME record for “website.com” with a host of whatever subdomain of “website.com” you want. I chose “data” as my host value and subdomain (so my subdomain is “data.website.com”). Set the value of the CNAME record to “something.elasticbeanstalk.com”. Wait for it to propagate. It’s usually pretty fast but not always.
(I’m unsure if this particular step is proper but it worked for me) Set the serverURL of Parse-Server to “https://something.elasticbeanstalk.com” and the publicServerURL to “https://data.something.com”
In the Parse “initializeWithConfiguration” method in your client app that enables the app to connect to the server, change the server URL to “https://data.something.com/parse”. NOTE: include the “/parse” which is the MOUNT PATH of the parse-server. This value MAY BE DIFFERENT for you depending on how you set it but I set it to “/parse” since that’s what I saw in the Parse-Server docs.
NOTES
-I deleted all Route53 records since they are irrelevant here since “something.com” DNS services are controlled by Namecheap.
-A Redirect URL record in Namecheap is unnecessary