I have an EC2 instance behind an Application ELB in AWS. I want to apply SSL to both the EC2 instance and the load balancer. For the EC2 instance I have purchased an SSL certificate and installed it, and it is working fine. For the load balancer I will be using the free AWS ACM certificate and installing it on the load balancer. Will this have any issues, i.e. installing SSL in both places, EC2 and ELB?
It will not have any issues, but it does come with a caveat. The traffic into the Application Load Balancer (ALB) will be encrypted and the ACM cert will be validated by the client. The traffic to the host from the ALB will also be encrypted, but the certificate on the host will not be validated.
It looks like ALB Backend Authentication is on AWS's roadmap per the reference below. The reason given for it not being a priority is summarized in this quote from the AWS Engineer who wrote the first reference:
The role that server certificates play in TLS is to authenticate the server, so that it can’t be impersonated or MITM. ALBs run exclusively on our Amazon VPC network, a Software Defined Network where we encapsulate and authenticate traffic at the packet level.
The upside of this is you can use self-signed certs on your hosts to save money when using an ALB or ELB in front of them.
If you need to ensure the certificate on the host is valid you can use a Classic Elastic Load Balancer (ELB). See the reference for more details.
References
AWS ALB Validation TLS Reply
AWS ELB Configure Backend Authentication
If you use SSL/TLS at the ELB, it will handle the encryption/decryption of the HTTPS connections (freeing your EC2 instance's CPU to do other work).
If you use an HTTPS/SSL connection for your back end, you can enable authentication on the back-end instance. This authentication can be used to ensure that back-end instances accept only encrypted communication, and to ensure that the back-end instance has the correct certificates.
Using SSL/TLS on both the ELB and the backend can create problems, since the ELB HTTPS listener does not support client-side SSL certificates.
I have assumed that you are using 2-way SSL (mutual or client authentication).
I was reading about backend authentication option in AWS ELB.
What it mentions is that there is an instance public key (.pem encoded) to be configured in the ELB.
What I could not understand is: what is this key or certificate?
Since it is optional, will the traffic still be encrypted between the ELB and the EC2 instances if port 443 is used?
There are no details mentioned on how to actually do this.
Basically I want end-to-end encryption from user to ELB and ELB to EC2.
Basically what this is saying is that if you want encryption in transit for the entire journey, you will need to install an SSL certificate on your EC2 instance. The journey will look like the below.
client ---(HTTPS)--> load balancer ---(HTTPS)--> EC2 host
You will need to either purchase an SSL certificate, or use a free option such as certbot on your server.
Once you have this you will need to configure it for the web server software you are running. Below are some instructions for common web servers:
Apache
Nginx
IIS
Tomcat
Ensure that your target group is configured for HTTPS port 443 traffic, to have the load balancer forward requests to HTTPS on your backend.
If the load balancer to EC2 host leg is not encrypted (plain HTTP), the client's traffic to the load balancer will still be encrypted, but after that it will be forwarded over HTTP.
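The journey above can be checked mechanically. The following is an added example (not from the original answer) that classifies each listener of an ALB as end-to-end encrypted, terminated at the ALB, or plaintext, using constructed records shaped like the trimmed output of `aws elbv2 describe-listeners` and `describe-target-groups`; the ARNs are placeholders.

```python
"""Classify how far TLS extends for each ALB listener: client->ALB only,
or client->ALB->target. Input records are constructed samples (not real
resources) shaped like trimmed AWS CLI output."""

# Constructed target groups, keyed by placeholder ARN.
TARGET_GROUPS = {
    "arn:tg/web-https": {"Protocol": "HTTPS", "Port": 443},
    "arn:tg/web-http": {"Protocol": "HTTP", "Port": 80},
}
# Constructed listeners: one per scenario discussed in the answer.
LISTENERS = [
    {"Port": 443, "Protocol": "HTTPS",
     "Certificates": [{"CertificateArn": "arn:aws:acm:PLACEHOLDER"}],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:tg/web-https"}]},
    {"Port": 8443, "Protocol": "HTTPS",
     "Certificates": [{"CertificateArn": "arn:aws:acm:PLACEHOLDER"}],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:tg/web-http"}]},
    {"Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443"}}]},
    {"Port": 8080, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:tg/web-http"}]},
]

def classify_listener(listener, target_groups):
    """Return (port, verdict, note) describing encryption in transit."""
    port = listener["Port"]
    action = listener["DefaultActions"][0]
    if action["Type"] == "redirect":
        if action["RedirectConfig"].get("Protocol") == "HTTPS":
            return (port, "redirect-to-https", "plain HTTP only until the redirect")
        return (port, "plaintext", "redirect keeps traffic on HTTP")
    tg = target_groups[action["TargetGroupArn"]]
    front_tls = listener["Protocol"] == "HTTPS"
    back_tls = tg["Protocol"] == "HTTPS"
    if front_tls and back_tls:
        return (port, "end-to-end",
                "ALB does not validate the target certificate; self-signed is accepted")
    if front_tls:
        return (port, "terminated-at-alb", f"forwarded in clear text to target port {tg['Port']}")
    if back_tls:
        return (port, "plaintext-client-leg", "client leg unencrypted although target uses HTTPS")
    return (port, "plaintext", "no TLS on either leg")

def audit(listeners=LISTENERS, target_groups=TARGET_GROUPS):
    """Map listener port -> verdict for every listener."""
    return {p: v for p, v, _ in (classify_listener(l, target_groups) for l in listeners)}

if __name__ == "__main__":
    for port, verdict, note in (classify_listener(l, TARGET_GROUPS) for l in LISTENERS):
        print(f"listener :{port:<5} {verdict:<22} {note}")
```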
I set up an EC2 Ubuntu instance, assigned an elastic IP, and pointed example.com (domain) to the EC2 instance via Route53. Added an SSL certificate using ACM (Certificate Manager), which says 'issued'.
However, https://example.com raises ERR_SSL_PROTOCOL_ERROR. http://example.com is working.
The security group has HTTPS port open.
What's wrong here? Why is this not working? Any clues? `curl https://localhost -k` shows local port 443 refused.
You can't deploy a public ACM certificate directly to an instance. The "issued" state just means it's ready to be applied somewhere. It needs to be applied to a service that supports ACM like an ELB, API Gateway, or a CloudFront distribution, which can be used to offload SSL processing. See the FAQs for an overview of how they can be used.
For a certificate directly on the instance, you can use Let's Encrypt to issue free, trusted certs.
Also, this assumes that you've configured the web server to listen on 443.
ACM can only be used with AWS resources such as Elastic Load Balancer, Amazon CloudFront distributions and APIs on Amazon API Gateway.
Make sure that you are using one of the above services to serve your website content.
ACM cannot be used directly with an EC2 instance; you need either an Elastic Load Balancer or a CloudFront distribution to use it.
I have an Application Load Balancer and 1 EC2 instance currently behind it. Before, I was using another CA for receiving SSL certificates for my domain, which was running on the EC2 with nginx. Now, I use SSL from Amazon's Certificate Manager for the load balancer's listener.
Should the domain's certificate be purchased individually on each EC2 instance for https connection to my application after moving it behind the ELB?
Is there any other way to establish https connection without using the separate certificates on the EC2 instances and with just the ACM on the load balancer?
You can use the same certificate on EC2.
But whenever you need to update the certificate you have to change it on EC2 as well.
If you have the EC2 in a private subnet (not accessible from the internet), you can use a self-signed certificate (self signed certificate nginx).
I encountered this problem and solved it by using the self-signed certificate.
You can use self-signed certificates on the EC2 instances to enable the load balancer to talk to your EC2 instances via HTTPS. The load balancer will not do certificate validation, so you do not need commercial certs.
I'm managing a domain at AWS Route 53 and I have a service exposed as an API on 3 servers spread across 3 main zones: us, asia, eu.
I created a traffic policy to redirect clients based on latency to the appropriate zone(s).
So a client comes in via api.example.com, enters this latency-based policy and exits at the closest server. Which works... with one problem though. I don't know how to enable HTTPS so I can have my clients use https://api.example.com.
Any ideas?
SSL (HTTPS) is completely unrelated to all the Route53 stuff you talked about in your question. You need to install an SSL certificate on the server, or on the load balancer if you are using a load balancer. You can also install the SSL certificate at your CDN, if you are using one.
Route53 is a DNS service. Route53 does not manage the protocol of a service, and it does not manage encryption. Route53 (DNS) just allows a client to look up an IP based on a hostname.
I am working with AWS API Gateway and an Elastic Beanstalk environment. What I want to make sure of in the Elastic Beanstalk environment is that requests are served only for AWS API Gateway.
So Amazon suggested client-side SSL certificate authentication. The problem I'm facing with this is that even if I configure Amazon API Gateway to provide a certificate on an HTTPS connection, it will give the certificate to the load balancer, and the load balancer will give its own certificate to my EC2 instance.
So in this scenario, I never receive the SSL certificate of API gateway. Please help me here or provide me with a better solution.
I don't want to remove my load-balancer in the scenario as it is helpful for me.
As far as I know, the key with using ELB is to turn the ELB to TCP mode (not HTTP) so the SSL handshake is actually done on the EC2 instances. That way you can verify on the hosts and treat the ELB as just a simple TCP load balancer.
Some helpful info here: Support for two-way TLS/HTTPS with ELB