How to add SSL certificate and make website HTTPS in AWS cloud? - amazon-web-services

I have installed a WordPress site on just 1 EC2 instance, which is running in 1 AZ (meaning 1 public subnet). I have bought a domain as well using Route 53. Currently my site is HTTP only, which I want to make HTTPS. I have got an SSL certificate from AWS Certificate Manager as well. Using Route 53, I currently have an A record (IPv4) mapped to my EC2 instance's public IPv4 address.
I'm facing an issue here in changing my site to HTTPS from the current HTTP. Since my site is deployed in just 1 AZ (public subnet), I cannot add an Elastic Load Balancer in front of my EC2 instance as it requires a minimum of 2 public subnets (this is what my understanding is). If my site were deployed in 2 AZs (2 public subnets) then I would easily have configured an Application Load Balancer with these 2 subnets and used the SSL certificate which is stored in AWS Certificate Manager, but in my case it is just 1 AZ / 1 subnet.
Question 1) Is it necessary to have 2 public subnets to configure an Elastic Load Balancer? Can't I configure a load balancer with just 1 subnet like in my case? If yes, then please advise how to do it.
Question 2) Is a load balancer really necessary between Route 53 and the EC2 instance to make the site HTTPS? Can I configure Route 53 and the SSL certificate to listen to the EC2 instance directly and make the site HTTPS?
Please assist here to make my site HTTPS. Thanks

1) Yes, an ELB requires two subnets - but you don't have to have a server running in both subnets (but obviously you don't get the benefit/cost of dual servers). Within AWS go to the VPC section and create a new subnet inside the correct VPC - you should then be able to create an ELB (it may complain about the 2nd subnet - but if there are no instances inside that subnet it doesn't really matter).
2) No, but if you want to use the free ACM certificate it must be installed at the Load Balancer or CloudFront distribution level. There's nothing stopping you installing your own certificate on your EC2, configuring Apache to use it and then renewing it as required. Take a look at Let's Encrypt for free certificates, or buy a cert online.
A few things to bear in mind:
"Best Practice" for TLS/HTTPS is constantly changing. AWS take the headache out of this by providing policies, so updating to the latest standard is very simple and requires no changes to your EC2 (as it's talking to the ELB via port 80).
If you decide to manage your own certificate, take a look at the SSL Labs certificate tester (https://www.ssllabs.com/ssltest/) to help you ensure your configuration is correct.

Let me answer the questions inline.
Question 1) Is it necessary to have 2 public subnets to configure an Elastic Load Balancer? Can't I configure a load balancer with just 1 subnet like in my case? If yes, then please advise how to do it.
Yes. You must specify subnets from at least two Availability Zones to increase the availability of your load balancer. This is why you need at least two subnets (Minimum one subnet in each Availability Zone). When you run the EC2 instances, it is also recommended to run them in both Availability Zones (Given to the Load Balancer) with Auto Scaling for high availability and fault tolerance.
Question 2) Is a load balancer really necessary between Route 53 and the EC2 instance to make the site HTTPS? Can I configure Route 53 and the SSL certificate to listen to the EC2 instance directly and make the site HTTPS?
It is necessary if you are using Amazon Certificate Manager (ACM) issued SSL certificates. Otherwise, if you use an externally purchased SSL certificate, you can configure the SSL certificate at your EC2 instance web server level.
Note: An alternative approach is to use AWS CloudFront as a proxy (Also for SSL termination using ACM certificate) and proxy the requests to the EC2 instance (If you don't want to pay for the Load Balancer where CloudFront costs are based on the number of requests unlike an hourly charge for Load Balancer).
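The load balancer route from both answers, written out as an added AWS CLI example (this is not code from the question or the answers): it reads the instance's subnet, AZ and VPC, creates the second subnet in another AZ that the ALB needs, attaches the existing public route table to it so an internet-facing ALB can use it, builds the ALB with an HTTPS listener carrying the ACM certificate and an HTTP-to-HTTPS redirect, and points a Route 53 alias record at it. The instance id, certificate ARN, hosted zone id, security group id, CIDR and host name are placeholders to replace; the change-batch builder is a pure function so its JSON can be checked offline.

```shell
#!/bin/sh
# Added example (not code from the question or its answers): put an Application
# Load Balancer with an ACM certificate in front of a single EC2 instance, using
# the one existing public subnet plus a second subnet created in another AZ, and
# point a Route 53 alias record at the ALB. Every id/ARN below is a placeholder.
set -eu

INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"                   # placeholder
CERT_ARN="${CERT_ARN:-arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER}"
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-ZPLACEHOLDER}"                    # Route 53 zone of the domain
SITE_FQDN="${SITE_FQDN:-www.example.com}"
ALB_SG="${ALB_SG:-sg-0placeholder}"                                 # allows 80/443 from 0.0.0.0/0
SECOND_SUBNET_CIDR="${SECOND_SUBNET_CIDR:-10.0.2.0/24}"             # a free CIDR inside the VPC

# Route 53 change batch for an alias A record pointing at the ALB. Kept as a
# pure function so the JSON can be checked without touching AWS.
alias_change_batch() {
  fqdn=$1; alb_dns=$2; alb_zone=$3
  printf '{"Comment":"alias %s to ALB","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s.","Type":"A","AliasTarget":{"HostedZoneId":"%s","DNSName":"%s","EvaluateTargetHealth":false}}}]}\n' \
    "$fqdn" "$fqdn" "$alb_zone" "$alb_dns"
}

provision() {
  # The instance's own subnet/AZ/VPC: the ALB must be enabled in the instance's AZ,
  # otherwise the registered target receives no traffic.
  set -- $(aws ec2 describe-instances --instance-ids "$INSTANCE_ID" \
    --query 'Reservations[0].Instances[0].[SubnetId,Placement.AvailabilityZone,VpcId]' --output text)
  subnet=$1; az=$2; vpc=$3

  # Second subnet in a different AZ (an ALB needs two); it only has to exist.
  other_az=$(aws ec2 describe-availability-zones \
    --query "AvailabilityZones[?ZoneName!='${az}'].ZoneName | [0]" --output text)
  subnet2=$(aws ec2 create-subnet --vpc-id "$vpc" --cidr-block "$SECOND_SUBNET_CIDR" \
    --availability-zone "$other_az" --query Subnet.SubnetId --output text)
  # An internet-facing ALB needs an internet gateway route from both subnets, so reuse
  # the route table of the existing public subnet when it has an explicit association.
  rtb=$(aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=$subnet" \
    --query 'RouteTables[0].RouteTableId' --output text)
  [ "$rtb" = "None" ] || aws ec2 associate-route-table --route-table-id "$rtb" --subnet-id "$subnet2"

  set -- $(aws elbv2 create-load-balancer --name wp-alb --type application --scheme internet-facing \
    --subnets "$subnet" "$subnet2" --security-groups "$ALB_SG" \
    --query 'LoadBalancers[0].[LoadBalancerArn,DNSName,CanonicalHostedZoneId]' --output text)
  alb_arn=$1; alb_dns=$2; alb_zone=$3

  tg_arn=$(aws elbv2 create-target-group --name wp-tg --protocol HTTP --port 80 --vpc-id "$vpc" \
    --target-type instance --health-check-path / --query 'TargetGroups[0].TargetGroupArn' --output text)
  aws elbv2 register-targets --target-group-arn "$tg_arn" --targets "Id=$INSTANCE_ID"

  # HTTPS listener: TLS terminates here with the ACM cert and an AWS-managed security
  # policy; the instance keeps speaking plain HTTP on port 80 to the ALB only.
  aws elbv2 create-listener --load-balancer-arn "$alb_arn" --protocol HTTPS --port 443 \
    --certificates "CertificateArn=$CERT_ARN" --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
    --default-actions "Type=forward,TargetGroupArn=$tg_arn"
  # Plain HTTP is answered with a permanent redirect to HTTPS.
  aws elbv2 create-listener --load-balancer-arn "$alb_arn" --protocol HTTP --port 80 \
    --default-actions 'Type=redirect,RedirectConfig={Protocol=HTTPS,Port=443,StatusCode=HTTP_301}'

  aws route53 change-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" \
    --change-batch "$(alias_change_batch "$SITE_FQDN" "$alb_dns" "$alb_zone")"
  echo "${SITE_FQDN} -> ${alb_dns}; now allow port 80 on the instance only from ${ALB_SG}."
}

# Nothing is created unless APPLY=1, so the file can be read or sourced safely.
if [ "${APPLY:-0}" = 1 ]; then provision; fi
```

Two things the script cannot do for you: the ACM certificate must live in the same region as the ALB, and WordPress behind a TLS-terminating proxy needs its site URL set to https and wp-config.php told to treat a request with X-Forwarded-Proto: https as HTTPS, otherwise you get redirect loops or mixed-content warnings. Once the ALB is in place, change the instance's security group so port 80 is allowed only from the ALB's security group; otherwise the site stays reachable over plain HTTP by IP address.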

Related

AWS - Get rid of Elastic Load Balancing

I've an app running on AWS.
Currently, my frontend is hosted on S3/CloudFront, which communicates with my EC2 instance through an Elastic Load Balancer (ELB).
The ELB handles the SSL certificate.
I just have one EC2 instance, so I don't really need the ELB. My free tier period is over... the ELB represents 40% of my bill!
How can I get rid of the ELB without losing the SSL configuration?
Thanks in advance!
The best approach to keep an AWS ACM SSL whilst removing your load balancer would be to instead use CloudFront for your EC2 host.
If this is a different domain to your existing CloudFront distribution, you would need to create a new one which will serve your app traffic. This would have a custom origin that would resolve to the public CNAME of the EC2 host (this will require the EC2 host to be publicly resolvable).
If it shares the same domain, your CloudFront distribution would need to be updated to include a secondary behaviour that maps to your EC2 host's public hostname.
Please note that for this option your instance must be public; this means that it is possible to bypass CloudFront with this option. If you do not have a valid SSL on this EC2 host you will need to configure the CloudFront distribution to speak to the origin using HTTP.
An alternative (or combined option) would be to use a service such as certbot that can generate a valid SSL for your domain. This will ensure any public ingress to the instance can be encrypted securely over HTTPS.
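The CloudFront option from this answer as an added AWS CLI example (not the answer's own code): it renders a distribution config that terminates TLS with an ACM certificate, forwards everything to the instance as a custom origin, and then closes the bypass the answer warns about by allowing origin traffic only from CloudFront's AWS-managed prefix list instead of from the whole internet. The host names, certificate ARN and security group id are placeholders; the two policy ids are the AWS-managed "CachingDisabled" cache policy and "AllViewer" origin request policy, and the certificate ARN must be in us-east-1 because CloudFront only accepts certificates from that region.

```shell
#!/bin/sh
# Added example (not the answer's own code): serve an EC2-hosted app through a
# CloudFront distribution that terminates TLS with an ACM certificate, then allow
# origin traffic only from CloudFront's managed prefix list so the instance can no
# longer be reached directly. All names, ARNs and ids are placeholders.
set -eu

SITE_FQDN="${SITE_FQDN:-app.example.com}"
ORIGIN_HOST="${ORIGIN_HOST:-ec2-203-0-113-10.compute-1.amazonaws.com}"      # public DNS name of the instance
CERT_ARN="${CERT_ARN:-arn:aws:acm:us-east-1:ACCOUNT:certificate/PLACEHOLDER}" # CloudFront certs live in us-east-1
ORIGIN_SG="${ORIGIN_SG:-sg-0placeholder}"                                     # security group of the instance

# Distribution config as JSON. $3 is http-only (no certificate on the instance, as
# the answer describes) or https-only. Caching is disabled and all viewer headers,
# cookies and query strings are passed through via the AWS-managed policies, which
# is what a dynamic app behind CloudFront needs.
distribution_config() {
  fqdn=$1; origin=$2; proto=$3; cert=$4
  cat <<EOF
{
  "CallerReference": "cf-${fqdn}-$(date +%s)",
  "Comment": "ACM TLS termination for ${fqdn}",
  "Enabled": true,
  "Aliases": {"Quantity": 1, "Items": ["${fqdn}"]},
  "Origins": {"Quantity": 1, "Items": [{
    "Id": "ec2-origin",
    "DomainName": "${origin}",
    "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "${proto}"}
  }]},
  "DefaultCacheBehavior": {
    "TargetOriginId": "ec2-origin",
    "ViewerProtocolPolicy": "redirect-to-https",
    "CachePolicyId": "4135ea2d-6df8-44a3-9df3-4b5a84be39ad",
    "OriginRequestPolicyId": "216adef6-5c7f-47e4-b989-5492eafa07d3"
  },
  "ViewerCertificate": {
    "ACMCertificateArn": "${cert}",
    "SSLSupportMethod": "sni-only",
    "MinimumProtocolVersion": "TLSv1.2_2021"
  }
}
EOF
}

create_distribution() {
  distribution_config "$SITE_FQDN" "$ORIGIN_HOST" "${ORIGIN_PROTO:-http-only}" "$CERT_ARN" > /tmp/cf-config.json
  # Prints the dXXXX.cloudfront.net name; alias SITE_FQDN to it in Route 53 afterwards.
  aws cloudfront create-distribution --distribution-config file:///tmp/cf-config.json \
    --query 'Distribution.DomainName' --output text
}

# Restrict the instance to CloudFront's origin-facing address ranges so the origin
# cannot be reached directly on port 80 from the internet any more.
lock_origin_to_cloudfront() {
  pl=$(aws ec2 describe-managed-prefix-lists \
    --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing \
    --query 'PrefixLists[0].PrefixListId' --output text)
  aws ec2 authorize-security-group-ingress --group-id "$ORIGIN_SG" \
    --ip-permissions "IpProtocol=tcp,FromPort=80,ToPort=80,PrefixListIds=[{PrefixListId=$pl}]"
  echo "Now revoke any 0.0.0.0/0 rule for ports 80/443 on $ORIGIN_SG."
}

if [ "${APPLY:-0}" = 1 ]; then
  create_distribution
  lock_origin_to_cloudfront
fi
```

The managed prefix list counts as many rule entries against the security group's quota, so a quota increase may be needed before the authorize call succeeds. For defence in depth you can also set a secret custom origin header on the distribution and have the web server reject requests without it, which stops anything inside the CloudFront ranges from impersonating your distribution.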

Why the AWS load balancer not able to make my website secure?

I have configured the AWS load balancer to secure my website, i.e. to resolve through "https". But when I use (https://www.schoolnskill.com), it gives
503 Service Temporarily Unavailable.
So I have followed the below steps to configure my environment.
I created a domain name in Route 53 and have been issued an SSL/TLS certificate through AWS Certificate Manager.
For my load balancer I set up a listener for https:443 and attached the above certificate to it.
The security group for my ec2 instances allow http and https requests (although I believe the load balancer ec2 target will communicate using http).
I have attached a screenshot with the summary of the configuration.
Then in Route 53, I edited the 'A' record of 'www.schoolnskill.com'. Below are the changes I made.
Alias: yes
Alias target: chose the application LB
Routing policy: simple
Then saved the settings.
I can see that whenever I type 'http://www.schoolnskill.com', it is redirected as 'https://www.schoolnskill.com'
[screenshot: Health_CHK]
Thank you,
The problem was the availability zones. The AZ of my load balancer was different from that of EC2 instance. I matched the AZ of ALB to my EC2, and it worked.
Thank you,
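A way to find this kind of 503 without guessing, added here as an example (it is not code from the question or the answer): an ALB returns 503 when the target group has no healthy target, and describe-target-health says why. The script below classifies the reason codes ELB reports and separately checks that the instance's Availability Zone is one of the ALB's enabled zones, which is the mismatch this answer found. The ALB name, target group ARN and instance id are placeholders; the parsing functions take the same tab-separated text the CLI prints, so they can be exercised on constructed rows.

```shell
#!/bin/sh
# Added example (not from the question or its answer): triage an ALB that answers
# 503 by reading target health and confirming the instance's AZ is enabled on the
# load balancer. Reason codes are the ones ELB reports in describe-target-health.
set -eu

# Is the instance's AZ among the ALB's enabled zones?
# $1 = space-separated ALB zone names, $2 = instance zone name.
az_enabled() {
  for z in $1; do
    if [ "$z" = "$2" ]; then return 0; fi
  done
  return 1
}

# Read tab-separated rows "target-id state reason description" on stdin (the shape
# of `--output text` for the query below, with "None" where a field is absent) and
# print what to do about each one. Returns 1 if any target is not healthy.
triage_targets() {
  rc=0
  while IFS="$(printf '\t')" read -r id state reason desc; do
    [ -n "$id" ] || continue
    case "$state" in
      healthy) echo "$id: healthy" ;;
      *)
        rc=1
        case "$reason" in
          Target.NotInUse)
            echo "$id: $state ($reason) -> the target's Availability Zone is not enabled on the ALB (add a subnet from that AZ to the ALB) or the target group is not attached to a listener" ;;
          Target.Timeout)
            echo "$id: $state ($reason) -> the instance security group must allow the ALB security group on the target port" ;;
          Target.FailedHealthChecks|Target.ResponseCodeMismatch)
            echo "$id: $state ($reason) -> the health check path must answer with the expected status code over plain HTTP on the target port" ;;
          *)
            echo "$id: $state ($reason) $desc" ;;
        esac ;;
    esac
  done
  return $rc
}

# Live version: pull the same data from AWS. $1 = ALB name, $2 = target group ARN, $3 = instance id.
triage_alb() {
  alb_name=$1; tg_arn=$2; instance_id=$3
  alb_azs=$(aws elbv2 describe-load-balancers --names "$alb_name" \
    --query 'LoadBalancers[0].AvailabilityZones[].ZoneName' --output text | tr '\t' ' ')
  inst_az=$(aws ec2 describe-instances --instance-ids "$instance_id" \
    --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' --output text)
  if az_enabled "$alb_azs" "$inst_az"; then
    echo "AZ ok: $inst_az is enabled on $alb_name"
  else
    echo "AZ mismatch: $inst_az is not among [$alb_azs]; add a subnet from $inst_az to the ALB"
  fi
  aws elbv2 describe-target-health --target-group-arn "$tg_arn" \
    --query 'TargetHealthDescriptions[].[Target.Id,TargetHealth.State,TargetHealth.Reason,TargetHealth.Description]' \
    --output text | triage_targets
}

if [ "${APPLY:-0}" = 1 ]; then
  triage_alb "${ALB_NAME:-my-alb}" "${TG_ARN:?target group ARN}" "${INSTANCE_ID:?instance id}"
fi
```

Run it with APPLY=1 and the three variables set; a healthy target group with the instance's AZ enabled but still returning 503 usually means the listener rule forwards to a different target group, which describe-listeners will show.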

few domains in private subnet behind single alb with ssl

I want to have a few domains for EC2 instances with SSL behind an ALB, 2 of them in a private zone.
I have a pretty simple config but have no idea how to resolve this.
What I have:
1 EC2 instance for the Frontend app with nginx: frontend.example.com
1 EC2 instance for the Backend app: backend.example.com
1 EC2 instance for Frontend DEV with nginx: frontend.devexample.com
1 EC2 instance for the Backend app: backend.devexample.com
All instances are in 1 VPC
1 ALB for SSL (with a few certs for the domains)
Route 53 for the domains
At present, all 4 instances are in a public zone, so the domains point to the ALB as aliases, the ALB terminates SSL for all domains, and the ALB redirects to each instance based on host.
What I want:
Hide the backend instances in a private zone, but still have access by domain name and still with SSL.
As I see this for now:
Domains point to the ALB through Route 53
The ALB points to 2 VPCs
Each VPC has the frontend in a public subnet and the backend in a private subnet
But in this case I can't write rules for the ALB to point to a host, because it should point to a VPC.
Please help me, any suggestion will be really appreciated.
It is quite common to use separate VPCs for Development and Production. This ensures that the two systems do not impact each other.
The typical configuration is:
A Load Balancer in the public subnet(s)
EC2 instances in the private subnet(s)
Normally, a Load Balancer is used to distribute traffic to multiple EC2 instances. If you only have one Front-end instance, then you do not really need a Load Balancer.
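The "load balancer in the public subnets, instances in the private subnets" layout from this answer, with the host-based rules and multiple certificates the question asks about, as an added AWS CLI example (not the answer's or the question's code). Instance targets can sit in private subnets of the ALB's VPC; the ALB reaches them over the VPC network, so the instances only need to accept port 80 from the ALB's security group. Each host header gets its own listener rule, extra certificates are added to the HTTPS listener for SNI, and before any rule is created the script checks that a certificate on the listener actually covers the host name, using the RFC 6125 rule that a wildcard matches exactly one label and never the apex. The listener ARN, target group ARNs and security group ids are placeholders.

```shell
#!/bin/sh
# Added example (not the answer's or the question's code): one ALB in the public
# subnets routing by host header to instances that live in private subnets, with
# one certificate per domain served via SNI and the instances reachable only from
# the ALB's security group. ARNs and ids are placeholders.
set -eu

LISTENER_ARN="${LISTENER_ARN:-arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/PLACEHOLDER}"
ALB_SG="${ALB_SG:-sg-0alb}"
# Names covered by the certificates on the listener (one cert per apex/wildcard pair).
SANS="example.com *.example.com devexample.com *.devexample.com"

# Does a certificate name cover a host? A wildcard matches exactly one label and
# never the apex, which is what browsers check and what ACM issues.
cert_covers() {
  pat=$1; h=$2
  case "$pat" in
    '*.'*)
      rest=${h%."${pat#\*.}"}
      if [ "$rest" != "$h" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]; then
        return 0
      fi
      return 1 ;;
    *)
      if [ "$pat" = "$h" ]; then return 0; fi
      return 1 ;;
  esac
}

host_covered() {   # $1 = host, $2 = space-separated certificate names
  for san in $2; do
    if cert_covers "$san" "$1"; then return 0; fi
  done
  return 1
}

# Turn "host target-group-arn" lines on stdin into "priority host tg" lines, refusing
# any host that no certificate on the listener covers (browsers would see a name
# mismatch before the rule is ever evaluated). Returns 1 if anything was skipped.
plan_rules() {
  sans=$1; prio=10; rc=0
  while read -r host tg; do
    [ -n "$host" ] || continue
    if host_covered "$host" "$sans"; then
      echo "$prio $host $tg"
      prio=$((prio + 10))
    else
      echo "SKIP $host: no certificate covers it" >&2
      rc=1
    fi
  done
  return $rc
}

apply_rules() {
  # Secondary certificates for SNI; the listener's default cert was set at create-listener.
  for arn in ${EXTRA_CERT_ARNS:-}; do
    aws elbv2 add-listener-certificates --listener-arn "$LISTENER_ARN" --certificates "CertificateArn=$arn"
  done
  plan_rules "$SANS" | while read -r prio host tg; do
    aws elbv2 create-rule --listener-arn "$LISTENER_ARN" --priority "$prio" \
      --conditions "Field=host-header,Values=$host" \
      --actions "Type=forward,TargetGroupArn=$tg"
  done
}

# Instances in private subnets accept port 80 from the ALB's security group only.
allow_only_from_alb() {   # $1 = instance security group id
  aws ec2 authorize-security-group-ingress --group-id "$1" --protocol tcp --port 80 --source-group "$ALB_SG"
}

if [ "${APPLY:-0}" = 1 ]; then
  # Constructed host -> target group mapping; the ARNs are placeholders.
  printf '%s\n' \
    "frontend.example.com arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/fe-prod/PLACEHOLDER" \
    "backend.example.com arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/be-prod/PLACEHOLDER" \
    | apply_rules
fi
```

Two constraints to keep in mind: an ALB's subnets must include the Availability Zones the private instances are in, or those targets receive no traffic, and instance targets must be in the ALB's own VPC. If dev moves to a separate VPC as the answer recommends, give it its own ALB, or register the dev instances as IP targets across a VPC peering connection.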

Route53 - DNS resolution to a specific port on an EC2 instance

I have a website that I have hosted on an EC2 instance that runs on port 3000. (e.g. 3.27.83.19:3000 - assuming the IP address of the EC2 instance is 3.27.83.19)
I have a domain that I have already bought mydomain.com through AWS that I already see in Hosted Zones.
How can I set up Route 53 so that when someone hits "mydomain.com", it takes them to 3.27.83.19:3000 rather than 3.27.83.19?
Thanks!
Point domain to instance IP
To point example.com to 3.27.83.19 you simply need to create an A record in Route 53.
Point domain to load balancer
To access the website running on port 3000 on an EC2 instance through https://example.com, you need a service that accepts traffic on https://example.com and then forwards the traffic to the EC2 instance on port 3000. You can easily do it with an AWS Application Load Balancer. I like this approach.
There are many benefits to using an Application Load Balancer. The important one is that you can configure the SSL certificate easily. The Application Load Balancer also supports host-based routing, which allows you to host multiple websites.
If you are looking for less expensive solutions, you can also set up an nginx proxy inside the EC2 instance. I personally don't like this approach because you will need to configure SSL at the application level.
https://aws.amazon.com/premiumsupport/knowledge-center/public-load-balancer-private-ec2/
Hope this helps.
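The "nginx proxy inside the instance" option the answer mentions, written out as an added example (it is not the answer's own code): nginx owns ports 80 and 443 and a Let's Encrypt certificate obtained with certbot, and proxies to the app on 127.0.0.1:3000, so the A record keeps pointing at the instance and port 3000 is never exposed. The config is rendered in two stages because the TLS server block cannot load until the certificate exists: first an HTTP-only config that serves the ACME challenge, then the full config after certbot has issued the certificate. The domain and e-mail address are placeholders.

```shell
#!/bin/sh
# Added example (not the answer's own code): the "nginx proxy inside the instance"
# option. nginx listens on 80/443, holds the Let's Encrypt certificate and proxies to
# the app on 127.0.0.1:3000, so port 3000 never has to be opened in the security
# group. Domain and e-mail are placeholders.
set -eu

DOMAIN="${DOMAIN:-mydomain.com}"
ACME_EMAIL="${ACME_EMAIL:-admin@mydomain.com}"
WEBROOT=/var/www/letsencrypt

# Render the site config. $2 = 0 renders only the HTTP server (enough to pass the
# ACME challenge before a certificate exists); $2 = 1 adds the TLS server.
render_nginx_site() {
  domain=$1; with_tls=$2
  cat <<EOF
server {
    listen 80;
    server_name ${domain} www.${domain};
    # Let certbot's webroot challenge through; redirect everything else to HTTPS.
    location /.well-known/acme-challenge/ { root ${WEBROOT}; }
    location / { return 301 https://\$host\$request_uri; }
}
EOF
  [ "$with_tls" = 1 ] || return 0
  cat <<EOF
server {
    listen 443 ssl;
    server_name ${domain} www.${domain};
    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host              \$host;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         \$remote_addr;
    }
}
EOF
}

install_site() {
  conf=/etc/nginx/conf.d/${DOMAIN}.conf
  mkdir -p "$WEBROOT"
  render_nginx_site "$DOMAIN" 0 > "$conf"
  nginx -t
  systemctl reload nginx
  certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN" -d "www.$DOMAIN" \
    --agree-tos -m "$ACME_EMAIL" --non-interactive
  render_nginx_site "$DOMAIN" 1 > "$conf"
  nginx -t
  systemctl reload nginx
  # certbot's timer renews the certificate; reload nginx after each renewal so it
  # picks up the new files instead of serving the expired ones.
  printf '#!/bin/sh\nsystemctl reload nginx\n' > /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
  chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
}

if [ "${APPLY:-0}" = 1 ]; then install_site; fi
```

Bind the application to 127.0.0.1:3000 rather than 0.0.0.0 and allow only 80 and 443 in the security group, so the only way to reach the app is through the TLS front end; with an Elastic IP on the instance the Route 53 A record never has to change.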

Wildcard SSL on Lightsail Load Balancer

I've reviewed the Lightsail load balancer and, unlike ACM, you cannot add wildcard SSLs.
For example on ACM, this can be done:
example.com
*.example
And then attached to an EC2 load balancer.
But for Lightsail, the wildcard is not accepted. When we issue only on the apex domain to the load balancer:
example.com
When we resolve demo.example.com, we get a cert invalid error.
As we don't know ahead of time the sub-domains in use, and the limit of 9 is too few, is there a workaround?
I came up with a solution but I can't say for sure it is the only one.
TL;DR - Use an EC2 Load Balancer and add its target as your Lightsail instance. To this load balancer attach a standard ACM certificate. Don't use the Lightsail load balancer at all.
Outline Steps
Launch a load balancer in EC2 and attach your Lightsail instance as a target (remember to use the private IP of your Lightsail instance and check your security settings, zone and region prior to setup).
Open ACM and provision your certificate. To protect your entire domain, you will require two entries on this cert i.e. example.com and *.example.com
Validate the certificate (DNS etc) and attach it to the load balancer in EC2.
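The three outline steps as an added AWS CLI example (not the answer's own code): request an ACM certificate with the apex and the wildcard as its two names, create the DNS validation records in Route 53, wait for issuance, and register the Lightsail instance's private IP in an IP target group behind the EC2 load balancer. The apex and the wildcard receive the same validation CNAME, and Route 53 rejects a change batch that lists one record twice, so the batch builder de-duplicates first. The domain, hosted zone id, VPC id, private IP and load balancer ARN are placeholders; the VPC has to be the default VPC, since that is the one Lightsail VPC peering connects to.

```shell
#!/bin/sh
# Added example (not the answer's own steps as code): request an ACM certificate
# covering apex and wildcard, create the DNS validation records in Route 53, wait
# for issuance, and register the Lightsail instance's private IP in an IP target
# group behind an EC2 load balancer. Zone id, VPC, IP and ARNs are placeholders.
set -eu

DOMAIN="${DOMAIN:-example.com}"
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-ZPLACEHOLDER}"
VPC_ID="${VPC_ID:-vpc-0placeholder}"                     # default VPC, peered with Lightsail
LIGHTSAIL_PRIVATE_IP="${LIGHTSAIL_PRIVATE_IP:-172.26.0.10}"  # constructed placeholder

# Build a Route 53 change batch from tab-separated "name value" validation records on
# stdin. The apex and the wildcard share one validation CNAME, and a batch that lists
# the same record twice is rejected, so records are de-duplicated first.
validation_change_batch() {
  printf '{"Comment":"ACM DNS validation","Changes":['
  sort -u | {
    sep=""
    while IFS="$(printf '\t')" read -r name value; do
      [ -n "$name" ] || continue
      printf '%s{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":300,"ResourceRecords":[{"Value":"%s"}]}}' \
        "$sep" "$name" "$value"
      sep=","
    done
  }
  printf ']}\n'
}

issue_certificate() {
  cert_arn=$(aws acm request-certificate --domain-name "$DOMAIN" \
    --subject-alternative-names "*.$DOMAIN" --validation-method DNS \
    --query CertificateArn --output text)
  # The validation records show up a few seconds after the request.
  records=""
  until [ -n "$records" ] && [ "${records#None}" = "$records" ]; do
    sleep 5
    records=$(aws acm describe-certificate --certificate-arn "$cert_arn" \
      --query 'Certificate.DomainValidationOptions[].ResourceRecord.[Name,Value]' --output text)
  done
  aws route53 change-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" \
    --change-batch "$(printf '%s\n' "$records" | validation_change_batch)"
  aws acm wait certificate-validated --certificate-arn "$cert_arn"
  echo "$cert_arn"
}

# An IP target group is what lets an EC2 load balancer forward to a Lightsail
# instance: the instance is not an EC2 instance, so it is registered by private IP.
register_lightsail_target() {
  tg_arn=$(aws elbv2 create-target-group --name lightsail-web --protocol HTTP --port 80 \
    --vpc-id "$VPC_ID" --target-type ip --health-check-path / \
    --query 'TargetGroups[0].TargetGroupArn' --output text)
  aws elbv2 register-targets --target-group-arn "$tg_arn" --targets "Id=$LIGHTSAIL_PRIVATE_IP"
  echo "$tg_arn"
}

if [ "${APPLY:-0}" = 1 ]; then
  cert=$(issue_certificate)
  tg=$(register_lightsail_target)
  aws elbv2 create-listener --load-balancer-arn "${ALB_ARN:?load balancer ARN}" --protocol HTTPS --port 443 \
    --certificates "CertificateArn=$cert" --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
    --default-actions "Type=forward,TargetGroupArn=$tg"
fi
```

The Lightsail instance's firewall must allow port 80 from the VPC's address range for the health checks to pass; keep that rule limited to the VPC CIDR rather than opening the port to everyone, since the load balancer is now the only intended entry point.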