Checking different certificates for different endpoints - amazon-web-services

We have a web application that serves both secure and public endpoints. We are currently deploying it with Elastic Beanstalk.
From now on, we want to apply client certification for secure endpoints, i.e. for some endpoints a certification check is needed.
However, Elastic Load Balancer does not have any configuration to assign different SSL certificates to different routes.
The only solution that we found is setting up nginx instances in front of the application load balancer and checking certificates there.
Is there a way to achieve this on AWS?

Although I have not personally used one yet, I believe the new Application Load Balancers might be able to handle this. You can do different types of listeners depending on the request. So it's definitely worth looking into before you go the nginx route:
https://aws.amazon.com/elasticloadbalancing/
You can test one out by going into your EC2 services panel, and create a new load balancer. Choose the Application Load Balancer type and see if you can configure it as needed.

Authenticating clients with client certificates requires all of the SSL to be handled by the instances themselves.
Load balancing such a setup requires either a Classic ELB in TCP mode (transparent, no HTTP interpretation, with SSL not configured on the balancer)... or a Network Load Balancer, which would probably be the optimal configuration since it is handled by the network infrastructure itself, and is essentially infinitely scalable with no warm-up required.
Elastic Beanstalk recently announced support for Network Load Balancer.
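The setup the question proposes and the answer above describes (TLS terminated on the instance, with a TCP-mode balancer such as an NLB forwarding port 443 untouched) can enforce a client certificate on only some paths. The nginx configuration below is an added example, not code from the question, the answers or AWS; the hostname, file paths, the upstream port 8080 and the `/secure/` prefix are assumptions. It asks every client for a certificate (`optional`), so the handshake succeeds either way, and then rejects requests under `/secure/` unless nginx verified the certificate against the private client CA:

```nginx
# Added example: selective client-certificate enforcement on the instance.
# All names, paths and ports are assumptions for illustration.
server {
    listen 443 ssl;
    server_name app.example.com;                      # assumed hostname

    ssl_certificate     /etc/nginx/tls/server.crt;    # server cert (assumed path)
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Request a client certificate from everyone, but do not fail the handshake
    # when it is missing or invalid; the per-location checks below decide.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # CA that issues client certs (assumed)
    ssl_verify_client      optional;
    ssl_verify_depth       2;

    # Public endpoints: no certificate required.
    location / {
        proxy_pass http://127.0.0.1:8080;            # application (assumed port)
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        # Clear identity headers so a caller cannot forge them.
        proxy_set_header X-Client-Verified "";
        proxy_set_header X-Client-DN       "";
    }

    # Secure endpoints: $ssl_client_verify is SUCCESS only when a certificate
    # was presented and chained to client-ca.crt; anything else (NONE or
    # FAILED:<reason>) is rejected before reaching the application.
    location /secure/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        # Hand the verified subject to the application for authorization decisions.
        proxy_set_header X-Client-Verified $ssl_client_verify;
        proxy_set_header X-Client-DN       $ssl_client_s_dn;
    }
}
```

Because the identity headers are set by nginx in both locations, the application can trust `X-Client-DN` only on requests that arrived through this listener; the instance security group should therefore admit port 443 only from the balancer, so nothing can reach port 8080 or bypass the proxy.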

Related

Which AWS service can I use to put SSL encryption in front of an instance in my VPN?

I have an instance in a VPN on which some external consultants are working. I need to expose the app they are developing to the internet, but I don't want them to have access to the private key of our SSL cert.
I am thinking I can put the SSL cert into ACM and then use some AWS component in front of the instance to handle the client connections and TLS encryption. I believe that an application load balancer can do this - will this work, and is it the best and cheapest option? I don't actually need load balancing just yet but may do in the future.

Yes, a load balancer is one of the options.
Another choice is using a CDN, CloudFront, for the SSL; you simply set the origin to the EC2 instance.
Depending on your use case you need to consider what the right caching policy is (if applicable) though.
CloudFront charges by bandwidth, while a load balancer charges by the hour, so you need to consider the type of workload as well.

How do I enable HTTPS for my Elastic Beanstalk Java application?

My instance is a single instance, no load balancer.
I cannot seem to add a load balancer to my existing app instance.
Other recommendations regarding Elastic Load Balancer are obsolete - there seems to be no such service in AWS.
I do not need caching or edge delivery - my application is entirely transactional APIs, so probably don't need CloudFront.
I have a domain name and a name server (external to AWS). I have a certificate (generated in Certificate Manager).
How do I enable HTTPS for my Elastic Beanstalk Java application?

CloudFront is the easiest and cheapest way to add SSL termination, because AWS will handle it all for you through its integration with Certificate Manager.
If you add an ELB, you have to run it 24/7 and it will double the cost of a single instance server.
If you want to support SSL termination on the server itself, you're going to have to do that yourself (using your web container, such as Apache, nginx, Tomcat or whatever you're running). It's not easy to set up.
Even if you don't need caching, CloudFront is going to be worth it just for handling your certificate (which is as simple as selecting the certificate from a drop-down).
I ended up using CloudFront.
That created a problem that cookies were not being passed through.
I created a custom Caching Policy to allow the cookies, and in doing so, I also changed the caching TTLs to be very low. This served my purposes.

SSL certificate for AWS internal load balancer

We have an internal-facing application load balancer in an AWS VPC. This is being accessed by a web app running in a public subnet. The web app is behind a custom domain URL and it uses an SSL certificate for security. Since the API load balancer is not applied with SSL, communication from the web app to the API LB is failing.
Is it possible to get an SSL certificate for an internal-facing load balancer in AWS?

Yes, this is entirely possible using the AWS ACM service. There are two options: you can use Amazon's public service to generate certs, but I assume that is not what you want to do here. So you can alternatively create a Private CA through this service and distribute your certificates from there, which can then be placed on load balancers etc. You will most likely want to look at these pages:
https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
https://aws.amazon.com/certificate-manager/
Have a read first before diving right in, but it's a pretty nifty feature for this sort of thing; once the CA is set up then creating certs is so fast and instantly attachable to resources.

Why doesn't Kerberos ("integrated authentication") work behind an AWS application elastic load balancer?

I have set up two elastic load balancers with two target groups in a similar configuration. One is a "network" ELB and the other is an "application" ELB. I've registered the SPN for each, set up IIS app pools appropriately, etc. The network ELB works but the application ELB makes the client browser present an authentication challenge prompt.
In both cases the server returns a WWW-Authenticate: Negotiate response initially.
Can someone explain to me what about the way Kerberos works makes these two scenarios different?

Application Load Balancer (ELBv2) SSL pass through

I am trying to configure an AWS Application Load Balancer (vs. a Classic Load Balancer) to distribute traffic to my EC2 web servers. For compliance reasons I need end to end SSL/HTTPS encryption for my application.
It seems to me the simplest way to ensure that traffic is encrypted the entire way between clients and the web servers is to terminate the HTTPS connection on the web servers.
My first question: Is it possible to pass through HTTPS traffic through an AWS Application Load Balancer to the web servers behind the load balancer in this manner?
From what I've gathered from the AWS documentation, it is possible to pass traffic through in this manner with a Classic Load Balancer (via TCP pass through). However, the Application Load Balancer looks like it wants to terminate the HTTPS connection itself, and then do one of the following:
send traffic to the web servers unencrypted, which I can't do for compliance reasons
create a new HTTPS connection to the web servers, which seems like extra work load
My second question: is that understanding of the documentation correct?

Terminating the SSL connection at the web servers requires you to change the load balancer listener from HTTPS to TCP. ALB doesn't support this, only classic ELB. Further, if you were terminating the SSL at the web server the load balancer wouldn't be able to inspect the request since it wouldn't be able to decrypt it, so it wouldn't be able to do all the fancy new routing stuff that the ALB supports.
If you actually want to use an ALB for the new features it provides, and you need end-to-end encryption, you will have to terminate SSL at the ALB and also have an SSL certificate installed on the web servers. The web server certificate could be something like a self-signed cert since only the ALB is going to see that certificate, not the client.
I assume you need end-to-end encryption for compliance reasons (PCI, HIPAA, etc.). Otherwise there isn't a very compelling reason to go through the hassle of setting it up.
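The backend side of the arrangement the answer describes (ALB terminates the client's TLS, then opens a second TLS connection to a target group whose protocol is HTTPS) needs a listener on each web server with its own certificate. The nginx configuration below is an added example, not code from the question, the answer or AWS; the certificate paths, the VPC CIDR, the upstream port and the health-check path are assumptions. One caveat worth designing around: the ALB does not validate the target's certificate, which is why a self-signed one works, but it also means the hop is encrypted without the ALB authenticating the server, so the target security group should accept port 443 only from the ALB's security group:

```nginx
# Added example: web server listener for an ALB HTTPS target group.
# Paths, CIDR, ports and the health-check path are assumptions.
server {
    listen 443 ssl;
    server_name _;

    # Self-signed certificate is sufficient here: only the ALB ever sees it,
    # and the ALB does not validate target certificates.
    ssl_certificate     /etc/nginx/tls/backend.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/backend.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # The ALB appends the client address to X-Forwarded-For; trust that header
    # only for connections arriving from the VPC (assumed CIDR) so a direct
    # caller cannot spoof its source address in logs or access rules.
    # Requires nginx built with the realip module.
    set_real_ip_from  10.0.0.0/16;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;

    # Target-group health check (assumed path); keep it cheap and always 200.
    location = /healthz {
        default_type text/plain;
        return 200 "ok\n";
    }

    location / {
        proxy_pass http://127.0.0.1:8080;            # application (assumed port)
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Preserve the scheme the client used, as reported by the ALB.
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    }
}
```

With this in place the target group is registered with protocol HTTPS on port 443 and a health check of `/healthz` (assumed), and nothing listens on port 80, so the only plaintext hop is the loopback connection to the application on the same host.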