I'm managing a domain at AWS Route 53 and I have a service exposed as an api on 3 servers spreaded across 3 main zones: us, asia, eu.
I created a traffic policy to redirect clients based on latency to the appropriate zone(s).
So client comes in via api.example.com, enters this latency based policy and exits at the closest server. Which works...with one problem though. I don't know how to enable https so I can have my clients use https://api.example.com.
Any ideas?
SSL (HTTPS) is completely unrelated to all the Route53 stuff you talked about in your question. You need to install an SSL certificate on the server, or on the load balancer if you are using a load balancer. You can also install the SSL certificate at your CDN, if you are using one.
Route53 is a DNS service. Route53 does not manage the protocol of a service, and it does not manage encryption. Route53 (DNS) just allows a client to lookup an IP based on a hostname.
Related
I added my name servers to my google domain and then added my google domain to my route 53 hosted zone. I then requested a certificate through aws certificate manager and added a record for it to route 53 hosted zone. My site is still loading as an unsecure connection. What steps did I miss, thank you for any help.
I have listed above the details of my question.
I then requested a certificate through aws certificate manager and added a record for it to route 53 hosted zone.
It seems like you created an ACM certificate and added the required record to the Route53 Zone.
However, that is not enough to provide an HTTPS connection. You need to make use of that ACM certificate in your service (EC2, Amplify, API Gateway, ...).
In order words, your server needs to handle the TLS/SSL handshake to have a secure connection.
See Services integrated with AWS Certificate Manager for a list of services and how you can use the certificate.
What is the best approach to enable https on ec2 public dns? I just have single instance running so i don't think adding load balancer is good approach and I don't have any domain name to point to my instance. I want to enable https on instance public DNS.
What is the best approach to enable https on ec2 public dns?
You can't do this, as the public DNS provided by AWS does not belong to you. The DNS belongs to AWS and only AWS can have a valid SSL certificate for it.
To have a valid public SSL certificate for HTTPS you need your own domain that you control. Then you have to use a third party service (ACM can't be used on EC2 instances, unless in enclave) to get a SSL cert for your domain. A popular choice is https://letsencrypt.org/ with certbot which provides free SSL certificates. By the way, StackOverlow is using letsencrypt as its SSL cert provider. Having the SSL cert you can setup nginx to server your application using HTTPs, or itegrate SSL certificates directly with your application.
If you don't want to do the above, you have to front your instance with load balancer, CloudFront or API Gateway. Having load balancer allows you to use ACM and easily get and provision SSL certificates You still need your own domain of course. Using load balancer is the easiest to setup. With CloudFront and API Gateway there are more things to consider.
I have an ec2 instance behind Application ELB in AWS. I want to apply SSL to both ec2 instance as well as loadbalancer. For ec2 instance i have purchased ssl and installed it and it is working fine. For load balancer i will be using the free AWS ACM certificate and installing it on load balancer. Will this have any issues? i.e. installing SSL on both places ec2 and elb.
It will not have any issues but it does come with a caveat. The traffic in to the Application Load Balancer (ALB) will be encrypted and the ACM cert will be validated by the client. The traffic to the host from the ALB will also be encrypted but the certificate on the host will not be validated.
It looks like ALB Backend Authentication is on AWS's roadmap per the reference below. The reason given for it not being a priority is summarized in this quote from the AWS Engineer who wrote the first reference:
The role that server certificates play in TLS is to authenticate the server, so that it can’t be impersonated or MITM. ALBs run exclusively on our Amazon VPC network, a Software Defined Network where we encapsulate and authenticate traffic at the packet level.
The upside of this is you can use self-signed certs on your hosts to save money when using an ALB or ELB in front of them.
If you need to ensure the certificate on the host is valid you can use a Classic Elastic Load Balancer (ELB). See the reference for more details.
References
AWS ALB Validation TLS Reply
AWS ELB Configure Backend Authentication
If you use SSl/TSL at ELB, it will handle the encryption/decryption of the HTTPS connections (freeing your EC2 instance's CPU to do other work).
If you use an HTTPS/SSL connection for your back end, you can enable authentication on the back-end instance. This authentication can be used to ensure that back-end instances accept only encrypted communication, and to ensure that the back-end instance has the correct certificates.
Using SSL/TLS on both ELB and Backend can create problems since ELB HTTPS listener does not support Client-Side SSL certificates.
I have considered that you are using a 2-way SSL (Mutual or Client Authentication)
We're currently using Opencart - 2.3.x to serve multiple domains under one AWS Instance with ELB.
We've set HTTPS for one domain but for other domains we're not able to do the same as we cannot make duplicate listeners.
Has anyone faced a similar issue in the past.
There are four common alternatives:
create one ELB for each certificate and associate the instance with all of the ELBs, or
obtain a single certificate for all the domains using Amazon Certificate Manager and associate it with the ELB, or
use the one certificate on the ELB and attach each of the other certificates to its own CloudFront distribution, pointing to the ELB and whitelisting the Host header for forwarding to the origin, or
use a Classic ELB in TCP (not HTTP) mode with SSL disabled; configure SSL on the instance, and install the certificates there, and not the ELB.
For some reason I cannot find a yes or no if this is even possible but I am assuming that it would be. I have a domain through AWS that was purchased through AWS Route53. I also created an SSL Cert through AWS Certificate Manager. Now I'm just trying to add that certificate to the domain. I would think that since it is all interconnected that it would just been applied after I approved it and it finished the setup but alas, it has not. So my question is how/where do I connect my SSL Cert to my Route53 hosted domain?
SSL certificates are not connected to a domain's DNS record (via Route 53).
Instead, they are connected to one or more specific infrastructure components.
SSL certificates that you create from ACM can be used with:
AWS Elastic Load Balancer
AWS CloudFront
Create your infrastructure including one or more of those components and then attach your ACM SSL certificate to that.
See the ACM FAQ: https://aws.amazon.com/certificate-manager/faqs/