How do I pass paths from a CNAME record to ALB? - api

I've been confused about this for a while.
I have an API application hosted on ECS and an ALB with a target of this ECS.
I need to set up Cognito for the ALB, but the ALB needs to be SSL-ed.
I also have a primary domain registered on a different DNS (not R53).
The AWS documentation says that there are two ways to route traffic to an LB: with a CNAME or an alias record set.
My questions are:
Do I need a primary domain on R53 to create an alias record set for ALB? Do I need a registered domain at all or will alias automatically create a free one (since AWS says that alias is free)?
Can I create a subdomain CNAME on R53 of a primary domain hosted on another DNS?
Will I be able to pass paths from my alias or CNAME to the ALB? Example:
If I enter a path in my ALB Amazon-given DNS name like this: "{DNS-ALB-name}.amazon.com/api/path1", this will GET that from the API application.
But if I have an alias or CNAME, how can I pass {CNAME-domain}.com/api/path1 or {alias-domain}.com/api/path1 to the ALB domain, which will in the end pass that path to the API? Or do I need some sort of reverse proxy server?
Can I SSL an alias record set?
Can I integrate a primary domain from another DNS into AWS R53 so it is as if R53 has that TLD?

you need to either migrate the domain to Route53 or delegate it
if I understand your questions correctly - yes
assuming that I understand your questions correctly: the path and domain names are separate things, unless you redirect. In this case the CNAME will simply point the request at the load balancer, so the domain does not actually matter
SSL is added to a resource such as a load balancer or EC2 server, not a DNS entry. Once you create an alias and point it at e.g. an application load balancer, you will be able to add a certificate to it. It integrates well with AWS Certificate Manager
that's called DNS delegation, and yes it is possible
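To make the "path and domain are separate things" point concrete, here is an added example (not code from the question or the answer): a small emulation of what an Application Load Balancer actually receives when a client uses a CNAME or alias name. The DNS name the client typed only ends up in the Host header (and as the TLS SNI name, which is why the ALB's certificate has to cover that name); the path is sent unchanged, and listener rules can match on either. The rule syntax follows the ALB documentation (`*` matches zero or more characters, `?` exactly one, path patterns are case-sensitive, host conditions are not, rules are evaluated lowest priority number first). The hostnames, target groups and rule set are assumptions for illustration.

```python
# Added example: emulate ALB listener-rule matching on Host header and path.
# Names (api.example.com, tg-api, the ALB DNS name) are placeholders.
from dataclasses import dataclass, field
import re


@dataclass
class Rule:
    priority: int
    target_group: str
    path_patterns: list = field(default_factory=list)   # path-pattern condition (case-sensitive)
    host_headers: list = field(default_factory=list)    # host-header condition (case-insensitive)


def _glob_to_re(pattern, case_sensitive):
    """Translate ALB wildcard syntax ('*' = 0+ chars, '?' = 1 char) into an anchored regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$", 0 if case_sensitive else re.IGNORECASE)


def rule_matches(rule, host, path):
    # A rule with no host condition matches every Host header; same for paths.
    host_ok = not rule.host_headers or any(_glob_to_re(h, False).match(host) for h in rule.host_headers)
    path_ok = not rule.path_patterns or any(_glob_to_re(p, True).match(path) for p in rule.path_patterns)
    return host_ok and path_ok


def parse_request(raw):
    """Extract method, path and Host from a raw HTTP/1.1 request (constructed input)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    path = target.split("?", 1)[0]                     # query string is not part of path matching
    host = headers.get("host", "").split(":", 1)[0].lower()   # drop an explicit port
    return method, path, host


def route(raw, rules, default_target):
    """Return the target group the ALB forwards to: first matching rule in priority order."""
    _method, path, host = parse_request(raw)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, host, path):
            return rule.target_group
    return default_target


RULES = [
    Rule(10, "tg-api", path_patterns=["/api/*"]),
    Rule(20, "tg-admin", path_patterns=["/admin*"], host_headers=["admin.example.com"]),
]


def demo():
    """Same path reached through the alias name and through the raw ALB DNS name."""
    via_alias = "GET /api/path1 HTTP/1.1\r\nHost: api.example.com\r\n\r\n"
    via_alb_dns = "GET /api/path1 HTTP/1.1\r\nHost: my-alb-123456.eu-west-1.elb.amazonaws.com\r\n\r\n"
    return route(via_alias, RULES, "tg-default"), route(via_alb_dns, RULES, "tg-default")


if __name__ == "__main__":
    print(demo())   # both requests reach tg-api: only the Host header differs, the path is untouched
```

No reverse proxy is needed for the path to arrive: `/api/path1` is in the request line regardless of which name resolved to the load balancer. What the DNS name does change is the Host header and the SNI, so a rule with a host-header condition, and the certificate attached to the HTTPS listener, must both be written for the alias/CNAME name rather than for the `elb.amazonaws.com` name.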

Related

Migrate redirected domains to CloudFront/S3

I have a handful of domains registered for brand protection reasons that are currently managed in a rather manual registrar, but it currently handles redirection to the main domain.
I am moving DNS from this provider over to Route53 using Terraform. I'm setting up a redirector for the brand protection domains using S3, but running into a catch-22:
If I want a single S3 bucket to handle the redirects I need to put CloudFront in front of it, which means I need an SSL cert valid for the various domains, which means I need DNS to already be in Route53 for the validation.
If I want to avoid breaking the redirects during this migration, I can't move the DNS until the redirector is in place.
This means I think I have the following options:
Migrate the domains into Route53 first, then create the CloudFront distribution. Redirects will break until this is complete.
Create multiple S3 buckets for each domain, which won't cover wildcard domains (e.g. *.aliasdomain.com), but can at least do the apex and www for instance (and http only).
Manually create the necessary certificate and import it into Terraform.
Have I missed an obvious alternative? Ideally I would create a single redirector that would handle all http traffic to begin with, then sort out https later.

Lightsail custom dns

I have a simple website that I wanted to be on a custom DNS. I had it running on Elastic Beanstalk, but due to Elastic Beanstalk wanting me to set up a load balancer and two EC2s just to have a custom DNS, I decided to give Lightsail container services a try. However.....
I created my container, deployed and it worked fine. I can access the public domain, but for some reason Google has marked my website as dangerous? This wasn't the case on Elastic Beanstalk.
I then tried to create my custom domain. So I registered a domain name on Route 53, i.e. test.com, created the certificate on Lightsail and then went back to Route 53 to add a new CNAME record. The Lightsail status changed to "Status: Valid, in use".
But my custom domain does not redirect to the public domain at all; I just get "This site can’t be reached" when navigating to "test.com" (not my real DNS name).
You can do that with the steps below:
1. Create a certificate with CNAME validation.
2. Add the name and value to the R53 hosted zone; that will validate your certificate.
3. Now choose the certificate to validate your custom domain.
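Both the CloudFront/S3 migration question and the Lightsail question hinge on DNS-validated certificates, so here is one added example (not code from either post) that covers the two checks a practitioner wants before declaring the DNS side done: that the validation CNAMEs the certificate service asked for are really published as asked (ACM reports them under DomainValidationOptions, Lightsail under domainValidationRecords, both as Name/Type/Value), and that the hostnames the certificate covers also have a record that sends traffic somewhere, because a certificate in the "valid" state makes nothing reachable by itself. It also builds the change-batch document for `aws route53 change-resource-record-sets`. The validation names, values, Lightsail hostname and zone contents are constructed sample data.

```python
# Added example: verify certificate validation CNAMEs and traffic records in a zone.
# All names and values below are constructed; none come from a real account.
import json


def normalize_name(name):
    """DNS names compare case-insensitively; the trailing dot is presentation only."""
    return name.strip().lower().rstrip(".")


def check_validation_records(expected, zone):
    """expected: [{'Name','Type','Value'}] as reported by ACM or Lightsail.
    zone: {(name, type): [values]} as actually published (ALIAS is a pseudo-type here).
    Returns {expected name: 'ok' | 'missing' | 'wrong type' | 'wrong value' | 'name has extra suffix'}."""
    published = {(normalize_name(n), t.upper()): [normalize_name(v) for v in vals]
                 for (n, t), vals in zone.items()}
    names = {n for n, _ in published}
    result = {}
    for rec in expected:
        name, rtype = normalize_name(rec["Name"]), rec["Type"].upper()
        if (name, rtype) in published:
            ok = normalize_name(rec["Value"]) in published[(name, rtype)]
            result[rec["Name"]] = "ok" if ok else "wrong value"
        elif any(n.startswith(name + ".") for n in names):
            # classic console mistake: the zone name was appended to an already fully qualified name
            result[rec["Name"]] = "name has extra suffix"
        elif name in names:
            result[rec["Name"]] = "wrong type"
        else:
            result[rec["Name"]] = "missing"
    return result


def has_traffic_record(hostname, zone):
    """A validated certificate makes nothing reachable: the hostname still needs an
    A/AAAA record, a CNAME (not at the apex), or an alias pointing at the service."""
    host = normalize_name(hostname)
    return any(normalize_name(n) == host and t.upper() in ("A", "AAAA", "CNAME", "ALIAS")
               for (n, t) in zone)


def route53_change_batch(expected, ttl=300):
    """Build the --change-batch document for `aws route53 change-resource-record-sets`."""
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": normalize_name(r["Name"]) + ".", "Type": r["Type"], "TTL": ttl,
        "ResourceRecords": [{"Value": r["Value"]}]}} for r in expected]}


# Constructed: what a describe-certificate call might report for test.com and www.test.com ...
EXPECTED = [
    {"Name": "_3f1a.test.com.", "Type": "CNAME", "Value": "_9b2c.acm-validations.aws."},
    {"Name": "_77d0.www.test.com.", "Type": "CNAME", "Value": "_e4f5.acm-validations.aws."},
]
# ... and a hosted zone where the first record was pasted with the zone appended twice,
# the second value lost its trailing dot (harmless), and nothing points test.com anywhere.
ZONE = {
    ("test.com.", "NS"): ["ns-1.awsdns-00.com."],
    ("test.com.", "SOA"): ["ns-1.awsdns-00.com. hostmaster.test.com. 1 7200 900 1209600 86400"],
    ("_3f1a.test.com.test.com.", "CNAME"): ["_9b2c.acm-validations.aws."],
    ("_77d0.www.test.com.", "CNAME"): ["_e4f5.acm-validations.aws"],
    ("www.test.com.", "CNAME"): ["container-service-1.abc123.eu-west-1.cs.amazonlightsail.com."],
}


def demo():
    return (check_validation_records(EXPECTED, ZONE),
            has_traffic_record("test.com", ZONE),
            has_traffic_record("www.test.com", ZONE))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(json.dumps(route53_change_batch(EXPECTED), indent=2))
```

The apex case is the one to watch: `test.com` cannot carry a CNAME next to its SOA and NS records, so in Route 53 it needs an alias record (or an A record) to the service, while `www.test.com` can be a plain CNAME.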

Hosting static website with AWS S3 + Cloud Front without Route 53

I have an external domain which I want to use for a static website on AWS.
I found a couple of examples using S3 + CloudFront + Route 53
But is it possible to keep the name server of my domain and work with the external nameserver? (No Route 53?)
Yes, it is possible; Route53 isn't mandatory to use CloudFront and S3. You can have a CNAME configured at your DNS provider. However, there is an RFC limitation on CNAMEs for naked/apex domains (you cannot have a CNAME record and another DNS record of a different type at the same name), so Route53 provides an alternate record called an alias record; as long as your DNS provider provides this feature, you're good to go. E.g. CloudFlare provides CNAME flattening:
https://support.cloudflare.com/hc/en-us/articles/200169056-Understand-and-configure-CNAME-Flattening
Amazon Route53 alias:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html
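The restriction the answer refers to is RFC 1034 section 3.6.2 (a name that owns a CNAME may own no other data), and an apex always owns SOA and NS records. The following added example (not from the answer) checks a zone for that violation and then emulates what a Route 53 alias or CNAME flattening does instead: the authoritative side follows the target itself and answers the apex query with plain A records. The zone contents, the CloudFront hostname and the upstream answers are constructed sample data.

```python
# Added example: CNAME-at-apex check plus an emulation of alias / CNAME flattening.
# Zone data, the d111111abcdef8.cloudfront.net hostname and the addresses are made up.
from collections import defaultdict


def _norm(name):
    return name.strip().lower().rstrip(".")


def cname_conflicts(zone):
    """zone: list of (name, type, value). Returns names that own a CNAME plus other data."""
    types_by_name = defaultdict(set)
    for name, rtype, _ in zone:
        types_by_name[_norm(name)].add(rtype.upper())
    # The apex always owns SOA and NS, so a CNAME there is always a conflict.
    return sorted(n for n, t in types_by_name.items() if "CNAME" in t and len(t) > 1)


def resolve(zone, name, rtype, upstream, depth=0):
    """Follow CNAME/ALIAS chains until records of the wanted type are found.
    `upstream` stands in for the resolver's answers for names outside the zone."""
    if depth > 8:
        raise RuntimeError("CNAME chain too long")
    n = _norm(name)
    local = [(t.upper(), v) for (nm, t, v) in zone if _norm(nm) == n]
    if not local:
        return upstream.get((n, rtype.upper()), [])
    direct = [v for t, v in local if t == rtype.upper()]
    if direct:
        return direct
    for t, target in local:
        if t in ("CNAME", "ALIAS"):
            return resolve(zone, target, rtype, upstream, depth + 1)
    return []


def flatten(zone, upstream):
    """Emulate alias / CNAME flattening: the ALIAS record is answered as the A records
    its target currently resolves to, so the apex keeps SOA/NS and still points at the CDN."""
    out = []
    for name, rtype, value in zone:
        if rtype.upper() == "ALIAS":
            for addr in resolve(zone, value, "A", upstream):
                out.append((name, "A", addr))
        else:
            out.append((name, rtype, value))
    return out


UPSTREAM = {  # constructed: what the CDN hostname resolves to right now
    ("d111111abcdef8.cloudfront.net", "A"): ["203.0.113.10", "203.0.113.11"],
}

BAD_ZONE = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 86400"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "CNAME", "d111111abcdef8.cloudfront.net."),      # illegal at the apex
    ("www.example.com.", "CNAME", "d111111abcdef8.cloudfront.net."),  # fine on a subdomain
]

# Same zone with the apex CNAME replaced by an alias (Route 53) / flattened CNAME (Cloudflare).
GOOD_ZONE = [r for r in BAD_ZONE if not (r[0] == "example.com." and r[1] == "CNAME")] + [
    ("example.com.", "ALIAS", "d111111abcdef8.cloudfront.net."),
]


if __name__ == "__main__":
    print("conflicts:", cname_conflicts(BAD_ZONE))
    print("apex A via alias:", resolve(GOOD_ZONE, "example.com", "A", UPSTREAM))
    print("flattened:", flatten(GOOD_ZONE, UPSTREAM))
```

The flattened A records are only a snapshot: CloudFront's addresses change, which is why a real alias (Route 53) or flattening (Cloudflare) re-resolves the target at query time rather than storing fixed A records at the apex.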

SSL Setup for SaaS Application with Custom Domain Names

I am developing a SaaS web application (https://mywebsite.example) which will be hosted in AWS and will have subdomains for individual customers like https://customer1.mywebsite.example , https://customer2.mywebsite.example.
As a second step I would like to introduce custom domain names and map them to the subdomains of mywebsite.com through CNAME records:
https://customer1.example --> https://customer1.mywebsite.example
Here is what I have analysed till now.
Using certificates in the AWS load balancer for the custom domains as SANs in the certificate. However, the AWS load balancer certificate limits are lower than the number of customers I am expecting to add.
CloudFlare DNS setup for mywebsite.example and its subdomains, with SSL certificates configured in Cloudflare. However, Cloudflare allows third-party (custom domain) CNAME redirections only in the Enterprise plan.
Are there any other alternative services, or is there an alternate way of achieving this use case?
It seems that this solution, available in the AWS EC2 marketplace, should solve your problem.
You can try it; there is a trial available. It's called Kilo SSL:
https://aws.amazon.com/marketplace/pp/prodview-nedlvgpke4hdk?sr=0-1&ref_=beagle&applicationId=AWSMPContessa
Also it is possible to map your customers' domains to your SaaS. The algorithm is:
You create an EC2 instance and allocate and associate a public IP to it.
Create a domain name which points to this instance. You will use this domain name as the CNAME target when pointing your own subdomains in your DNS provider (but there is a limit of 50 certificates per week per domain, so you can create only 50 domains like customer1.yourdomain.com ... customer50.yourdomain.com per week).
For customers who want to use their own domains (like app.customer1.com), you also provide them your CNAME and ask the customer to set the DNS record. After they do it, you will be able to create a certificate for their domain using this service.
Also this service allows you to point different domains to different URLs. We started to use this in our SaaS application for URL shortening (we have several hundred customers who use their own domains, so we are automatically able to create certificates for them, and everything is automated via API). Also we use the same machine to support SSL for all our company's domains.
Available API methods: https://docs.kilossl.com/
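Whatever issues the certificates, the step that matters for security in the procedure above is the one before issuance: confirming that the customer's name really points at your endpoint, so you never obtain and serve a certificate for a hostname its owner has not delegated to you. Here is an added example (not code from the answer, and not the Kilo SSL API) of that check with a small per-registered-domain issuance budget mirroring the 50-per-week limit the answer quotes (which limit applies depends on the CA in use; treat the number as an assumption). The resolver is injected so the example runs offline against a constructed table; for real use, replace it with `dns.resolver` or `socket` lookups. All hostnames are placeholders.

```python
# Added example: verify a customer's CNAME delegation before requesting a certificate.
# ONBOARDING_TARGET, the customer hostnames and FAKE_DNS are constructed placeholders.
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

ONBOARDING_TARGET = "customers.saas.example"   # the CNAME target you hand to customers
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")


def _norm(name):
    return name.strip().lower().rstrip(".")


def verify_cname(hostname, resolve_cname, max_hops=3):
    """Return (ok, reason). resolve_cname(name) -> CNAME target string or None.
    Follows at most max_hops CNAMEs and requires the chain to end at ONBOARDING_TARGET."""
    host = _norm(hostname)
    if not HOSTNAME_RE.match(host):
        return False, "not a valid public hostname"
    if host == ONBOARDING_TARGET or host.endswith("." + ONBOARDING_TARGET):
        return False, "refusing to issue for our own domain through the custom-domain path"
    seen, cur = {host}, host
    for _ in range(max_hops):
        target = resolve_cname(cur)
        if target is None:
            return False, f"{cur} has no CNAME; customer has not delegated the name"
        target = _norm(target)
        if target == ONBOARDING_TARGET:
            return True, "ok"
        if target in seen:
            return False, "CNAME loop"
        seen.add(target)
        cur = target
    return False, f"chain does not end at {ONBOARDING_TARGET} within {max_hops} hops"


def registered_domain(hostname):
    """Crude eTLD+1 (last two labels). Production code should consult the public suffix
    list, because the CA's rate limit is counted per registered domain."""
    return ".".join(_norm(hostname).split(".")[-2:])


class IssuanceBudget:
    """Sliding seven-day count of certificates per registered domain."""

    def __init__(self, per_week=50):
        self.per_week, self.log = per_week, []

    def can_issue(self, hostname, now=None):
        now = now or datetime.now(timezone.utc)
        week_ago = now - timedelta(days=7)
        recent = Counter(registered_domain(h) for h, t in self.log if t > week_ago)
        return recent[registered_domain(hostname)] < self.per_week

    def record(self, hostname, when=None):
        self.log.append((hostname, when or datetime.now(timezone.utc)))


# Constructed DNS answers: what a resolver would return for each name.
FAKE_DNS = {
    "app.customer1.example": "customers.saas.example.",
    "app.customer2.example": "cdn.customer2.example.",    # two-hop chain, still ends at us
    "cdn.customer2.example": "customers.saas.example",
    "app.customer3.example": None,                          # customer has not set the record yet
    "loop.example": "loop2.example",
    "loop2.example": "loop.example",
}


def demo():
    return {h: verify_cname(h, FAKE_DNS.get) for h in FAKE_DNS if h.startswith(("app.", "loop."))}


if __name__ == "__main__":
    for host, (ok, why) in demo().items():
        print(f"{host:24} {'ISSUE' if ok else 'SKIP '} {why}")
```

Run the same check again before renewing, not only at onboarding: a customer who moves the name elsewhere but leaves your certificate renewing is exactly the dangling-delegation situation you do not want to be holding a valid certificate for.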

How to correctly specify a common name for Service Fabric certificate

Microsoft docs say to use something like clustername.eastus.cloudapp.azure.com, but what about custom DNS for the cluster?
Will the certificate properly validate or should the custom DNS (i.e. clustername.domain.com) be used?
The DNS name provided by the docs is just an example; I don't think you will be able to register a certificate against a domain you don't own like .azure.com.
In this case, you will register a certificate against a domain you own, and you either:
Register a CNAME record on your domain to redirect to the cluster domain clustername.eastus.cloudapp.azure.com, or
Configure the DNS A record to point to your cluster load balancer IP.
In the demo, the Common Name is just used to identify the certificate installed in the node (VM) certificate store.
The following links describe the use of certificates in more detail:
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-creation-via-portal
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-security-update-certs-azure
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-windows-cluster-x509-security
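Whether the certificate "properly validates" is decided by the TLS client comparing the name it connected to against the names in the certificate, so here is an added example (not from the answer) of that comparison as modern clients apply it per RFC 6125 / RFC 9525: dNSName SAN entries are matched case-insensitively, `*` is honoured only as the entire leftmost label and never spans a dot, and the Common Name is consulted only by legacy clients and only when the certificate carries no dNSName SAN at all. Certificates are represented in the dict form `ssl.getpeercert()` returns; the cluster names are placeholders, and the "custom domain" certificate with a `*.mycluster.example.com` SAN is an assumption about how one might cover node-level names.

```python
# Added example: RFC 6125 / RFC 9525 style hostname matching against certificate names.
# Certificates below are constructed in ssl.getpeercert() form; names are placeholders.


def _labels(name):
    return name.strip().lower().rstrip(".").split(".")


def name_matches(pattern, hostname):
    """Does one certificate name (possibly a wildcard) cover hostname?"""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False                       # '*' never matches more than one label
    if "*" in pattern:
        # wildcard only as the whole leftmost label, never deeper, never for TLD-level names
        if p[0] != "*" or any("*" in label for label in p[1:]) or len(p) < 3:
            return False
        return p[1:] == h[1:]
    return p == h


def dns_names(cert):
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def cert_valid_for(cert, hostname, allow_cn_fallback=False):
    """True if the certificate is acceptable for hostname. Modern clients never
    look at the CN; allow_cn_fallback=True emulates a legacy client that does
    when no dNSName SAN is present."""
    names = dns_names(cert)
    if names:
        return any(name_matches(n, hostname) for n in names)
    cn = common_name(cert)
    if allow_cn_fallback and cn:
        return name_matches(cn, hostname)
    return False


# Constructed certificates.
CERT_AZURE_NAME = {
    "subject": ((("commonName", "mycluster.eastus.cloudapp.azure.com"),),),
    "subjectAltName": (("DNS", "mycluster.eastus.cloudapp.azure.com"),),
}
CERT_CUSTOM_DOMAIN = {
    "subject": ((("commonName", "mycluster.example.com"),),),
    "subjectAltName": (("DNS", "mycluster.example.com"), ("DNS", "*.mycluster.example.com")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "mycluster.example.com"),),)}


def demo():
    return {
        "azure-name cert, custom hostname": cert_valid_for(CERT_AZURE_NAME, "mycluster.example.com"),
        "custom cert, custom hostname": cert_valid_for(CERT_CUSTOM_DOMAIN, "mycluster.example.com"),
        "custom cert, node hostname": cert_valid_for(CERT_CUSTOM_DOMAIN, "node0.mycluster.example.com"),
        "wildcard across dots": cert_valid_for(CERT_CUSTOM_DOMAIN, "a.b.mycluster.example.com"),
        "CN only, modern client": cert_valid_for(CERT_CN_ONLY, "mycluster.example.com"),
        "CN only, legacy client": cert_valid_for(CERT_CN_ONLY, "mycluster.example.com", True),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:36} {'valid' if ok else 'REJECTED'}")
```

The practical consequence for the question: if clients connect to `clustername.domain.com`, that exact name (or a wildcard one level above it) must appear as a dNSName SAN; a certificate carrying only the `cloudapp.azure.com` name will be rejected for the custom name no matter what the CNAME or A record points at, and a CN-only certificate will be rejected by current browsers and TLS libraries.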