SSHing into an AWS load balancer and configuring it for subdomain routing?

We want to use Amazon Elastic BeanStalk service for deployment in EC2 Boxes.
We want to deploy our Ruby on Rails Application in such a way that we can do sub-domain based routing to different rails app.
And we want to use a single SSL certificate for our load balancer and want to configure our load balancer in such a way that subdomain-based routing takes place.
HAProxy does this work well, but when we try to use the Amazon Elastic Beanstalk service for our deployment, AWS creates a load balancer but doesn't associate it with any key pair.
So we are not able to SSH into the load balancer and add our configuration for subdomain-based routing.
Can someone please point me to a solution?
Thanks,
Ankit.

You don't SSH into AWS load balancers, they are basically a black box that you have only a limited set of configuration options for. You probably need to look at the Route 53 services for DNS routing.
Your configuration would have routing based on domain DNS to different load balancers, one for each separate service you need. You can't have a single ELB route traffic to different EC2 instances based on domain or URI fragments.

Related

1 SSL Cert for Multiple Dynamic Elastic Beanstalk Environments

I'm basically trying to setup review apps where our CI spins up a review app such as review-app-<tag>.review.ourdomain.com based on push to a git branch.
Our CI spins up a new elastic beanstalk environment per review app. I currently have a wildcard SSL cert hooked up to our domain, which works properly.
Now, I need to figure out how to get https to work for our review apps. One solution would be to leverage Cloudflare's API to add DNS records that point review-app-<tag>.review to the appropriate elastic beanstalk instance's load balancer. However, DNS takes a while to propagate sometimes so it's not a great solution especially for CI workflows.
How can I get this to work without modifying DNS records? Is there a hack that could be put in place by modifying our Nginx config or using a Shared Application Load Balancer?

Is fronting Tomcat by Apache http server meaningful when we are using aws application load balancer

I know fronting Tomcat by Apache has some security benefits when we are using aws classic load balancer. However, I was wondering if it is meaningful to front Tomcat by Apache http server, when we are using aws application load balancer? Because an application load balancer operates at Layer 7 of the OSI model, and deals with application-level content.
It depends on your intention. Fronting Tomcat is not an issue when you go with AWS, and ALBs are a good way to handle and route your traffic. Therefore, stick to ALB rather than ELB and maintaining an Apache layer.

How to create subdomains using apache and aws elastic api?

In our current configuration we are having one ec2 aws instance. On this we are serving one api server which is developed using laravel and one front end which is developed using angular apache. And for dns resolution we are using godaddy. Now we are having one domain let's take it as example.com.
So what actually I need is serve angular application from example.com and laravel application from apis.example.com.
And I don't want to use aws route53 service as it will be paid service again.
So is there any way through which we can achieve it without using Route53, and if not, how should this be solved using Route53?
The steps would be the same using Godaddy or Route53. There is really no reason to think that Route53 would be required in this case.
1. Assign an Elastic IP to your EC2 instance
2. Create A records in Godaddy (or any other DNS service you want to use) for both example.com and apis.example.com that point to the Elastic IP
3. Configure Apache on your EC2 instance to serve requests for example.com
4. Configure Apache on your EC2 instance to send requests for apis.example.com to your Laravel app

Does EC2 Elastic Load Balancer remove the need for apache/nginx?

I am striving for a very simple cloud based architecture on Amazon AWS. I would like to have an app layer of several "elastic" EC2 instances where my application (and application servers) run, but I'm wondering what the load balancing will look like.
If I choose to use ELB, does it remove the need for Apache or Nginx?
No. All the loadbalancer does is just that, distributes load across instances. Whatever your stack is running on each instance will still need a nginx or apache or whatever service you want to respond back to the request routed through the load balancer.
I'm assuming you're running a web stack needing some type of server like nginx, apache, or java needing tomcat or something.
However, if you want AWS to take care of nginx and/or apache, look into running as an Elastic Beanstalk application: https://aws.amazon.com/elasticbeanstalk/

HTTPS not working (on AWS Elastic Beanstalk based site)

The site works perfectly fine on HTTP, however, does not work on HTTPS.
I've followed all the steps on this page to create a self-signed certificate and add it to my Elastic Beanstalk environment.
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html
I'm also getting a successful certificate response back from IAM using the following command:
aws iam get-server-certificate --server-certificate-name
After updating Elastic Beanstalk with the certificate, I've also added a rule to the security group that allows inbound traffic from 0.0.0.0/0 to port 443.
Finally, I've also validated that my load-balancer listener has HTTPS set up correctly.
In spite of all that, my calls to https are not resolving, while http is working perfectly fine.
Any other thoughts on this? Any help would be much appreciated.
Please let me know if you need any more information. Desperately looking for some insight/help into this.
Anyway, not being able to resolve this issue with my site/code, I tried to set up HTTPS on the sample site provided on Elastic Beanstalk. Interestingly enough, even that is not working.
I want to provide an update that I was finally able to resolve the issue.
The root cause was that I missed setting up an Inbound Rule for the Security Group of the Load Balancer.
For whatever reason, when I read the documentation, I understood that the Inbound Rule needed to be set up for the Security Group of the Instance (and not the Load Balancer). Only after I started tracing the Load Balancer did I realize that I should perhaps try setting up the Rule for the Security Group of the Load Balancer. So, the problem is resolved. Below is the setting I used.
HTTPS 443 HTTP 80 <name of the certificate>
I'd have to say that the documentation could be a bit more clear to clearly identify the change required to the Security Group of the Load Balancer (and not the Instance).
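The check this answer arrives at, as an added example that is not part of the original post: given both security groups in the JSON shape returned by `aws ec2 describe-security-groups`, it reports when the listener port is open on the instance group instead of the load balancer group. The group IDs, rules and finding names are constructed for illustration.

```python
# Added example: security group dicts follow the `aws ec2 describe-security-groups`
# JSON shape. Group IDs, rules and finding names are constructed sample data.

def allows(group, port, cidr=None, source_sg=None):
    """True if `group` admits TCP `port` from `cidr` or from `source_sg`."""
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "tcp":
            if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
                continue
        elif proto != "-1":  # "-1" means all protocols and all ports
            continue
        if cidr and any(r.get("CidrIp") == cidr for r in perm.get("IpRanges", [])):
            return True
        if source_sg and any(p.get("GroupId") == source_sg
                             for p in perm.get("UserIdGroupPairs", [])):
            return True
    return False

def diagnose(lb_sg, inst_sg, listener_port=443, instance_port=80):
    """Check the HTTPS 443 -> HTTP 80 listener path against both groups."""
    findings = []
    if not allows(lb_sg, listener_port, cidr="0.0.0.0/0"):
        findings.append("lb-sg-missing-listener-port")
    reachable = (allows(inst_sg, instance_port, source_sg=lb_sg["GroupId"])
                 or allows(inst_sg, instance_port, cidr="0.0.0.0/0"))
    if not reachable:
        findings.append("instance-sg-blocks-lb")
    if allows(inst_sg, listener_port, cidr="0.0.0.0/0"):
        # TLS ends at the load balancer, so this rule only widens exposure.
        findings.append("instance-sg-exposes-listener-port")
    return findings

def rule(port, cidr=None, sg=None):
    """Build one single-port TCP ingress permission."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}] if cidr else [],
            "UserIdGroupPairs": [{"GroupId": sg}] if sg else []}

ANY = "0.0.0.0/0"
# Before the fix: the 443 rule was added to the instance group only.
BROKEN_LB = {"GroupId": "sg-lb-example", "IpPermissions": [rule(80, cidr=ANY)]}
BROKEN_INST = {"GroupId": "sg-inst-example",
               "IpPermissions": [rule(80, sg="sg-lb-example"), rule(443, cidr=ANY)]}
# After the fix: 443 is open on the load balancer group.
FIXED_LB = {"GroupId": "sg-lb-example",
            "IpPermissions": [rule(80, cidr=ANY), rule(443, cidr=ANY)]}
FIXED_INST = {"GroupId": "sg-inst-example",
              "IpPermissions": [rule(80, sg="sg-lb-example")]}
```

`diagnose(BROKEN_LB, BROKEN_INST)` flags both the missing rule on the load balancer group and the unneeded 443 rule on the instance group; the fixed pair returns no findings.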
Amazon recently released AWS Certificate Manager:
1. Go to https://console.aws.amazon.com/acm/home
2. Add your domain and validate it by email
3. After the certificate is issued, deploy it to your Elastic Load Balancers following the steps (and easily set up your security groups)
It's even better from a performance point of view:
Because ELB supports SSL offload, deploying a certificate to a load
balancer (rather than to the EC2 instances behind it) will reduce the
amount of encryption and decryption work that the instances need to
handle.
Follow the doc for more information:
https://aws.amazon.com/fr/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/
I can't believe this...but it goes to show how bad the AWS console is...I had to scroll down and click "Apply" on an invisible button when it shows "Pending create" after add making me think it's working...facepalm.
Hello, I had a problem like this; I followed these steps and they worked for me:
Generate certificate
The first thing is to request a certificate in AWS Certificate Manager (ACM).
Take a look at this video to create a new one: https://youtu.be/bWPTq8z1vFY
Configuration of the Elastic Beanstalk
In Configuration -> Load balancer,
create a new listener:
In this step I get this:
Create a new record on Route 53
I use Route 53 to host my site.
Go to Route 53 -> select your host zone and create a new record.
Choose the alias option to select where to route traffic, in your case Elastic Beanstalk, your region and the name of your application.
This works if you use Route 53 and EB, but with other host providers I think it would work too.