Setting up load balancer at my EC2 instance at AWS

0
votes

I set up load balancer to my instances. My instances are inside an Auto Scaling Group.

My load balancer has HTTPS listener with SSL certificate from AWS. For load balancer's security group has inbound rule set to https with port 443 and outbound rule set to https with port 443 and EC2 instance's security group.

Then EC2 instance has https inbound rule set to load balancer's security group and outbound rule is open to all. This scenario doesn't work and I can't load my website.

Then I added http inbound with 0.0.0.0/0 to EC2 instance's security group and I can load my website.

Why I can't set load balancer's outbound fix to ec2's security group and ec2's inbound fix to load balancer's security group?

I have SSL certificate with my domain name. But I can't load my website with https. Using http is fine. Why?

1
securityamazon-web-servicessslamazon-ec2elastic-load-balancer
Couple of questions: Are you using an ELB or an ALB? In either case, you need to terminate HTTPS at the load balancer, or in other words -- traffic on 443 reaches your load balancer, and then continues on to your instance as something else like HTTP 80 or whatever port your application listens on. Can you check that your "Instance Port" in your load balancer/target group configuration is not 443?Anthony Neace
@AnthonyNeace Thanks. I use ELB. What do you mean "Instance Port"? I have this on the load balancer's port configuration. 443 (HTTPS, ACM Certificate: ---------------------------------) forwarding to 443 (HTTPS)batuman

1 Answers

1
votes

Quick sanity checks:

  • You can check that HTTPS is working correctly by simply visiting your ELB endpoint (not the route 53 address; the raw ELB DNS endpoint) with HTTPS via a web browser.

  • If your application does not manage SSL, your ELB should not forward HTTPS traffic to your EC2 instance. Let the ELB terminate HTTPS and forward it as HTTP.

Check that your Instance Port is Correct

A common pattern with ELBs is to allow the ELB to manage HTTPS for you; HTTPS is terminated at the load balancer, and the load balancer forwards traffic to your EC2 instances as HTTP. Unless your application is specifically managing your SSL, this is what you want and you'll need to configure your EC2 layer to accept HTTP traffic.

This HTTPS termination is managed in the ELB Load Balancer Listeners, by accepting HTTPS on the load balancer protocol/port, and HTTP on the instance protocol/port. Example:

enter image description here

It sounds like your ELB is attempting to forward traffic to your application as HTTPS, and on the HTTPS port, while your application is configured to accept HTTP. Simply edit this "Instance Port" to accept traffic on the port that your application expects HTTP traffic on. Example: port 80

You can additionally restrict HTTP inbound traffic on your EC2 instance's security group to only be allowed from your ELB's security group, instead of 0.0.0.0/0.

Associate your Route 53 Record with your ELB

To associate a route 53 record with your ELB, simply create an IPv4 Record that is aliased to your load balancer. Your load balancer should show up as one of the resources in the alias drop-down menu.

enter image description here

Further Reading