AWS Load Balancer HTTPS Setup with Route 53 and Certificate Manager & HTTP Redirect to HTTPS

Video Statistics and Information

Captions
One of the most popular real-world architecture patterns is using a load balancer along with a custom domain URL and HTTPS (SSL) for your application. In this video we are going to go over the design as well as a hands-on demo. All right, let's get started.

Let's first look at the load balancer flow. In this case either a user or another application is invoking the load balancer using the default load balancer URL provided, and then the load balancer is accepting traffic in HTTP protocol on port 80, and then it redirects the traffic back to the application; in this case let's say your application is running on Kubernetes.

Now, extending one step further, you want to invoke your application using a custom domain name, such as your website name, instead of the default load balancer URL. In this case you need a DNS resolver in between, so Amazon Route 53 is the service for AWS. You can register your domain and invoke the app using, let's say, http://myapp.com. This myapp.com is registered in Amazon Route 53, but the same flow will work for any external DNS registrar as well. In Route 53 you will have a DNS A record pointing to the load balancer, and this load balancer will be accepting traffic for HTTP protocol on port 80 and then redirecting it to the backend application.

Now going one step further, for the load balancer custom domain SSL flow, the requester will still invoke it via the domain, but in this case instead of HTTP they will invoke using HTTPS. Nothing changes in Route 53: the DNS A record still points to the ELB, but in this case the load balancer accepts the traffic for protocol HTTPS and port 443. To accept traffic in HTTPS protocol you need to have an SSL cert for your domain, so the load balancer can integrate directly with AWS Certificate Manager (ACM), and you need to provision a certificate for this domain name myapp.com. But what if someone invokes this website using http://myapp.com and not HTTPS? That's okay as well. In that case the traffic will come to the HTTP port 80 load balancer listener, but you need to redirect the traffic back to port 443 so that the traffic converts to HTTPS and it utilizes the SSL cert. All right, so that's the design flow.

Now let's jump into the AWS console and do this hands-on. For this demo I'm just running a sample Apache web server in EC2. So I spun up EC2 and then I connect from the AWS console, and once I am there I ran sudo yum install -y httpd and then I started the httpd server. Then what I did was I went to /var/www/html and I put an index.html here; you can put any index.html. I'm going to change this a little bit, just going to put "hello from cloudwithraj", and then save this file. So basically at this point, if I copy this public IP address, open a new tab and test this, it says "welcome to my website, hello from cloud with raj". All right.

So now what I'm going to do is create an Application Load Balancer and point the load balancer to this EC2. Okay, I'm in the load balancer screen; click Create load balancer, and then Application Load Balancer, click Create. Load balancer name: I'm going to give the name web server test; internet facing; select all the subnets on the VPC. Security group: I'm actually going to create a new security group, name this lb security group, VPC... so currently the security group has no inbound rules, so I'm going to add some rules: I'm going to allow HTTP traffic and also going to allow HTTPS traffic. All right, click Create security group; description "web server security group"; create security group. Okay, go here, refresh this, I'm going to select this lb security group and remove the default one.

And now the listener is where the magic happens. So the first thing we need to do is protocol HTTP, port 80, and then I need to create a target group with that EC2 instance. So I'm going to click Create target group, select Instances, scroll down, target group name: put web server test; health check should be /index.html; click Next; select the sample web server, Include as pending below, click Create target group. Go back to the load balancer, refresh the target group, web server test, there we go. Scroll down, click Create load balancer, click View load balancer. So on the listener we have port 80 HTTP and then we're forwarding to web server test. I select this; it takes a minute or two for it to be healthy; it's running the health check right now. All right, so our health check has passed, so at this point the load balancer should be up and running. So let's go back to our load balancer web server test, click Description; the DNS name is the system-provided URL for the load balancer. So if I open up a tab and paste the DNS name, all right, now it's going to our website. So at this point this part is done.

And now we are going to do the load balancer custom domain flow. For this I have a registered domain, testipaddress.com, and you can click this. So remember these name servers, or take note of this in a notepad, and then open the hosted zones. Under hosted zones the same domain should be there; click that domain and you should see these two records, the name server (NS) record and then SOA. Look at the entries for this name server record: this entry should exactly match the one under the registered domain. If it doesn't match, then Route 53 is not going to work, and in that case you can click this Add or edit name servers and then copy these values from the hosted zone and paste them here. But by default everything should be good; you should only face this error when you delete the hosted zone and you recreate it, or something, you don't click something like confirm, then you might get this error. Anyway, by default everything should be good.

Then click Create record, and don't worry about the CNAME thing yet; this got created because of the certificate, I'm going to go over it in a second. You don't need the CNAME entry for this demo to work. So click Create record, simple routing, click Next, click Define simple record, and then under the drop-down select Application and Classic Load Balancer, select your region (in our case we have us-west-2), and then select the load balancer, and then click Define simple record, click Create records. All right, so at this point any traffic that's coming to testipaddress.com should be diverted to the load balancer, and that load balancer should send the traffic to our Apache web server. So let's open another tab and then we are going to put testipaddress.com. All right, so this one is working as well, and as you can see this is "not secure".

All right, so now we are going to create a certificate and then create the HTTPS. So I'm going to go to Certificate Manager and then Request a certificate, Request a public certificate, and then fully qualified domain name: I'll give the domain name testipaddress.com; DNS validation; click Request. So you can see for testipaddress.com the status is "pending validation". Since we chose DNS validation, click that, go here and then select Create records in Route 53. This will put an entry in there that validates that we actually own this URL or the domain, so that we are not trying to add something to someone else's website. Click Create records, and then if we go to Route 53 and refresh this, okay, you see a CNAME record for the validation. Note that this CNAME record is just for validation; it doesn't do anything on the traffic flow. Alternatively you can also do email validation. So don't think that this CNAME entry is doing something to the traffic flow. All right, after we added those records our certificate is issued. If we go back to Route 53 we don't need to change anything; we can keep this CNAME as is.

So we have to go to the load balancer. In the load balancer, under Listeners, now we have to add HTTPS. So I'm going to click Add listener and then select HTTPS; action should be Forward to the same target group, web server test. Okay, and then we have to select an SSL certificate for HTTPS, so select the certificate testipaddress.com, click Add, View listeners. So at this point we should be able to handle HTTPS traffic. I'm going to create another tab and now I'm going to give https://testipaddress.com. All right, so testipaddress.com is also working and you can see this lock symbol; that means our website is HTTPS. But if we go back to http://testipaddress.com, see, this one still works, and we don't want that. So in that case what we need to do is go back to our load balancer, and for HTTP:80 click View/edit rules, click Edit up top, click Edit here and delete this rule, click Add action and Redirect to HTTPS 443. So basically even if the traffic comes to port 80 HTTP protocol, we're going to redirect it to HTTPS protocol. Click Update. All right, go back to Rules; okay, so for HTTP:80 we are redirecting it to HTTPS. HTTP is all set, so let's go back here, testipaddress.com, let's refresh this. All right, so even if we refreshed HTTP, you could see it redirected me to HTTPS, and you could tell by this lock symbol.

Another thing to keep in mind: if I put www.testipaddress.com, this is not going to work, because in our Route 53 we only created a record for testipaddress.com. If we want www to go to the same destination as testipaddress.com, you need to create another A record for www. So let me show you that: click Create record, simple routing, Define simple record, and here you need to put www, and then here select Application Load Balancer, region us-west-2, the same load balancer, Define simple record, Create records. All right, so now we have two A records, one is for just testipaddress.com and another is for www. So now if we type in www.testipaddress.com, okay, now it works, right, because now www is also handled. So this is like a little bit of a trick. So what if instead of www you want to do alb.testipaddress.com? All right, similarly you can create a record: click Next, Define simple record, and then alb, select the load balancer, choose your region, choose the load balancer, Define simple record, Create records. So now if we type alb.testipaddress.com, okay, now our website works but it says "not secure". Why? Why is this not secure? alb.testipaddress.com doesn't work because our certificate only covers testipaddress.com or www.testipaddress.com; it doesn't cover anything else. So if you want alb.testipaddress.com to be HTTPS, you either need to create another certificate for alb.testipaddress.com, or you can create a generic certificate with *.testipaddress.com, but sometimes it is not recommended, so that you can actually specify what exact prefix you can use with your website.

All right folks, if you want to see more videos like this please click the subscribe button; only 15 of my viewers are subscribed, so help me out here, click subscribe, click the like button, comment something on the video; it really helps the YouTube algorithm to grow my channel. Also all my highest rated and best-selling courses are on discount this week; I'll give the link down below, so check it out if interested. That's it for this one, I'll see you guys and girls in the next video. Bye.
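Two post-deployment checks for the setup the video builds, added here as an example that is not part of the video or the channel's material: a hostname-versus-certificate-SAN matcher that shows why alb.testipaddress.com reports "not secure" under a certificate covering only testipaddress.com and www.testipaddress.com (and what a *.testipaddress.com wildcard would and would not cover), and a redirect checker that accepts only an HTTP-listener response sending the same host and path to https://. The `probe` helper is a hypothetical name that runs both checks against a live host with the standard library only; the SAN lists and responses used to exercise the pure functions are constructed.

```python
"""Checks for an ALB + Route 53 + ACM deployment: does http:// redirect to
https://, and does the served certificate cover the hostname? The two pure
functions need no network; probe() (hypothetical helper) applies them live."""
import socket, ssl, urllib.error, urllib.request
from urllib.parse import urlsplit


def hostname_covered(hostname, sans):
    """RFC 6125-style match against the certificate's DNS SANs. A wildcard
    replaces exactly one leftmost label: '*.example.com' covers
    'alb.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    host = hostname.lower().rstrip(".").split(".")
    for san in sans:
        labels = san.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) > 2 and labels[1:] == host[1:]:
            return True
    return False


def redirect_is_correct(status, location, request_url):
    """True only for a 301/302/307/308 whose Location keeps the original host
    and path and switches the scheme to https (an ALB emits https://host:443/...)."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    want, got = urlsplit(request_url), urlsplit(location)
    return (got.scheme == "https" and got.hostname == want.hostname
            and (got.path or "/") == (want.path or "/"))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as an HTTPError instead of following it


def probe(hostname):
    url = f"http://{hostname}/"
    try:
        resp = urllib.request.build_opener(_NoRedirect).open(url, timeout=10)
        status, location = resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        status, location = err.code, err.headers.get("Location")
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain still verified; name match reported by us
    with socket.create_connection((hostname, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
    return {"redirects_to_https": redirect_is_correct(status, location, url),
            "cert_covers_host": hostname_covered(hostname, sans), "sans": sans}
```

Running `probe("alb.testipaddress.com")` against the video's final state would report `redirects_to_https` true and `cert_covers_host` false, which is exactly the browser's "not secure" warning.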
Info
Channel: Cloud With Raj
Views: 62,624
Id: JQP96EjRM98
Length: 15min 12sec (912 seconds)
Published: Mon Apr 04 2022