Set up SSL (enable HTTPS) on an Elastic Beanstalk Application without a Load Balancer.
On 2024-09-28 By atomicadmin
Now that you have your Elastic Beanstalk application up and running (following the steps in the previous blog: here), let's move to the next step of enabling HTTPS for your web app. If you are running multiple instances of your app and your use case forces you to have an Elastic Load Balancer for your Beanstalk app, then it's fairly simple to add your ACM certificate to the ALB, and this would enable HTTPS for your web app. But if you are running a single-instance application, then using a load balancer is overkill, and ELB is not cheap either. The process below removes the need for an ELB by adding a CloudFront distribution. The project architecture in a nutshell is as shown in the diagram.
Step 1 : Log in to Route 53 and register a domain of your choice. You can also transfer in your existing domains from another registrar if you want to have a domain managed by Route 53. Pricing depends on your chosen domain. You can choose to auto-renew on expiration.
Step 2 : Create a public hosted zone for your domain. A public hosted zone determines how traffic is routed on the internet. This will create the NS and SOA records for the hosted zone.
Step 3 : Request a public SSL/TLS certificate from Amazon. By default, public certificates are trusted by browsers and operating systems. We can do this using AWS Certificate Manager (ACM).
- Make sure you request your certificate in the US East (N. Virginia) region. CloudFront needs the certificate to be in this region to enable SSL.
- You need to request the certificate for your domain name. Make sure you also add a separate entry for the www subdomain (i.e. www.yourdomain.xyz).
- A key algorithm of RSA 2048 will do just fine.
- You can use the DNS validation method to prove that you are the domain owner before AWS issues you the certificate. If your domain and hosted zone are already in Route 53 (which they are in our case), you can click on "Create records in Route 53", and the validation process is automated.
- Wait until your certificate status changes to issued to proceed further. You can have a memunic coffee break at this point of time.
Step 4 : Now we move on to CloudFront and create a new distribution there.
- Under the origin domain, enter the domain name as you see it in your Elastic Beanstalk environment (something like xyz.<aws-region>.elasticbeanstalk.com) and set the protocol to HTTP only with port 80.
- In Default Cache behaviour, make sure you have viewer protocol policy as “HTTP and HTTPS”.
- In Default Cache behaviour, make sure you have “GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE” as the allowed HTTP methods.
- Under Cache key and origin requests, use the below:
  - Check “Cache policy and origin request policy”
  - Use the Cache policy as recommended for Elastic Beanstalk (UseOriginCacheControlHeaders)
  - Use the Origin Request Policy as recommended for Elastic Beanstalk (AllViewer)
- Under Web Application Firewall, make sure you do not enable security protections (carries additional charges).
- Under Settings, under Alternate Domain Name (CNAME), enter the domain name that you registered in Route 53. Add another CNAME entry for the www subdomain.
- Add your ACM managed certificate under the SSL certificate column in settings.
- You can leave all other fields as defaulted by AWS and click on Create Distribution.
- Wait until your distribution is enabled and deployed.
Step 5 : Now log back in to Route 53 and, inside the hosted zone, create an A type record.
- In subdomain enter “www”.
- Enable the alias toggle and enter “Alias to CloudFront Distribution” in “Route Traffic to” field. An alias to a CloudFront distribution and another record in the same hosted zone are global and available only in US East (N. Virginia).
- Select your CloudFront distribution domain.
- You can leave the routing policy as “Simple routing” and then create the record.
- You can create another type A record the same way but without a “www” subdomain.
With this, your domain should now be HTTPS-enabled and should direct to your Elastic Beanstalk app.
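To check the result of Steps 3 and 4, the following added example (not part of the original post) audits a distribution config of the shape printed by `aws cloudfront get-distribution-config` and reports where the setup differs from the steps, plus the two places where it still carries plain HTTP. The sample config, domain, account id and certificate id are constructed placeholders.

```python
# Added example: audit a CloudFront DistributionConfig against the steps above.
ALL_METHODS = {"GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"}

# Constructed sample shaped like `aws cloudfront get-distribution-config` output
# (domain, origin name, account id and certificate id are placeholders).
SAMPLE_CONFIG = {
    "Aliases": {"Items": ["yourdomain.xyz", "www.yourdomain.xyz"]},
    "ViewerCertificate": {"ACMCertificateArn":
        "arn:aws:acm:us-east-1:111122223333:certificate/constructed-id"},
    "DefaultCacheBehavior": {
        "ViewerProtocolPolicy": "allow-all",  # console: "HTTP and HTTPS"
        "AllowedMethods": {"Items": sorted(ALL_METHODS)}},
    "Origins": {"Items": [{
        "DomainName": "xyz.us-east-1.elasticbeanstalk.com",
        "CustomOriginConfig": {"HTTPPort": 80,
                               "OriginProtocolPolicy": "http-only"}}]},
}

def audit_distribution(config, domain):
    """Return (code, message) findings; an empty list means nothing to flag."""
    findings = []
    aliases = set(config.get("Aliases", {}).get("Items", []))
    for name in (domain, "www." + domain):
        if name not in aliases:
            findings.append(("MISSING_ALIAS", f"{name} is not an alternate domain name"))
    # ARN layout: arn:aws:acm:<region>:<account>:certificate/<id>
    arn = config.get("ViewerCertificate", {}).get("ACMCertificateArn", "").split(":")
    if len(arn) < 6 or arn[2] != "acm":
        findings.append(("NO_ACM_CERT", "no ACM certificate is attached"))
    elif arn[3] != "us-east-1":
        findings.append(("CERT_REGION", f"certificate is in {arn[3]}, not us-east-1"))
    behavior = config.get("DefaultCacheBehavior", {})
    if behavior.get("ViewerProtocolPolicy") == "allow-all":
        findings.append(("VIEWER_HTTP_ALLOWED",
                         "viewers can still use plain HTTP (redirect-to-https closes this)"))
    if set(behavior.get("AllowedMethods", {}).get("Items", [])) != ALL_METHODS:
        findings.append(("METHODS", "allowed methods differ from Step 4"))
    for origin in config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig", {})
        if custom.get("OriginProtocolPolicy") == "http-only":
            findings.append(("ORIGIN_HTTP",
                             f"CloudFront reaches {origin.get('DomainName')} over plain HTTP"))
    return findings

if __name__ == "__main__":
    for code, message in audit_distribution(SAMPLE_CONFIG, "yourdomain.xyz"):
        print(f"{code}: {message}")
```

For a real distribution, load the CLI's JSON output and pass its `DistributionConfig` object to `audit_distribution` along with your own domain.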