I am provisioning a 3-broker kafka cluster on AWS EC2, and I need them to be reachable on an internal VPC at URLs like 1.kafka.private.com, etc. If I do not attach a cert, I know that systems using kafka (and maybe the brokers themselves) will give "SSL Handshake" errors.
I have the cert in ACM for *.private.com (that's an example) but I know you cannot attach ACM certs directly to EC2 instances, just loadbalancers and cloudfront.
I set up a similar cluster in a public zone and used letsencrypt certbot to issue certs, but I cannot do that know since this private dns is not publically resolvable.
How can I set this up? I would prefer not to put each of the 3 brokers behind 3 loadbalancers, and I'm not even sure if that would work.
Related
I am running a Spring Boot application in EC2. I want to make the API calls as HTTPS instead of HTTP.
This is what I did:
Brought a domain in godaddy and configured it in Route 53.
Created a cert from AWS certificate manager.
Created a Load Balancer and added the cert.
In route 53 directed my traffic to ELB.
Above things are working fine now. I have only one instance. Use of ELB is only for SSL. But I want to get rid of ELB as it is costing me more
Is there any other way I can make the API calls as HTTPS for spring boot application running on ec2 without ELB?
ELB can be quite expensive, and most of all useless if you have only one instance.
Try to put CloudFront in....well...front of your instance. You get the benefit of managing AWS certificates in the same way you are doing with the LB, and also you can take advantage of caching and edge locations.
You can also redirect Route53 to CloudFront, just add a CNAME to your hosted zone that reference the cloud front DNS.
Currently I have setup my web application on my 2 instance (ec2). Both instance have same web module and also SSL certificate.
And then I also have setup 1 load balancer for both instance for high availability.
But I was wondering on domain name part. Because both instance have different IP, and right now I only assign 1 IP instance into our domain provider.
So basically do I need provide both instance IP into my domain provider? Sorry I was newbie on this domain part :(
wasabiz, since you are a newbie, I would suggest going with AWS Beanstalk path.
To answer your question.
You can use Route53 to create/import your domain Name. The domain can point to DNS name of the Loadbalancer. From there LB will route the traffic to your EC2 instances. You need to introduce the autoscaling layer and move the EC2 instances inside it. So that the auto scalaing requirements can be fulfilled. All these options are configurable in AWS BeanStalk.
You have options to generate TSL certificates in AWS which is free to be used in AWS infrastructure. Otherwise, if you already have a certificate, you can import the certificate into AWS through AWS Certificate Manager and use it where ever needed, eg:load balancer.
I'm working for a client that has a simple enough problem:
They have EC2s in two different Regions/VPCs that are hosting microservices. Up to this point all EC2s only needed to communicate with EC2 instances that were in the same subnet, but now we need to provision our infrastructure so that specific ec2s in VPC A's public subnet can call specific ec2s in VPC B's public subnet (and vice versa). Communications would be calling restful APIs over over HTTPS/TLS 2.0
This is nothing revolutionary but IT moves slowly and I want to create a Terraform proof of concept that:
Creates two VPCs
Creates a public subnet in each
Creates an EC2 in each
Installs httpd in the EC2 along with a Cert to use SSL/TLS
Creates the proper security groups so that only IPs associated with the specific instance can call the relevant service
There is no containerization at this client, just individual EC2s for each app with 1 or 2 backups to distribute the load. I'm working with terraform so I can submit different ideas to them for consideration, such as using VPC Peering, Elastic IPs, NAT Gateways, etc.
I can see how to use Terraform to make these infrastructural changes, but I'm not sure how to create EC2s that install a server that can use a temp cert to demonstrate HTTPS traffic. I see a tech called Packer, but was also thinking I should just create a custom AMI that does this.
What would the best solution be? This doesn't have to be production-ready so I'm favoring creating a fast stable proof-of-concept.
I would use the EC2 user_data option in Terraform to install httpd and create your SSL cert. Packer is great if you want to create AMIs to spin up, but since this is an POC and you are not doing any complex configuration that would take long to perform, I would just use user_data.
I am hosting Tableau Server on Amazon Web Services (AWS) EC2. My domain name is ec2-xx-xx-xxx-xx.xx-xxxx-x.xxxxxxx.amazonaws.com. I would like to convert http to https, so I want to get a SSL certificate. When I asked a certificate authority (CA), they told me that my domain includes "amazonaws.com", so I couldn't get a SSL certificate. I then tried to get a SSL certificate from AWS, I received an error message.
Error message.png
This was due to the fact that I couldn't request a certificate for Amazon-owned domain name ending in "amazonaws.com".
Does anyone know how to deal with this issue?
Sincerely,
Kazumi
Looks like you need to understand the basics of the process of purchasing a domain name, assigning an IP address to the domain name, purchasing an SSL certificate etc.
Below steps are the easiest and the cheapest way to make your endpoint be served by SSL on AWS infrastructure:
Purchase a domain name eg. knozawa.com from AWS Route 53
Create a new SSL certificate free of cost using AWS
Certification Manager (ACM)
Add your EC2 instance which hosts the Tableau server behind an ELB. The ELB
should be configured to accept traffic over port 443 only. Select
the certificate created using ACM to serve for SSL traffic over port
443.
Go to Route 53, and created a hosted zone entry like
tableau.knozawa.com and add the ELB alias to the entry.
And you are done! You can now access your Tableau installation on your own domain name, serving traffic over SSL on the link https://tableau.knozawa.com
This will probably cost you and additional USD 12.00/year for the domain name, $10-$20 per month for ELB based on traffic.
I had a running instance, and then I became unable to connect to it via http(80) and ssh(22). I tried to reboot the instance, but nothing went up. This has happened to me twice in the past month.
Why does it happen? Can I do anything to fix and/or prevent it from happening?
If I launch a new instance in same region, and it works.
Things to check when trying to connect to an Amazon EC2 instance:
Security Group: Make sure the security group allows inbound access on the desired ports (eg 80, 22) for the appropriate IP address range (eg 0.0.0.0/0). This solves the majority of problems.
Public IP Address: Check that you're using the correct Public IP address for the instance. If the instance is stopped and started, it might receive a new Public IP address (depending on how it has been configured).
VPC Configuration: Accessing an EC2 instance that is launched inside a Virtual Private Cloud (VPC) requires:
An Internet Gateway
A routing table connecting the subnet to the Internet Gateway
NACLs (Network ACLS) that permit through-traffic
If you are able to launch and connect to another instance in the same subnet, then the VPC configuration would appear to be correct.
The other thing to check would be the actual configuration of the operating system on the instance itself. Some software may be affecting the configuration so that the web server / ssh daemon is not working correctly. Of course, that is hard to determine without connecting to the instance.
If you are launching from a standard Amazon Linux AMI, ssh would work correctly anytime. The web server (port 80) would require installation and configuration of software on the instance, which is your responsibility to maintain.