ssl deployment to ec2 single instance of IIS7 Windows 2008 - windows

As the title says, I'd like to deploy from VS2010 AWS toolkit or Jenkins (preferably) an SSL cert to the website running on AWS Win2008/IIS7, either as a redeployment or new deployment.
I've looked around and there's nothing on this, why? It appears to be possible with Elastic Beanstalk but that's not what I'm running at this stage.
Is it impossible and am I silly for not knowing that?
If so, what options do I have? I'm new to AWS so open to all suggestions!

There is no way to deploy a cert to an EC2 instance from VS2010. I don't believe IIS provides a command line utility to import a certificate, so it would be tough for the AWS toolkit to bootstrap that for you. If you ever get into CloudFormation, you may find a way to do it with cfn-init and PowerShell. Importing a cert to a Windows instance on bootup and creating an https binding that uses that cert is not something that's going to be quick to set up.
With Elastic Beanstalk, you don't have to deploy your certificate to your instances; you just have to import it to IAM, and then specify the imported certificate when you start Beanstalk. Your instance can communicate with Beanstalk's load balancer via http port 80, or you can use a self-signed cert on your instance to secure communication between the instances and the load balancer.

Related

AWS EC2 - Web App on Multiple EC2 with load Balancer

Currently I have set up my web application on my 2 instances (EC2). Both instances have the same web module and also the SSL certificate.
And then I have also set up 1 load balancer for both instances for high availability.
But I was wondering about the domain name part, because both instances have different IPs, and right now I only assign 1 instance IP at our domain provider.
So basically do I need to provide both instance IPs to my domain provider? Sorry, I am a newbie on this domain part :(
wasabiz, since you are a newbie, I would suggest going with the AWS Beanstalk path.
To answer your question:
You can use Route53 to create/import your domain name. The domain can point to the DNS name of the load balancer. From there the LB will route the traffic to your EC2 instances. You need to introduce the autoscaling layer and move the EC2 instances inside it, so that the autoscaling requirements can be fulfilled. All these options are configurable in AWS Beanstalk.
You have the option to generate TLS certificates in AWS, which are free to use in the AWS infrastructure. Otherwise, if you already have a certificate, you can import the certificate into AWS through AWS Certificate Manager and use it wherever needed, e.g. the load balancer.

Webserver for Angular and Spring application

I'm building a small web application for a personal project. It will be an Angular web application which will talk to a Spring Boot service layer, which in turn will read/write stuff to MongoDB.
I hope to host all this on a single EC2 instance in AWS. My question is how to configure a web server (like Apache, but it doesn't have to be) to 'beautify' the URLs a bit. For example, without touching anything, Angular will run at something like host:4200 and the service layer at host:8080. I will then have to map a proper domain to the host in AWS, but the hiding of ports etc. is where it gets murky for me.
I want to be able to hit my web app at domain.com (no ports etc.) and I also want my service layer to ideally have a similar setup, e.g. domain.com/service (no ports etc.).
How do I configure a web server to do this for me? Examples or pointers to specific examples would be ideal, but even a pointer to the right documentation will be helpful.
This thread is kind of similar to what I want but not too helpful: How to deploy Spring framework backend and Angular 2 frontend application in any online server?
You can use a setup with AWS CloudFront as reverse proxy and CDN cache. You can map the domain name and SSL certificates (you can use AWS-issued free SSL certificates through AWS Certificate Manager) to CloudFront, while the EC2 instance is plugged in as an origin behind CloudFront, as shown in the following diagram.
In the diagram I have also optionally added the following, which are common practices in designing applications in AWS:
Hosting the Angular app in S3
Using autoscaling & load balancing for EC2 instances.
You need to use Apache or another web server as a reverse proxy. Start here -
https://devops.profitbricks.com/tutorials/configure-apache-as-a-reverse-proxy-using-mod_proxy-on-ubuntu/
You then will need to set up a custom domain name. The easiest option is to just use an ELB (now called Classic Load Balancer). More details are here -
http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/using-domain-names-with-elb.html

Deploy Application to AWS EC2 Instance using Terraform

I need to deploy my Java application to an AWS EC2 instance using Terraform. The catch here: we should not use a *.pem file to deploy the application.
I tried to create an ELB and associate instances using Terraform. I am able to deploy the application using ssh and a pem file to the EC2 instances' private IPs. But we shouldn't use *.pem or *.ppk files, as they'll not be allowed on production servers.
I tried using Chef with Terraform, but that also requires a *.pem to connect to AWS instances.
Please let me know the detailed steps/suggestions for how to deploy the application using Terraform without using a pem file.
If you can't make any changes to your instance after creating it (including deploying the application), then you will need to bake any and all changes into the AMI that Terraform deploys.
You might want to look into using Packer to create AMIs with your intended configuration and then use Terraform to deploy these AMIs.
For reference, this strategy is known as "immutable infrastructure", so you might want to do some further reading into this area.
If instead it's simply that SSH connectivity is not allowed and you can make changes over other ports, then you should be able to use an AMI that has a Chef client, Puppet agent or Salt minion on it (there may well be other tools that work over a non-SSH protocol/port, but this restriction rules out Ansible) and then use any of those tools to continue to configure your instance. Obviously you could find a suitable AMI from the AMI marketplace or, once again, use Packer to set up the relevant configuration management client.

Can AWS Elastic Load Balancer forward port 443 to port 443 for an Elastic Beanstalk instance?

I have a Windows/.NET Elastic Beanstalk instance with an SSL cert set up on the load balancer. By default this creates a port forwarding from https/443 to http/80. I would like to have 443/https on the load balancer forward to 443/https on the Beanstalk instance.
I was trying to do what is documented here:
I reconfigured the corresponding EC2 instance under EC2-->Load Balancers-->Listeners so that HTTPS forwards to HTTPS configured with my SSL cert. The problem is that when I try to make an HTTPS request after that, it just times out. It seems like the Elastic Beanstalk instance doesn't like me modifying the EC2 listeners.
Any ideas?
To get SSL to work between the load balancer and the Elastic Beanstalk instance I needed several things:
1. Configure the EC2 load balancer to forward port 443 to port 443 (on SSL). I already had this part in the question above.
2. Configure IIS on the EC2 instance like any other site with SSL:
a) Install the SSL cert on the EC2 instance in IIS.
b) Add an https/443 binding with the SSL cert.
The problem was I was expecting #2 for free. On Windows Azure this is pretty much free when you configure certificates on your instance, but as of now this is not the case on AMZN Elastic Beanstalk for Windows.
I also would expect #2 to be scriptable so I could scale instances up or down without having to manually do #2. I was looking for some easy way to tie in PowerShell scripts on my EB instances, but they apparently don't have this feature either.
My final solution was to create a custom VM image (AMI) with the SSL cert installed and the https binding already added. If I do this I can deploy the Elastic Beanstalk image with my SSL stuff already set up. Doing this then allows me to scale up or down without any configuration.
This was a particular problem for me with my ASP.NET MVC project with various OAuth providers. Basically anything that should use https was broken under Elastic Beanstalk. I tried coding around it by looking for the X-Forwarded-Proto HTTP header, but it was pretty nasty. So I really wanted SSL straight through to my EC2 instances.
It probably took me 3h to figure out how to do this without using an AMI, so hopefully this helps someone.
I've previously tried the custom AMI approach and, though it works, it presents two problems:
I have to patch and maintain my own AMI, which is time consuming. If I use a standard image, I can just rebuild the environment when a newer image is available.
I can't source-control my configuration settings; they are just embedded in an opaque AMI somewhere in the cloud.
I adapted this from this post.
First of all, you need to add a directory to the root of your visual studio web project called: .ebextensions.
Inside it, create a text file called environment.config. We're going to use YAML here, so don't edit it in Visual Studio in case it thinks it's an Application Config file and adds tabs; YAML is whitespace sensitive. The syntax for the file is documented on Amazon.
My file has a bunch of other settings for tuning IIS, but the relevant bit looks like this (the indentation matters):
container_commands:
  site_add_ssl_binding:
    command: PowerShell -ExecutionPolicy Bypass -File "C:\\inetpub\\wwwroot\\.ebextensions\\ssl.ps1"
This will execute a custom PowerShell script called ssl.ps1. So let's create that inside the .ebextensions directory:
# ssl.ps1 - runs as a container command during deployment.
# WebAdministration provides Get-WebBinding / New-WebBinding and the IIS: drive;
# PKI provides Import-PfxCertificate. Both are auto-loaded on recent PowerShell,
# but importing them explicitly avoids surprises when run non-interactively.
Import-Module WebAdministration
Import-Module PKI

# If there is no existing SSL binding on port 443
if ( -not (Get-WebBinding -Name "Default Web Site" -Port 443) ) {
    # Import the .pfx file into the machine certificate store
    $securepwd = ConvertTo-SecureString -String "YOUR_PFX_PASSWORD_HERE" -Force -AsPlainText
    $cert = Import-PfxCertificate -FilePath "C:\inetpub\wwwroot\.ebextensions\my-certificate.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $securepwd

    # Create the https site binding in IIS, then attach the certificate to 0.0.0.0:443
    New-WebBinding -Name "Default Web Site" -IPAddress "*" -Port 443 -Protocol https
    New-Item -Path "IIS:\SslBindings\0.0.0.0!443" -Value $cert
}
When executed, this command will import a .pfx file into the certificate store, and then create the SSL binding on port 443 of your website.
With the original code that I referenced, I had all kinds of issues with dodgy character encodings. So if you copy/paste this sample and it doesn't work, you can test it by remoting into your EC2 instance, opening a command prompt and executing the command directly: PowerShell -ExecutionPolicy Bypass -File "C:\inetpub\wwwroot\.ebextensions\ssl.ps1"
You'll need to add your .pfx file to the .ebextensions directory too. In Visual Studio, make sure that all of the files are included in the project and have a Build Action of Content (tip: select the file in the Solution Explorer and press F4). The Solution Explorer should look like:
web-project.csproj
  .ebextensions
    environment.config
    my-certificate.pfx
    ssl.ps1
  ...
Then, using the AWS Toolkit for Visual Studio, right-click on your project and select Publish to AWS and follow the prompts. This will upload your deployment package to your Elastic Beanstalk environment and install it. Your customisations will be executed during a deployment, or whenever a new EC2 instance is provisioned.
Following a successful execution, the .ebextensions directory gets deleted.
If you don't want to include the .pfx file inside your Visual Studio project, the original example uses PowerShell to download the .pfx file from an S3 bucket. You can also avoid embedding the password in the .ps1 by referencing an Elastic Beanstalk environment variable.
To get this working end-to-end you'll also need to:
Configure your load balancer to forward 443 traffic to port 443 on your EC2 instances (the default switches to port 80).
Configure the security group out of the load balancer to allow 443 traffic.
Configure the security group into the EC2 instances to allow 443 traffic.
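As an added example (not the answer's own ssl.ps1, and not code from AWS), here is a variant of that script that does what the answer suggests at the end: it reads the .pfx password from an Elastic Beanstalk environment property instead of embedding it in the file, and it verifies the resulting binding and certificate before the deployment is considered good. The property name PFX_PASSWORD, the site name "Default Web Site" and the .pfx file name are assumptions; change them to match your environment.

```powershell
# Added example: .ebextensions-style SSL binding script that takes the PFX
# password from an environment property and verifies the binding afterwards.
# Assumed names: PFX_PASSWORD (environment property), "Default Web Site",
# my-certificate.pfx next to this script.
Import-Module WebAdministration
Import-Module PKI

$siteName = "Default Web Site"
$pfxPath  = Join-Path $PSScriptRoot "my-certificate.pfx"

function Get-PfxPassword {
    # Elastic Beanstalk exposes environment properties to container commands
    # as process environment variables; PFX_PASSWORD is an assumed name.
    $plain = $env:PFX_PASSWORD
    if ([string]::IsNullOrEmpty($plain)) {
        throw "PFX_PASSWORD environment property is not set; refusing to continue"
    }
    return ConvertTo-SecureString -String $plain -Force -AsPlainText
}

function Install-SiteSslBinding {
    param([string]$Site, [string]$Pfx)

    # Idempotent: redeployments and scale-out instances may run this repeatedly.
    if (Get-WebBinding -Name $Site -Port 443 -Protocol https) {
        Write-Output "HTTPS binding already present on $Site; nothing to do"
        return
    }
    if (-not (Test-Path $Pfx)) { throw "PFX not found: $Pfx" }

    # Import into the machine store; IIS needs the private key to be present.
    $cert = Import-PfxCertificate -FilePath $Pfx `
        -CertStoreLocation Cert:\LocalMachine\My -Password (Get-PfxPassword)
    if (-not $cert.HasPrivateKey) { throw "Imported certificate has no private key" }

    New-WebBinding -Name $Site -IPAddress "*" -Port 443 -Protocol https
    New-Item -Path "IIS:\SslBindings\0.0.0.0!443" -Value $cert | Out-Null
    Write-Output "Bound certificate $($cert.Thumbprint) to $Site on 443"
}

function Test-SiteSslBinding {
    param([string]$Site)
    $binding = Get-WebBinding -Name $Site -Port 443 -Protocol https
    $ssl = Get-Item "IIS:\SslBindings\0.0.0.0!443" -ErrorAction SilentlyContinue
    if (-not $binding -or -not $ssl) { return $false }

    # The bound thumbprint must still resolve to a cert in the store and not be expired.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $ssl.Thumbprint }
    return ($null -ne $cert) -and ($cert.NotAfter -gt (Get-Date))
}

Install-SiteSslBinding -Site $siteName -Pfx $pfxPath
if (-not (Test-SiteSslBinding -Site $siteName)) {
    throw "HTTPS binding verification failed on $siteName"
}
```

Because a container command that throws fails the deployment, the verification step turns a silently broken binding (which would show up as the timeouts described in the question) into a visible deployment error. The environment property still has to be set on the Beanstalk environment itself; the script only refuses to run without it.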
With some instance types, you can configure Elastic Beanstalk app servers via configuration files. You can use this technique to enable SSL.
See "Serve HTTPS From Elastic Beanstalk Application Instances" for example configuration.

I cannot access the website hosted on an Amazon EC2 instance even though I think the configuration is right

I have a free Amazon EC2 instance, and I installed the Apache web server on it. I have the DNS record for my domain pointing to the IP of the EC2 instance. I cannot access my website. Then I looked it up and allowed HTTP inbound, but I still fail to access my website. What might be the reason? Can anybody give me a clue?
Go to the AWS management console and look at the Security Group the instance is in. Then make sure you have the port open that you are trying to connect to (most likely 80). To open it to the world, set the IP range to 0.0.0.0/0, and to open it to a specific IP (like only your house) set it to xxx.xxx.xxx.xxx/32.
That is almost always the reason people have problems connecting when they are new to AWS. I wrote this post, which should help get you set up.
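As an added example (not part of the answer, and not AWS code), the following script applies the answer's two checks to a security group's inbound rules: is the port you are trying to reach actually allowed, and which rules are open to the whole internet (0.0.0.0/0) rather than to a /32. It runs offline over a constructed rule list shaped like the IpProtocol/FromPort/ToPort/CidrIp fields of an EC2 rule; feeding it the live rules from the AWS Tools for PowerShell (Get-EC2SecurityGroup) is an assumption noted in the comments, not shown.

```powershell
# Added example: audit inbound security-group rules for the two questions the
# answer raises (is my port open? what is exposed to the world?).

# Constructed sample: HTTP just opened to the world, RDP also left open to the
# world, SSH restricted to one /32. Not real data.
$sampleRules = @(
    [pscustomobject]@{ IpProtocol = 'tcp'; FromPort = 80;   ToPort = 80;   CidrIp = '0.0.0.0/0' },
    [pscustomobject]@{ IpProtocol = 'tcp'; FromPort = 3389; ToPort = 3389; CidrIp = '0.0.0.0/0' },
    [pscustomobject]@{ IpProtocol = 'tcp'; FromPort = 22;   ToPort = 22;   CidrIp = '203.0.113.10/32' }
)

# Ports a public web server is expected to expose to everyone.
$expectedPublicPorts = @(80, 443)

function Test-PortAllowed {
    param([object[]]$Rules, [int]$Port, [string]$Protocol = 'tcp')
    # '-1' is the EC2 "all traffic" protocol and matches every port.
    foreach ($r in $Rules) {
        if ($r.IpProtocol -eq '-1') { return $true }
        if ($r.IpProtocol -eq $Protocol -and $Port -ge $r.FromPort -and $Port -le $r.ToPort) {
            return $true
        }
    }
    return $false
}

function Get-WorldOpenRules {
    param([object[]]$Rules, [int[]]$AllowedPorts)
    # Rules reachable from anywhere that are not a single expected web port.
    $Rules | Where-Object {
        $_.CidrIp -eq '0.0.0.0/0' -and -not (
            $_.IpProtocol -eq 'tcp' -and
            $_.FromPort -eq $_.ToPort -and
            $AllowedPorts -contains $_.FromPort
        )
    }
}

function Get-SecurityGroupReport {
    param([object[]]$Rules, [int]$WebPort, [int[]]$AllowedPorts)
    [pscustomobject]@{
        WebPortReachable = Test-PortAllowed -Rules $Rules -Port $WebPort
        WorldOpenRules   = @(Get-WorldOpenRules -Rules $Rules -AllowedPorts $AllowedPorts)
    }
}

# Run over the constructed sample. To audit a real group (assumed cmdlet from
# AWS Tools for PowerShell), flatten Get-EC2SecurityGroup's IpPermissions into
# objects with the same four fields and pass them as -Rules.
$report = Get-SecurityGroupReport -Rules $sampleRules -WebPort 80 -AllowedPorts $expectedPublicPorts
if ($report.WebPortReachable) {
    Write-Output "Port 80 is allowed inbound; look at DNS/Apache next."
} else {
    Write-Output "Port 80 is NOT allowed inbound; add an HTTP rule."
}
foreach ($r in $report.WorldOpenRules) {
    Write-Output ("WARNING: {0}/{1}-{2} is open to the world; restrict it to a /32." -f
        $r.IpProtocol, $r.FromPort, $r.ToPort)
}
```

On the constructed sample the report says port 80 is reachable and flags the tcp/3389 rule, which is the case the answer's /32 advice is meant to prevent: opening the web port to 0.0.0.0/0 is expected, but management ports should be limited to the addresses that need them.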