Using an ACM Certificate to Secure my Apps Running on EC2 Instances

0

I have EC2 Servers running various applications. These servers are running LAMP using UBUNTU. I understand that ACM certificates cannot be applied directly to the EC2 instance. However, it seems I could use CloudFront, an Application Load Balancer, or an Amazon API Gateway to provide an SSL secure interface to my applications. Which is the best solution? Do you have a procedure to accomplish this?

I have tried both CloudFront and a Load Balancer, but I seem to get stuck at various points. My servers are in us-east-2 (Ohio) but AWS insists that my certificate must be in us-east-1. My current attempt using CloudFront returns "Hmmm… can't reach this page", suggesting that the link between CloudFront and my EC2 instances isn't being made.

I would appreciate any thoughts. While my specific configuration may be less common, it seems like the general issues should be fairly common.

2 Answers
1

If your main requirement is to enable SSL, you can forgo the Cloudfront distribution entirely.

Simply provision an application load balancer with an AWS-provided certificate within the same region as your EC2 instance, then create a CNAME record pointing to the application load balancer's public domain.

Bisina
answered a year ago
  • Thank you and very helpful. I had determined that it was likely that CloudFront was unnecessary, but I greatly appreciate your confirmation. I think I am getting hung up with specifying the target group and having the certificate in us-east-1 when my EC2 instances are in us-east-2. I will take another crack at it.

    Unfortunately, my DNS is IONOS but I think I have this part figured out. However, will I need a certificate at the DNS for my sites to be deemed secure, or will the certificate on the load balancer suffice?

  • You do not need a certificate at the DNS provider. The certificate assigned to the load balancer will secure your connections to the EC2 instances. DNS only routes the traffic to the relevant endpoint, and SSL termination happens at this endpoint; in this instance it would be the application load balancer.

  • Thanks again. At this point I remain stuck on the requirement that my ACM Certificate must be in us-east-1 and my EC2 instances and load balancer are (or need to be) in us-east-2. If I create my load balancer in the us-east-2 (Ohio) I can't reach my certificate in us-east-1. If I create my load balancer in us-east-1 (Virginia), I can't reach the EC2 instances us-east-2. What am I missing?

  • You can simply request a new certificate in us-east-2 so all your resources would be in the same region. The us-east-1 requirement for an ACM certificate is only when you need to configure CloudFront.

  • Yes, thanks again for your response. I have successfully initiated a load balancer, attached my certificates, and attached my EC2 instances. My domain names now point to the AWS load balancer instance and this works properly in the sense that my web pages are served. However, my domains are still shown as not secure when I access them with http://example.com, example.com, or www.example.com (I am using example.com in place of my actual domain names). When I use https://example.com, I get a Web page with the message that "The connection for this site is not secure." My domain is being forwarded to the load balancer. In the https listener I am forwarding traffic to my EC2 instance. Do I need to set up authentication in the listener? If so, how is this accomplished? There is a lot about OIDC but it is not clear what might be required. Is there another parameter that must be tweaked?
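As an added example (not part of the thread and not Bisina's configuration), the setup the answer and its comments describe, written as Terraform: every resource in us-east-2 alongside the instances, a regional ACM certificate that also covers the www name (a hostname missing from the certificate is a common reason a browser reports an https page as not secure), an HTTPS listener on an ALB forwarding to the instances, and an HTTP listener that only redirects to HTTPS, since a page served over plain http is always flagged. The domain, VPC, subnet, security-group and instance identifiers are placeholders to be replaced with real values.

```hcl
# Everything is created in us-east-2, the region of the EC2 instances.
# Only a certificate used by CloudFront has to live in us-east-1.
provider "aws" {
  region = "us-east-2"
}

# Placeholder inputs: substitute the real domain, VPC, subnets, security group and instance IDs.
variable "domain" { default = "example.com" }
variable "vpc_id" { type = string }
variable "subnet_ids" { type = list(string) }   # two or more public subnets in different AZs
variable "alb_sg_id" { type = string }          # allows inbound 80 and 443 from the internet
variable "instance_ids" { type = list(string) } # the existing LAMP instances

# 1. Regional certificate that covers both the apex and the www name.
resource "aws_acm_certificate" "site" {
  domain_name               = var.domain
  subject_alternative_names = ["www.${var.domain}"]
  validation_method         = "DNS"
  lifecycle { create_before_destroy = true }
}

# DNS is hosted outside AWS, so these validation CNAMEs are created there by hand.
output "acm_validation_records" {
  value = [for dvo in aws_acm_certificate.site.domain_validation_options :
    { name = dvo.resource_record_name, type = dvo.resource_record_type, value = dvo.resource_record_value }
  ]
}

# Waits until ACM reports the certificate as issued; the HTTPS listener depends on this.
resource "aws_acm_certificate_validation" "site" {
  certificate_arn = aws_acm_certificate.site.arn
}

# 2. Target group: the instances keep serving plain HTTP on 80; TLS terminates at the ALB.
resource "aws_lb_target_group" "web" {
  name     = "web-http"
  port     = 80
  protocol = "HTTP"
  vpc_id   = var.vpc_id
}

resource "aws_lb_target_group_attachment" "web" {
  for_each         = toset(var.instance_ids)
  target_group_arn = aws_lb_target_group.web.arn
  target_id        = each.value
  port             = 80
}

# 3. The load balancer itself.
resource "aws_lb" "web" {
  name               = "web-alb"
  load_balancer_type = "application"
  security_groups    = [var.alb_sg_id]
  subnets            = var.subnet_ids
}

# 4. HTTPS listener carrying the validated regional certificate.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate_validation.site.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# 5. Plain HTTP only redirects, so http://example.com is never served unencrypted.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.web.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# Point the CNAME for www.example.com at this name in the external DNS.
output "alb_dns_name" {
  value = aws_lb.web.dns_name
}
```

Because the zone is hosted at IONOS rather than Route 53, apply in two steps: `terraform apply -target=aws_acm_certificate.site`, create the CNAMEs listed in `acm_validation_records` at IONOS, then run a full apply; the validation resource waits until ACM marks the certificate issued before the HTTPS listener is created. Point www.example.com at `alb_dns_name` with a CNAME; a CNAME cannot sit at the zone apex, so example.com itself needs whatever ALIAS/ANAME or forwarding feature the DNS provider offers. The instances' own security group should accept port 80 only from the ALB's security group, so the only public path into the application is through the TLS listener. Nothing in this setup requires an authentication action on the listener; OIDC authentication is a separate feature for restricting who may reach the application, not for making the connection itself secure.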

0

A web application using CloudFront, ALB, and EC2 is a fairly common configuration.

The ACM certificate to be set up for CloudFront must be issued in us-east-1 as described in this document.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-aws-region

The following documents may be helpful in troubleshooting CloudFront and ALB access.
https://repost.aws/knowledge-center/custom-origin-cloudfront-fails

EXPERT
answered a year ago
