
How can I add TLS listeners to an Elastic Beanstalk configuration's Network Load Balancer?

0

TLS termination has been supported by ELB's Network Load Balancers for a few years, however there does not appear to be a way to configure an NLB created with Elastic Beanstalk to use TLS listeners without annoying workarounds.

For context, I have an Elastic Beanstalk environment that is set up & launched entirely from CI scripts - this process has to be automated and can't involve manual steps on the AWS Console. The environment's source bundle contains some .ebextensions, one of which is a CloudFormation Resource snippet for adding Listeners to the environment's Network Load Balancer. Setting the Protocol in the listener resource to "TLS" (as documented in the CloudFormation reference here) results in the following errors when creating the environment:

SSL options are not supported for Network Load Balancers.
Value is not one of the allowed values: [HTTP, HTTPS, TCP]
Only TCP Protocols are supported for Network Load Balancers.

If I use the exact same resource snippet for the listener directly in a CloudFormation template, the listener is created correctly, so the error here appears to be artificially introduced by Elastic Beanstalk.

The only workaround we've found to work so far is to create TCP listeners in the Elastic Beanstalk resource, wait for the environment to be created, then fetch the EB-created CloudFormation stack and upload a changeset to swap the protocol from TCP to TLS. This isn't an ideal workflow, especially considering TLS listeners are directly supported in every other NLB context.

Are there any other configuration options here that would support creating TLS listeners in the Elastic Beanstalk environment creation without jumping through additional hoops?

1 Answer
0

To add TLS listeners to a Network Load Balancer (NLB) in an Elastic Beanstalk environment without manual steps, you might need to adjust your approach. Elastic Beanstalk doesn't natively support configuring TLS listeners directly, so a common workaround is to first let Elastic Beanstalk create the environment with the default TCP listeners. Once the environment is up, you can then use additional automation tools or scripts to modify the NLB and add TLS listeners.

For a more streamlined process, you could consider separating the NLB configuration from the Elastic Beanstalk deployment. After Elastic Beanstalk sets up the environment, you can use AWS CLI or a Lambda function to update the NLB with TLS settings. Alternatively, you could pre-configure the NLB with TLS listeners before linking it to Elastic Beanstalk, though this might involve some custom scripting.

In essence, while Elastic Beanstalk simplifies app management, configuring advanced NLB features like TLS listeners usually requires additional steps or separate handling to integrate smoothly into your CI/CD pipeline.

EXPERT
answered a year ago
AWS
EXPERT
reviewed a year ago
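
The post-creation step that the question's workaround and the answer above both describe, sketched with boto3 as an added example (not code from the question, the answer, or AWS). The port list, the TLS policy choice and the sample listener data are assumptions; `plan_tls_changes` and `apply_to_environment` are hypothetical names.

```python
"""Post-deploy CI step: switch an Elastic Beanstalk NLB's TCP listeners to TLS."""

# Assumption: a predefined ELB security policy; choose the one your clients need.
SSL_POLICY = "ELBSecurityPolicy-TLS13-1-2-2021-06"


def plan_tls_changes(listeners, cert_arn, ports=(443,), ssl_policy=SSL_POLICY):
    """Return modify_listener kwargs for every listener that still needs TLS.

    `listeners` is the "Listeners" list returned by elbv2 describe_listeners.
    Listeners already on TLS with the wanted certificate and policy are
    skipped, so the step can be re-run after each environment update.
    """
    if not cert_arn:
        raise ValueError("certificate ARN is empty (unset CI variable?)")
    changes = []
    for lst in listeners:
        if lst["Port"] not in ports:
            continue
        if lst["Protocol"] not in ("TCP", "TLS"):
            raise ValueError(f"port {lst['Port']}: cannot convert {lst['Protocol']}")
        certs = {c["CertificateArn"] for c in lst.get("Certificates", [])}
        if (lst["Protocol"] == "TLS" and cert_arn in certs
                and lst.get("SslPolicy") == ssl_policy):
            continue  # already in the desired state
        changes.append({
            "ListenerArn": lst["ListenerArn"],
            "Protocol": "TLS",
            "Certificates": [{"CertificateArn": cert_arn}],
            "SslPolicy": ssl_policy,
        })
    return changes


def apply_to_environment(env_name, cert_arn, ports=(443,)):
    """Look up the environment's load balancer and apply the planned changes."""
    import boto3  # imported here so the planning logic runs without AWS access
    eb, elbv2 = boto3.client("elasticbeanstalk"), boto3.client("elbv2")
    res = eb.describe_environment_resources(EnvironmentName=env_name)
    # Assumption: for an NLB environment, "Name" holds the load balancer ARN.
    lb_arn = res["EnvironmentResources"]["LoadBalancers"][0]["Name"]
    listeners = elbv2.describe_listeners(LoadBalancerArn=lb_arn)["Listeners"]
    changes = plan_tls_changes(listeners, cert_arn, ports)
    for change in changes:
        elbv2.modify_listener(**change)
    return changes


if __name__ == "__main__":
    # Constructed sample data, not output from a real account.
    demo = [{"ListenerArn": "arn:example:listener/a", "Port": 443, "Protocol": "TCP"}]
    print(plan_tls_changes(demo, "arn:example:certificate/placeholder"))
```

Changing the listener outside the Elastic Beanstalk-managed CloudFormation stack leaves that stack drifted, so the step is written to be re-run after environment updates.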
