
AWS calling ec2 on private subnet via ELB (with cognito) on 2 public subnets shows "An error was encountered with the requested page."

0

Hi,

I have an EC2 instance running Docker. I have currently deployed an nginx container which runs a React app. I further plan to deploy microservices on this same Docker instance.

The EC2 instance described above is on a private subnet. I have set up an ELB on 2 public subnets which calls the EC2 on the private subnet.

My hurdle is with setting up security.

  1. If I set up the ELB with Cognito, with the App client as Traditional web app, I get the message "An error was encountered with the requested Page".

  2. If I remove Cognito from the ELB & have the React app use Cognito directly (by providing a login page & using an SPA Cognito client), it does seem to work. But then, I am unsure if this is a great way to do it.

My understanding is that it would be best to place the Cognito on the ELB. Unsure if I am missing something, but then I am unable to reach the EC2 as mentioned at point 1).

My question: will it be a must to put the React application on the ELB public subnet to do the authentication? Or are there some better or other approaches? I would always prefer to have all my application & services running on one EC2 Docker.

Regards, Prakash

3 Answers
3
Accepted Answer

For ALB Cognito setup, you can refer to How do I set up an Application Load Balancer to authenticate users through an Amazon Cognito user pool?

Alternatively, do not enable Cognito on the ALB. Let your EC2 React app handle Cognito authentication. Set up the ALB with the EC2 in the private subnet as target. This option ensures that your EC2 instance is not directly exposed to the internet. You can use ACM to request an SSL/TLS cert and associate it with the ALB, and associate AWS WAF with the ALB to protect against web application attacks.

AWS
EXPERT
answered a year ago
0

Based on your setup and the issues you're encountering, there are a few points to consider and potential solutions to explore:

  1. Using Amazon Cognito with Elastic Load Balancer (ELB): It's generally a good practice to handle authentication at the edge of your network, which in this case would be the ELB. However, the error you're encountering suggests there might be a misconfiguration in how Cognito is integrated with your ELB.

  2. ELB and EC2 communication: Ensure that your ELB security group allows incoming traffic from the internet and that the EC2 instance's security group allows incoming traffic from the ELB. Also, check that your VPC routing is correctly set up to allow traffic between the public subnets (where your ELB is) and the private subnet (where your EC2 instance is).

  3. Cognito configuration: When using Cognito with ELB, make sure you've correctly set up the Cognito User Pool, App Client, and Domain. The callback URLs in your Cognito App Client should match the URLs that your application will use after authentication.

  4. Alternative approach: While it's possible to have the React app handle Cognito authentication directly (as you've found in your second approach), this isn't typically recommended for security reasons. It exposes your Cognito App Client credentials in the frontend code.

  5. Recommended approach: A common and secure pattern is to keep your React application on the EC2 instance in the private subnet, use the ELB with Cognito for authentication, and then pass the authenticated requests to your EC2 instance. This way, your application remains secure in the private subnet while still benefiting from Cognito's authentication.

  6. Troubleshooting: For the "An error was encountered with the requested page" message, check your ELB logs and EC2 instance logs for more detailed error messages. Ensure that your ELB health checks are passing and that your EC2 instance is correctly responding to requests from the ELB.

  7. Microservices consideration: As you plan to deploy microservices on the same Docker instance, consider whether this aligns with best practices for microservice architecture. Typically, microservices are deployed independently for better scalability and isolation.

In conclusion, you don't need to move your React application to a public subnet. The recommended approach is to keep using the ELB in public subnets with Cognito for authentication, while your EC2 instance with the React app and future microservices remains in the private subnet. Focus on correctly configuring the Cognito integration with your ELB and ensuring proper network connectivity between your ELB and EC2 instance.

Sources
Common scenarios - AWS Identity and Access Management
Amazon Cognito is now available in Asia Pacific (Melbourne) Region

answered a year ago
EXPERT
reviewed a year ago
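Point 3 of the answer above (User Pool, App Client, callback URLs) and point 1 of the question (a Traditional web app client versus an SPA client) come down to a handful of app-client settings that the ALB authenticate-cognito action requires: a client secret, the authorization code grant, the openid scope and a callback URL ending in /oauth2/idpresponse on the ALB's hostname. The following is an added example, not code from this thread or from AWS: it checks a record shaped like `describe-user-pool-client` output (constructed placeholder values) against those requirements; `alb_auth_problems` and the example hostnames are assumptions.

```python
from typing import Dict, List

# Path on which the ALB authenticate-cognito action receives the authorization
# code; it must be registered as a callback URL on the Cognito app client.
ALB_CALLBACK_PATH = "/oauth2/idpresponse"

# Constructed samples shaped like the UserPoolClient object returned by
# `aws cognito-idp describe-user-pool-client`; placeholder values only.
SPA_CLIENT: Dict = {
    "ClientName": "react-spa",
    # single-page-app clients are public clients: no secret is generated
    "AllowedOAuthFlowsUserPoolClient": True,
    "AllowedOAuthFlows": ["code"],
    "AllowedOAuthScopes": ["openid", "email"],
    "CallbackURLs": ["https://app.example.com/"],
}
WEB_CLIENT: Dict = {
    "ClientName": "react-alb",
    "ClientSecret": "PLACEHOLDER-SECRET",  # confidential client, as the ALB needs
    "AllowedOAuthFlowsUserPoolClient": True,
    "AllowedOAuthFlows": ["code"],
    "AllowedOAuthScopes": ["openid", "email"],
    "CallbackURLs": ["https://app.example.com/oauth2/idpresponse"],
}


def alb_auth_problems(client: Dict, alb_host: str) -> List[str]:
    """Return the mismatches between an app client and what the ALB
    authenticate-cognito action requires; an empty list means it fits."""
    problems: List[str] = []
    if not client.get("ClientSecret"):
        problems.append("no client secret: the ALB needs a confidential "
                        "(traditional web app) client, not an SPA client")
    if not client.get("AllowedOAuthFlowsUserPoolClient"):
        problems.append("hosted UI / OAuth flows are disabled for this client")
    if "code" not in client.get("AllowedOAuthFlows", []):
        problems.append("authorization code grant is not enabled")
    if "openid" not in client.get("AllowedOAuthScopes", []):
        problems.append("openid scope is not allowed")
    expected = f"https://{alb_host}{ALB_CALLBACK_PATH}"
    if expected not in client.get("CallbackURLs", []):
        problems.append(f"callback URLs do not include {expected}")
    return problems


if __name__ == "__main__":
    for c in (SPA_CLIENT, WEB_CLIENT):
        print(c["ClientName"], alb_auth_problems(c, "app.example.com") or "OK")
```

Run against a real client, the same checks apply to the output of `aws cognito-idp describe-user-pool-client`; the Cognito domain the ALB redirects to is configured separately and is not covered here.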
0

This is a bit old but should still be a valid example of configuring ALB+Cognito and decoding the JWT token at the backend. In my case I used a Lambda function as the ALB backend to keep the demo as simple as possible, but that shouldn't make a difference.

https://carriagereturn.nl/aws/cognito/alb/lambda/authentication/jwt/2019/06/15/pleased-to-meet-you.html

EXPERT
answered a year ago
