Your NLB's target is your ALB. Your ALB is presenting a certificate for *.mycustomdomain.com to the NLB.
Does the ALB have a CNAME in mycustomdomain.com, and does the NLB talk to the ALB as my_alb_cname.mycustomdomain.com, or does it talk to it as something like my_alb-1234567890.my-region.elb.amazonaws.com?
If it's the latter then that's where your problem is - the NLB is talking to something at elb.amazonaws.com but getting a cert back for *.mycustomdomain.com.
The domain may not match the certificate set for ALB.
https://repost.aws/knowledge-center/api-gateway-500-error-vpc
Make sure that the endpoint domain name matches the certificate that's returned by the TLS enabled load balancer target.
My custom domain is d.<custom-domain>.com; the certificate is for <custom-domain>.com, with an additional subject alternative name for *.<custom-domain>.com.
When I curl d.<custom-domain>.com with verbose output I see that it does match the certificate
....
- subjectAltName: host "d.<custom-domain>.com" matched cert's "*.<custom-domain>.com"
- issuer: C=US; O=Amazon; CN=Amazon RSA.,....
- SSL certificate verify ok. ....
However I still get an internal server error at the end of the curl response and testing from one of my methods directly on the API gateway console I get the Execution failed due to configuration error....
I am a little confused. Shouldn't my CNAME record point to my API Gateway domain since that is the first layer that is communicating with my NLB via a VPC link?
Are you saying I should change my CNAME record for d.<custom-domain>.com to point to my ALB DNS name? I think I did that earlier but it was not working.
Thanks for helping btw I have been at this for far too long!
My NLB has a target group - listening on TCP and forwarding requests to my ALB - do I need to do something else to have my NLB talk to my ALB using my custom domain? I can only have one CNAME DNS record that maps to the subdomain?
If your ALB is presenting a cert for *.mycustomdomain.com then whatever is making the connection to the ALB has to connect to the ALB with a name that matches the wildcard in the cert.
Could you do the SSL offloading on the NLB https://aws.amazon.com/blogs/aws/new-tls-termination-for-network-load-balancers/ and then just pass through plain HTTP to the ALB, and then to ECS beyond that?
I did something now where I added a CNAME record for my alb as my-alb.<custom-domain>.com, and another CNAME record for my nlb as my-nlb.<custom-domain>.com.
I then updated my API Gateway VPC proxy integration to use the my-alb.<custom-domain>.com DNS name instead of the ALB DNS name.
When I send a test request from the method from the console I can see a valid response now!
... So in total I have three CNAME records with different subdomains
My API Gateway has a subdomain that I want to hit from my clients - d.<my-custom-domain>.com
My NLB has my-nlb.<my-custom-domain>.com. My ALB has another one: my-alb.<my-custom-domain>.com.
I then from my methods in my API gateway VPC proxy - use my-alb.<my-custom-domain>.com
And now it works - but I am not sure if this is just some really wonky work around
Not really subdomains, just records in the mycustomdomain.com zone. Important thing is their names are matching the cert that they are presenting whenever a TLS connection is made to them.
It sounds a bit over-engineered in that everything in the chain API -> NLB -> ALB is doing TLS.
The entry point is the API Gateway, definitely protect this with HTTPS and a cert (TLS will terminate on the API Gateway, it can't be passed through to the NLB).
Fair enough if you want to protect the traffic leaving the API Gateway through its entry to the VPC and to the NLB, use HTTPS again and the NLB needs a CNAME and has to present a cert.
Beyond that, if the only way to reach the ALB is from the NLB, and you already trust the NLB, then just plain HTTP would be enough (no cert or CNAME needed).
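The two points made in this thread (the first answer's "the NLB connects by the amazonaws.com name but gets a *.mycustomdomain.com cert back", and the final summary of which hops in API Gateway -> NLB -> ALB actually need TLS plus a matching name) can be checked offline with a small model of the chain. The following is an added example, not code from the thread or from AWS: it implements RFC 6125-style hostname-to-SAN matching (wildcard only as the whole leftmost label, matching exactly one label) and runs it over each TLS hop. The hop layout, the domain mycustomdomain.com, the ALB name my-alb-1234567890.us-east-1.elb.amazonaws.com and the SAN list are constructed for the example.

```python
"""Model the API Gateway -> NLB -> ALB chain and flag TLS hops whose
dialled name does not match the certificate the target presents.

Added example; names and hop layout are constructed, not taken from AWS.
"""
from dataclasses import dataclass


def hostname_matches_san(hostname: str, san: str) -> bool:
    """RFC 6125-style match: case-insensitive, label-by-label.

    A wildcard is honoured only when it is the entire leftmost label
    (``*.mycustomdomain.com``), and it matches exactly one label, so it
    covers ``d.mycustomdomain.com`` but neither ``a.b.mycustomdomain.com``
    nor the bare ``mycustomdomain.com``.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    san_labels = san.lower().rstrip(".").split(".")
    if len(host_labels) != len(san_labels):
        return False
    if san_labels[0] == "*":
        # Refuse wildcards like "*.com" that would cover a whole TLD.
        if len(san_labels) < 3:
            return False
        return host_labels[1:] == san_labels[1:]
    return host_labels == san_labels


def hostname_matches_cert(hostname: str, sans: tuple) -> bool:
    """True if any SAN on the certificate covers the dialled hostname."""
    return any(hostname_matches_san(hostname, san) for san in sans)


@dataclass(frozen=True)
class Hop:
    client: str          # who opens the connection
    target: str          # what it connects to
    connect_name: str    # DNS name dialled (and sent as SNI) by the client
    tls: bool            # does this hop use TLS at all?
    cert_sans: tuple = ()  # SANs on the cert the target presents, if tls


def check_chain(hops) -> list:
    """Return one description per TLS hop whose name does not match its cert.
    Plain-HTTP hops have no certificate to check and are skipped."""
    problems = []
    for hop in hops:
        if hop.tls and not hostname_matches_cert(hop.connect_name, hop.cert_sans):
            problems.append(
                f"{hop.client} -> {hop.target}: connects to "
                f"{hop.connect_name!r} but cert only covers {list(hop.cert_sans)}"
            )
    return problems


# Constructed: the ACM cert from the thread, base domain plus wildcard SAN.
CERT_SANS = ("mycustomdomain.com", "*.mycustomdomain.com")
# Constructed: an ALB's AWS-assigned DNS name, in the shape AWS uses.
ALB_AWS_NAME = "my-alb-1234567890.us-east-1.elb.amazonaws.com"

# Original (failing) layout: the integration points at the ALB's
# amazonaws.com name, so the name dialled cannot match *.mycustomdomain.com.
BROKEN_CHAIN = (
    Hop("client", "API Gateway", "d.mycustomdomain.com", True, CERT_SANS),
    Hop("API Gateway", "NLB", "my-nlb.mycustomdomain.com", True, CERT_SANS),
    Hop("NLB", "ALB", ALB_AWS_NAME, True, CERT_SANS),
)

# Layout the asker ended up with: a CNAME per load balancer in the zone,
# so every TLS hop dials a name the wildcard SAN covers.
FIXED_CHAIN = (
    Hop("client", "API Gateway", "d.mycustomdomain.com", True, CERT_SANS),
    Hop("API Gateway", "NLB", "my-nlb.mycustomdomain.com", True, CERT_SANS),
    Hop("NLB", "ALB", "my-alb.mycustomdomain.com", True, CERT_SANS),
)

# The leaner layout from the last reply: TLS up to the NLB, plain HTTP to
# an ALB that is only reachable from the NLB, so no cert or CNAME there.
LEAN_CHAIN = (
    Hop("client", "API Gateway", "d.mycustomdomain.com", True, CERT_SANS),
    Hop("API Gateway", "NLB", "my-nlb.mycustomdomain.com", True, CERT_SANS),
    Hop("NLB", "ALB", ALB_AWS_NAME, False),
)


if __name__ == "__main__":
    for name, chain in (("broken", BROKEN_CHAIN), ("fixed", FIXED_CHAIN),
                        ("lean", LEAN_CHAIN)):
        print(f"{name}: {check_chain(chain) or 'all TLS hops match'}")
```

Running it reports exactly one problem for the original layout (the NLB -> ALB hop dialled by the amazonaws.com name) and none for either of the other two, which is the distinction the thread converges on: a CNAME is only needed where a hop both uses TLS and must present a cert whose SAN covers the dialled name.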