Let's face it, SSL/TLS encryption is important for any website, even if you're not handling credit card transactions. There are a few challenges with it though: certificates can be expensive, renewals are a pain, and there is a lot of server configuration required to make everything work well.
When you're using Amazon Web Services another challenge comes up which is hard to mitigate with traditional certificates installed on the web server: once you start autoscaling, the certificate is baked into the AMI, so when it expires every instance launched from that image serves an expired cert until you rebuild the image. Fortunately Amazon has thought of this and is here to help us out: welcome the Amazon Classic Load Balancer with an HTTPS Listener.
What is a Classic Load Balancer?
The load balancer serves as a single point of contact for clients. It distributes incoming requests across multiple servers for high availability, and gives you the opportunity to add and remove instances from the load balancer as your needs change, without disrupting the overall flow of requests to your application.
In addition, you can even get redundancy across multiple EC2 instances in multiple Availability Zones. This further increases the fault tolerance of your applications.
What is an HTTPS Listener?
A listener is the part of your load balancer that accepts client connections. Each listener is configured with a front-end protocol and port (what clients connect to) and a back-end protocol and port (what the load balancer connects to on your instances). What makes this interesting for us is that we can listen on HTTPS (443) and route traffic to EC2 instances that are listening on plain HTTP (80): TLS is terminated at the load balancer, so none of the web servers need a certificate or any SSL configuration. Two caveats come with that. First, the hop from the load balancer to the instance is unencrypted, so restrict the instances' security group to accept port 80 only from the load balancer's security group (or configure an HTTPS back-end listener if you need encryption end to end). Second, your application only ever sees HTTP; the scheme the client actually used arrives in the X-Forwarded-Proto header, and the Classic Load Balancer does not redirect HTTP to HTTPS for you, so the application has to do that itself.
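Because the instance only sees plain HTTP from the load balancer, the application has to handle the redirect and the secure-cookie hygiene itself. Here is an added example (not code from the original post or from AWS) of a small WSGI middleware that does this: it reads the client's real scheme from X-Forwarded-Proto, but only trusts that header when the request arrived from the load balancer's private subnet, redirects everything else to HTTPS, and marks cookies Secure and adds HSTS on responses that did come in over HTTPS. The subnet in TRUSTED_PROXY_CIDRS, the hostname app.example.com and the sample requests are all constructed assumptions; substitute your own VPC ranges.

```python
"""Added example (not from the original post): a WSGI middleware for an
app on an EC2 instance behind a Classic Load Balancer that terminates TLS.
The instance only ever sees plain HTTP from the load balancer, so the
client's real scheme has to be read from X-Forwarded-Proto, and that header
is trusted only when the request really came from the load balancer."""
import ipaddress

# Hypothetical: private ranges the load balancer nodes live in (assumption,
# substitute your own VPC subnets).  Only these sources may assert
# X-Forwarded-Proto; anyone else could forge it and skip the redirect.
TRUSTED_PROXY_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]


def from_trusted_proxy(remote_addr):
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_CIDRS)


def effective_scheme(environ):
    """Scheme the client used, not the one the instance sees (always http)."""
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if forwarded and from_trusted_proxy(environ.get("REMOTE_ADDR", "")):
        return forwarded.split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http")


def https_location(environ):
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = environ.get("PATH_INFO") or "/"
    query = environ.get("QUERY_STRING", "")
    return "https://%s%s%s" % (host, path, "?" + query if query else "")


def secure_cookie(value):
    # A cookie without Secure is also sent on the plain-HTTP hop, which is
    # exactly what a downgrade attacker wants to observe.
    attrs = [a.strip().lower() for a in value.split(";")]
    return value if "secure" in attrs else value + "; Secure"


class ForceHTTPS:
    """301 plain-HTTP requests to HTTPS; add HSTS and Secure cookies otherwise."""

    def __init__(self, app, hsts_max_age=31536000):
        self.app = app
        self.hsts = "max-age=%d; includeSubDomains" % hsts_max_age

    def __call__(self, environ, start_response):
        if effective_scheme(environ) != "https":
            start_response("301 Moved Permanently",
                           [("Location", https_location(environ)),
                            ("Content-Type", "text/plain")])
            return [b"Redirecting to HTTPS\n"]

        def hardened_start_response(status, headers, exc_info=None):
            headers = [(k, secure_cookie(v) if k.lower() == "set-cookie" else v)
                       for k, v in headers]
            headers.append(("Strict-Transport-Security", self.hsts))
            return start_response(status, headers, exc_info)

        return self.app(environ, hardened_start_response)


def hello_app(environ, start_response):
    # Stand-in for the real application; sets a cookie without Secure.
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc; HttpOnly")])
    return [b"hello\n"]


def call(app, environ):
    """Tiny WSGI driver: returns (status, headers, body) for one request."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def sample_environ(forwarded_proto, remote_addr="10.0.1.5"):
    """Constructed request as the instance sees it arriving from the ELB."""
    env = {"REQUEST_METHOD": "GET", "wsgi.url_scheme": "http",
           "SERVER_NAME": "app.example.com", "HTTP_HOST": "app.example.com",
           "PATH_INFO": "/login", "QUERY_STRING": "next=%2F",
           "REMOTE_ADDR": remote_addr}
    if forwarded_proto is not None:
        env["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return env


if __name__ == "__main__":
    app = ForceHTTPS(hello_app)
    print(call(app, sample_environ("http")))                              # 301
    print(call(app, sample_environ("https")))                             # 200 + HSTS
    print(call(app, sample_environ("https", remote_addr="203.0.113.9")))  # 301, header not trusted
```

The third request in the demo is the one worth noticing: a client that reaches the instance directly (bypassing the load balancer) and sets X-Forwarded-Proto: https itself still gets redirected, because the header is only honoured from the load balancer's address range. Pair this with the security-group rule above so that direct access is blocked at the network layer as well.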
Setting up the Load Balancer
Amazon has a great article on this so I'm going to refer you to that to get things setup and start taking advantage of this great service.
Setting up a Certificate
So, here is the magic: you request a certificate for your load balancer using AWS Certificate Manager (https://aws.amazon.com/certificate-manager/). This removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates. With AWS Certificate Manager, you can quickly request a certificate, deploy it on AWS resources such as Elastic Load Balancers or Amazon CloudFront distributions, and let AWS Certificate Manager handle certificate renewals. SSL/TLS certificates provisioned through AWS Certificate Manager are free; you pay only for the AWS resources you create to run your application. Two things to keep in mind: the private key never leaves ACM, so these certificates can only be attached to integrated AWS services (they cannot be exported onto your own instances), and managed renewal only works while ACM can still validate that you control the domain, so prefer DNS validation and leave the validation CNAME record in place.
Once you set up a certificate you can associate it with your HTTPS Listener and you're in business: no more third-party certificates needed, all basically for free. Here is some direction to get you started: http://docs.aws.amazon.com/acm/latest/userguide/gs-elb.html
Tip: Updating your DNS
Because the set of IP addresses associated with a load balancer can change over time, you should never create an "A" record pointing at any specific IP address. If you want to use a friendly DNS name for your load balancer instead of the name generated by the Elastic Load Balancing service, create a CNAME record for the load balancer's DNS name, or use Amazon Route 53 to create a hosted zone and add an alias record that targets the load balancer. The alias record is the better option: it is resolved by Route 53 itself, follows the load balancer's addresses as they change, and, unlike a CNAME, can be used at the zone apex (example.com rather than www.example.com).
Shane Quigley is an expert in data warehousing, business intelligence, systems analysis, and solution architecture.