How do I set up end-to-end HTTPS connectivity with AWS PrivateLink?
I need end-to-end HTTPS connectivity between clients in a consumer VPC and applications running behind a Network Load Balancer in a service provider VPC.
Resolution
Create a self-signed X.509 certificate for your application with OpenSSL. Then, install it on the required Amazon Elastic Compute Cloud (Amazon EC2) instances. Note: This certificate is used only between the Elastic Load Balancer and the target EC2 instances. It's a best practice to have a trusted Certificate Authority sign your certificates, and to use self-signed certificates only in a test environment or for encryption between an Elastic Load Balancer and Amazon EC2 targets. The load balancer does not validate these certificates. Traffic between the ELB and the targets is authenticated at the packet level.
Create a TLS target group for your Network Load Balancer. Then, register the EC2 instances as targets. The load balancer automatically uses the self-signed certificate installed on the targets to encrypt the backend traffic.
Request a public certificate for your domain name using AWS Certificate Manager (ACM). This certificate is used between the load balancer and clients. Important: Verify that the domain name that you specify matches the domain name of your website. If this entry doesn't match the domain name that users see when they visit your site (for example, www.example.com), they might receive a certificate error.
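The following script is an added example, not part of the AWS article: it generates the backend self-signed certificate with OpenSSL, checks that it is self-signed and not close to expiry, and wraps the AWS CLI calls for the TLS target group and the ACM request. The directory, common name, target-group name, VPC ID and domain are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the AWS article). Names, ports and IDs are assumptions.
set -eu

# Generate a 2048-bit RSA key and a self-signed cert valid for $3 days.
# The CN is informative only: the NLB does not validate backend certificates.
make_backend_cert() {            # $1=output dir  $2=common name  $3=days
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
    -subj "/CN=$2" -keyout "$1/backend.key" -out "$1/backend.crt" 2>/dev/null
  chmod 600 "$1/backend.key"     # private key stays readable by the owner only
}

# Print the CN of a certificate (works with old "/CN=" and new "CN = " output).
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed only if the cert is self-signed, i.e. issuer equals subject.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" = \
    "$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')" ]
}

# Succeed only if the cert is still valid $2 days from now (renewal guard).
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# AWS CLI steps; require credentials and a real VPC ID (assumed placeholders).
create_tls_target_group() {      # $1=target group name  $2=vpc-id
  aws elbv2 create-target-group --name "$1" --protocol TLS --port 443 \
    --vpc-id "$2" --target-type instance \
    --health-check-protocol HTTPS --health-check-path /
}

request_public_cert() {          # $1=domain name that clients will use
  aws acm request-certificate --domain-name "$1" --validation-method DNS
}
```

Run `make_backend_cert ./certs app.internal.example 365` on each target, then `create_tls_target_group` and `request_public_cert` from a host with AWS credentials.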