Troubleshoting HTTPS on Elastic Beanstalk

0

I used to have HTTPS working on my Beanstalk environment but in the attempt of allowing access to another service I messed up something and I can't get it working again. ATM my configuration is:

Elastic Beanstalk

  • An active listener on port 443 with the appropriate certificate
  • A process on port 80, Health check path: /

EC2 and Security groups:

  • One security group allowing inbound from 443, 80 and 27017
  • Outbound all ports all IPs

What I think I messed up: How to determine the correct origin for the security groups?

Also, is there anything wrong on this setup? I read many guides, I am not going to terminate the https connections like explained in this guide https://aws.amazon.com/premiumsupport/knowledge-center/elastic-beanstalk-https-configuration/ simply because I haven't done it before and it was working. Do I really need it?

thanks M

3 Answers
1

Hello, thank you for your question!

Termination of HTTPS is important because it guides where the HTTPS connection stops. Assuming Beanstalk automatically created an ALB, the first thing to consider is how you are configuring your HTTPS termination, whether at the Load Balancer or at the Instance.

If at the Load Balancer, please verify that these steps are correctly configured:

  • Choose ‘Add Listener’

  • In the ‘Application Load Balancer listener’ dialog box, configure the following settings:

    • For ‘Port’, type incoming traffic port, typically 443

    • For ‘Protocol’, choose ‘HTTPS’

    • For ‘SSL certificate’, choose your certificate

  • Choose 'Add'

If at the Instance, you must set up certain configuration files, such as .ebextensions/https-instance-securitygroup.config

Once you have successfully configured termination, you can check your Network ACLs and Security Groups once more:

  • Check to see what subnet your instance is a part of (this will determine how you will configure your Route Tables)

  • Verify NACLs allow inbound/outbound traffic as deemed appropriate by your environment

  • Once NACLs are configured, check SGs again, and then attempt to connect again

Note that NACLs control the traffic into and out of the subnet, while Security Groups control traffic into the instance.

Hopefully, this answers your question!

For more detailed troubleshooting, please check out these resources:

Diana_D
answered 8 months ago
0

Yes I opened port 80/443/27017 on a security group that I attached to the instances, not sure where else they need to be opened?

Do I need a security group for the load balancer and a separate one for the instances?

Can you clarify this point please?

answered a year ago
  • Yes the load balancer has it's own security group as well as the instances.

0

So you have opened up access in the security group for your load balancer on port 80/443/27017, have you also made sure that this security group has been added to the security group on the instances running your beanstalk application?

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions