
How to add an SSL (ACM) to ElasticBeanstalk with a Network Load Balancer

0

I'm using ElasticBeanstalk and need a static IP for our application, so I use a Network Load Balancer instead of an application load balancer. The problem is that when I "Select the check box for the 443 listener and choose Actions, Add SSL certificates for SNI," it is disabled.

I also tried to manually add the certificate via https-nlb.config:

option_settings:
  aws:elbv2:listener:443:
    ListenerEnabled: 'true'
    Protocol: TLS
    SSLCertificateArns: ****************
  aws:elasticbeanstalk:environment:process:https:
    Port: '443'
    Protocol: HTTPS

But I'm getting this error: Invalid option value: 'HTTPS' (Namespace: 'aws:elasticbeanstalk:environment:process:https', OptionName: 'Protocol'): Only TCP Protocols are supported for Network Load Balancers.

5 Answers
0

To add an SSL certificate (ACM) to Elastic Beanstalk with a Network Load Balancer (NLB), you need to make some adjustments to your configuration. The issue you're encountering is because Network Load Balancers operate at the transport layer (Layer 4) and only support TCP and TLS protocols, not HTTP or HTTPS directly.

Here's how you can configure it correctly:

  1. First, ensure that your ACM certificate is available in the same region as your Elastic Beanstalk environment.

  2. Modify your configuration file (e.g., https-nlb.config) as follows:

option_settings:
  aws:elbv2:listener:443:
    ListenerEnabled: 'true'
    Protocol: TLS
    SSLCertificateArns: arn:aws:acm:region:account-id:certificate/certificate-id
  aws:elasticbeanstalk:environment:process:https:
    Port: '443'
    Protocol: TCP

Note the changes:

  • The listener protocol is set to TLS (not HTTPS)
  • The process protocol is set to TCP (not HTTPS)
  • Replace the placeholder in SSLCertificateArns with your actual ACM certificate ARN

  3. The Network Load Balancer will handle the TLS termination, and then forward the decrypted traffic to your instances using TCP.

  4. Your application should be configured to listen on port 443 for the incoming TCP traffic.

  5. If you need to handle HTTP traffic as well, you can add another listener for port 80:

  aws:elbv2:listener:80:
    ListenerEnabled: 'true'
    Protocol: TCP
  aws:elasticbeanstalk:environment:process:http:
    Port: '80'
    Protocol: TCP

Remember that with a Network Load Balancer, you're responsible for SSL/TLS handling at the application level if needed, as the NLB doesn't process the HTTP layer.

By making these adjustments, you should be able to successfully add your SSL certificate to your Elastic Beanstalk environment using a Network Load Balancer while maintaining the static IP address benefit.
Sources
Configuring a Network Load Balancer - AWS Elastic Beanstalk
Configuring HTTPS Termination at the load balancer - AWS Elastic Beanstalk
Server certificates - AWS Elastic Beanstalk

answered 2 months ago
  • Hi Vinod, We need a static IP for a 3rd party integration that only allows a static IP to be whitelisted. That's why I used an NLB instead of an ALB.

0

Hi John,

You can use the below settings to use an SSL certificate via ACM to ensure we can use port 443 with a valid certificate:

option_settings:
  aws:elbv2:listener:443:
    DefaultProcess: https
    ListenerEnabled: 'true'
  aws:elasticbeanstalk:environment:process:https:
    Port: '443'
    SSLCertificateArns: <ARN>

Sharing the reference URLs:

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-nlb.html
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html#command-options-general-elbv2-listener

Please let me know if you need any additional help.

AWS
answered a month ago
  • Hi Vinod,

    I created a config file in the root directory - .ebextensions/https-nlb.config:

    option_settings:
      aws:elbv2:listener:443:
        DefaultProcess: https
        ListenerEnabled: 'true'
        SSLCertificateArns: *************
      aws:elasticbeanstalk:environment:process:https:
        Port: '443'

    Getting this error now: Invalid option value: 'null' (Namespace: 'aws:elbv2:listener:443', OptionName: 'SSLCertificateArns'): SSL options are not supported for Network Load Balancers.

0

I am still getting errors after updating my settings to:

option_settings:
  aws:elbv2:listener:443:
    DefaultProcess: https
    ListenerEnabled: 'true'
    Protocol: TLS
    SSLCertificateArns: *********
  aws:elasticbeanstalk:environment:process:https:
    Port: '443'
    Protocol: TCP


answered a month ago
  • Hi John,

    Can you try using the below one? In the meanwhile, may I know any specific reason you have used NLB here instead of ALB?

    option_settings:
      aws:elbv2:listener:443:
        DefaultProcess: https
        ListenerEnabled: 'true'
      aws:elasticbeanstalk:environment:process:https:
        Port: '443'

0

Hi John,

The error indicates that in your configuration files you are using https instead of TCP. Network Load Balancers operate at the transport layer (Layer 4) and only support TCP and TLS protocols, not HTTP or HTTPS directly.

Can you please modify the configurations accordingly and redeploy the same, and do let us know if you are still facing any issues.

AWS
answered 2 months ago
0

Hi, I already fixed that error by adding a TLS protocol. The issue now is: how do I use an SSL certificate via ACM to ensure we can use port 443 with a valid certificate?

answered 2 months ago
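
As an added example (not part of any post in this thread, and not Elastic Beanstalk's own validator), the Python check below encodes the two rejections quoted in the error messages above and runs them over constructed copies of two configurations from the thread. The function names and sample inputs are assumptions made for illustration; it accepts both the shorthand and the namespace/option_name/value forms of option_settings.

```python
# Added example: flags the two option_settings combinations that Elastic
# Beanstalk rejects for a Network Load Balancer in the errors quoted above.
LISTENER_NS = "aws:elbv2:listener:"
PROCESS_NS = "aws:elasticbeanstalk:environment:process:"


def iter_options(option_settings):
    """Yield (namespace, option, value) from either option_settings syntax."""
    if isinstance(option_settings, dict):  # shorthand: {namespace: {option: value}}
        for namespace, options in option_settings.items():
            for name, value in (options or {}).items():
                yield namespace, name, value
    else:  # standard: [{"namespace": ..., "option_name": ..., "value": ...}]
        for entry in option_settings:
            yield entry["namespace"], entry["option_name"], entry.get("value")


def check_nlb_options(option_settings):
    """Return (namespace, option, reason) for each setting the thread shows rejected."""
    findings = []
    for namespace, name, value in iter_options(option_settings):
        if namespace.startswith(PROCESS_NS) and name == "Protocol":
            if str(value).upper() != "TCP":
                findings.append((namespace, name,
                                 "Only TCP Protocols are supported for Network Load Balancers"))
        elif namespace.startswith(LISTENER_NS) and name == "SSLCertificateArns":
            # Assumption: rejected whatever the value, as the quoted error suggests.
            findings.append((namespace, name,
                             "SSL options are not supported for Network Load Balancers"))
    return findings


# Constructed inputs mirroring configurations posted in the thread ("<ARN>" is a placeholder).
QUESTION_CONFIG = {
    "aws:elbv2:listener:443": {"ListenerEnabled": "true", "Protocol": "TLS",
                               "SSLCertificateArns": "<ARN>"},
    "aws:elasticbeanstalk:environment:process:https": {"Port": "443", "Protocol": "HTTPS"},
}
LAST_SUGGESTED_CONFIG = [
    {"namespace": "aws:elbv2:listener:443", "option_name": "DefaultProcess", "value": "https"},
    {"namespace": "aws:elbv2:listener:443", "option_name": "ListenerEnabled", "value": "true"},
    {"namespace": "aws:elasticbeanstalk:environment:process:https", "option_name": "Port",
     "value": "443"},
]

if __name__ == "__main__":
    for label, config in (("question", QUESTION_CONFIG), ("suggested", LAST_SUGGESTED_CONFIG)):
        print(label, check_nlb_options(config) or "no findings")
```

An empty result means only that these two rejections are avoided; it does not show that the load balancer is presenting the ACM certificate on port 443.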
