2 Answers
1
Hello.
Is an SSL certificate deployed on the EC2 instance of Elastic Beanstalk?
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-endtoend.html
The following documents should also be read together.
https://repost.aws/knowledge-center/elastic-beanstalk-ssl-configuration
0
AWS, can you confirm if this is correct?
- HTTP traffic from client reaching ALB on VPC public subnet is automatically rerouted to use port HTTPS
- ALB decrypts the HTTPS traffic and forwards to VPC instance private subnet using the port on default process (80)
- Internally to the VPC the information is being processed unencrypted using port 80, and is returned to ALB using port 80. Therefore VPC has ingress port 80 with source traffic from ALB, and all egress traffic from VPC private subnets uses port 80 as well.
- The ALB receives unencrypted traffic from VPC instance private subnet, re-encrypts the traffic and returns the encrypted traffic to the client using port 443 HTTPS. Therefore it seems to me that ALB SG needs HTTP and HTTPS egress entries. IS THIS CORRECT?
answered a year ago
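An added example, not part of either answer and not AWS's own code: a check of the ALB-to-instance hop described in the answer above, run offline over rules in the dict shape that boto3's `describe_security_groups()` returns. The group IDs, the helper names and the finding codes are constructed for illustration. Security groups are stateful, so the sample treats responses to clients as needing no ALB egress rule.

```python
# Added example: offline audit of rules shaped like boto3 describe_security_groups() output.
def covers(rule, port):
    """True if this IpPermission entry allows TCP traffic on `port`."""
    proto = rule.get("IpProtocol")  # "-1" means all protocols and ports
    return proto == "-1" or (proto == "tcp"
                             and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))

def is_open(rule):
    """True if the rule's peer is the whole internet."""
    return (any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
            or any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", [])))

def refs(rule, group_id):
    """True if the rule's peer is security group `group_id`."""
    return any(p.get("GroupId") == group_id for p in rule.get("UserIdGroupPairs", []))

def audit_alb_path(alb_sg, inst_sg, port=80):
    """Return finding codes for the ALB -> instance hop on `port`."""
    findings = []
    egress = alb_sg.get("IpPermissionsEgress", [])
    ingress = inst_sg.get("IpPermissions", [])
    # The ALB itself opens connections to the instances (forwarding, health checks).
    if not any(covers(r, port) and (refs(r, inst_sg["GroupId"]) or is_open(r)) for r in egress):
        findings.append("alb-egress-missing")
    if any(is_open(r) for r in egress):
        findings.append("alb-egress-open")
    if not any(covers(r, port) and refs(r, alb_sg["GroupId"]) for r in ingress):
        findings.append("instance-ingress-missing")
    if any(covers(r, port) and is_open(r) for r in ingress):
        findings.append("instance-ingress-open")
    return findings

def perm(proto, port=None, group=None, cidr=None):  # builds one constructed IpPermission entry
    rule = {"IpProtocol": proto,
            "IpRanges": [{"CidrIp": cidr}] if cidr else [],
            "UserIdGroupPairs": [{"GroupId": group}] if group else []}
    if port is not None:
        rule["FromPort"] = rule["ToPort"] = port
    return rule

# Constructed sample: the only ALB egress rule is TCP 80 to the instance group.
# Replies to clients on 443 need no egress rule because security groups are stateful.
TIGHT_ALB = {"GroupId": "sg-alb-example",
             "IpPermissions": [perm("tcp", 80, cidr="0.0.0.0/0"), perm("tcp", 443, cidr="0.0.0.0/0")],
             "IpPermissionsEgress": [perm("tcp", 80, group="sg-inst-example")]}
TIGHT_INST = {"GroupId": "sg-inst-example", "IpPermissions": [perm("tcp", 80, group="sg-alb-example")]}
# Constructed sample: allow-all egress on the ALB and port 80 open to the world.
LOOSE_ALB = dict(TIGHT_ALB, IpPermissionsEgress=[perm("-1", cidr="0.0.0.0/0")])
LOOSE_INST = dict(TIGHT_INST, IpPermissions=[perm("tcp", 80, cidr="0.0.0.0/0")])
```

`audit_alb_path(TIGHT_ALB, TIGHT_INST)` returns an empty list, while the loose pair is flagged for open ALB egress and for an instance port reachable without passing through the ALB.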
Thank you for sharing this additional information. What about if I only want to re-encrypt the traffic leaving the ALB?
Recap: ingress today has listeners for HTTP and HTTPS, with HTTP traffic being re-routed to port 443 at the Load Balancer. The default process being used is using HTTP, port 80. How can I enforce that traffic is re-encrypted at the ALB prior to returning to the client?
According to Elastic Beanstalk documentation, the ALB is capable of handling the encryption, decryption and re-encryption automatically even when traffic is forwarded to instances using port 80. So why is it defaulting the ALB egress to port 80? https://aws.amazon.com/blogs/security/hardening-the-security-of-your-aws-elastic-beanstalk-application-the-well-architected-way/