All of the tutorials I read pertain to an Elastic Beanstalk Load Balancer, which I am not using with a Single Instance.

I can access my app deployed through Elastic Beanstalk by either using the environment URL or simply redirecting my Route 53 Type A record to either the Elastic Beanstalk environment or the EC2 public domain.

I want my webapp to use HTTPS, so I created an SSL Cert through ACM and attempted to deploy the cert on my webapp through CloudFront. I created a CloudFront distribution domain but this is where I am stuck: I cannot use my Elastic Beanstalk environment as an Origin Domain, only an S3 bucket.

How do I get CloudFront to talk to Elastic Beanstalk/EC2?

Directly accessing S3 is not an option: not only do I get 403 errors, but my project is an Angular App and .NET WebApi, which needs to be deployed and run, not simply accessed from an S3 folder. I also cannot bypass CloudFront and put the cert in my project, because you cannot download ACM certs.

Brandon Miller
  • Why not deploy the SSL cert on your ALB? Do you really want to use CF? – Marcin Oct 08 '22 at 05:46
  • I do not have a Load Balancer, I am using Single Instance. – Brandon Miller Oct 08 '22 at 06:10
  • In that case, even if you set up CF, the entire traffic between CF and EB will be HTTP (not HTTPS). So it's still a very insecure setup. Do you have SSL set up on your EB instance? – Marcin Oct 08 '22 at 06:21
  • What do you mean? I'm already telling CloudFormation to use HTTPS, so it should communicate with ElasticBeanstalk in HTTPS, right? I don't think I can use SSL on ElasticBeanstalk because there's no way to add the ACM cert to that instance – Brandon Miller Oct 08 '22 at 06:34

1 Answer

> it should communicate with ElasticBeanstalk in HTTPS right?

Sadly, this is not how it works. To have HTTPS between CF and EB, you must have a valid, public SSL certificate on your EB instance. You can't use self-signed certificates, nor does EB give you any SSL by default. If you do not have an ALB on EB, you have to get an SSL certificate from a third party (not ACM), such as Let's Encrypt, and deploy it on the instance. You also must have your own domain for that to work.

Only if the above is satisfied, you will have HTTPS on the entire path:

Client --- (https) --> CF ---- (https) ----> EB

Otherwise, you can only have:

Client --- (https) --> CF ---- (http) ----> EB

Which is a security risk as you use http (plain text) over the internet.

Marcin
  • Is it truly over the internet if these are both AWS Technologies existing within my VPC? Is there really no other way to get an ACM Cert onto an EB instance? I would rather not use a Load Balancer as my project is pretty small and will never need that functionality. Is there a reason why Load Balancer accepts certs but EB Single Instance does not? – Brandon Miller Oct 08 '22 at 06:51
  • Sorry for all the Q's, this is the first time I've gotten to talk to a human instead of the Documentation – Brandon Miller Oct 08 '22 at 07:00
  • @BrandonMiller CF is not in your VPC. It communicates with your EB over the internet. – Marcin Oct 08 '22 at 07:13
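
The two diagrams in the answer correspond to two separate CloudFront settings: `ViewerProtocolPolicy` on each cache behavior (client to CF) and `OriginProtocolPolicy` on each custom origin (CF to EB). The sketch below is an added example, not part of the original question or answer; it audits a distribution config for plaintext origin hops, and the sample config, origin IDs and domain names in it are constructed.

```python
# Constructed sample shaped like the "DistributionConfig" object returned by
# `aws cloudfront get-distribution-config`; IDs and domain names are made up.
SAMPLE_CONFIG = {
    "Origins": {"Items": [
        {"Id": "eb-http", "DomainName": "my-env.elasticbeanstalk.example",
         "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}},
        {"Id": "eb-tls", "DomainName": "origin.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
    ]},
    "DefaultCacheBehavior": {"TargetOriginId": "eb-http",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Items": [
        {"PathPattern": "/api/*", "TargetOriginId": "eb-tls",
         "ViewerProtocolPolicy": "https-only"},
    ]},
}


def origin_hop(origin_policy, viewer_policy):
    """Return the protocol CloudFront uses on the CF -> origin hop."""
    if origin_policy == "https-only":
        # Only works if the origin presents a valid, publicly trusted cert.
        return "https"
    if origin_policy == "http-only":
        return "http"
    # match-viewer: the origin gets whatever the viewer used, so the hop is
    # always HTTPS only when plain-HTTP viewers are refused or redirected.
    if viewer_policy in ("https-only", "redirect-to-https"):
        return "https"
    return "http-possible"


def audit(config):
    """Map each cache behavior's path pattern to (client hop, origin hop)."""
    origins = {o["Id"]: o for o in config["Origins"]["Items"]}
    behaviors = [dict(config["DefaultCacheBehavior"], PathPattern="*")]
    behaviors += config.get("CacheBehaviors", {}).get("Items", [])
    report = {}
    for b in behaviors:
        custom = origins[b["TargetOriginId"]].get("CustomOriginConfig")
        if custom is None:  # S3 origin, not the EB/EC2 case discussed here
            continue
        viewer = "http-allowed" if b["ViewerProtocolPolicy"] == "allow-all" else "https"
        report[b["PathPattern"]] = (
            viewer, origin_hop(custom["OriginProtocolPolicy"], b["ViewerProtocolPolicy"]))
    return report


if __name__ == "__main__":
    for path, (viewer, origin) in audit(SAMPLE_CONFIG).items():
        print(f"{path}: Client --({viewer})--> CF --({origin})--> EB")
```

Any behavior reported with an origin hop of `http` or `http-possible` is the second diagram from the answer, regardless of what the viewer-side policy says.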