How to setup SSL for instance inside the ELB and communicating with a node instance outside the ELB

Question

I have create an architecture on AWS (hope it should not be wrong) by using the ELB, autoscaling, RDS and one node ec2 instance outside the ELB. Now I am not getting, that, how I can implement the SSL on this architecture.

Let me explain this in brief:

1. I have created one Classic Load Balancer.
2. Created on autoscaling group.
3. Assign instances to autoscaling group.
4. And lastly I have created one Instance that I am using for the node and this is outside the Load Balancer and Autoscaling group.

Now when I have implemented the SSL to my Load Balancer, the inner instances are communicating with the node instance on the HTTP request and because the node instance is outside the load balancer so the request is getting blocked.

Can someone please help me to implement the SSL for this architecture.

Sorry if you got confused with my architecture, if there is any other best architecture could be possible then please let me know I can change my architecture.

Thanks,

Answer 1

When you have static content, your best bet is to serve it from Cloudfront using an S3 bucket as its origin.

About SSL, you could set the SSL at your ELB level, follow the documentation .

Your ELB listens on two ports: 80 and 443 and communicates with your ASG instances only using their open port 80. So when secure requests come to the ELB, it forwards them to your server ( EC2 in the ASG ). Then, your server, listening on port 80, receives the request; if the request have the X-FORWARDED-PROTO HTTPS, the server does nothing, otherwise it sets it and forward/rewrite the URL to be a secure one and the process restart.

I hope this helps and be careful of ERR_TOO_MANY_REDIRECTS

Answer 2

"because the node instance is outside the load balancer so the request is getting blocked."

If they're in the same VPC you should check the security group that you've assigned to your instances. Specifically you're going to want to allow connections coming in to the ports 443 and/or 80 on the stand-alone instance to be accessible from the security group assigned to the load balancer instances - let's call those 'sg-load_balancer' (check your AWS Console to see what the actual security group id is).

To check this - select the security group for the stand-alone instance, notice the tabs at the bottom of the page. Click on the 'Inbound' tab. You should see a set of rules... You'll want to make sure there's one for HTTP and/or HTTPS and in the 'Source' instead of putting the IP address put the security group for the load balancer instances -- it'll start with sg- and the console will give you a dropdown to show you valid entries.

If you don't see the security group for the load balancer instances there's a good chance they're not in the same VPC. To check - bring up the console and look for the VPC Id on each node. That'll start with vpc_. These should be the same. If not you'll have to setup rules and routing tables to allow traffic between them... That's a bit more involved, take a look at a similar problem to get some ideas on how to solve that problem: Allowing Amazon VPC A to get to a new private subnet on VPC B?

Answer 3

Have you considered using an Application Load Balancer with two target groups and a listener rule?

If the single EC2 instance is just hosting static content, and is serving content on a common path (e.g. /static), then everything can sit behind a shared load balancer with one common certificate that you can configure with ACM.