0

I have this flow:

user => Cloudfront with TLS => ALB with TLS => ECS

I encrypted connection between Cloudfront and ALB.

  • Cloudfront has domain MAIN.DOMAIN.NET + TLS cert configured.
  • ALB also has domain WEB.DOMAIN.NET + TLS cert (it seems that for an ALB HTTPS listener one also needs a TLS cert with a valid domain name, which is why I added a domain for the ALB as well).
  • there is S3 Cloudfront origin for static files, let's say FILES.DOMAIN.NET.

I want CloudFront in front of the ALB, and everything seems to work well. But do I really need a custom domain for the ALB, or did I miss something? It seems overly complex to me (it gets harder to use CloudFormation with my current domain provider).

wtdmn
  • From memory, I don't think so. The default URL should be OK. The great thing about cloud is it's really quick, easy and cheap to try things like this. – Tim Jul 26 '22 at 21:48

3 Answers

0

You do not need a custom domain for the origin domain. For example, the CloudFront documentation uses

Elastic Load Balancing load balancer – example-load-balancer-1234567890.us-west-2.elb.amazonaws.com

as an example origin.

Mark Wagner
  • Yes, but you cannot generate a TLS certificate for this AWS domain, so you wouldn't be able to use an HTTPS ALB listener. Or am I wrong? – wtdmn Jul 26 '22 at 23:43
  • AWS can generate a certificate for their domain. https is probably available on the domain. Try it and see, it'll take 5 minutes. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#default-certificate – Tim Jul 26 '22 at 23:55
  • @wtdmn I think you are correct. You'll still need the custom domain. I wrongly assumed AWS could create a "foo.us-west-2.elb.amazonaws.com" ssl cert for ALBs for you, but it doesn't. – Mark Wagner Jul 27 '22 at 00:18
  • @MarkWagner Have you tested? I don't have one handy, but I'm pretty sure they've got a *.us-west-2.elb.amazonaws.com certificate for exactly this purpose. – ceejayoz Jul 27 '22 at 00:59
  • @ceejayoz I poked at it for a while and could not find such a cert. There are a bunch of other Server Fault (and cousins) questions with similar questions and the answer that it isn't possible. See https://stackoverflow.com/questions/52291193/can-i-use-aws-own-elb-certificate-for-https-ssl-connection – Mark Wagner Jul 27 '22 at 17:49
0

I ended up using a custom domain + TLS for the ALB (one of the pros is that the cert rotates automatically). I don't think it's possible to do it otherwise.

  • when configuring an ALB HTTPS listener, a TLS cert is a required field
  • it's impossible to use ACM to generate a certificate for AWS-managed domains
  • when using an imported certificate in ACM, an FQDN is required
  • it seems that for an HTTPS ALB listener, a self-signed cert can't be used. It is totally possible to generate a certificate with an FQDN like *.eu-east-1.alb.aws.com, but CloudFront returns 502.
wtdmn
0
  • I tested today after being stuck for a long time with the CloudFront 502 error code. Indeed, CloudFront needs a valid certificate on its origin, here the ALB.

  • On the ALB side, you cannot change the DNS name, so it will create a name with the suffix domain amazonaws.com, and you cannot create certificates for this domain, which you don't own (I have tested in ACM; it fails).

  • I think it is possible to put a DNS CNAME record with your own domain name pointing to the ALB DNS name, then install the custom cert on the ALB listeners, and finally use the CNAME name as the CloudFront origin DNS name. I guess that CloudFront will connect to the origin using the CNAME name, the cert should be okay (without warning), and it should allow the traffic. I will test this in the next few days and post the result.

  • Please do; although I already resolved it with a custom certificate, I am curious. – wtdmn Sep 15 '22 at 08:54
  • OK, I tested with the CNAME and custom certificate, and it is working. To sum up: 1. Create an ALB with an HTTPS listener (with your custom domain name, *.customdomain.tld for example). 2. Create a public DNS CNAME alias pointing to your ALB DNS name: yourappalb.customdomain.tld IN CNAME alb-xxxxx.aws-zone.amazonaws.com. 3. In the CloudFront distribution, configure the origin with the CNAME name: yourappalb.customdomain.tld, with HTTPS only. 4. Enjoy :) – Sébastien Simonek Sep 15 '22 at 13:59
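The two failure modes the answers above ran into (a 502 when the origin is the raw ALB DNS name, and a 502 with a self-signed wildcard even though the name matches) both come down to the origin certificate check a TLS client performs: the certificate must chain to a trusted CA and one of its DNS SANs must cover the exact hostname CloudFront was told to connect to. The following is an added example written for this thread, not code from any of the posters or from AWS. It models that check with RFC 6125 wildcard rules, runs the configurations from the second and third answers through it, and includes a live probe using Python's standard `ssl` module that verifies an origin the same way (SNI set to the origin host, system trust store, hostname verification on). The hostnames, SAN lists and the helpers `origin_acceptable` and `scenarios` are constructed for illustration.

```python
"""Check whether an origin certificate would pass the hostname and trust check
a TLS client such as CloudFront applies when connecting to an HTTPS origin.

Added example for this thread, not code from any of the posters. The hostnames
and SAN lists below are constructed; origin_acceptable and scenarios are
illustrative helpers, not AWS APIs.
"""
import socket
import ssl
from typing import Iterable, Tuple


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN entry against a hostname the way TLS clients do
    (RFC 6125 rules): names are case-insensitive, a wildcard is allowed only
    as the whole leftmost label, it matches exactly one label, and a bare
    "*.tld" pattern is rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # rejects "f*o.example.com" and "*.com"
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covers_origin(san_names: Iterable[str], origin_host: str) -> bool:
    """True if any DNS SAN in the certificate covers the origin hostname."""
    return any(san_matches(name, origin_host) for name in san_names)


def origin_acceptable(san_names: Iterable[str], origin_host: str,
                      chain_trusted: bool) -> bool:
    """Both conditions from the thread must hold: the certificate chains to a
    trusted CA (a self-signed cert fails even with a matching name) and it
    names the host the CDN was configured to connect to."""
    return chain_trusted and covers_origin(san_names, origin_host)


def scenarios() -> dict:
    """The configurations discussed in the answers, as constructed data."""
    custom_san = ["*.customdomain.tld"]
    # Constructed ALB DNS name; real ones have the same shape.
    raw_alb = "alb-xxxxx.eu-west-1.elb.amazonaws.com"
    return {
        # CNAME in your own zone + ACM/imported cert: the working setup.
        "cname-with-custom-cert":
            origin_acceptable(custom_san, "yourappalb.customdomain.tld", True),
        # Origin configured with the raw ALB name: name mismatch -> 502.
        "raw-alb-name-with-custom-cert":
            origin_acceptable(custom_san, raw_alb, True),
        # Self-signed wildcard for the AWS name: name matches, chain does not.
        "self-signed-for-aws-name":
            origin_acceptable(["*.eu-west-1.elb.amazonaws.com"], raw_alb, False),
        # A wildcard covers one label only; a deeper name is not covered.
        "two-level-subdomain":
            origin_acceptable(custom_san, "api.eu.customdomain.tld", True),
    }


def live_origin_check(origin_host: str, port: int = 443,
                      timeout: float = 5.0) -> Tuple[bool, str]:
    """Probe a real origin: SNI set to the origin host, system trust store,
    hostname verification on. Needs network access; returns (ok, detail)
    instead of raising so it can be dropped into a health-check script."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((origin_host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=origin_host) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return True, "verified; DNS SANs: " + ", ".join(sans)
    except ssl.SSLCertVerificationError as exc:  # subclass of OSError, so first
        return False, "certificate rejected: " + str(exc.verify_message)
    except OSError as exc:
        return False, "connection failed: " + str(exc)


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:32s} {'OK' if ok else 'would 502'}")
```

Running the script prints which of the four constructed setups a strict client would accept; only the CNAME-plus-custom-certificate configuration passes, which is the result the last comment reports. `live_origin_check("yourappalb.customdomain.tld")` against a real deployment gives the same verdict from the edge's point of view before touching the CloudFront origin settings.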