A while ago, I was part of a nice pilot project. It involved a server hosted at Amazon Web Services. It was a pilot, it was just one machine, and the budget was quite limited. So, we decided to do several things on the same machine:
- host the web-facing application
- use an API gateway/proxy in front of the exposed services
- manage SSL certificates (Let's Encrypt)
- expose the machine via a public IP address
Everything has been working like a charm since day 1. Originally, the pilot was supposed to run for 6 months and then disappear again. Well, this is going to change now. Instead of vanishing, the setup will have to be enhanced: the services shall run on more than one machine. The application architecture itself is scalable, so no problem there. I will, however, have to change the infrastructure approach. As we'll be staying on AWS, this is what we'll be doing:
- have a web-facing load balancer to be the entry point for all incoming traffic
- have SSL termination happen on the load balancer
- have a number of application servers (AWS "targets") sitting behind the load balancer
I should add that the site is accessed via a registered (sub)domain name. The domain registrar is a separate entity (not Amazon), and this is supposed to stay that way.
So, I had to find a way to fulfill all the above requirements. Luckily, this scenario is popular enough to be well supported by AWS. Amazon offers ACM, Amazon Certificate Manager, a service that creates and manages my SSL certificates and, in particular, renews them when they are about to expire. The ELB (Elastic Load Balancer) service that I will be using has access to the ACM-managed certificates. So, the last hurdle is to find a way of using this convenient Amazon-provided environment while still keeping control over my domain registered outside of Amazon.
Steps towards a Load-balanced Setup
These are the high-level steps to achieve the new load-balanced setup as described earlier:
- duplicate the existing single machine instance to have two or more servers running the hosted application (straightforward EC2 work)
- create a new load balancer
- add a (secure) listener to the load balancer
- add my domain and request an ACM SSL certificate for it
- add the instances as targets behind the load balancer
Sounds easy? Well, it actually is as long as you keep a few things in mind.
Duplicate existing Instances
I won't go over this here as this is something that you've probably already done yourself numerous times.
Create a new Load Balancer
Log in to the AWS console, go to EC2 and select the "Load Balancers" section. There, follow the steps that guide you through the process of creating a new load balancer. Please note that Amazon currently offers three different types of load balancers. As the "classic" option is moving towards sunset and the "network" option is meant for low-level TCP/UDP traffic, select the "application load balancer" category. This one is Amazon's recommendation for HTTP(S)-based routing and balancing.
Add a secure Listener
Your next step is to add a listener. Make it secure by choosing HTTPS rather than HTTP.
Add one or more Domains
Now it's time to add your domain(s). Make sure to be as specific as possible; for example, add both "example.com" and "www.example.com" if that applies to your scenario. Finally, the console will want to know which SSL certificates to use and where to get them from. You want to use ACM (Amazon Certificate Manager). As you probably have no certificates in place yet, the drop-down list to select from will be empty. So click on "request certificate..." to request an ACM-issued SSL certificate.
Remember: my domain is under the control of a different, non-Amazon registrar, but I want Amazon to issue the SSL certificate. It's free (you only pay for the AWS resources using it), and ACM manages the renewal process. Somehow I need to prove that I am the legitimate owner of the domain. Amazon offers two ways of doing this:
They recommend DNS validation, and so do I, as it is the only one that comes with fully automated certificate renewal going forward. When you follow the instructions on the screen, you will end up with one or more sets of DNS CNAME record names and values that AWS asks you to store in your DNS zone. Amazon will then look those up via DNS and hence know that I have control over the domain. Make sure to keep the new CNAME records in the DNS settings, as they will be needed every time the certificate is up for renewal.
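As an added example (not code from the original post), here is a small check that turns the validation records ACM hands out into a registrar-ready list and compares them with what a zone currently holds, which is exactly the thing that silently breaks renewal when a record is deleted or mistyped. The ACM response shape follows `aws acm describe-certificate`; the record names, values and the zone snapshot are constructed samples.

```python
"""Turn ACM's DNS-validation data into registrar-ready CNAME records and
check a zone for them. Sample data is constructed, not captured from AWS."""

# Constructed sample shaped like `aws acm describe-certificate` output:
# ACM emits one ResourceRecord per domain; the names/values here are made up.
DESCRIBE_CERTIFICATE = {
    "Certificate": {
        "DomainValidationOptions": [
            {"DomainName": "example.com", "ValidationMethod": "DNS",
             "ResourceRecord": {"Name": "_1a2b3c.example.com.", "Type": "CNAME",
                                "Value": "_4d5e6f.acm-validations.aws."}},
            {"DomainName": "www.example.com", "ValidationMethod": "DNS",
             "ResourceRecord": {"Name": "_7a8b9c.www.example.com.", "Type": "CNAME",
                                "Value": "_0d1e2f.acm-validations.aws."}},
        ]
    }
}

def validation_records(describe_output):
    """Return {record name: value} for every DNS-validated domain.
    Trailing dots are stripped so the pairs compare cleanly with what most
    registrar panels store; add them back if your provider expects FQDNs."""
    records = {}
    for opt in describe_output["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if opt.get("ValidationMethod") != "DNS" or rr is None or rr["Type"] != "CNAME":
            continue
        records[rr["Name"].rstrip(".").lower()] = rr["Value"].rstrip(".").lower()
    return records

def missing_records(expected, zone_cnames):
    """Compare expected validation records with the CNAMEs currently in the zone.
    Returns a list of (name, expected value, actual value or None); an empty
    list means every record is present and correct, which renewal depends on."""
    problems = []
    for name, value in expected.items():
        actual = zone_cnames.get(name)
        if actual is None or actual.rstrip(".").lower() != value:
            problems.append((name, value, actual))
    return problems

# Constructed zone snapshot: one record correct, one stale (wrong value).
ZONE_CNAMES = {
    "_1a2b3c.example.com": "_4d5e6f.acm-validations.aws.",
    "_7a8b9c.www.example.com": "_deadbeef.acm-validations.aws.",
}

if __name__ == "__main__":
    for name, want, got in missing_records(validation_records(DESCRIBE_CERTIFICATE), ZONE_CNAMES):
        print(f"CNAME {name} should be {want}, found {got}")
```

Run it periodically against a fresh zone export and you get an early warning long before ACM's renewal attempt fails.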
Add the Load Balancer Address to your Domain
So now that ACM has created an SSL certificate for me, I need to point my application users to the new location (the load balancer). In the load balancer settings screen, Amazon provides a DNS name for the load balancer. Copy it, go back to your domain's DNS settings and add an "A" record with this value. And that's it for the complex part. Clients navigating to the domain will end up at the load balancer; the load balancer will present the SSL certificate and then look for a healthy target to route traffic to.
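Before telling users the switch is done, it is worth confirming that the domain really resolves to the load balancer and not still to the old single machine. The following check is an added example, not code from the original post: it compares the address set the domain resolves to with the one the load balancer's DNS name resolves to, which works whatever record type your registrar used. The resolver is injectable so the check can run offline; the load balancer name and the answers in `FAKE_DNS` are constructed placeholders.

```python
"""Check that a domain resolves to the same addresses as the load balancer's
DNS name. The resolver is injectable so it can be exercised offline; the default
uses the system resolver. Hostnames below are constructed placeholders."""
import socket

def system_resolve(hostname):
    """Return the set of IPv4/IPv6 addresses the system resolver gives for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def points_at_load_balancer(domain, lb_dns_name, resolve=system_resolve):
    """True when every address the domain resolves to belongs to the load balancer.
    ALB addresses change over time, so compare address sets at the same moment
    rather than hard-coding IPs. An empty answer for the domain counts as a
    failure: a record that has not propagated yet must not pass the check."""
    domain_addrs = resolve(domain)
    lb_addrs = resolve(lb_dns_name)
    if not domain_addrs or not lb_addrs:
        return False
    return domain_addrs <= lb_addrs

# Constructed answers standing in for a real resolver during an offline check.
FAKE_DNS = {
    "my-alb-123456.eu-central-1.elb.amazonaws.com": {"192.0.2.10", "192.0.2.11"},
    "www.example.com": {"192.0.2.10", "192.0.2.11"},
    "old.example.com": {"198.51.100.5"},  # still points at the single pilot machine
}

def fake_resolve(hostname):
    """Offline stand-in for system_resolve, answering only from FAKE_DNS."""
    return set(FAKE_DNS.get(hostname, ()))

if __name__ == "__main__":
    lb = "my-alb-123456.eu-central-1.elb.amazonaws.com"
    for host in ("www.example.com", "old.example.com"):
        state = "ok" if points_at_load_balancer(host, lb, fake_resolve) else "NOT at load balancer"
        print(f"{host}: {state}")
```

With the default resolver, call `points_at_load_balancer(your_domain, lb_dns_name)` from a machine outside your own DNS cache to see what your users see.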
Adding the targets (i.e. the application servers behind the load balancer) is the last step in the process.