Shortdark Software Development

Using Amazon Certificate Manager (ACM) with EC2 and ELB/ALB

Development | 14th Apr 2023 | Last Updated: 14th Apr 2023 | Time to read: 5 mins

Tags: AWS, SSL certificate, EC2, AWS Certificate Manager, ELB, ALB, Tutorial, Security, WAF, UFW, S3, CloudFront

Why connect an EC2 Instance to ACM and ALB?

The standard compute service on AWS is EC2 (Elastic Compute Cloud). EC2 instances are building blocks: even more managed products such as Elastic Beanstalk use EC2 instances underneath. While they are very useful and extremely versatile, a plain EC2 instance is missing something for the web: on its own it is not secure, because what you get is a plain HTTP endpoint with no TLS. To serve the instance over HTTPS, the preferred AWS method is Amazon Certificate Manager (ACM). However, you cannot attach an ACM SSL certificate directly to an EC2 instance; you have to connect them via a third layer. Here we'll use an Application Load Balancer (ALB), which is a type of Elastic Load Balancer (ELB), to connect our SSL certificate to our EC2 instance.

It's similar to putting a Lightsail instance inside a Lightsail Distribution, or putting an S3 bucket behind CloudFront, in order to attach an SSL certificate.

This method of attaching an SSL certificate to a compute instance or simple storage is how AWS intends us to use them. By putting the web traffic through either CloudFront or an ALB we are not only ensuring that the traffic between AWS and the viewer is secure (HTTPS) but we are also adding an extra security layer between the viewer and our files.

The Alternative to using Amazon Certificate Manager

Previously, if I had some hosting that was not on Amazon and I wanted to make it accessible via the HTTPS protocol I could buy a certificate via my hosting company, registrar, or a specialist SSL certificate provider, or I could install a certificate for free using Let's Encrypt. Depending on how I'd installed the certificate, I'd have to make sure the certificate was renewed. If the SSL expired the instance could no longer use HTTPS and as such the website may break.

The benefit of using Amazon Certificate Manager is that it manages the certificates for you outside the compute instance, EC2 in this case. This means that the compute instance is always using HTTP, and different instances can be swapped in and out very easily using a load balancer and no matter which instance is being used at any time it will always be using HTTPS through the load balancer. We can use SSL certificates purchased elsewhere with ACM, but by putting them through ACM we are in effect tying ourselves to the Amazon infrastructure slightly more than if we did not use it.

What is a Load Balancer and why use AWS ALB?

A load balancer, as the name suggests, is often used to divert traffic to any of a number of instances depending on how busy each instance is, i.e. balancing the load. We can set it up that way with multiple instances, or we can put a load balancer in front of a single instance if we want to.

There are many different load balancers, and we do not necessarily have to use AWS ALB. We could install our own load balancer if we wanted. For a website in the AWS ecosystem that uses an EC2 instance, using ALB is by far the easiest thing to use, especially as it is one of the main ways to connect an SSL certificate to our EC2 instance. The downside of using all the different AWS products is that if we ever wanted to move, instead of having a server that we can simply set up somewhere else, now we have lots of different products that we either have to move across to similar products on another cloud computing company, or we have to figure out some other way to move from the cloud back to a traditional hosting company.

Setting Up an EC2 Instance with ACM and ALB

Preparing the EC2 Instance

  • The EC2 instance is in a VPC with specific security groups that only allow specific traffic; HTTP (80) should be ON.
  • On the EC2 instance itself, if any firewall is configured, e.g. UFW, it must also allow HTTP traffic.
  • Also, if the EC2 instance has previously been set up with Let's Encrypt, that should be turned off, i.e. the EC2 instance will be speaking to the load balancer over HTTP only (port 80).

Setting Up ALB with ACM

You may already have an ACM certificate for the domain to use with CloudFront; if that is the case, the certificate will only be usable if it is in the same Amazon Region as the EC2 instance. I believe for CloudFront the certificate must be in North Virginia, so if your EC2 isn't in that region you should make a new ACM certificate for it. For this reason, instead of creating the ACM certificate first and then moving on to the ALB, it's easier to make the certificate as you set up the ALB.

With the ELB/ALB the only thing that should be HTTPS is the load balancer itself, i.e. the listener, everything else should be HTTP.

  • Go to EC2 and click "Target Groups" in the nav bar.
  • Create a new target group (HTTP-only); use the same VPC as the EC2 instance and a security group that can reach the EC2 instance.
  • Add the EC2 instance as a target.
  • Go to EC2 and click "Load Balancers" in the nav bar.
  • Create an ALB load balancer that uses the Target Group we've just created, but make sure the listener is HTTPS:443.
  • You'll have to choose HTTPS, and you'll have to create a new ACM certificate at this point.

That should all be set up now, assuming the security groups are correct and the EC2 is set up correctly.

Point the domain or Subdomain at the ALB

  • Get the domain name of the load balancer in the format: xxx.region.elb.amazonaws.com
  • Create a CNAME on the domain/subdomain that points to that domain name.
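As an added example (not code from the original post), here are the "Preparing the EC2 Instance", Target Group, ALB, ACM and CNAME steps above written as Terraform for the AWS provider. It assumes an existing VPC, two subnets in different Availability Zones, the instance and its security group, and a Route 53 hosted zone for the domain; every id, name and domain below is a placeholder. It goes slightly beyond the text by creating a security group for the ALB and letting the instance accept port 80 only from that group rather than from everywhere.

```hcl
# Added example, not code from the original post. All ids, names and the
# domain are assumed placeholders; DNS is assumed to be hosted in Route 53.
variable "vpc_id"          { default = "vpc-EXAMPLE" }
variable "subnet_ids"      { default = ["subnet-EXAMPLE-a", "subnet-EXAMPLE-b"] } # ALB needs 2+ AZs
variable "instance_id"     { default = "i-EXAMPLE" }
variable "instance_sg_id"  { default = "sg-EXAMPLE" }  # the EC2 instance's existing security group
variable "domain_name"     { default = "www.example.com" }
variable "route53_zone_id" { default = "ZEXAMPLE" }

# The load balancer is the only thing exposed to the internet, and only on 443.
resource "aws_security_group" "alb" {
  name   = "web-alb-sg"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# The instance accepts HTTP (80) only from the ALB's security group.
resource "aws_security_group_rule" "instance_http_from_alb" {
  type                     = "ingress"
  security_group_id        = var.instance_sg_id
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
}

# HTTP-only target group in the same VPC, with the instance as its target.
resource "aws_lb_target_group" "web" {
  name        = "web-tg"
  port        = 80
  protocol    = "HTTP"
  vpc_id      = var.vpc_id
  target_type = "instance"
  health_check {
    path    = "/"
    matcher = "200-399"
  }
}

resource "aws_lb_target_group_attachment" "web" {
  target_group_arn = aws_lb_target_group.web.arn
  target_id        = var.instance_id
}

# Certificate requested in the ALB's own region; ownership is proven via DNS
# by publishing the validation CNAME records ACM hands back.
resource "aws_acm_certificate" "web" {
  domain_name       = var.domain_name
  validation_method = "DNS"
}

resource "aws_route53_record" "acm_validation" {
  for_each = { for dvo in aws_acm_certificate.web.domain_validation_options : dvo.domain_name => dvo }
  zone_id  = var.route53_zone_id
  name     = each.value.resource_record_name
  type     = each.value.resource_record_type
  ttl      = 60
  records  = [each.value.resource_record_value]
}

resource "aws_acm_certificate_validation" "web" {
  certificate_arn         = aws_acm_certificate.web.arn
  validation_record_fqdns = [for r in aws_route53_record.acm_validation : r.fqdn]
}

# The ALB itself, with HTTPS:443 as its one listener; everything behind it is HTTP.
resource "aws_lb" "web" {
  name               = "web-alb"
  load_balancer_type = "application"
  subnets            = var.subnet_ids
  security_groups    = [aws_security_group.alb.id]
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate_validation.web.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# Point the (sub)domain at the load balancer's xxx.region.elb.amazonaws.com name.
resource "aws_route53_record" "web" {
  zone_id = var.route53_zone_id
  name    = var.domain_name
  type    = "CNAME"
  ttl     = 300
  records = [aws_lb.web.dns_name]
}
```

The listener depends on `aws_acm_certificate_validation`, not on the bare certificate, so `terraform apply` waits until ACM has verified the DNS records before it tries to attach the certificate; attaching an unverified certificate is the usual cause of the "is the ACM SSL certificate verified?" item in the troubleshooting list. Because port 80 on the instance is opened only to the ALB's security group, a check for "accepting HTTP from everywhere" will say no by design; the health check in the target group tells you whether the ALB itself can reach the web server.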

Hey presto, that should be it.

Troubleshooting EC2, ACM and ALB

  • Is the EC2 set up with a webserver on port 80?
  • Is the EC2 instance accepting HTTP traffic from everywhere?
  • Is the ALB in the correct VPC?
  • Does the ALB have the correct permissions from whichever security groups it is attached to?
  • Is the ALB talking to the EC2 instance in HTTP?
  • Is the ALB listener using HTTPS?
  • Is the ACM SSL certificate verified?
  • Is the domain pointing at the load balancer?
