The standard compute instance on AWS is called EC2 (Elastic Compute Cloud). EC2 instances are building blocks: even more managed products such as Elastic Beanstalk environments run on EC2 instances underneath. While they are very useful and extremely versatile, a plain EC2 instance is missing something for the web: out of the box it only gives you a plain HTTP endpoint, with no TLS termination. To serve the instance over HTTPS the preferred AWS method is AWS Certificate Manager (ACM). However, you cannot attach an ACM certificate straight to an EC2 instance; it has to be attached to an AWS service that integrates with ACM and sits in front of the instance. Here, we'll be using an Application Load Balancer (ALB), which is a type of Elastic Load Balancer (ELB), to connect our SSL certificate to our EC2 instance.
It's similar to putting a Lightsail instance behind a Lightsail distribution, or an S3 bucket behind CloudFront, in order to attach a certificate.
This method of attaching a certificate to a compute instance or to simple storage is how AWS intends them to be used. By routing web traffic through CloudFront or an ALB we not only ensure that the traffic between AWS and the viewer is encrypted (HTTPS), we also put an extra layer between the viewer and our files: the viewer talks to the load balancer or CDN, and the instance itself need not be reachable from the internet at all.
Previously, if I had hosting that was not on Amazon and wanted to make it accessible over HTTPS, I could buy a certificate from my hosting company, registrar or a specialist certificate provider, or install one for free using Let's Encrypt. Depending on how I'd installed it, I'd have to make sure the certificate was renewed. If the certificate expired, browsers would refuse the HTTPS connection and the website would effectively break.
The benefit of AWS Certificate Manager is that it manages the certificate for you outside the compute instance, EC2 in this case, including renewal (for a DNS-validated certificate, as long as the validation CNAME stays in place). This means the instance itself only speaks HTTP, and instances can be swapped in and out behind the load balancer very easily; whichever instance is serving at any given moment, viewers always reach it over HTTPS through the load balancer. Note that this also means the hop from the load balancer to the instance inside the VPC is plaintext. If you need encryption end to end, the target group can be switched to HTTPS with a certificate on the instance; the ALB does not verify the target's certificate, so a self-signed one will do. We can import certificates purchased elsewhere into ACM, but ACM does not renew imported certificates, and by putting them through ACM we are tying ourselves to the Amazon infrastructure slightly more than if we did not use it.
A load balancer, as the name suggests, is usually used to spread traffic across a number of instances depending on how busy each one is, i.e. balancing the load. We can set it up that way with multiple instances, or we can put a load balancer in front of a single instance if we want to.
There are many different load balancers, and we do not necessarily have to use AWS ALB; we could install our own load balancer if we wanted. For a website in the AWS ecosystem that uses an EC2 instance, ALB is by far the easiest option, especially as it is one of the main ways to connect an ACM certificate to our EC2 instance. The downside of using all the different AWS products is that if we ever wanted to move, instead of having a single server that we can simply set up somewhere else, we now have several products that we either have to map onto equivalents at another cloud provider, or find some other way to move from the cloud back to a traditional hosting company.
You may already have an ACM certificate for the domain that you use with CloudFront. If so, it will only be usable here if it is in the same AWS Region as the ALB (ACM certificates are regional, and an ALB can only use a certificate from its own Region). CloudFront, by contrast, requires its certificates to be in US East (N. Virginia), so unless your EC2 instance and ALB are in us-east-1 you will need to request a new ACM certificate in their Region. For this reason, rather than creating the certificate first and then moving on to the ALB, it is easier to request the certificate as part of setting up the ALB.
With the ALB, the only thing that needs to speak HTTPS is the load balancer itself, i.e. the HTTPS listener on port 443; everything behind it (the target group and the instance) stays HTTP. Keep an HTTP listener on port 80 too, but give it a single redirect action to HTTPS (an HTTP 301), so plain http:// links still work and nothing is served unencrypted.
That should all be set up now, assuming the security groups are correct and the EC2 instance is set up correctly. Correct here means: the ALB's security group allows inbound 80 and 443 from 0.0.0.0/0, and the instance's security group allows its web port (80) only from the ALB's security group, not from the internet; otherwise anyone who finds the instance's public IP can still reach it over plain HTTP and bypass the load balancer entirely. The target group's health check must also pass (a 200 on the health check path) before the ALB will forward any traffic.
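The whole setup described above as one CloudFormation template, written as an added example for this page (it is not the author's or AWS's own code). It assumes an existing EC2 instance, VPC and public subnets, and a Route 53 hosted zone for the domain so that ACM's DNS validation record can be created automatically; the parameter names, the default domain www.example.com and the choice of TLS policy are assumptions made here, not anything from the page.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Example only: ACM certificate terminated on an ALB in front of one existing
  EC2 instance. HTTP on 80 redirects to HTTPS on 443; the ALB talks plain HTTP
  to the instance; the instance accepts port 80 only from the ALB.

Parameters:
  DomainName:
    Type: String
    Default: www.example.com          # assumed example domain
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id # zone that serves DomainName
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>   # at least two public subnets
  InstanceId:
    Type: AWS::EC2::Instance::Id       # the existing web instance

Resources:
  # Requested in the same Region as the ALB; CloudFormation writes the
  # validation CNAME into the hosted zone and waits until ACM issues it.
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId

  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internet-facing ALB, HTTP and HTTPS from anywhere
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 80,  ToPort: 80,  CidrIp: 0.0.0.0/0 }
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }

  # Port 80 only from the ALB's group, never from a CIDR, so the instance
  # cannot be reached directly and the ALB cannot be bypassed.
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web instance, port 80 only from the ALB
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref AlbSecurityGroup

  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTP                   # plaintext hop inside the VPC
      Port: 80
      TargetType: instance
      Targets:
        - Id: !Ref InstanceId
      HealthCheckPath: /

  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets: !Ref SubnetIds
      SecurityGroups: [ !Ref AlbSecurityGroup ]

  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06   # TLS 1.2/1.3 only
      Certificates:
        - CertificateArn: !Ref Certificate
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup

  HttpListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig: { Protocol: HTTPS, Port: "443", StatusCode: HTTP_301 }

  DnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref DomainName
      Type: A
      AliasTarget:
        DNSName: !GetAtt LoadBalancer.DNSName
        HostedZoneId: !GetAtt LoadBalancer.CanonicalHostedZoneID

Outputs:
  InstanceSecurityGroupId:
    Value: !Ref InstanceSecurityGroup
```

One thing the template cannot do is attach `InstanceSecurityGroup` to an instance it did not create; after the stack is up, replace the instance's groups with that one (for example `aws ec2 modify-instance-attribute --instance-id <id> --groups <InstanceSecurityGroupId>`) and drop any old rule that allowed port 80 from the internet. The stack will sit in CREATE_IN_PROGRESS until ACM has validated the certificate, which can take several minutes.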
Hey presto, that should be it.
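A quick way to check those security-group and listener assumptions, as an added example for this page rather than the author's or AWS's code: a small audit over the shape of `aws elbv2 describe-listeners` and `aws ec2 describe-security-groups` output. The two security-group IDs and every value in the SAMPLE_* and LEAKY_GROUPS data are constructed for illustration; in practice you would feed it the JSON from those two commands.

```python
"""Audit an ALB's listeners and security groups against the layout this page
builds: HTTPS terminated at the load balancer, port 80 redirected to HTTPS,
plain HTTP from the ALB to the instance, and the instance reachable only from
the ALB's security group.

Added example, not the author's or AWS's code. The dicts follow the shape of
the AWS CLI / boto3 `describe-listeners` and `describe-security-groups`
responses; all values in the SAMPLE_* data are constructed, not real.
"""

ALB_SG = "sg-0alb00000000000001"       # constructed IDs
INSTANCE_SG = "sg-0web00000000000002"

NO_HTTP_LISTENER = "no HTTP listener on port 80 (plain http:// URLs fail instead of redirecting)"


def _tls_policy_ok(policy):
    # AWS encodes the minimum protocol version in the policy name
    # (…-TLS13-1-2-…, …-TLS-1-2-…, …-FS-1-2-…, …-1-3-…); the legacy
    # ELBSecurityPolicy-2016-08 and the -1-0-/-1-1- variants still allow TLS 1.0/1.1.
    return "-1-2-" in policy or "-1-3-" in policy


def audit_listeners(listeners):
    """Return a list of findings; an empty list means the intended layout."""
    findings = []
    by_port = {l["Port"]: l for l in listeners}

    https = by_port.get(443)
    if https is None or https["Protocol"] != "HTTPS":
        findings.append("no HTTPS listener on port 443")
    else:
        if not https.get("Certificates"):
            findings.append("HTTPS listener has no ACM certificate attached")
        if not _tls_policy_ok(https.get("SslPolicy", "")):
            findings.append(f"weak TLS policy on 443: {https.get('SslPolicy')}")

    http = by_port.get(80)
    if http is None:
        findings.append(NO_HTTP_LISTENER)
    else:
        act = http["DefaultActions"][0]
        redir = act.get("RedirectConfig", {})
        if not (act["Type"] == "redirect" and redir.get("Protocol") == "HTTPS"
                and redir.get("Port") == "443" and redir.get("StatusCode") == "HTTP_301"):
            findings.append("port 80 listener does not permanently redirect to HTTPS")
    return findings


def audit_security_groups(groups, alb_sg_id, instance_sg_id):
    """The ALB may be open to the world on 80/443; the instance only to the ALB."""
    findings = []
    by_id = {g["GroupId"]: g for g in groups}

    open_ports = {p["FromPort"] for p in by_id[alb_sg_id]["IpPermissions"]
                  if any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))}
    if not {80, 443} <= open_ports:
        findings.append("ALB security group does not allow 80 and 443 from the internet")

    for perm in by_id[instance_sg_id]["IpPermissions"]:
        port = perm.get("FromPort")
        if perm.get("IpRanges") or perm.get("Ipv6Ranges"):
            findings.append(f"instance port {port} is open to a CIDR, bypassing the ALB")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != alb_sg_id:
                findings.append(f"instance port {port} allows group {pair['GroupId']}, not only the ALB")
    return findings


# Constructed sample data in the shape of the CLI output.
SAMPLE_LISTENERS = [
    {"Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "Certificates": [{"CertificateArn": "arn:aws:acm:eu-west-2:123456789012:certificate/constructed"}],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:aws:elasticloadbalancing:eu-west-2:123456789012:targetgroup/web/constructed"}]},
    {"Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
]
SAMPLE_GROUPS = [
    {"GroupId": ALB_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": INSTANCE_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": ALB_SG}]}]},
]
# The common mistake: the instance's group kept its original "HTTP from
# anywhere" rule, so http://<instance-ip> still works and skips the ALB.
LEAKY_GROUPS = [SAMPLE_GROUPS[0],
                {"GroupId": INSTANCE_SG, "IpPermissions": [
                    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}]

if __name__ == "__main__":
    print(audit_listeners(SAMPLE_LISTENERS))                            # []
    print(audit_security_groups(SAMPLE_GROUPS, ALB_SG, INSTANCE_SG))    # []
    print(audit_security_groups(LEAKY_GROUPS, ALB_SG, INSTANCE_SG))     # one finding
```

Run it against real output with `aws elbv2 describe-listeners --load-balancer-arn <arn>` (the `Listeners` list) and `aws ec2 describe-security-groups --group-ids <alb-sg> <instance-sg>` (the `SecurityGroups` list); anything other than two empty lists is something to fix before calling the setup done.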