SSL/TLS DNS Validation
Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates are used to secure network communications and establish the identity of websites over the internet. Before issuing a certificate for your website, Amazon must validate that you control the domain name for your site. You can now use AWS Certificate Manager (ACM) Domain Name System (DNS) validation to establish that you control a domain name when requesting SSL/TLS certificates with ACM.
In DNS validation, you write a CNAME record to your DNS configuration to establish control of your domain name. After you have configured the CNAME record, ACM can automatically renew DNS-validated certificates before they expire, as long as the DNS record has not changed. To make it even easier to validate your domain, ACM can update your DNS configuration for you if you manage your DNS records with Amazon Route 53.
SSL/TLS provides encryption for sensitive data in transit and authentication by using certificates to establish the identity of your site and secure connections between browsers and applications and your site. DNS validation and SSL/TLS certificates provisioned through ACM are free.
Step 1: Request a certificate
To get started, sign in to the AWS Management Console and navigate to the ACM console.
From the ‘Certificates’ page, select ‘Request a Certificate’, then choose the default “Request a Public Certificate” and click the ‘Request a Certificate’ button.
Step 2: Add Domain Names
Type the name of your domain in the Domain name box and choose Next.
Example: acvitsdemo.com and *.acvitsdemo.com
Step 3: DNS Validation
On the Select Validation Method page, select DNS validation and click the ‘Review’ button.
Step 4: Review
Review your entries and click the ‘Confirm and Request’ button.
Step 5: Validation
After a brief delay while ACM populates your domain validation information, choose the down arrow to display all the validation information for your domain.
Click the ‘Create Record in Route 53’ button for each domain entry and click the ‘Create’ button.
It typically takes 30 minutes for the status to change from ‘Pending Validation’ to ‘Issued’.
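The console button above writes the validation CNAME that ACM reports for each domain into your hosted zone. The following added example (not AWS code) does the same from the output of `aws acm describe-certificate`: it builds the Route 53 change batch and shows the one edge case worth knowing, that a base domain and its wildcard share a single validation record. The sample JSON is constructed and its record names and values are placeholders.

```python
import json

# Constructed sample of `aws acm describe-certificate` output for the
# certificate requested above; record names and values are made-up placeholders.
SAMPLE_DESCRIBE = {"Certificate": {"DomainName": "acvitsdemo.com", "DomainValidationOptions": [
    {"DomainName": "acvitsdemo.com", "ValidationStatus": "PENDING_VALIDATION",
     "ValidationMethod": "DNS",
     "ResourceRecord": {"Name": "_abc123.acvitsdemo.com.", "Type": "CNAME",
                        "Value": "_def456.acm-validations.aws."}},
    {"DomainName": "*.acvitsdemo.com", "ValidationStatus": "PENDING_VALIDATION",
     "ValidationMethod": "DNS",
     "ResourceRecord": {"Name": "_abc123.acvitsdemo.com.", "Type": "CNAME",
                        "Value": "_def456.acm-validations.aws."}},
]}}


def validation_change_batch(describe_output, ttl=300):
    """Return a Route 53 ChangeBatch that UPSERTs every ACM validation CNAME.

    ACM hands out the same CNAME for a base domain and its wildcard, so
    records are de-duplicated by name. Options with no ResourceRecord yet
    (ACM still populating, or email validation) are skipped, never guessed.
    """
    changes, seen = [], set()
    for opt in describe_output["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if opt.get("ValidationMethod") != "DNS" or rr is None:
            continue
        if rr["Type"] != "CNAME":
            raise ValueError(f"unexpected {rr['Type']} record for {opt['DomainName']}")
        if rr["Name"] in seen:
            continue
        seen.add(rr["Name"])
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": rr["Name"], "Type": "CNAME", "TTL": ttl,
            "ResourceRecords": [{"Value": rr["Value"]}]}})
    return {"Comment": "ACM DNS validation records", "Changes": changes}


def pending_domains(describe_output):
    """Domains not yet validated; an empty list means the status can move to Issued."""
    return [o["DomainName"] for o in describe_output["Certificate"]["DomainValidationOptions"]
            if o.get("ValidationStatus") != "SUCCESS"]


if __name__ == "__main__":
    # Write the batch for: aws route53 change-resource-record-sets
    #   --hosted-zone-id <ZONE_ID> --change-batch file://validation.json
    print(json.dumps(validation_change_batch(SAMPLE_DESCRIBE), indent=2))
```

Keep the CNAME in place after issuance: ACM renews the certificate automatically only while that record still resolves.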
Configure a Load Balancer
Step 1: Create a Load Balancer
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.
3. Choose Create Load Balancer.
4. For Application Load Balancer, choose Create.
5. For Name, type a name for your load balancer. For example, acvits-alb.
6. For Scheme, choose “Internet-facing” so that the load balancer routes requests from clients over the Internet to targets.
7. For Listeners, the default is a listener that accepts HTTP traffic on port 80. Choose Add to add an HTTPS listener.
8. For Availability Zones, select at least two Availability Zones from your VPC.
9. Choose Next: Configure Security Settings.
Step 2: Configure Security Settings for an HTTPS Listener
When you use HTTPS for your load balancer listener, you must deploy an SSL certificate on your load balancer. The load balancer uses this certificate to terminate the connection and decrypt requests from clients before sending them to the targets. For more information, see SSL Certificates. You must also specify the security policy that the load balancer uses to negotiate SSL connections with the clients. For more information, see Security Policies.
To configure a certificate and security policy
1. For Select default certificate, do one of the following:
• If you created or imported a certificate using AWS Certificate Manager, select Choose a certificate from ACM, and then select the certificate from Certificate name.
• If you uploaded a certificate using IAM, select Choose a certificate from IAM, and then select the certificate from Certificate name.
2. For Security policy, we recommend that you keep the default security policy.
3. Choose Next: Configure Security Groups.
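Once the listeners exist, it is worth checking that the settings from this step actually took effect. The following added example (not AWS code) audits the output of `aws elbv2 describe-listeners`: the HTTPS listener must carry a certificate, and the port-80 listener from Step 1 should redirect to HTTPS rather than forward cleartext to the targets. The sample JSON is constructed and its ARNs are placeholders.

```python
# Constructed sample of `aws elbv2 describe-listeners` output for the two
# listeners from Step 1; ARNs are placeholders.
SAMPLE_LISTENERS = {"Listeners": [
    {"Port": 80, "Protocol": "HTTP",
     "ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/acvits-alb/ID/1",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:...:targetgroup/PLACEHOLDER"}]},
    {"Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08",
     "ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/acvits-alb/ID/2",
     "Certificates": [{"CertificateArn": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:...:targetgroup/PLACEHOLDER"}]},
]}

# Default action that turns the port-80 listener into an HTTPS redirect, usable with:
#   aws elbv2 modify-listener --listener-arn <ARN> --default-actions '<this dict as JSON>'
REDIRECT_TO_HTTPS = {"Type": "redirect", "RedirectConfig": {
    "Protocol": "HTTPS", "Port": "443", "Host": "#{host}", "Path": "/#{path}",
    "Query": "#{query}", "StatusCode": "HTTP_301"}}


def audit_listeners(describe_output):
    """Return (port, finding) tuples for listener settings worth fixing.

    An HTTPS listener must carry a certificate (the load balancer terminates
    TLS with it); a plain HTTP listener should redirect to HTTPS rather than
    forward cleartext; and there must be at least one HTTPS listener.
    """
    findings = []
    listeners = describe_output["Listeners"]
    for lst in listeners:
        port, proto = lst["Port"], lst["Protocol"]
        if proto == "HTTPS" and not lst.get("Certificates"):
            findings.append((port, "HTTPS listener has no certificate attached"))
        elif proto == "HTTP":
            actions = lst.get("DefaultActions") or [{}]
            if actions[0].get("Type") != "redirect":
                findings.append((port, "HTTP listener forwards cleartext; redirect to HTTPS"))
    if not any(l["Protocol"] == "HTTPS" for l in listeners):
        findings.append((None, "no HTTPS listener configured"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_listeners(SAMPLE_LISTENERS):
        print(f"port {port}: {finding}")
```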
Step 3: Configure a Security Group
The security group for your load balancer must allow it to communicate with registered targets on both the listener port and the health check port. The console can create a security group for your load balancer on your behalf with rules that allow this communication.
To configure a security group for your load balancer
1. Choose Select an existing security group.
2. Your CloudFormation template has already created a security group. You can find its name on the ‘Resources’ tab of the CloudFormation template. Select that security group from the listed security group IDs.
3. Choose Next: Configure Routing.
Step 4: Configure a Target Group
You register targets with a target group. The target group that you configure in this step is used as the target group in the default listener rule, which forwards requests to the target group.
To configure your target group
1. For Target group, keep the default, New target group.
2. For Name, type a name for the target group.
3. Keep the default Protocol HTTP and Port 80.
4. For Target type, choose instance to specify targets by instance ID.
5. For Health checks, keep the default health check settings.
6. Choose Next: Register Targets.
Step 5: Configure Targets for the Target Group
With an Application Load Balancer, you will register targets by instance ID.
To register targets by instance ID
1. For Instances, select one or more instances.
2. Type the instance listener port, and then choose Add to registered.
3. When you have finished registering instances, choose Next: Review.
Step 6: Create the Load Balancer
After creating your load balancer, you can verify that your targets have passed the initial health check and then test that the load balancer is sending traffic to your targets.
To create the load balancer
1. On the Review page, choose Create.
2. After the load balancer is created, choose Close.
Step 7: Update DNS Records in Route 53
From the AWS Services page, go to the ‘Networking and Content Delivery’ section and select ‘Route 53’.
From the DNS Management box, click the ‘Hosted Zones’ link.
On the ‘Hosted Zones’ page, double-click your domain name.
Select the naked (apex) domain entry and go to the ‘Edit Record Set’ section.
Keep the ‘Type’ value.
For ‘Alias’, change the radio button from ‘No’ to ‘Yes’ to populate the ‘Alias Target’ drop-down box.
Under ‘ELB Application Load Balancers’, select your load balancer entry and click the ‘Save Record’ button.
At this point, the application is available for access using your domain address URL.
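The ‘Alias: Yes’ choice above creates an alias A record rather than a CNAME, because a CNAME is not permitted at the zone apex. The following added example (not AWS code) builds that record as a Route 53 change batch from the output of `aws elbv2 describe-load-balancers`; the sample load balancer JSON is constructed, and its DNS name and canonical hosted zone id are placeholders.

```python
# Constructed sample of `aws elbv2 describe-load-balancers` output for the
# ALB created above; DNS name and hosted zone id are placeholders.
SAMPLE_ALB = {"LoadBalancers": [{
    "LoadBalancerName": "acvits-alb", "Scheme": "internet-facing",
    "DNSName": "acvits-alb-PLACEHOLDER.REGION.elb.amazonaws.com",
    "CanonicalHostedZoneId": "ZPLACEHOLDERALB"}]}


def alias_change_batch(domain, alb):
    """Return a Route 53 ChangeBatch aliasing `domain` to the ALB (Alias = Yes).

    At the zone apex only an alias A record is allowed, not a CNAME, which is
    why the console step switches Alias to Yes. The alias target's hosted zone
    id is the ALB's canonical zone, not your own hosted zone, and an alias
    record carries no TTL of its own.
    """
    if alb["Scheme"] != "internet-facing":
        raise ValueError(f"{alb['LoadBalancerName']} is internal; not reachable from the Internet")
    return {"Comment": f"{domain} -> {alb['LoadBalancerName']}", "Changes": [{
        "Action": "UPSERT", "ResourceRecordSet": {
            "Name": domain.rstrip(".") + ".", "Type": "A",
            "AliasTarget": {"HostedZoneId": alb["CanonicalHostedZoneId"],
                            "DNSName": alb["DNSName"],
                            "EvaluateTargetHealth": False}}}]}


if __name__ == "__main__":
    import json
    # Feed to: aws route53 change-resource-record-sets --hosted-zone-id <ZONE_ID>
    #   --change-batch file://alias.json
    print(json.dumps(alias_change_batch("acvitsdemo.com", SAMPLE_ALB["LoadBalancers"][0]), indent=2))
```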