Question 108024 in Amazon Web Sevices Question posted in
The official Amazon Web Services documentation can be found here.

Amazon web services – What is the easiest and fastest way to add HTTPS to an AWS EC2 instance?

I created an EC2 instance. It has a default URL like this:

http(s)://ec2-000-000-000-000.us-east-1.compute.amazonaws.com

I’m ok with this URL, the server is to be used for API calls, so I don’t care about it – any URL will do, but I need it to be HTTPS (because it will be called from frontend of a website with HTTPS).

I know that I need a certificate, but I didn’t find a way to get a certificate for the standard EC2 URL.
So the question is: what is the easiest and fastest way to configure HTTPS without using a custom domain? If there are many ways, please, list them all.

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    It turned out to be pretty easy - it can be done with API Gateway.

    1. Create HTTP (not REST) API Gateway.
    2. Create a route: ANY /{path+}
    3. Attach an integration to the route with URI: http://ec2-000-000-000-000.us-east-1.compute.amazonaws.com:3000/{path} (the port number is up to you)

    That's it, now API Gateway HTTPS URL can be used: https://00000000.execute-api.us-east-1.amazonaws.com.

    The only downside - it's accessible from both API gateway and the EC2 original HTTP link. It can be solved with Network Load Balancer and VPC link. In the EC2 security group you should allow connection only from your VPC (something like 172.31.0.0/16 should work), or more precisely only from the availability zones of the Network Load Balancer. Read more here: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-private-integration.html

    Of course, API Gateway isn't free - you have to pay. And also you have to pay for the Network Load Balancer.

    Alternatively you can configure CloudFront (there is a fee tier, but after it, you have to pay for the transferred data too) - maybe it will work, but it doesn't seem any better than API Gateway. I haven't tried it.

    Also, you can use a secret prefix in the URL (and use it only in the API Gateway config) to make the URL effectively inaccessible without API Gateway and not configure the load balancer. As a temporary solution it's enough. In the long term, maybe it's worth using a custom domain for HTTPS.


  2. 0

    Option 1 (keeping ec2-000-000-000-000.us-east-1.compute.amazonaws.com domain):

    You can only generate a self-signed cert, which I guess it’s not what you want since browsers could block it.

    Option 2 (using custom domain):

    Issue a free cert with https://letsencrypt.org/

    Option 3:

    Spin up a load balancer in front of your EC2 instance with AWS Certificate Manager and point your API to the LB endpoint https://aws.amazon.com/premiumsupport/knowledge-center/associate-acm-certificate-alb-nlb/

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search