I created an EC2 instance. It has a default URL like this:
http(s)://ec2-000-000-000-000.us-east-1.compute.amazonaws.com
I’m ok with this URL, the server is to be used for API calls, so I don’t care about it – any URL will do, but I need it to be HTTPS (because it will be called from the frontend of a website served over HTTPS).
I know that I need a certificate, but I didn’t find a way to get a certificate for the standard EC2 URL.
So the question is: what is the easiest and fastest way to configure HTTPS without using a custom domain? If there are many ways, please, list them all.
2 Answers
It turned out to be pretty easy - it can be done with API Gateway.

    ANY
    /{path+}
    http://ec2-000-000-000-000.us-east-1.compute.amazonaws.com:3000/{path}

(the port number is up to you)

That's it, now the API Gateway HTTPS URL can be used:

    https://00000000.execute-api.us-east-1.amazonaws.com

The only downside - it's accessible from both the API Gateway and the original EC2 HTTP link. It can be solved with a Network Load Balancer and a VPC link. In the EC2 security group you should allow connections only from your VPC (something like 172.31.0.0/16 should work), or more precisely only from the availability zones of the Network Load Balancer. Read more here: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-private-integration.html

Of course, API Gateway isn't free - you have to pay. And also you have to pay for the Network Load Balancer.

Alternatively you can configure CloudFront (there is a free tier, but after it, you have to pay for the transferred data too) - maybe it will work, but it doesn't seem any better than API Gateway. I haven't tried it.

Also, you can use a secret prefix in the URL (and use it only in the API Gateway config) to make the URL effectively inaccessible without API Gateway and not configure the load balancer. As a temporary solution it's enough. In the long term, maybe it's worth using a custom domain for HTTPS.
Option 1 (keeping ec2-000-000-000-000.us-east-1.compute.amazonaws.com domain):
You can only generate a self-signed cert, which I guess is not what you want, since browsers could block it.
Option 2 (using custom domain):
Issue a free cert with https://letsencrypt.org/
Option 3:
Spin up a load balancer in front of your EC2 instance with an AWS Certificate Manager certificate and point your API to the LB endpoint: https://aws.amazon.com/premiumsupport/knowledge-center/associate-acm-certificate-alb-nlb/