How to create a protected external website environment.
- Request the certificate in ACM (in the same region as the ALB) that will be used to enable HTTPS on the ALB.
- Add the DNS validation record for that certificate so that it is issued; the ALB cannot use it until its status is "Issued".
- Create the ALB target group and register the web instance. Later you might have to adjust the health check "path" and "success codes" to match what the backend actually returns; a target that fails its health check receives no traffic.
- IMPORTANT: the ALB needs at least two public subnets in different AZs, and one of them must be in the same AZ as the private web instance. A registered target in an AZ that is not enabled on the load balancer receives no traffic, so the LB will not function if you miss this. The second subnet can be any public one, unless there is a second web instance in another AZ; in that case enable that AZ too and adjust the target registration and load balancing rules accordingly.
- Create an HTTP listener on port 80 whose only action is a redirect (HTTP 301) to HTTPS, so nothing is forwarded in clear text.
- Create an HTTPS listener on port 443, bound to the ACM certificate, that forwards to the target group.
- Create SG "ALB-external" for the ALB, allowing inbound 80 and 443 only from the approved public IP ranges.
- Create SG "ALB-internal" for the web instance, allowing inbound only from the "ALB-external" security group (reference the SG ID, not an IP range), so the LB can run health checks and route traffic while nothing else can reach the instance directly. The allowed port is 80 or 443, depending on whether the private VPC hop from the LB to the web instance needs to be encrypted with a self-signed IIS cert (the ALB does not validate the backend certificate, so self-signed is fine). IMPORTANT: if that hop is encrypted, change the target group to protocol HTTPS on port 443 instead of HTTP on port 80, otherwise the health checks fail.
- Create the WAF web ACL (regional scope) and associate it with the ALB.
- Add appropriate AWS Managed rule groups, such as "Amazon IP reputation list" and "Known bad inputs". These come at no additional charge, unlike the custom rule created in the next step.
- Usually a "US Only" rule should be created: a geo-match rule so that only requests whose source country is US are allowed through.
- Add the desired CNAME for the FQDN on the certificate, pointing at the ALB's DNS name (or, in Route 53, an alias A record to the ALB); an ALB has no fixed IP address, so do not point the name at an IP.
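The steps above, written as Terraform. This is an added example, not configuration from the original post. The var.* inputs are hypothetical names for this example: vpc_id, public_subnet_ids (two public subnets in different AZs, one of them in the web instance's AZ), web_instance_id, cert_arn (an ACM certificate that has already passed DNS validation), allowed_cidrs (the approved public ranges), and backend_port (80, or 443 when the ALB-to-IIS hop must be TLS).

```hcl
# Added example, not the post's own config. var.* inputs are hypothetical.
# backend_port: 80 for a clear-text private hop, 443 when IIS terminates TLS
# with a self-signed cert (the ALB does not validate the backend cert).

resource "aws_security_group" "alb_external" { # public edge, allow-listed IPs
  name   = "ALB-external"
  vpc_id = var.vpc_id
  dynamic "ingress" {
    for_each = [80, 443]
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = var.allowed_cidrs
    }
  }
  egress {                                     # needed for health checks
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "alb_internal" { # web instance: ALB SG only
  name   = "ALB-internal"
  vpc_id = var.vpc_id
  ingress {
    from_port       = var.backend_port
    to_port         = var.backend_port
    protocol        = "tcp"
    security_groups = [aws_security_group.alb_external.id]
  }
}

resource "aws_lb_target_group" "web" {
  name     = "web-tg"
  vpc_id   = var.vpc_id
  port     = var.backend_port
  protocol = var.backend_port == 443 ? "HTTPS" : "HTTP"
  health_check {
    path    = "/"       # adjust to a page the backend really serves
    matcher = "200-399" # the "success codes"; widen if IIS redirects
  }
}

resource "aws_lb_target_group_attachment" "web" {
  target_group_arn = aws_lb_target_group.web.arn
  target_id        = var.web_instance_id
}

resource "aws_lb" "web" {                      # application LB, two AZs
  name            = "web-alb"
  subnets         = var.public_subnet_ids
  security_groups = [aws_security_group.alb_external.id]
}

resource "aws_lb_listener" "http" {            # redirect only, never forward
  load_balancer_arn = aws_lb.web.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.cert_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}
```

The point of the two security groups is that "ALB-internal" never names an IP range: it admits only traffic whose source carries the "ALB-external" group, so even another host inside the VPC cannot talk to the instance without going through the listener and the WAF. Switching backend_port to 443 flips the target group to HTTPS, which is the change the IMPORTANT note above is about.

The WAF and DNS steps, as a second added block in the same style (again not the post's own config). It is written to stand alone: var.alb_arn and var.alb_dns_name are hypothetical inputs carrying the ALB's ARN and DNS name, and var.zone_id and var.fqdn name the hosted zone and the FQDN on the certificate.

```hcl
# Added example, not the post's own config. var.* inputs are hypothetical.
# Default action is block, so "US only" is the single allow rule; the
# managed groups run first (lower priority number) and block known bad
# sources before the geo rule lets anything through.

resource "aws_wafv2_web_acl" "web" {
  name  = "web-acl"
  scope = "REGIONAL"                           # ALBs use the regional scope
  default_action {
    block {}
  }
  dynamic "rule" {                             # AWS managed groups from the post
    for_each = ["AWSManagedRulesAmazonIpReputationList", "AWSManagedRulesKnownBadInputsRuleSet"]
    content {
      name     = rule.value
      priority = rule.key + 1
      override_action {
        none {}                                # keep the group's own block actions
      }
      statement {
        managed_rule_group_statement {
          name        = rule.value
          vendor_name = "AWS"
        }
      }
      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = rule.value
        sampled_requests_enabled   = true
      }
    }
  }
  rule {                                       # custom "US only" geo rule
    name     = "allow-us"
    priority = 10
    action {
      allow {}
    }
    statement {
      geo_match_statement {
        country_codes = ["US"]
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-us"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "web-acl"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "web" { # attach the ACL to the ALB
  resource_arn = var.alb_arn
  web_acl_arn  = aws_wafv2_web_acl.web.arn
}

resource "aws_route53_record" "web" {          # CNAME for the cert's FQDN
  zone_id = var.zone_id
  name    = var.fqdn
  type    = "CNAME"
  ttl     = 300
  records = [var.alb_dns_name]
}
```

Before relying on the geo rule, check the sampled requests in the WAF console: health-check and redirect traffic never reaches the WAF, but any legitimate client outside the US (monitoring services, a vendor) will show up there as blocked and needs an explicit allow rule with a lower priority number than "allow-us".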