Add an example of setting up HTTPS on ApplicationLoadBalancedFargateService
An example showing the recommended way of enabling HTTPS on an ApplicationLoadBalancedFargateService.
Use Case
I am having issues enabling HTTPS in my ApplicationLoadBalancedFargateService. I have been digging many issues and StackOverflow issues and trying to wrap my head around all the possible configurations. Should I add certificate to the service directly? Then I need to set up domains. Should I create an entirely new ApplicationLoadBalancer? Should I add a listener for 443 in the loadBalancer property?
There is no clear path and the documentation is somewhat inconsistent as to how to do it.
- 👋 I may be able to implement this feature request
- ⚠️ This feature might incur a breaking change
This is a 🚀 Feature Request
Issue Analytics
- State:
- Created 3 years ago
- Reactions:10
- Comments:18 (3 by maintainers)
If you wanted to add a certificate to this pattern, you first need to create a certificate construct in the constructor:
Then in the properties of the ecs pattern add the certificate and redirectHTTP (optional, but recommended) properties.
That’s it!
In this example, I’m not using an AWS hosted zone, so when this deploys the certificate will be stuck in a pending state. You will need to go to AWS Certificate Manager, open the certificate and copy and paste the CNAME to your DNS provider.
If you wanted to add an AWS Hosted zone, you can create one by adding the following construct to the constructor:
Then in AWS Certificate manager, open the certificate and there’s a blue button that you click that will create the record for you. Don’t forget to delegate to your hosted zone from your DNS provider or else you’ll be in the pending waiting room.
Hope this helps!
Nice! You’re almost there. For the HTTPS piece you need to make the certificate and attach it to the service and cloudfront. Note that Cloudfront is based in us-east-1, so your certificate for cloudfront must be in us-east-1. (You can also make a crossZoneDNS cert… search for DnsValidatedCertificate in the @aws-cdk/aws-certificatemanager library)
Assuming that you’re creating this in us-east-1, you can first create your cert:
Then on your ApplicationLoadBalancedFargateService add the certificate property. Then add the certificate and domainName property to your cloud front. Also make sure to add allowedMethods and viewerProtocolPolicy otherwise cloudfront won’t forward your requests on.
That should get you set up on whatever domain name you pick. Make sure you have the proper delegation/own the zone, and if the zone is hosted by google, or some other provider, that you can add the certificate validation CNAME, otherwise cloudformation will hang forever (3 hrs, but feels like forever). Recommend creating the route53 hostedZone in aws and then let certificate manager create the records for you. Then all you need to do is delegate to that hosted zone and you’re good to go.
Also I was able to find an example write up which is pretty similar to this here: https://enlear.academy/aws-cdk-a-beginners-guide-with-examples-424c600ac409
The big difference I see here is that they terminate ssl at cloud front. Doing the above terminates at the ALB. Not sure how important that is to ya, but /shrug.
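For the ALB-terminated setup the comments above describe (certificate plus redirectHTTP), the following check can be run over the synthesized CloudFormation template to confirm that port 443 carries a certificate and that plain HTTP only redirects. It is an added example, not code from the issue thread or the CDK project; the function name auditListeners and both sample templates are constructed for illustration, and it assumes the cdk synth JSON output has already been loaded into an object.

```typescript
// Added example: audit ALB listeners in a synthesized CloudFormation template.
type Listener = {
  Port?: number;
  Protocol?: string;
  Certificates?: { CertificateArn?: unknown }[];
  DefaultActions?: { Type?: string; RedirectConfig?: { Protocol?: string; StatusCode?: string } }[];
};
type Template = { Resources: Record<string, { Type: string; Properties?: Listener }> };

function auditListeners(template: Template): string[] {
  const findings: string[] = [];
  let httpsSeen = false;
  for (const [id, res] of Object.entries(template.Resources)) {
    if (res.Type !== "AWS::ElasticLoadBalancingV2::Listener") continue;
    const p = res.Properties ?? {};
    if (p.Protocol === "HTTPS") {
      httpsSeen = true;
      // An HTTPS listener without a certificate reference cannot terminate TLS.
      if (!p.Certificates?.some((c) => c.CertificateArn !== undefined)) {
        findings.push(`${id}: HTTPS listener has no certificate`);
      }
    } else if (p.Protocol === "HTTP") {
      // Plain HTTP is acceptable only when every default action redirects to HTTPS.
      const actions = p.DefaultActions ?? [];
      const redirectsOnly = actions.length > 0 &&
        actions.every((a) => a.Type === "redirect" && a.RedirectConfig?.Protocol === "HTTPS");
      if (!redirectsOnly) {
        findings.push(`${id}: HTTP listener serves traffic instead of redirecting to HTTPS`);
      }
    }
  }
  if (!httpsSeen) findings.push("no HTTPS listener defined");
  return findings;
}

// Constructed sample templates (logical IDs and the certificate Ref are made up).
const hardened: Template = { Resources: {
  Https: { Type: "AWS::ElasticLoadBalancingV2::Listener", Properties: {
    Port: 443, Protocol: "HTTPS", Certificates: [{ CertificateArn: { Ref: "SampleCert" } }],
    DefaultActions: [{ Type: "forward" }] } },
  Http: { Type: "AWS::ElasticLoadBalancingV2::Listener", Properties: {
    Port: 80, Protocol: "HTTP",
    DefaultActions: [{ Type: "redirect", RedirectConfig: { Protocol: "HTTPS", StatusCode: "HTTP_301" } }] } },
} };
const httpOnly: Template = { Resources: {
  Http: { Type: "AWS::ElasticLoadBalancingV2::Listener", Properties: {
    Port: 80, Protocol: "HTTP", DefaultActions: [{ Type: "forward" }] } },
} };

console.log(auditListeners(hardened), auditListeners(httpOnly));
```

An empty result means every listener in the template is either HTTPS with a certificate or an HTTP listener that only redirects.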