Ad

What Is The Easiest And Fastest Way To Add HTTPS To An AWS EC2 Instance?

- 1 answer

I created an EC2 instance. It has a default URL like this:

http(s)://ec2-000-000-000-000.us-east-1.compute.amazonaws.com

I'm ok with this URL, the server is to be used for API calls, so I don't care about it - any URL will do, but I need it to be HTTPS (because it will be called from frontend of a website with HTTPS).

I know that I need a certificate, but I didn't find a way to get a certificate for the standard EC2 URL. So the question is: what is the easiest and fastest way to configure HTTPS without using a custom domain? If there are many ways, please, list them all.

Ad

Answer

It turned out to be pretty easy - it can be done with API Gateway.

  1. Create HTTP (not REST) API Gateway.
  2. Create a route: ANY/{path+}
  3. Attach an integration to the route with URI: http://ec2-000-000-000-000.us-east-1.compute.amazonaws.com:3000/{path} (the port number is up to you)

That's it, now API Gateway HTTPS URL can be used: https://00000000.execute-api.us-east-1.amazonaws.com.

The only downside - it's accessible from both API gateway and the EC2 original HTTP link. It can be solved with Network Load Balancer and VPC link. In the EC2 security group you should allow connection only from your VPC (something like 172.31.0.0/16 should work), or more precisely only from the availability zones of the Network Load Balancer. Read more here: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-private-integration.html

Of course, API Gateway isn't free - you have to pay. And also you have to pay for the Network Load Balancer.

Alternatively you can configure CloudFront (there is a fee tier, but after it, you have to pay for the transferred data too) - maybe it will work, but it doesn't seem any better than API Gateway. I haven't tried it.

Also, you can use a secret prefix in the URL (and use it only in the API Gateway config) to make the URL effectively inaccessible without API Gateway and not configure the load balancer. As a temporary solution it's enough. In the long term, maybe it's worth using a custom domain for HTTPS.

Ad
source: stackoverflow.com
Ad