DEV Community

Muditha Madusith

AWS Certificate Manager Implementation

Introduction

In this session, we will discuss the AWS Certificate Manager (ACM) and implement a demo showcasing how to secure a URL using SSL/TLS certificates. The following steps outline the process:

  1. Request Initiation: The user will make a request using a specific URL.
  2. Route 53: The request will land on AWS Route 53, which will forward it to our Application Load Balancer.
  3. Application Load Balancer: The load balancer will direct traffic to our EC2 instance, where the application is hosted.
  4. Certificate Issuance: To secure the URL, we will use AWS Certificate Manager to issue the necessary certificates.
  5. Route 53 Configuration: We will then create the certificate's DNS records in Route 53, allowing us to use HTTPS.

Implementation Steps

Let's break down the implementation into several steps:

  1. AWS Account Setup: Start by ensuring you have access to an AWS account.
  2. VPC Setup: Create a Virtual Private Cloud (VPC) within your AWS account.
  3. Subnet Creation: Establish a subnet within that VPC.
  4. Internet Gateway Setup: Set up an Internet Gateway for external access.
  5. Route Table Configuration: Configure the route table to manage traffic.
  6. EC2 Instance Launch: Launch an EC2 instance to run your application.
  7. Application Load Balancer Creation: Set up an Application Load Balancer to enable user access to the application hosted on the EC2 instance, using the load balancer’s DNS name.
  8. Route 53 Configuration: Configure Route 53 to manage DNS records for your domain.

Once Route 53 is configured, users can make requests using the specified URL (e.g., http://mydomain.com) to access the service running on the EC2 instance.

Transition to HTTPS

It is essential to note that initially, the URL is accessed using HTTP. To secure the connection with HTTPS, we will use AWS Certificate Manager to generate SSL/TLS certificates. After creating these certificates, we will insert the relevant records into AWS Route 53.

Once this setup is complete, users will be able to access the application using the secure URL (e.g., https://mydomain.com).

Setup VPC

To begin our demo, we will first set up a Virtual Private Cloud (VPC) in our AWS account. Here’s how to do it step by step:

  1. Access the AWS Console: Log into your AWS account and navigate to the AWS Management Console.
  2. Search for VPC: In the search box at the top of the console, type "VPC" and select it from the dropdown menu.
  3. Create a VPC:
    • Click on the "Create VPC" button.
    • Choose the "VPC only" option.
    • Name Your VPC: Enter a name for your VPC, such as test-VPC.
    • IP Range: Specify the IP range for your VPC. For example, you can use 12.0.0.0/16.
    • Keep the default tenancy settings.
  4. Create the VPC: Click on the "Create VPC" button.

Once the process is complete, you will see a confirmation message indicating that your test-VPC has been created. You can verify this by navigating to your VPC section in the console.

Setup Subnet

After creating the VPC, the next step is to set up subnets. Follow these steps to create subnets within the VPC:

  1. Access the VPC Dashboard: Go back to your AWS Management Console and navigate to the VPC dashboard.
  2. Create a Subnet:
    • Click on "Subnets" in the left navigation panel.
    • Click on the "Create subnet" button.
  3. Select the VPC:
    • Choose the VPC you just created (test-VPC).
  4. Configure Subnet Details:
    • Name Tag: Enter a name for the first subnet, such as test-public-subnet-1A.
    • Availability Zone: Select the availability zone (for example, eu-central-1a).
    • IP Address Range: Specify the IP range for your subnet. You can use 12.0.1.0/24, which will provide 256 IP addresses.
  5. Add Another Subnet:
    • To increase availability, create another subnet in a different availability zone.
    • Copy the name from the previous subnet and change it to test-public-subnet-1B.
    • Change the availability zone to eu-central-1b.
    • Set the IP range to 12.0.2.0/24, ensuring it differs from the first subnet.
  6. Create the Subnets: Click the "Create subnet" button.

After completing these steps, you will see that both subnets (test-public-subnet-1A and test-public-subnet-1B) have been created successfully.

Setup Internet Gateway

After creating the subnets, the next resource to create is the Internet Gateway, which will allow external access to the VPC. Follow these steps to set up an Internet Gateway:

  1. Access the VPC Dashboard: Go back to the AWS Management Console and navigate to the VPC dashboard.
  2. Locate Internet Gateways:
    • In the left navigation menu, find and click on "Internet Gateways."
  3. Create a New Internet Gateway:
    • Click on the "Create internet gateway" button.
    • Name Tag: Enter a name for the Internet Gateway, such as test-igw (short for Internet Gateway).
  4. Create the Internet Gateway: Click on the "Create internet gateway" button. You will see a confirmation that your Internet Gateway has been created.
  5. Attach the Internet Gateway to the VPC:
    • To connect the Internet Gateway to your VPC, look for the "Attach to VPC" option on the green bar or go to the "Actions" dropdown menu and select "Attach to VPC."
    • Choose the VPC you created earlier (test-VPC) from the list and click on "Attach internet gateway."

After these steps, your Internet Gateway will be successfully attached to the VPC, enabling internet access for resources within the VPC.

Setup Route Table

After creating the Internet Gateway, the next resource to set up is the Route Table. This will help manage traffic routing within your VPC. Follow these steps to create and configure a Route Table:

  1. Access the VPC Dashboard: Go back to the AWS Management Console and navigate to the VPC dashboard.
  2. Locate Route Tables:
    • In the left navigation menu, find and click on "Route Tables."
  3. Create a New Route Table:
    • Click on the "Create route table" button.
    • Name Tag: Enter a name for your route table, such as RT-public, indicating that this is a public route table.
    • VPC Selection: Choose the VPC (test-VPC) where you want to create the route table.
  4. Create the Route Table: Click on the "Create route table" button. You should see a confirmation that your route table has been created.
  5. Associate the Route Table with the Subnet:
    • Select the newly created route table (RT-public).
    • Click on the "Subnet Associations" tab.
    • Click on "Edit subnet associations."
    • Select the subnets you created earlier and click on "Save associations."
  6. Add Routes to the Route Table:
    • Go to the "Routes" tab within your route table.
    • Click on "Edit routes" and then "Add route."
    • In the destination field, enter 0.0.0.0/0 (this means all internet traffic).
    • For the target, choose "Internet Gateway" and select the Internet Gateway you created (test-igw).
    • Click on "Save routes."

After completing these steps, your public subnet will be able to access the internet through the Internet Gateway.

Summary

At this stage, you have successfully created a public Route Table, associated it with the public subnet, and configured it to allow internet access via the Internet Gateway.

Setting Up EC2 Instance

After configuring the Route Table, the next step is to set up an EC2 instance that will run your application. Follow these steps to launch an EC2 instance:

  1. Access the EC2 Dashboard:
    • Go back to the AWS Management Console and type EC2 in the search box. Click on the EC2 option.
  2. Launch an EC2 Instance:
    • Click on the "Launch Instances" button.
  3. Configure Instance Settings:
    • Name the Instance: Enter a name for your instance, such as test-ec2.
    • Choose an Amazon Machine Image (AMI): Select Ubuntu as the base operating system.
    • Instance Type: Choose t2.micro, which is eligible for the free tier.
  4. Configure Key Pair:
    • For key pair login, either create a new key pair or use an existing one. If creating a new one, download the private key file (.pem) for later use.
  5. Configure Network Settings:
    • Click on "Edit" under Network settings.
    • Select VPC: Choose the test-VPC that you created earlier.
    • Select Subnet: Choose one of the subnets (e.g., subnet-1A).
    • Auto-assign Public IP: Enable the option to auto-assign a public IP address.
  6. Configure Security Groups:
    • Keep the default security group for SSH access.
    • Add another security group rule for HTTP access:
      • Type: HTTP
      • Source: Anywhere (to allow access from all IP addresses).
  7. Configure Storage:
    • You can stick with the default storage of 8 GiB.
  8. Add User Data:
    • In the "Advanced details" section, add a script to install Apache on boot. Here’s a sample script:

      #!/bin/bash
      # EC2 user data: runs once as root on the first boot of the instance
      apt-get update
      apt-get install -y apache2
      # Replace the default Apache page with a simple test page
      echo "<h1>Hello World....</h1>" > /var/www/html/index.html
      systemctl restart apache2

  9. Launch the Instance:
    • Click on the "Launch instance" button. It may take a couple of minutes for the instance to become available.
  10. Verify the Instance:
    • Once the instance is running, click on the instance ID to view its details.
    • Copy the public IP address of the instance and paste it into a browser. You should see the Apache default homepage displaying the hostname of your EC2 instance.

Summary

At this point, you have successfully set up an EC2 instance running Ubuntu with Apache installed. While you are currently using the public IP address for verification, the next steps will involve creating a load balancer and configuring your domain to point to this instance.

Creating and Setting Up a Load Balancer

Now that the EC2 instance is running, the next step is to create and configure an Application Load Balancer (ALB). This will help distribute incoming traffic across multiple EC2 instances. Here's how to set it up:

  1. Access Load Balancing Section:
    • Go back to the AWS Management Console. In the EC2 dashboard, find the Load Balancing section in the left navigation menu.
  2. Create a Target Group:
    • Before creating the load balancer, you need to create a Target Group, which acts as a logical group for your EC2 instances.
    • Click on Target Groups and then on Create target group.
    • Select Target Type: Choose Instances.
    • Name the Target Group: Enter test-TG.
    • Protocol: Keep it as HTTP.
    • IP Address Type: Select IPv4.
    • VPC: Select your test-VPC.
    • Protocol Version: Keep it as HTTP1.
    • Health Check: Keep default settings and click Next.
  3. Register Targets:
    • You will see a list of instances. Select your EC2 instance and click on Include as pending below.
    • Click on Create Target Group. Your target group is now created, and the instance is registered.
  4. Create the Load Balancer:
    • Go back to the Load Balancing section and click on Load Balancers.
    • Click on Create Load Balancer and choose Application Load Balancer.
    • Name: Enter test-lb.
    • Scheme: Choose Internet-facing.
    • IP Address Type: Select IPv4.
    • VPC: Again, select your test-VPC.
    • Subnets: Select both subnet-1A and subnet-1B.
  5. Configure Security Group:
    • You will need to create a security group for the load balancer.
    • Click on Create Security Group:
      • Name: test-SG-for-lb.
      • Description: Allow SSH (Port 22) and HTTP (Port 80).
      • VPC: Select test-VPC.
    • Inbound Rules:
      • Rule 1: HTTP, Port 80, Source: Anywhere.
      • Rule 2: SSH, Port 22, Source: Anywhere.
    • Click on Create Security Group.
  6. Select Security Group:
    • Refresh the security group list and select test-SG-for-lb.
  7. Configure Listeners and Target Group:
    • In the Listeners section, ensure that it is set to listen on port 80 (HTTP).
    • Target Group: From the dropdown, select test-TG, which contains your EC2 instance.
  8. Create the Load Balancer:
    • Review your settings and click on Create Load Balancer.
    • It may take a few minutes for the load balancer to be provisioned.
  9. Verify Load Balancer Status:
    • Once the load balancer status changes to Active, click on it to view details.
    • Copy the DNS Name of the load balancer.
  10. Test the Load Balancer:
    • Open a new browser tab and paste the DNS name. Hit enter, and you should see the same Apache homepage as you did with the public IP of your EC2 instance.

Summary

You have successfully created an Application Load Balancer and configured it to route traffic to your EC2 instance. The DNS name of the load balancer serves as a public endpoint for your application.

Setting Up Route 53

  1. Create a Hosted Zone:
    • In the AWS console, search for Route 53 and go to the Hosted Zones section.
    • Click on Create Hosted Zone, enter your domain name (e.g., test.xyz), add a description, and select Public Hosted Zone.
    • The hosted zone will provide Name Server (NS) records.
  2. Update Domain Name Servers:
    • If you purchased the domain from another registrar (e.g., GoDaddy, Namecheap), copy the NS records from your Route 53 hosted zone and update your domain's DNS settings to point to these AWS Name Servers.
  3. Create a Record Set:
    • In your Route 53 hosted zone, create a record set (A record) that points to your Load Balancer.
    • Select Simple Routing, and define the record to point to your Load Balancer.
    • Ensure the record status is in sync.
  4. Test the Domain:
    • Wait for DNS changes to propagate, and then test the domain (e.g., test.xyz) to ensure it resolves to the Load Balancer and then to your EC2 instance.
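As an added example that is not part of the original post, this Python builds the Route 53 change that the console's "simple routing, alias to Application Load Balancer" record corresponds to. The ALB DNS name and its canonical hosted zone id are constructed placeholders; you would read the real ones from the load balancer's details page.

```python
# Constructed values (not from the post): the ALB's DNS name and the canonical
# hosted zone id that the load balancer's description reports for it.
ALB_DNS_NAME = "test-lb-123456789.eu-central-1.elb.amazonaws.com"
ALB_HOSTED_ZONE_ID = "ZEXAMPLEALBZONE"  # placeholder, not a real zone id


def _fqdn(name):
    """Route 53 stores names with a trailing dot; add it when missing."""
    return name if name.endswith(".") else name + "."


def alias_change_batch(zone_name, record_names, alb_dns_name, alb_zone_id):
    """Build the ChangeBatch for `aws route53 change-resource-record-sets` that
    points each name (the apex and any subdomains) at the load balancer.

    An alias A record is used instead of a CNAME: a CNAME is not allowed at the
    zone apex (test.xyz itself), and an alias lets Route 53 answer with the
    load balancer's current addresses without you having to track them.
    """
    zone = _fqdn(zone_name)
    changes = []
    for name in record_names:
        fqdn = _fqdn(name)
        if fqdn != zone and not fqdn.endswith("." + zone):
            raise ValueError(f"{name} is not inside hosted zone {zone_name}")
        changes.append({
            "Action": "UPSERT",  # idempotent: creates or replaces the record
            "ResourceRecordSet": {
                "Name": fqdn,
                "Type": "A",
                "AliasTarget": {
                    # the ALB's own zone id, not the id of your hosted zone
                    "HostedZoneId": alb_zone_id,
                    "DNSName": _fqdn(alb_dns_name),
                    "EvaluateTargetHealth": True,
                },
            },
        })
    return {"Comment": "Alias records to Application Load Balancer", "Changes": changes}


if __name__ == "__main__":
    import json
    batch = alias_change_batch("test.xyz", ["test.xyz", "www.test.xyz"],
                               ALB_DNS_NAME, ALB_HOSTED_ZONE_ID)
    print(json.dumps(batch, indent=2))
```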

Steps to Set Up HTTPS with AWS Certificate Manager

  1. Request a Certificate:
    • Navigate to AWS Certificate Manager in the AWS console.
    • Click on Request a Certificate and select Request a public certificate.
    • Enter your fully qualified domain name (e.g., mydomain.org) and choose DNS validation.
  2. Create DNS Records in Route 53:
    • After requesting the certificate, create the necessary DNS records in Route 53. You can use the Create Records in Route 53 button in the Certificate Manager to do this.
  3. Check Certificate Status:
    • Refresh the Certificate Manager page to ensure the status of the certificate changes from "Pending validation" to "Issued" after the DNS records propagate.
  4. Set Up Load Balancer:
    • Go to the EC2 dashboard and select your load balancer.
    • Add an HTTPS listener on port 443 and select the SSL certificate from ACM.
  5. Update Security Group:
    • Ensure your load balancer's security group allows inbound traffic on port 443 for HTTPS.
  6. Redirect HTTP to HTTPS:
    • Modify the HTTP listener rules in your load balancer to redirect HTTP requests to HTTPS. Set the action to redirect with a 301 status code.
  7. Verification:
    • Test accessing your domain with both HTTP and HTTPS. Ensure HTTP redirects to HTTPS correctly.
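As an added example (not code from the original post), this Python performs the verification of steps 3 to 7 against the JSON shapes that `aws acm describe-certificate` and `aws elbv2 describe-listeners` return: the certificate is issued and covers the domain, the port 443 listener references it, and the port 80 listener only redirects with a 301. The certificate and listener data are constructed samples with placeholder ARNs.

```python
# Constructed sample API output (not from the post), shaped like the JSON that
# `aws acm describe-certificate` and `aws elbv2 describe-listeners` return.
# The ARNs are placeholders.
CERT = {
    "CertificateArn": "arn:aws:acm:eu-central-1:111122223333:certificate/EXAMPLE",
    "DomainName": "mydomain.org",
    "SubjectAlternativeNames": ["mydomain.org"],
    "Status": "ISSUED",
}
LISTENERS = [
    {"Port": 80, "Protocol": "HTTP", "DefaultActions": [{"Type": "redirect",
     "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
    {"Port": 443, "Protocol": "HTTPS",
     "Certificates": [{"CertificateArn": CERT["CertificateArn"]}],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:PLACEHOLDER:targetgroup/test-TG"}]},
]


def covers(name, san):
    """True if a certificate name covers `name`; a wildcard matches one label only."""
    if san.startswith("*."):
        return name.count(".") == san.count(".") and name.endswith(san[1:])
    return name == san


def verify_https_setup(domain, cert, listeners):
    """Return a list of findings; an empty list means the ALB serves `domain`
    over HTTPS with the issued ACM certificate and redirects plain HTTP with a 301."""
    findings = []
    if cert["Status"] != "ISSUED":
        findings.append(f"certificate status is {cert['Status']}, not ISSUED")
    names = cert.get("SubjectAlternativeNames") or [cert["DomainName"]]
    if not any(covers(domain, n) for n in names):
        findings.append(f"certificate does not cover {domain}")
    by_port = {l["Port"]: l for l in listeners}
    https = by_port.get(443)
    if not https or https["Protocol"] != "HTTPS":
        findings.append("no HTTPS listener on port 443")
    elif cert["CertificateArn"] not in {c["CertificateArn"] for c in https.get("Certificates", [])}:
        findings.append("HTTPS listener does not reference the ACM certificate")
    http = by_port.get(80)
    if http:  # a plain HTTP listener is acceptable only if all it does is redirect
        action = http["DefaultActions"][0]
        rc = action.get("RedirectConfig", {})
        if action["Type"] != "redirect" or rc.get("Protocol") != "HTTPS" or rc.get("Port") != "443":
            findings.append("HTTP listener does not redirect to HTTPS on 443")
        elif rc.get("StatusCode") != "HTTP_301":
            findings.append(f"redirect status is {rc.get('StatusCode')}, expected HTTP_301")
    return findings


if __name__ == "__main__":
    print(verify_https_setup("mydomain.org", CERT, LISTENERS) or "OK")
```

The same function run with "www.mydomain.org" reports that the single-name certificate does not cover it, which is the case the Additional Considerations below address.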

Additional Considerations

  • If you need to support www or other subdomains, request additional certificates for those domains.
  • Keep in mind DNS propagation might take some time, so patience may be required after making changes.

This setup ensures secure connections to your application hosted on AWS, improving security and trust for users.
