Gist afternoon/5384101
```yaml
# vim: ft=yaml
# Elastic Load Balancer and Security Group configuration for the app
#
# - Allow anyone to connect to port 443 and office traffic to connect to
#   port 22
# - Ensure all traffic is encrypted by configuring load balancer to listen on
#   443 and direct traffic to port 443 on app servers
# - Enable cookie-based session stickiness
# - Use /status for health check
# - Enable backend authentication policy by providing public key for cert
Resources:
  AWSEBSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "Security group to allow HTTPS for all, SSH for office"
      SecurityGroupIngress:
        # Caveat: this is the instance security group, so opening tcp/443 to
        # 0.0.0.0/0 lets clients reach the app servers directly and bypass the
        # load balancer (and the backend authentication policy below).
        # Restricting the source to the load balancer's security group closes
        # that path.
        - {CidrIp: "0.0.0.0/0", IpProtocol: "tcp", FromPort: "443", ToPort: "443"}
        - {CidrIp: "176.35.225.76/32", IpProtocol: "tcp", FromPort: "22", ToPort: "22"}
  AWSEBLoadBalancer:
    Type: "AWS::ElasticLoadBalancing::LoadBalancer"
    Properties:
      Listeners:
        # Protocol only covers the client side. InstanceProtocol is set
        # explicitly so the hop to the instances is TLS as well; the last
        # comment on this page reports the backend hop using plain HTTP when
        # it is left out.
        - {LoadBalancerPort: 443, InstancePort: 443, Protocol: "HTTPS", InstanceProtocol: "HTTPS", SSLCertificateId: "arn:aws:iam::1234567890:server-certificate/server"}
      AppCookieStickinessPolicy:
        - {PolicyName: "lb-session", CookieName: "lb-session"}
      HealthCheck:
        HealthyThreshold: "3"
        Interval: "30"
        Target: "HTTPS:443/status"
        Timeout: "5"
        UnhealthyThreshold: "5"
      Policies:
        # Public key of the certificate the app servers present on port 443
        - PolicyName: "MyPubKey"
          PolicyType: "PublicKeyPolicyType"
          Attributes:
            - Name: "PublicKey"
              Value: "..."
        # The load balancer only forwards to instance ports listed here after
        # the server certificate matches the key policy named below
        - PolicyName: "BackendAuth"
          PolicyType: "BackendServerAuthenticationPolicyType"
          Attributes:
            - Name: "PublicKeyPolicyName"
              Value: "MyPubKey"
          InstancePorts:
            - "443"
```
Oh, I also added this security group, which allows inbound/outbound between the load balancer and the instances:

```yaml
# Sits under Resources: alongside the other resources
sslSecurityGroupIngress:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    # Inbound tcp/443 to the instance security group, sourced from the
    # load balancer's security group only
    GroupId: {Ref: AWSEBSecurityGroup}
    IpProtocol: tcp
    ToPort: 443
    FromPort: 443
    SourceSecurityGroupId: {Ref: AWSEBLoadBalancerSecurityGroup}
```
(Reviving this thread for a fix for others in future)

@pwaller: I think you need to append a 'sslSecurityGroupEgress' block which will actually allow the outbound access to the instances via HTTPS

```yaml
sslSecurityGroupEgress:
  Type: AWS::EC2::SecurityGroupEgress
  Properties:
    # Outbound tcp/443 from the instance security group to any destination
    GroupId: {"Ref": "AWSEBSecurityGroup"}
    IpProtocol: tcp
    ToPort: 443
    FromPort: 443
    CidrIp: 0.0.0.0/0
```
I also want to point out that configuring a health check URL for the load balancer alone will not cause an unhealthy instance to be automatically replaced with a new one. Instead, the default behavior is for the unhealthy instance to be removed from the load balancer.

In order to have unhealthy instances be terminated and replaced with new ones, you must also declare the following options for the AutoScaling resource:

```yaml
Resources:
  AWSEBAutoScalingGroup:
    Type: "AWS::AutoScaling::AutoScalingGroup"
    Properties:
      HealthCheckType: ELB
      HealthCheckGracePeriod: 300
```

The complete AWS note on the default behavior is pasted below, taken from the following AWS documentation: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.healthstatus.html#using-features.healthstatus.understanding

"Configuring a health check URL does not change the health check behavior of an environment's Auto Scaling group. An unhealthy instance is removed from the load balancer, but is not automatically replaced by Amazon EC2 Auto Scaling unless you configure Amazon EC2 Auto Scaling to use the Elastic Load Balancing health check as a basis for replacing instances."
The main issues I'm having are that the listener appears to be using the HTTP protocol to speak to the instances, and the health check is being ignored.
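The points raised across this gist and its comments (the backend hop needing an explicit HTTPS instance protocol, the public key policy wanting a bare base64 key, the instance security group exposing port 443 to the world, and the Auto Scaling group needing the ELB health check) can be checked statically before a deploy. The script below is an added example, not code from the gist or from any of the commenters: it audits a CloudFormation template held as a Python dict. `TEMPLATE` is a constructed rendering of the gist's resources (with a stand-in PEM in place of the elided key), `hardened()` is an assumed fixed variant written for this example, and the security group name `AWSEBLoadBalancerSecurityGroup` is taken from the comments above.

```python
"""Static audit of a classic-ELB Elastic Beanstalk template for the pitfalls
raised on this page. Added example, not code from the gist or its comments."""
import base64
import copy

# Constructed sample: the gist's Resources as a Python dict. The PublicKey
# value is a stand-in PEM wrapping a 5-byte DER SEQUENCE, not a real key.
TEMPLATE = {"Resources": {
    "AWSEBSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {"SecurityGroupIngress": [
            {"CidrIp": "0.0.0.0/0", "IpProtocol": "tcp", "FromPort": "443", "ToPort": "443"},
            {"CidrIp": "176.35.225.76/32", "IpProtocol": "tcp", "FromPort": "22", "ToPort": "22"},
        ]}},
    "AWSEBLoadBalancer": {
        "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
        "Properties": {
            "Listeners": [{"LoadBalancerPort": 443, "InstancePort": 443, "Protocol": "HTTPS",
                           "SSLCertificateId": "arn:aws:iam::1234567890:server-certificate/server"}],
            "Policies": [
                {"PolicyName": "MyPubKey", "PolicyType": "PublicKeyPolicyType",
                 "Attributes": [{"Name": "PublicKey",
                                 "Value": "-----BEGIN PUBLIC KEY-----\nMAMCAQE=\n-----END PUBLIC KEY-----\n"}]},
                {"PolicyName": "BackendAuth", "PolicyType": "BackendServerAuthenticationPolicyType",
                 "Attributes": [{"Name": "PublicKeyPolicyName", "Value": "MyPubKey"}],
                 "InstancePorts": ["443"]},
            ]}},
}}


def elb_public_key_value(pem):
    """Reduce a PEM public key to the bare one-line base64 body the ELB
    PublicKey attribute expects (BEGIN/END lines and newlines removed)."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:  # a DER SubjectPublicKeyInfo starts with a SEQUENCE tag
        raise ValueError("not a DER-encoded public key")
    return body


def audit(template):
    """Return a list of findings; an empty list means every check passed."""
    res = template["Resources"]

    def of(rtype):
        return {n: r.get("Properties", {}) for n, r in res.items() if r.get("Type") == rtype}

    findings, instance_ports = [], set()
    for name, lb in of("AWS::ElasticLoadBalancing::LoadBalancer").items():
        for l in lb.get("Listeners", []):
            instance_ports.add(str(l["InstancePort"]))
            # HTTPS on the front end says nothing about the hop to the instances.
            if l.get("Protocol") == "HTTPS" and l.get("InstanceProtocol") != "HTTPS":
                findings.append(f"{name}: listener to instance port {l['InstancePort']} lacks InstanceProtocol: HTTPS")
        pols = lb.get("Policies", [])
        pubkeys = {p["PolicyName"]: p for p in pols if p["PolicyType"] == "PublicKeyPolicyType"}
        for pname, p in pubkeys.items():
            val = next(a["Value"] for a in p["Attributes"] if a["Name"] == "PublicKey")
            if "-----" in val or "\n" in val:
                findings.append(f"{name}: policy {pname} PublicKey must be the bare base64 body, not a PEM block")
        backend = [p for p in pols if p["PolicyType"] == "BackendServerAuthenticationPolicyType"]
        if not backend:
            findings.append(f"{name}: no BackendServerAuthenticationPolicyType policy")
        for p in backend:
            ref = next(a["Value"] for a in p["Attributes"] if a["Name"] == "PublicKeyPolicyName")
            if ref not in pubkeys:
                findings.append(f"{name}: policy {p['PolicyName']} references unknown key policy {ref}")
            # The policy only protects the instance ports it is bound to.
            for port in instance_ports - {str(x) for x in p.get("InstancePorts", [])}:
                findings.append(f"{name}: backend authentication not applied to instance port {port}")
    # A world-open rule on a backend port lets clients reach the instances without the LB.
    for name, sg in of("AWS::EC2::SecurityGroup").items():
        for rule in sg.get("SecurityGroupIngress", []):
            if rule.get("CidrIp") == "0.0.0.0/0" and str(rule["FromPort"]) in instance_ports:
                findings.append(f"{name}: port {rule['FromPort']} open to 0.0.0.0/0 bypasses the load balancer")
    # Without HealthCheckType ELB, an instance failing /status is pulled from the LB but never replaced.
    if not any(a.get("HealthCheckType") == "ELB" for a in of("AWS::AutoScaling::AutoScalingGroup").values()):
        findings.append("no AutoScaling group uses HealthCheckType: ELB")
    return findings


def hardened(template):
    """Constructed fixed variant; each change mirrors a point made on the page."""
    t = copy.deepcopy(template)
    res = t["Resources"]
    lb = res["AWSEBLoadBalancer"]["Properties"]
    for l in lb["Listeners"]:
        l["InstanceProtocol"] = "HTTPS"
    for p in lb["Policies"]:
        if p["PolicyType"] == "PublicKeyPolicyType":
            p["Attributes"][0]["Value"] = elb_public_key_value(p["Attributes"][0]["Value"])
    # Only the load balancer's own security group may reach tcp/443 on the instances
    # (AWSEBLoadBalancerSecurityGroup is the name used in the comments above).
    res["AWSEBSecurityGroup"]["Properties"]["SecurityGroupIngress"][0] = {
        "SourceSecurityGroupId": {"Ref": "AWSEBLoadBalancerSecurityGroup"},
        "IpProtocol": "tcp", "FromPort": "443", "ToPort": "443"}
    res["AWSEBAutoScalingGroup"] = {"Type": "AWS::AutoScaling::AutoScalingGroup",
                                   "Properties": {"HealthCheckType": "ELB", "HealthCheckGracePeriod": 300}}
    return t


if __name__ == "__main__":
    for finding in audit(TEMPLATE):
        print("FINDING:", finding)
    print("after fixes:", audit(hardened(TEMPLATE)) or "clean")
```

Run as-is it reports four findings against the gist's template (missing `InstanceProtocol`, PEM-wrapped key, world-open instance port, no ELB-backed Auto Scaling health check) and none against the hardened variant. To use it on a real `.ebextensions` file, load the YAML into the same dict shape and pass it to `audit()`; the SSH rule is left alone because port 22 is not a listener's instance port.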