Cloud Vendor | Amazon AWS
Proficiency Level | Cloud Enthusiast
Tags | EC2, Load Balancer, Security Groups, Web Server
Summary
In this lab, you will configure an HTTPS Listener on an Application Load Balancer in Amazon AWS. You will upload a self-signed certificate to the Application Load Balancer and disable the HTTP listener to allow only secure traffic.
Each exercise below builds upon the previous one. You should start each new exercise from the last step of the previous exercise unless it is explicitly written otherwise.
Learning Objectives
After completion of this lab, you will be able to:
- Upload a self-signed certificate to an Application Load Balancer in Amazon AWS
- Configure an HTTPS Listener on the Application Load Balancer to enable secure Web traffic
- Disable the HTTP Listener on the Application Load Balancer to avoid unsecured traffic
Prerequisites
To complete this lab, you will need the following:
- Reliable internet connection
- A free AWS Account used to access the AWS Management Console
- You will need to complete one of the Creating a Self-Signed Certificate on Mac OS X or Creating a Self-Signed Certificate on Windows 10 labs
- You will need to complete the Creating an Application Load Balancer in AWS lab
- Follow the steps to determine the public IP address your local machine uses
- Follow the steps to determine the public IP addresses for your backend pool virtual machines
Determine the Public IP Address Your Local Machine Uses
Here is how you can determine the public IP address your local machine uses. This IP address cannot be used to access your local machine from the Internet, but it is the IP address that requests to services come from:
- Go to https://www.google.com
- Type what is my ip address in the search box
- Google will return the public IP address your local machine uses. Note this IP address; you will need it for the exercises
Determine the Public IP Addresses of the Target Group EC2 Instances
Here is how you can determine the IP address of the Application Gateway.
- Sign in to the AWS Management Console at https://aws.amazon.com/console/ using your AWS credentials
- In the Find Services search box, type EC2, and press Enter
- Find the computelab01-ec2-i01 EC2 instance in the list of instances and click on it
- On the Description tab below the list, note the IPv4 Public IP address of the EC2 instance
- Repeat steps 4 and 5 for the computelab01-ec2-i02 EC2 instance
Exercise #1: Create a Security Group in Amazon AWS
In this exercise, you will create a new Security Group in Amazon AWS and add inbound rules to it.
Steps
- Sign in to the AWS Management Console at https://aws.amazon.com/console/ using your AWS credentials
- In the Find Services search box, type EC2, and press Enter
- Click on the Security Groups link in the left-hand navigation
- Click on the button on top of the security groups list
- In the pop-up window, fill in the following information:
  Security group name → securitylab01-ec2-sg
  Description → Restrict HTTP access to Target Group
- Click on the button to add a new rule
- Select SSH for the Type field, and in the Source field, paste the public IP address your local machine uses (the address you obtained in the Prerequisites section), followed by /32
- Click on the button to add another rule
- Select HTTP for the Type field, and type computelablab01-ec2-sg in the Source field
- Click on the button to create the Security Group
- Milestone step: At this point, you have learned how to create a new Security Group in Amazon AWS and configure Inbound rules
Exercise #2: Configure the Target Group EC2 Instances to use the Security Group
In this exercise, you will configure the Target Group EC2 instances to use the new Security Group.
Steps
- Click on the Instances link in the left-hand navigation
- Find the computelab01-ec2-i01 EC2 instance in the list of instances and click on it
- Click on the button on top of the list and select Networking → Change Security Groups
- Deselect computelablab01-ec2-sg and select securitylab01-ec2-sg from the list
- Click on the button to save the Security Group changes
- Repeat steps 2 through 5 for the computelab01-ec2-i02 EC2 instance
- Milestone step: At this point, you have learned how to change the Security Group for EC2 instances in Amazon AWS
Exercise #3: Testing the Security Group (NSG) Rules for Web Traffic
In this exercise, you will test the web traffic rules you created in the Security Group.
Steps
- Open a new browser window and type the following in the address bar:
https://[the_application_load_balancer_ip_address]
- You should see the home page served by the webserver installed on the computelab01-ec2-i01 EC2 Instance
- Refresh the page
- You should see the home page served by the webserver installed on the computelab01-ec2-i02 EC2 Instance
- Milestone step: At this point, you have verified that the Target Group can serve requests via HTTPS through the Application Load Balancer
- Open a new browser tab and paste the computelab01-ec2-i01 EC2 Instance IP address in the address bar
- After some time, you should receive an error message or the page will time out
- Milestone step: At this point, you have verified that the computelab01-ec2-i01 EC2 Instance is not directly accessible via HTTP
- Open a new browser tab and paste the computelab01-ec2-i02 EC2 Instance IP address in the address bar
- After some time, you should receive an error message or the page will time out
- Milestone step: At this point, you have verified that the computelab01-ec2-i02 EC2 Instance is not directly accessible via HTTP
Exercise #4: Testing the Security Group (NSG) Rules for SSH Traffic
In this exercise, you will test the remote access rules you created in the Security Group using an SSH client. Make sure you execute the steps from the location whose public IP address you allowed in the Security Group.
Steps
- Open a Terminal (Mac OS/Linux) or Command Prompt (Windows) window
- Type the following command:
ssh [computelab01-ec2-i01_username]@[computelab01-ec2-i01_ip_address]
- Type in the [computelab01-ec2-i01_username] password
- You should connect to the computelab01-ec2-i01 EC2 Instance
- Milestone step: At this point, you have verified that you have remote access to the computelab01-ec2-i01 EC2 Instance using SSH
- Type exit
- Type the following command:
ssh [computelab01-ec2-i02_username]@[computelab01-ec2-i02_ip_address]
- Type in the [computelab01-ec2-i02_username] password
- You should connect to the computelab01-ec2-i02 EC2 Instance
- Milestone step: At this point, you have verified that you have remote access to the computelab01-ec2-i02 EC2 Instance using SSH
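The inbound rules built in Exercises 1 and 2 and the four connectivity checks performed in Exercises 3 and 4 can be reasoned about offline before you open the console. The Python script below is an added example and is not part of this lab or of AWS tooling: it models how inbound Security Group rules are evaluated (allow-list only, default deny, a rule's source may be a CIDR or another Security Group) and runs the lab's checks against that model. It assumes that computelablab01-ec2-sg is the group the Application Load Balancer remains in after the instances are moved to securitylab01-ec2-sg; the IP addresses and the Rule, SecurityGroup and Request names are constructed for illustration.

```python
"""Offline model of the Security Group built in Exercises 1 and 2 (added example).

All IP addresses below are constructed sample values (RFC 5737 ranges),
not real hosts. The group names are the ones used in the lab.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    protocol: str                       # "tcp" in this lab
    from_port: int
    to_port: int
    cidr: Optional[str] = None          # e.g. "203.0.113.10/32" (your public IP + /32)
    source_sg: Optional[str] = None     # traffic from any ENI that belongs to this group


@dataclass
class SecurityGroup:
    name: str
    inbound: List[Rule] = field(default_factory=list)


@dataclass(frozen=True)
class Request:
    dst_port: int
    protocol: str = "tcp"
    src_ip: Optional[str] = None        # set for traffic arriving from the Internet
    src_sg: Optional[str] = None        # set for traffic from an ALB/EC2 ENI in that group


def rule_matches(rule: Rule, req: Request) -> bool:
    """A rule matches when protocol, port range and source all match."""
    if rule.protocol != req.protocol:
        return False
    if not (rule.from_port <= req.dst_port <= rule.to_port):
        return False
    if rule.cidr is not None and req.src_ip is not None:
        return ipaddress.ip_address(req.src_ip) in ipaddress.ip_network(rule.cidr)
    if rule.source_sg is not None and req.src_sg is not None:
        return rule.source_sg == req.src_sg
    return False


def is_allowed(sg: SecurityGroup, req: Request) -> bool:
    # Security Groups have no deny rules: inbound traffic passes only if at
    # least one rule matches; everything else is dropped silently, which is
    # why the direct HTTP test in Exercise 3 times out instead of erroring fast.
    return any(rule_matches(r, req) for r in sg.inbound)


def overly_permissive(sg: SecurityGroup) -> List[str]:
    """Audit helper: flag SSH or all-ports rules that are open to the whole Internet."""
    findings = []
    for r in sg.inbound:
        world = r.cidr in ("0.0.0.0/0", "::/0")
        ssh_or_all = (r.from_port <= 22 <= r.to_port) or (r.from_port == 0 and r.to_port == 65535)
        if world and ssh_or_all:
            findings.append(f"{sg.name}: {r.protocol}/{r.from_port}-{r.to_port} open to {r.cidr}")
    return findings


MY_PUBLIC_IP = "203.0.113.10"       # constructed; stands in for the "what is my ip" result
ALB_SG = "computelablab01-ec2-sg"   # assumption: the group the load balancer stays in


def build_lab_sg(my_ip: str = MY_PUBLIC_IP) -> SecurityGroup:
    """securitylab01-ec2-sg exactly as configured in Exercise 1."""
    return SecurityGroup(
        name="securitylab01-ec2-sg",
        inbound=[
            Rule("tcp", 22, 22, cidr=f"{my_ip}/32"),      # SSH only from your location
            Rule("tcp", 80, 80, source_sg=ALB_SG),        # HTTP only from the load balancer
        ],
    )


def exercise_checks(sg: SecurityGroup) -> dict:
    """The four outcomes the lab verifies in Exercises 3 and 4."""
    return {
        "alb_http": is_allowed(sg, Request(80, src_sg=ALB_SG)),               # Exercise 3, via ALB
        "internet_http": is_allowed(sg, Request(80, src_ip="198.51.100.7")),  # Exercise 3, direct
        "admin_ssh": is_allowed(sg, Request(22, src_ip=MY_PUBLIC_IP)),        # Exercise 4
        "other_ssh": is_allowed(sg, Request(22, src_ip="198.51.100.7")),      # any other source
    }


if __name__ == "__main__":
    lab_sg = build_lab_sg()
    for check, result in exercise_checks(lab_sg).items():
        print(f"{check:14s} -> {'allowed' if result else 'denied'}")
    print("audit findings:", overly_permissive(lab_sg) or "none")
```

Because the HTTP rule references a Security Group rather than an IP range, it keeps working when the load balancer's private addresses change, while a direct request to an instance's public IP never matches and is dropped. The audit helper is the check a practitioner would add before saving the group: if your own address changes and someone widens the SSH source to 0.0.0.0/0 "just to get in", the model reports it.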
Last Update: October 27, 2019