AWS-issued (managed) TLS/SSL certificate for ELB/ALB


When I create an ELB (i.e. Application Load Balancer), Amazon gives it a DNS name e.g.:

myalb-1472119708.eu-central-1.elb.amazonaws.com

Now I would like to terminate TLS/SSL on my ALB. However, I don't want to attach my own certificate (e.g. from the Certificate Manager); I am OK with accessing my application via the default DNS name (of the ALB) through HTTPS:

https://myalb-1472119708.eu-central-1.elb.amazonaws.com

However, with the default configuration I can access my app via HTTP only:

http://myalb-1472119708.eu-central-1.elb.amazonaws.com

Does AWS support this (rhetorical question)? Any plans to add this feature in the near future? Thanks.


UPDATE: After all, it's not a hard feature to implement. Moreover, SSL is the de facto standard for running (secure) web apps today. I believe AWS can issue wildcard certificates for the ELB in every region, e.g.:

*.eu-central-1.elb.amazonaws.com

And then attach it to every ALB by default. Or publish a list of certificates' ARNs for every region. This would free developers from extra effort (buying a domain, registering a certificate in ACM) for their non-production projects.

CodePudding user response:

At the time of this writing, the only way to resolve this is by running your ALB/ELB behind CloudFront, which unlike ALB gives you a TLS certificate by default:

User -> CloudFront edge location (HTTPS) -> ALB (HTTP) -> Backend (HTTP)

Although CloudFront incurs extra costs, apart from the ability to cache static content it gives you faster TLS termination, which happens at its edge locations, thus reducing latency on the first two TLS handshake round trips (2 in theory, but practically 3 in the case of low-bandwidth clients).
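The CloudFront-in-front-of-ALB layout the answer describes, as an added CloudFormation example (not code from the original post): it assumes an existing ALB with a plain HTTP listener on port 80 and uses the ALB DNS name from the question as a placeholder origin, while HTTPS towards the user is terminated at the edge with CloudFront's default `*.cloudfront.net` certificate, so no ACM certificate or own domain is needed.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Constructed example: CloudFront distribution that terminates HTTPS with the
  default *.cloudfront.net certificate and forwards to an existing ALB over HTTP.

Parameters:
  AlbDnsName:
    Type: String
    # Placeholder: the ALB's default DNS name quoted in the question
    Default: myalb-1472119708.eu-central-1.elb.amazonaws.com

Resources:
  AlbDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Comment: HTTPS front for an ALB that has no certificate attached
        Origins:
          - Id: alb-origin
            DomainName: !Ref AlbDnsName
            CustomOriginConfig:
              # The ALB only has an HTTP listener, so the edge talks plaintext
              # to it (the ALB (HTTP) hop in the answer's diagram)
              OriginProtocolPolicy: http-only
              HTTPPort: 80
        DefaultCacheBehavior:
          TargetOriginId: alb-origin
          # Viewers arriving over plain HTTP are redirected to HTTPS
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          CachedMethods: [GET, HEAD]
          # AWS managed "CachingDisabled" cache policy: app responses are not cached
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad
          # AWS managed "AllViewer" origin request policy: headers, cookies and
          # query strings from the viewer reach the ALB unchanged
          OriginRequestPolicyId: 216adef6-5c7f-47e4-b989-5492eafa07d3
        ViewerCertificate:
          # No ACM certificate: CloudFront serves its own *.cloudfront.net cert
          CloudFrontDefaultCertificate: true

Outputs:
  HttpsUrl:
    Description: HTTPS entry point, served with the default CloudFront certificate
    Value: !Sub "https://${AlbDistribution.DomainName}"
```

The resulting URL uses the distribution's `*.cloudfront.net` name rather than the ALB's own `elb.amazonaws.com` name, and the CloudFront-to-ALB hop stays plaintext exactly as the answer's diagram shows.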
