# Notes
## HTTPS
### With load balancer
HTTPS can terminate at the load balancer.

The connection from the load balancer to the EC2 instances can then be plain HTTP.

From the front end all is well, as the connection is secure.

When terminating at the load balancer, `08-loadbalancer.config` shows the option setting:

<https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html>
## Database
Connecting an external DB: <https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.RDS.html>
Configure the Auto Scaling group to use an additional security group that allows ingress to the RDS instance.
You can configure the RDS credentials either with environment variables in the ELB config file, or use S3: <https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/rds-external-credentials.html>.
To create your own RDS instance you will need to create:

- A VPC - for the RDS
- Subnets - for the RDS
- A subnet group
- A security group

Use `aws ec2 describe-availability-zones --region eu-west-1 --profile admin` to get a list of availability zones for the region.
Terraform for the VPC will create:

- An IGW
- A route table
- A security group
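Added example (not Terraform from these notes or the linked AWS docs): the subnet group and security group for an external RDS instance, with ingress on the DB port allowed only from the Beanstalk instances' security group rather than from a CIDR range. The variable names and the `eb-` resource names are assumptions.

```hcl
# Added example, not this repo's own Terraform. Assumes an existing VPC, private
# subnets in at least two AZs, and the security group the Elastic Beanstalk
# instances run with (added to the Auto Scaling group); all passed in as variables.
variable "vpc_id"             { type = string }
variable "private_subnet_ids" { type = list(string) }
variable "eb_instance_sg_id"  { type = string }
variable "db_username" {
  type      = string
  sensitive = true
}
variable "db_password" {
  type      = string
  sensitive = true   # supply via tfvars or a secrets store, never in code
}

# Subnet group spanning the private subnets (one per AZ) for the RDS instance.
resource "aws_db_subnet_group" "rds" {
  name       = "eb-rds-subnets"
  subnet_ids = var.private_subnet_ids
}

resource "aws_security_group" "rds" {
  name   = "eb-rds"
  vpc_id = var.vpc_id
}

# The only ingress is the DB port from the Beanstalk instances' security group.
# Referencing a security group rather than a CIDR means instances launched by the
# Auto Scaling group are allowed automatically and nothing else in the VPC is.
resource "aws_security_group_rule" "rds_from_eb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.rds.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = var.eb_instance_sg_id
}

resource "aws_db_instance" "postgres" {
  engine                 = "postgres"
  instance_class         = "db.t3.micro"
  allocated_storage      = 20
  db_subnet_group_name   = aws_db_subnet_group.rds.name
  vpc_security_group_ids = [aws_security_group.rds.id]
  publicly_accessible    = false  # no public endpoint; reachable only inside the VPC
  storage_encrypted      = true
  username               = var.db_username
  password               = var.db_password
  skip_final_snapshot    = true
}
```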
## AWS Networking

- A VPC is a network that you give a CIDR block to.
- You create subnets for a VPC. These subnets are split evenly across availability zones (for redundancy) and into private/public (whether they have internet access or not).
- Behind the scenes (if using TF), the internet gateway, routing tables and attachments will all be created for you. If using CF you will need to create these yourself.
- A security group is a firewall that is _attached to an EC2 instance_. A security group belongs to a VPC. You can permit instances to talk to each other by setting the source and destination to be the security group itself. You can control ports/IPs exactly on a per-instance basis using security groups.
## HTTPS

### Single instance

As HTTPS terminates on the EC2 instance itself, you need to amend the nginx config locally. This is specific to each application you are deploying.

<https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-nodejs.html>.

You need to generate a certificate locally:

`pip install certbot`

`sudo certbot certonly --manual --preferred-challenges=dns --email dtomlinson@panaetius.co.uk --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d "*.panaetius.co.uk"`
### Load balanced

You have two options:

1. Terminate on the load balancer (easiest).

   <https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html>.

   You can use AWS Certificate Manager to generate your SSL cert, or you can upload your own.

   Use a `.config` file as documented above and EB will handle the rest.

2. Pass through to the instance.

   <https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-tcp-passthrough.html>.

   If you do this you need to set up termination on the EC2 instances using the config for a single instance above.

   You can pass TCP through without the load balancer decrypting the traffic. The traffic is encrypted all the way to the instance. Traffic between the instances themselves is HTTP.

Additionally you can configure end-to-end encryption between the EC2 instances if you have strict security requirements.

<https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-endtoend.html>.