AWS: ELB(ALB) + Route 53 + ACM + Cfn (名前解決からHTTPSなELB作成メモと最後に Cfn)
目的
- 個人的備忘録
- 最初は手作業で作って次に ACM 以外を Cfn で作る
前提条件
- DNS は Route 53 利用
- Hosted Zone を1つは持っている (例: example.com)
- ELB, Route 53 側の詳細手順は記載しない
手順
1. マネコンの Certificate Manager にアクセスする
- Security, Identity & Compliance
- Certificate Manager
2. Certificate を要求する
- Request a certificate
- Request a public certificate
2-1. Step 1: Add domain names
- FQDN で入力 (例: www.example.com)
2-2. Step 2: Select validation method
- DNS validation
2-3. Step 3: Review
- 正しければ Confirm and request
2-4. Step 4: Validation
- 直後だと Pending validation
3. ACM に戻って Continue をクリック
- Status: Validation not complete でしばし待つ
- 数分で Status: Issued になるはず
4. その他手作業の場合以下
4-1. ELB
- Configure Security Settings
- Select Certificate
- Certificate type:
- Choose a certificate from ACM (recommended) を選択
- Certificate: で ACM で作成したものを選択
4-2. ELB の Domain name を Route 53 の CNAME に追加する
4-3. 名前解決が可能になるまでしばし待つ
example
nslookup www.example.com
4-4. ブラウザからアクセス
example
https://www.example.com/
5. ACM 以外の部分を Cfn で作る場合
[HTTPS:443]ALB --- [HTTPS:5450]Ec2Instances
※ 下のテンプレートでは AppSG が ALBSG からの 80/tcp しか許可していないため、ターゲットグループとヘルスチェックが使う 5450/tcp を ALBSG から許可する Ingress を別途追加しないとヘルスチェックが通らない。ALBSG の 80/tcp 開放はリスナーが 443 しか無いので不要。SslPolicy の ELBSecurityPolicy-2016-08 は TLS 1.0/1.1 も許可するので、TLS 1.2 以上のみのポリシーを検討する。
ref. https://dev.classmethod.jp/cloud/aws/cloudformation-alb/
example
{
"Description" : "create alb test template",
"Parameters" : {
"Env" : {
"Type" : "String",
"Default" : "TEST-LB01"
},
"VPCID" : {
"Type" : "AWS::EC2::VPC::Id",
"Default" : "vpc-f545d491"
},
"Subnets" : {
"Type" : "List<AWS::EC2::Subnet::Id>",
"Default" : "subnet-bd809696,subnet-c9dd10bf"
},
"Keypair" : {
"Type" : "AWS::EC2::KeyPair::KeyName",
"Default" : "KEYNAME"
},
"MyInstance01" : {
"Type" : "String",
"Default" : "i-07ff0908aef3b035c"
},
"MyInstance02" : {
"Type" : "String",
"Default" : "i-04dddc3a548c2e83d"
},
"CertificateArn1" : {
"Type" : "String",
"Default" : "arn:aws:acm:us-east-1:XXXXXXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX"
},
"Hostname" : {
"Type" : "String",
"Default" : "www.example.com."
},
"HostedZoneName" : {
"Type" : "String",
"Default" : "example.com."
}
},
"Resources" : {
"ALBSG" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "-",
"SecurityGroupIngress" : [
{
"IpProtocol" : "tcp",
"FromPort" : "80",
"ToPort" : "80",
"CidrIp" : "0.0.0.0/0"
},
{
"IpProtocol" : "tcp",
"FromPort" : "443",
"ToPort" : "443",
"CidrIp" : "0.0.0.0/0"
}
],
"Tags" : [
{"Key" : "Name" , "Value" : { "Fn::Join" : [ "", [{ "Ref": "Env" }, "-ALBSG"]]} }
],
"VpcId" : { "Ref": "VPCID" }
}
},
"AppSG" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "-",
"SecurityGroupIngress" : [
{
"IpProtocol" : "tcp",
"FromPort" : "80",
"ToPort" : "80",
"SourceSecurityGroupId" : { "Ref" : "ALBSG" }
}
],
"Tags" : [
{"Key": "Name", "Value": { "Fn::Join" : [ "", [{ "Ref": "Env" }, "-AppSG"]]} }
],
"VpcId" : { "Ref": "VPCID" }
}
},
"ALBTarget" : {
"Type" : "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties" : {
"HealthCheckIntervalSeconds" : "30",
"HealthCheckPath" : "/webui/login",
"HealthCheckPort" : "5450",
"HealthCheckProtocol" : "HTTPS",
"HealthCheckTimeoutSeconds" : "5",
"HealthyThresholdCount" : "5",
"Matcher" : { "HttpCode" : "200" },
"Name" : { "Fn::Join" : [ "", [{ "Ref": "Env" }, "-ALBTarget"]]},
"Port" : "5450",
"Protocol" : "HTTPS",
"Tags" : [
{"Key": "Name", "Value": { "Fn::Join" : [ "", [{ "Ref": "Env" }, "-ALBTarget"]]} }
],
"TargetGroupAttributes" : [
{ "Key" : "deregistration_delay.timeout_seconds", "Value" : "300" },
{ "Key" : "stickiness.enabled", "Value" : "false" },
{ "Key" : "stickiness.type", "Value" : "lb_cookie" },
{ "Key" : "stickiness.lb_cookie.duration_seconds", "Value" : "86400" }
],
"Targets" : [
{ "Id" : { "Ref" : "MyInstance01" }, "Port" : "5450" },
{ "Id" : { "Ref" : "MyInstance02" }, "Port" : "5450" }
],
"UnhealthyThresholdCount" : "2",
"VpcId" : { "Ref": "VPCID" }
}
},
"ALB" : {
"Type" : "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties" : {
"LoadBalancerAttributes" : [
{ "Key" : "access_logs.s3.enabled", "Value" : "false" },
{ "Key" : "deletion_protection.enabled", "Value" : "false" },
{ "Key" : "idle_timeout.timeout_seconds", "Value" : "60" }
],
"Name" : { "Fn::Join" : [ "", [{ "Ref": "Env" }, "-ALB"]]},
"Scheme" : "internet-facing",
"SecurityGroups" : [
{ "Ref": "ALBSG" }
],
"Subnets" : { "Ref": "Subnets" },
"Tags" : [
{"Key": "Name", "Value": { "Fn::Join" : [ "", [{ "Ref": "Env" }, "-ALB"]]} }
]
}
},
"ALBListener" : {
"Type" : "AWS::ElasticLoadBalancingV2::Listener",
"Properties" : {
"DefaultActions" : [{
"TargetGroupArn" : { "Ref" : "ALBTarget" },
"Type" : "forward"
}],
"Certificates" : [
{
"CertificateArn" : {
"Ref" : "CertificateArn1"
}
}
],
"LoadBalancerArn" : { "Ref" : "ALB" },
"Port" : "443",
"Protocol" : "HTTPS",
"SslPolicy" : "ELBSecurityPolicy-2016-08"
}
},
"DnsRecord" : {
"Type" : "AWS::Route53::RecordSet",
"Properties" : {
"HostedZoneName" : { "Ref" : "HostedZoneName" },
"Comment" : "DNS name for ALB",
"Name" : { "Ref" : "Hostname" },
"Type" : "CNAME",
"TTL" : "300",
"ResourceRecords" : [
{ "Fn::GetAtt" : [ "ALB", "DNSName" ] }
]
}
}
}
}