AWS: ELB(ALB) + Route 53 + ACM + Cfn (notes on building an HTTPS ELB, from name resolution through to a Cfn template at the end)


Purpose

  • Personal notes for later reference

  • Build everything by hand first, then build everything except ACM with Cfn (CloudFormation)


Prerequisites

  • DNS is handled by Route 53

    • At least one Hosted Zone already exists (example: example.com)

  • Detailed steps on the ELB and Route 53 side are not covered


Steps

1. Open Certificate Manager in the management console

  • Security, Identity & Compliance

    • Certificate Manager


2. Request a certificate

  • Request a certificate

    • Request a public certificate


2-1. Step 1: Add domain names

2-2. Step 2: Select validation method

  • DNS validation

2-3. Step 3: Review

  • If everything is correct, Confirm and request

2-4. Step 4: Validation

  • Immediately afterwards the status shows Pending validation


3. Go back to ACM and click Continue

  • Wait a while at Status: Validation not complete

  • It should change to Status: Issued within a few minutes


4. Remaining steps when doing it by hand

4-1. ELB

  • Configure Security Settings

    • Select Certificate

      • Certificate type:

        • Select "Choose a certificate from ACM (recommended)"

          • Under Certificate:, select the certificate created in ACM


4-2. Add the ELB's DNS name to Route 53 as a CNAME record

4-3. Wait a while until the name resolves

example

nslookup www.example.com


4-4. Access it from a browser

example

https://www.example.com/

5. Building everything except ACM with Cfn

[HTTPS:443]ALB --- [HTTPS:5450]Ec2Instances

ref. https://dev.classmethod.jp/cloud/aws/cloudformation-alb/


example

{
  "Description" : "create alb test template",
  "Parameters" : {
    "Env" : {
      "Type" : "String",
      "Default" : "TEST-LB01"
    },
    "VPCID" : {
      "Type" : "AWS::EC2::VPC::Id",
      "Default" : "vpc-f545d491"
    },
    "Subnets" : {
      "Type" : "List<AWS::EC2::Subnet::Id>",
      "Default" : "subnet-bd809696,subnet-c9dd10bf"
    },
    "Keypair" : {
      "Type" : "AWS::EC2::KeyPair::KeyName",
      "Default" : "KEYNAME"
    },
    "MyInstance01" : {
      "Type" : "String",
      "Default" : "i-07ff0908aef3b035c"
    },
    "MyInstance02" : {
      "Type" : "String",
      "Default" : "i-04dddc3a548c2e83d"
    },
    "CertificateArn1" : {
      "Type" : "String",
      "Default" : "arn:aws:acm:us-east-1:XXXXXXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX"
    },
    "Hostname" : {
      "Type" : "String",
      "Default" : "www.example.com."
    },
    "HostedZoneName" : {
      "Type" : "String",
      "Default" : "example.com."
    }
  },
  "Resources" : {
    "ALBSG" : {
      "Type" : "AWS::EC2::SecurityGroup",
      "Properties" : {
        "GroupDescription" : "ALB: HTTP/HTTPS from the internet",
        "SecurityGroupIngress" : [
          {
            "IpProtocol" : "tcp",
            "FromPort" : "80",
            "ToPort" : "80",
            "CidrIp" : "0.0.0.0/0"
          },
          {
            "IpProtocol" : "tcp",
            "FromPort" : "443",
            "ToPort" : "443",
            "CidrIp" : "0.0.0.0/0"
          }
        ],
        "Tags" : [
          { "Key" : "Name", "Value" : { "Fn::Join" : [ "", [ { "Ref" : "Env" }, "-ALBSG" ] ] } }
        ],
        "VpcId" : { "Ref" : "VPCID" }
      }
    },
    "AppSG" : {
      "Type" : "AWS::EC2::SecurityGroup",
      "Properties" : {
        "GroupDescription" : "App instances: target port 5450 from the ALB only",
        "SecurityGroupIngress" : [
          {
            "IpProtocol" : "tcp",
            "FromPort" : "5450",
            "ToPort" : "5450",
            "SourceSecurityGroupId" : { "Ref" : "ALBSG" }
          }
        ],
        "Tags" : [
          { "Key" : "Name", "Value" : { "Fn::Join" : [ "", [ { "Ref" : "Env" }, "-AppSG" ] ] } }
        ],
        "VpcId" : { "Ref" : "VPCID" }
      }
    },
    "ALBTarget" : {
      "Type" : "AWS::ElasticLoadBalancingV2::TargetGroup",
      "Properties" : {
        "HealthCheckIntervalSeconds" : "30",
        "HealthCheckPath" : "/webui/login",
        "HealthCheckPort" : "5450",
        "HealthCheckProtocol" : "HTTPS",
        "HealthCheckTimeoutSeconds" : "5",
        "HealthyThresholdCount" : "5",
        "Matcher" : { "HttpCode" : "200" },
        "Name" : { "Fn::Join" : [ "", [ { "Ref" : "Env" }, "-ALBTarget" ] ] },
        "Port" : "5450",
        "Protocol" : "HTTPS",
        "Tags" : [
          { "Key" : "Name", "Value" : { "Fn::Join" : [ "", [ { "Ref" : "Env" }, "-ALBTarget" ] ] } }
        ],
        "TargetGroupAttributes" : [
          { "Key" : "deregistration_delay.timeout_seconds", "Value" : "300" },
          { "Key" : "stickiness.enabled", "Value" : "false" },
          { "Key" : "stickiness.type", "Value" : "lb_cookie" },
          { "Key" : "stickiness.lb_cookie.duration_seconds", "Value" : "86400" }
        ],
        "Targets" : [
          { "Id" : { "Ref" : "MyInstance01" }, "Port" : "5450" },
          { "Id" : { "Ref" : "MyInstance02" }, "Port" : "5450" }
        ],
        "UnhealthyThresholdCount" : "2",
        "VpcId" : { "Ref" : "VPCID" }
      }
    },
    "ALB" : {
      "Type" : "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties" : {
        "LoadBalancerAttributes" : [
          { "Key" : "access_logs.s3.enabled", "Value" : "false" },
          { "Key" : "deletion_protection.enabled", "Value" : "false" },
          { "Key" : "idle_timeout.timeout_seconds", "Value" : "60" }
        ],
        "Name" : { "Fn::Join" : [ "", [ { "Ref" : "Env" }, "-ALB" ] ] },
        "Scheme" : "internet-facing",
        "SecurityGroups" : [
          { "Ref" : "ALBSG" }
        ],
        "Subnets" : { "Ref" : "Subnets" },
        "Tags" : [
          { "Key" : "Name", "Value" : { "Fn::Join" : [ "", [ { "Ref" : "Env" }, "-ALB" ] ] } }
        ]
      }
    },
    "ALBListener" : {
      "Type" : "AWS::ElasticLoadBalancingV2::Listener",
      "Properties" : {
        "DefaultActions" : [
          {
            "TargetGroupArn" : { "Ref" : "ALBTarget" },
            "Type" : "forward"
          }
        ],
        "Certificates" : [
          {
            "CertificateArn" : { "Ref" : "CertificateArn1" }
          }
        ],
        "LoadBalancerArn" : { "Ref" : "ALB" },
        "Port" : "443",
        "Protocol" : "HTTPS",
        "SslPolicy" : "ELBSecurityPolicy-2016-08"
      }
    },
    "DnsRecord" : {
      "Type" : "AWS::Route53::RecordSet",
      "Properties" : {
        "HostedZoneName" : { "Ref" : "HostedZoneName" },
        "Comment" : "DNS name for ALB",
        "Name" : { "Ref" : "Hostname" },
        "Type" : "CNAME",
        "TTL" : "300",
        "ResourceRecords" : [
          { "Fn::GetAtt" : [ "ALB", "DNSName" ] }
        ]
      }
    }
  }
}
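A template like the one above has a few places where the security settings drift apart silently: the application security group must admit the ALB on the target-group port (5450 here, not 80), the HTTPS listener needs a certificate and a TLS policy that is not a legacy one, and access logging defaults to off. The following lint is an added example (not from the original post or the referenced article) that reads a constructed, cut-down copy of such a template and reports those mismatches; the policy names in LEGACY_SSL_POLICIES are existing ELB predefined policies that still permit TLS 1.0/1.1.

```python
import json

# Constructed subset of an ALB template (hypothetical values): the app SG only
# admits port 80 from the ALB although the target group listens on 5450.
TEMPLATE = json.loads("""
{"Resources": {
  "AppSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": "80",
      "ToPort": "80", "SourceSecurityGroupId": {"Ref": "ALBSG"}}]}},
  "ALBTarget": {"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
    "Properties": {"Port": "5450", "Protocol": "HTTPS", "HealthCheckPort": "5450"}},
  "ALB": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
    "Properties": {"LoadBalancerAttributes": [
      {"Key": "access_logs.s3.enabled", "Value": "false"}]}},
  "ALBListener": {"Type": "AWS::ElasticLoadBalancingV2::Listener",
    "Properties": {"Port": "443", "Protocol": "HTTPS",
      "Certificates": [{"CertificateArn": {"Ref": "CertificateArn1"}}],
      "SslPolicy": "ELBSecurityPolicy-2016-08"}}}}
""")

# Predefined ALB policies that still negotiate TLS 1.0 / 1.1.
LEGACY_SSL_POLICIES = {"ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-2015-05"}


def lint_alb_template(template: dict) -> list[str]:
    """Return human-readable findings for an ALB CloudFormation template."""
    res = template["Resources"]
    by_type = lambda t: {n: r["Properties"] for n, r in res.items() if r["Type"] == t}
    findings = []
    tg_ports = {int(p["Port"]) for p in by_type("AWS::ElasticLoadBalancingV2::TargetGroup").values()}
    # 1. Every target-group port must be reachable via some SG rule sourced from another SG.
    for name, sg in by_type("AWS::EC2::SecurityGroup").items():
        rules = [r for r in sg.get("SecurityGroupIngress", []) if "SourceSecurityGroupId" in r]
        if not rules:
            continue  # internet-facing SG (ALBSG), not an app SG
        covered = {p for r in rules for p in range(int(r["FromPort"]), int(r["ToPort"]) + 1)}
        for port in sorted(tg_ports - covered):
            findings.append(f"{name}: no ingress from the ALB on target port {port}")
    # 2. HTTPS listeners need a certificate and a non-legacy TLS policy.
    for name, ls in by_type("AWS::ElasticLoadBalancingV2::Listener").items():
        if ls.get("Protocol") == "HTTPS":
            if not ls.get("Certificates"):
                findings.append(f"{name}: HTTPS listener without a certificate")
            if ls.get("SslPolicy") in LEGACY_SSL_POLICIES:
                findings.append(f"{name}: legacy SslPolicy {ls['SslPolicy']} allows TLS 1.0/1.1")
    # 3. Without access logs there is no record of requests reaching the ALB.
    for name, lb in by_type("AWS::ElasticLoadBalancingV2::LoadBalancer").items():
        attrs = {a["Key"]: a["Value"] for a in lb.get("LoadBalancerAttributes", [])}
        if attrs.get("access_logs.s3.enabled", "false") != "true":
            findings.append(f"{name}: access logs disabled")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_alb_template(TEMPLATE)))
```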