AWS: ELB (ALB) + Route 53 + ACM + Cfn (notes on building an HTTPS ELB, from name resolution onward, with CloudFormation at the end)

Purpose

  • Personal memo
  • Build everything by hand first, then build everything except ACM with CloudFormation (Cfn)

Prerequisites

  • DNS is served by Route 53
    • You already have at least one Hosted Zone (e.g. example.com)
  • Detailed steps on the ELB and Route 53 side are not described here

Steps

1. Open Certificate Manager in the management console

  • Security, Identity & Compliance
    • Certificate Manager

2. Request a certificate

  • Request a certificate
    • Request a public certificate

2-1. Step 1: Add domain names

2-2. Step 2: Select validation method

  • DNS validation

2-3. Step 3: Review

  • If everything looks correct, Confirm and request

2-4. Step 4: Validation

  • Right after the request it shows Pending validation

3. Go back to ACM and click Continue

  • It shows Status: Validation not complete; wait a while
  • Within a few minutes it should change to Status: Issued

4. If you build the rest by hand, proceed as follows

4-1. ELB

  • Configure Security Settings
    • Select Certificate
      • Certificate type:
        • Select "Choose a certificate from ACM (recommended)"
          • Under Certificate:, pick the certificate created in ACM

4-2. Add the ELB's DNS name to Route 53 as a CNAME

4-3. Wait a while until the name resolves

Example:
nslookup www.example.com

4-4. Access it from a browser

Example:
https://www.example.com/

5. Building everything except ACM with Cfn

[HTTPS:443]ALB --- [HTTPS:5450]Ec2Instances

ref. https://dev.classmethod.jp/cloud/aws/cloudformation-alb/

Example:
{
    "Description" : "create alb test template",
    "Parameters" : {
        "Env" : {
            "Type" : "String",
            "Default" : "TEST-LB01"
        },
        "VPCID" : {
            "Type" : "AWS::EC2::VPC::Id",
            "Default" : "vpc-f545d491"
        },
        "Subnets" : {
            "Type" : "List<AWS::EC2::Subnet::Id>",
            "Default" : "subnet-bd809696,subnet-c9dd10bf"
        },
        "Keypair" : {
            "Type" : "AWS::EC2::KeyPair::KeyName",
            "Default" : "KEYNAME"
        },
        "MyInstance01" : {
            "Type" : "String",
            "Default" : "i-07ff0908aef3b035c"
        },
        "MyInstance02" : {
            "Type" : "String",
            "Default" : "i-04dddc3a548c2e83d"
        },
        "CertificateArn1" : {
            "Type" : "String",
            "Default" : "arn:aws:acm:us-east-1:XXXXXXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX"
        },
        "Hostname" : {
            "Type" : "String",
            "Default" : "www.example.com."
        },
        "HostedZoneName" : {
            "Type" : "String",
            "Default" : "example.com."
        }
    },
    "Resources" : {
        "ALBSG" : {
            "Type" : "AWS::EC2::SecurityGroup",
            "Properties" : {
                "GroupDescription" : "-",
                "SecurityGroupIngress" : [
                    {
                        "IpProtocol" : "tcp",
                        "FromPort" : "80",
                        "ToPort" : "80",
                        "CidrIp" : "0.0.0.0/0"
                    },
                    {
                        "IpProtocol" : "tcp",
                        "FromPort" : "443",
                        "ToPort" : "443",
                        "CidrIp" : "0.0.0.0/0"
                    }
                ],
                "Tags" : [
                    {"Key" : "Name" , "Value" : { "Fn::Join" : [ "", [{ "Ref": "Env" }, "-ALBSG"]]} }
                ],
                "VpcId" : { "Ref": "VPCID" }
            }
        },
        "AppSG" : {
            "Type" : "AWS::EC2::SecurityGroup",
            "Properties" : {
                "GroupDescription" : "-",
                "SecurityGroupIngress" : [
                    {
                        "IpProtocol" : "tcp",
                        "FromPort" : "5450",
                        "ToPort" : "5450",
                        "SourceSecurityGroupId" : { "Ref" : "ALBSG" }
                    }
                ],
                "Tags" : [
                    {"Key": "Name", "Value": { "Fn::Join" : [ "", [{ "Ref": "Env" }, "-AppSG"]]} }
                ],
                "VpcId" : { "Ref": "VPCID" }
            }
        },
        "ALBTarget" : {
            "Type" : "AWS::ElasticLoadBalancingV2::TargetGroup",
            "Properties" : {
                "HealthCheckIntervalSeconds" : "30",
                "HealthCheckPath" : "/webui/login",
                "HealthCheckPort" : "5450",
                "HealthCheckProtocol" : "HTTPS",
                "HealthCheckTimeoutSeconds" : "5",
                "HealthyThresholdCount" : "5",
                "Matcher" : { "HttpCode" : "200" },
                "Name" : { "Fn::Join" : [ "", [{ "Ref": "Env" }, "-ALBTarget"]]},
                "Port" : "5450",
                "Protocol" : "HTTPS",
                "Tags" : [
                    {"Key": "Name", "Value": { "Fn::Join" : [ "", [{ "Ref": "Env" }, "-ALBTarget"]]} }
                ],
                "TargetGroupAttributes" : [
                    { "Key" : "deregistration_delay.timeout_seconds", "Value" : "300" },
                    { "Key" : "stickiness.enabled", "Value" : "false" },
                    { "Key" : "stickiness.type", "Value" : "lb_cookie" },
                    { "Key" : "stickiness.lb_cookie.duration_seconds", "Value" : "86400" }
                ],
                "Targets" : [
                    { "Id" : { "Ref" : "MyInstance01" }, "Port" : "5450" },
                    { "Id" : { "Ref" : "MyInstance02" }, "Port" : "5450" }
                ],
                "UnhealthyThresholdCount" : "2",
                "VpcId" : { "Ref": "VPCID" }
            }
        },
        "ALB" : {
            "Type" : "AWS::ElasticLoadBalancingV2::LoadBalancer",
            "Properties" : {
                "LoadBalancerAttributes" : [
                    { "Key" : "access_logs.s3.enabled", "Value" : "false" },
                    { "Key" : "deletion_protection.enabled", "Value" : "false" },
                    { "Key" : "idle_timeout.timeout_seconds", "Value" : "60" }
                ],
                "Name" : { "Fn::Join" : [ "", [{ "Ref": "Env" }, "-ALB"]]},
                "Scheme" : "internet-facing",
                "SecurityGroups" : [
                    { "Ref": "ALBSG" }
                ],
                "Subnets" : { "Ref": "Subnets" },
                "Tags" : [
                    {"Key": "Name", "Value": { "Fn::Join" : [ "", [{ "Ref": "Env" }, "-ALB"]]} }
                ]
            }
        },
        "ALBListener" : {
            "Type" : "AWS::ElasticLoadBalancingV2::Listener",
            "Properties" : {
                "DefaultActions" : [{
                    "TargetGroupArn" : { "Ref" : "ALBTarget" },
                    "Type" : "forward"
                }],
                "Certificates" : [
                    {
                        "CertificateArn" : {
                            "Ref" : "CertificateArn1"
                        }
                    }
                ],
                "LoadBalancerArn" : { "Ref" : "ALB" },
                "Port" : "443",
                "Protocol" : "HTTPS",
                "SslPolicy" : "ELBSecurityPolicy-2016-08"
            }
        },
        "DnsRecord" : {
            "Type" : "AWS::Route53::RecordSet",
            "Properties" : {
                "HostedZoneName" : { "Ref" : "HostedZoneName" },
                "Comment" : "DNS name for ALB",
                "Name" : { "Ref" : "Hostname" },
                "Type" : "CNAME",
                "TTL" : "300",
                "ResourceRecords" : [
                    { "Fn::GetAtt" : [ "ALB", "DNSName" ] }
                ]
            }
        }
    }
}
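As an added check (example code written for this memo, not part of the original post or of any AWS tool), the script below reads a template of the shape above and reports the mistakes that are easy to make with it: an ALB security group that opens a port no listener serves, a listener that is not HTTPS or lacks a certificate and SSL policy, and an instance security group that does not admit the target-group port from the ALB (which makes every health check fail). It assumes the same logical resource types as the template; the embedded sample is a constructed, trimmed copy that deliberately contains two of those mistakes.

```python
import json

# Constructed, trimmed copy of a template of the shape shown above. AppSG deliberately allows
# only port 80 from the ALB while the target group uses 5450, so the checks have findings to report.
SAMPLE = json.loads("""{"Resources": {
 "ALBSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
   {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"},
   {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIp": "0.0.0.0/0"}]}},
 "AppSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
   {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "SourceSecurityGroupId": {"Ref": "ALBSG"}}]}},
 "ALBTarget": {"Type": "AWS::ElasticLoadBalancingV2::TargetGroup", "Properties": {"Port": "5450", "Protocol": "HTTPS"}},
 "ALB": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Properties": {"SecurityGroups": [{"Ref": "ALBSG"}]}},
 "ALBListener": {"Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": {"Port": "443", "Protocol": "HTTPS",
   "Certificates": [{"CertificateArn": {"Ref": "CertificateArn1"}}], "SslPolicy": "ELBSecurityPolicy-2016-08"}}}}""")

def of_type(resources, rtype):
    return [r["Properties"] for r in resources.values() if r["Type"] == rtype]

def port_range(rule):
    return range(int(rule["FromPort"]), int(rule["ToPort"]) + 1)

def check_template(template):
    """Return a list of findings; an empty list means the template passes every check."""
    res, findings, listener_ports = template["Resources"], [], set()
    for lst in of_type(res, "AWS::ElasticLoadBalancingV2::Listener"):
        listener_ports.add(int(lst["Port"]))
        if lst.get("Protocol") != "HTTPS":
            findings.append(f"listener on port {lst['Port']} is not HTTPS")
        elif not lst.get("Certificates") or not lst.get("SslPolicy"):
            findings.append(f"HTTPS listener on port {lst['Port']} lacks Certificates or SslPolicy")
    # Security groups attached to the ALB may only open ports that a listener actually serves.
    alb_sgs = {ref["Ref"] for alb in of_type(res, "AWS::ElasticLoadBalancingV2::LoadBalancer")
               for ref in alb["SecurityGroups"]}
    from_alb = set()  # ports that instance security groups accept from the ALB's security groups
    for name, sg in ((n, r) for n, r in res.items() if r["Type"] == "AWS::EC2::SecurityGroup"):
        for rule in sg["Properties"].get("SecurityGroupIngress", []):
            if name in alb_sgs and "CidrIp" in rule:
                for p in port_range(rule):
                    if p not in listener_ports:
                        findings.append(f"{name} opens port {p} to {rule['CidrIp']} but no listener uses it")
            if rule.get("SourceSecurityGroupId", {}).get("Ref") in alb_sgs:
                from_alb.update(port_range(rule))
    # Every target-group port must be reachable from the ALB, otherwise health checks never pass.
    for tg in of_type(res, "AWS::ElasticLoadBalancingV2::TargetGroup"):
        if int(tg["Port"]) not in from_alb:
            findings.append(f"target group port {tg['Port']} is not allowed from the ALB security group")
    return findings
```

To run it against a real template, replace SAMPLE with `json.load(open("template.json"))`; intrinsic functions other than `Ref` in the checked fields are not resolved.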