Amazon Elastic Beanstalk with SSL

Where ‘myapp-cname’ is the assigned cname when you first launch your environment. 

What if we want to resolve our own domain, e.g. 

This is pretty straight forward (assuming some background in working with cnames)… 

1. Go into the Amazon AWS console and locate the elastic load balancer. This is generally found under EC2 -> load balancers. 

2. Take the DNS name of the load balancer. This will be your cname record on your domain host. 

Example: 

alias: myapp.yourdomain.com

cname: myapp-cname.elasticbeanstalk.com

SSL (HTTPS) is a little more tricky. 

1. You need to create a certificate and have it signed by an authority. This steps is far beyond this post, but if you google or look in Amazon’s docs, they’ll help you out. 

2. Once you have your cert and your private key, you need to upload those to IAM. IAM is Amazon’s Identity and Access Management cloud service. This requires some command line work, as the AWS console does not currently support any way to upload this… 

See… http://docs.amazonwebservices.com/IAM/latest/UserGuide/index.html?ManagingServerCerts.html

3. Now, you need to change your load balancer config on your elastic beanstalk environment to point to this certificate. This requires enabling https and setting the aws certificate id on your elastic beanstalk load balancer config.

See… http://docs.amazonwebservices.com/elasticbeanstalk/latest/dg/index.html?using-features.managing.elb.html

4. Then, assuming you did the above (add the cname for http) everything should work. 

The load balancer is doing the SSL termination and handling the overhead and processing associated with that… That’s why we had to upload it and point the cname to the balancer. Your elastic beanstalk environment (the actual server) doesn’t do any SSL stuff, which is nice, because it means more CPU for your apps. 

There is an issue with root type cnames. e.g. mydomain.com (instead of www.mydomain.com)… but there is a work around by setting up an Amazon Route 53 alias. 

In case you are wondering, for each environment, you need one sub-domain. Because, we are pointing to the load balancer and every elastic beanstalk environment creates a new load balancer. Maybe one day Amazon will add a routing cloud service, so you could point to a load balancer, which points to other load balancers, which point to your apps… Thus, you could in theory have one subdomain and use a path variable to do the routing through the system. But, that’s a bit more complicated than we need to make things… (though it would be nice not to muck with DNS records as much)