This post is going to show you how to add an Elastic Load Balancer to your Elastic Beanstalk Environment so you can support SSL in your application.

Assumptions

This guide assumes you have purchased a domain and are comfortable with adding the required DNS entries to verify ownership. If you are not familiar with it, you can do all of that in AWS Route 53.

Requesting a Certificate using AWS Certificate Manager

To enable SSL for your application, you need to add a certificate to your load balancer, which means you first need to request one. Luckily, AWS makes this rather easy when you use certificates with their services: you simply request the certificate, including the domain(s) that you want it to cover, and that’s it!

If you are familiar with this process, you will notice we add the root domain and a wildcard domain to this certificate request. This way your certificate will cover root domain URLs as well as subdomains. If you don’t want to do this, feel free to add only the domains you wish to your request. If you didn’t understand that, then just follow our steps.
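Why the request lists both names, as an added example (not code from the original post): a wildcard name stands for exactly one left-most label, so the wildcard alone covers neither the root domain nor deeper subdomains. The function names and the test hostnames are assumptions made for illustration.

```python
# Added example: which hostnames does a certificate's name list cover?
# Matching follows RFC 6125: "*" stands for exactly one left-most label.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (exact or wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard replaces one label only, so label counts must be equal.
    if len(p_labels) != len(h_labels):
        return False
    return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]


def covered(cert_names, hostnames):
    """Map each hostname to the certificate name that covers it, or None."""
    result = {}
    for host in hostnames:
        result[host] = next((n for n in cert_names if name_matches(n, host)), None)
    return result


# Names from the request in this guide, plus constructed hostnames to check.
REQUESTED = ["blackninjasoft.com", "*.blackninjasoft.com"]
HOSTS = [
    "blackninjasoft.com",
    "www.blackninjasoft.com",
    "api.staging.blackninjasoft.com",  # two labels deep: not covered
]

if __name__ == "__main__":
    for host, name in covered(REQUESTED, HOSTS).items():
        print(f"{host:35} {'covered by ' + name if name else 'NOT covered'}")
    # With only the wildcard on the certificate, the root domain is uncovered.
    print(covered(["*.blackninjasoft.com"], ["blackninjasoft.com"]))
```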

Requesting a Certificate

  1. Go to the Certificate Manager Console
  2. Click Request a certificate
    • Type your root domain (example): blackninjasoft.com
    • Click Add another name to this certificate
    • Type a wildcard domain (example): *.blackninjasoft.com
    • Click Next
    • Choose DNS validation
    • Click Review
    • Review your request and then click Confirm and request
  3. Follow the instructions to add a DNS entry to your domain registration
  4. Wait

It can take some time for the certificate request to complete and the status to become Issued. In the meantime, we can set up the load balancer.

Configure a Load Balancer for your Elastic Beanstalk Environment

Add a Load Balancer to a Single Instance Environment

If you’ve been following along with Deploying a Ruby on Rails Application Stack to AWS using Elastic Beanstalk and RDS, then you will have set up a single instance environment. Let’s make it a load balanced environment!

  1. Go to the Elastic Beanstalk Console in AWS
  2. Go to Configuration
    • Modify the Capacity configuration
    • From Environment Type, choose Load balanced
    • Click Continue
    • Notice the Load Balancer configuration is now populated
    • Click Apply Configuration
    • Click Confirm, wait

When this completes, your Elastic IP will be removed from your EC2 instance and requests for your application will now go through the load balancer.

Get the Load Balancer DNS Name

You will need to reset your domain’s A record to point to the load balancer. This is how you get the value for the A record:

  1. Go to the EC2 Console
  2. Click Load Balancers
  3. Select the Load Balancer
    • Choose the Instance tab
    • The Instance ID for your instance should be listed
    • Choose the Description tab
    • Copy the value for the DNS Name

Using the DNS Name you copied, add or modify the A record for your domain and point it to this value.

Configure an Elastic Beanstalk Classic Load Balancer for SSL

As long as your certificate status is Issued, you are ready to finish enabling SSL for your application. We are going to terminate SSL at the load balancer. You can read more about it at the link we just provided.

Important: Terminating at the load balancer means SSL connections are encrypted only up to the load balancer; from there, the load balancer forwards requests to the application over unencrypted HTTP on port 80. Encrypting all the way to the application means installing the certificate on your application server and purchasing an external certificate, which is beyond the scope of this guide.

  1. Go to the Elastic Beanstalk Console in AWS
  2. Go to Configuration
  3. Modify the Load Balancer configuration
    • Click Add Listener
    • Type 443 for the Listener port
    • Choose HTTPS for the Listener protocol
    • Choose 80 for the Instance port
    • Choose HTTP for the Instance protocol
    • Choose your certificate from SSL Certificate
    • Click Add
  4. Scroll down
  5. Click Apply

And wait…
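A check of the resulting listener setup, as an added example that is not part of the original post: it reads a load balancer description in the shape returned by aws elb describe-load-balancers and reports where TLS ends and where plaintext remains. The sample data, load balancer name and certificate ARN are constructed placeholders, and audit_listeners is a hypothetical helper.

```python
import json

# Constructed sample shaped like `aws elb describe-load-balancers` output for a
# Classic Load Balancer; the name and certificate ARN are placeholders.
SAMPLE = json.loads("""
{"LoadBalancerDescriptions": [{
  "LoadBalancerName": "awseb-e-x-EXAMPLE",
  "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                  "InstanceProtocol": "HTTP", "InstancePort": 80}},
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                  "InstanceProtocol": "HTTP", "InstancePort": 80,
                  "SSLCertificateId": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}}
  ]}]}
""")


def audit_listeners(description):
    """Return (severity, message) findings for one load balancer description."""
    findings = []
    listeners = [d["Listener"] for d in description["ListenerDescriptions"]]
    tls = [lsn for lsn in listeners if lsn["Protocol"] in ("HTTPS", "SSL")]
    if not tls:
        findings.append(("high", "no HTTPS/SSL listener configured"))
    for lsn in tls:
        port = lsn["LoadBalancerPort"]
        if not lsn.get("SSLCertificateId"):
            findings.append(("high", f"listener {port} has no certificate"))
        if lsn.get("InstanceProtocol") in ("HTTP", "TCP"):
            findings.append(("info", f"listener {port} terminates TLS at the load "
                             f"balancer; traffic to instance port {lsn['InstancePort']} is plaintext"))
    for lsn in listeners:
        if lsn["Protocol"] == "HTTP":
            findings.append(("medium", f"listener {lsn['LoadBalancerPort']} still "
                             "accepts unencrypted client connections"))
    return findings


if __name__ == "__main__":
    for lb in SAMPLE["LoadBalancerDescriptions"]:
        for severity, message in audit_listeners(lb):
            print(f"{lb['LoadBalancerName']}: [{severity}] {message}")
```

The "info" finding is the termination behaviour described in the Important note above; the "medium" finding applies when an HTTP listener on port 80 is left in place alongside the new 443 listener.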

Configure an Elastic IP for your EC2 Instance

Once that’s finished, you will notice that your health check is failing, but you can successfully resolve your application at its URL. You may also notice that eb ssh no longer works. This is because you no longer have a public IP configured for the EC2 instance that Elastic Beanstalk created. It was removed when we switched from a single instance setup to a load balanced one. Here’s how we allocate an Elastic IP for our EC2 instance:

  1. Go to the EC2 Console
  2. Choose Elastic IPs from the left-hand side navigation
  3. Click Allocate New Address
  4. Use the Amazon Pool and click Allocate
  5. Select the Elastic IP you just created from the list
    • Choose the Instance Resource Type
    • Choose your instance ID
    • Choose the private IP for your instance
    • Click Associate

That will fix your failing health check and the ssh connection.

If you’ve been following along, then congratulations! At this point you have a fully configured Elastic Beanstalk environment, ready to host a Ruby on Rails application with a database and SSL support!