I am attempting to route traffic through the AWS API Gateway to my ECS containers running in a private subnet via an Application Load Balancer running in a public subnet. Using plain old HTTP, everything works perfectly fine, but now I want to add transport layer security (TLS, fka SSL) to the communication between the gateway and the load balancer. In other words, terminate SSL at the load balancer.

  • I've got a custom domain name configured and working on my gateway that was already exposing an HTTPS endpoint.
  • I've got an HTTPS listener configured on my load balancer, which scolds me for having a dodgy certificate, but if I ignore the warning when I hit it directly I get routed to my service correctly. Thus the load balancer routing is correct.
  • When I attempt to point the gateway to the balancer it breaks. Furthermore, it seems that I can only use certificates for custom domain names that are in the us-east-1 region. At present they are failing with the following error in CloudWatch (details obscured for privacy).

Execution failed due to configuration error: Host name 'XXXXXXXXX-lb-XXXXXXXXX..elb.amazonaws.com' does not match the certificate subject provided by the peer (CN=)

Given my load balancer is not in the us-east-1 region how can I achieve my goal?

Mark
    *Furthermore, it seems the I can only use certificates for custom domain names that are in the us-east-1 region.* I think you're confusing two constraints. For your balancer, you need a cert in the balancer region. For API-GW, you probably needed a cert from us-east-1 because of the API-GW dependency on CloudFront, which only interfaces with ACM in us-east-1. You can't use dodgy certs behind API-GW, by design. – Michael - sqlbot Jun 06 '17 at 02:05

1 Answer


Assign a custom domain name to the load balancer. Then assign a valid SSL certificate to the load balancer using the ACM service. Then reference the load balancer using the custom domain name.

Mark B
  • Perfect! Up and running. Finally found the following AWS documentation which helped, too: http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/using-domain-names-with-elb.html. Thanks again! – Mark Jun 06 '17 at 08:14
  • Hi, can you tell me how to integrate API Gateway with an Application Load Balancer? I have integrated ECS with the ALB; now I want to add API Gateway in front without Lambda, so I am confused about how to connect API Gateway with the ALB. – Mihir Shah Jan 10 '19 at 19:48
  • @MihirShah ask a separate question on here instead of tagging onto an existing question. – Mark B Jan 10 '19 at 20:01
  • This worked! Saved by the Classic Load Balancer, a DNS A Record + Alias. – Justin Tilson Jun 26 '19 at 04:05
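The check behind the error message in the question, as an added example (this is not code from the question, the answer, or AWS): API Gateway validates the certificate the load balancer presents against the host in the integration URI, so an integration URI built from the raw `*.elb.amazonaws.com` name can never match a certificate issued for a custom domain, and a placeholder certificate with an empty subject (`CN=`) matches nothing at all. The script below reimplements that hostname match in the shape of `ssl.SSLSocket.getpeercert()` output so the two cases can be compared offline. The domain `api-internal.example.com`, the ALB DNS placeholder, and both certificate dicts are constructed assumptions for illustration; `live_peer_names` is a real network check for use against a deployed endpoint and is not exercised here.

```python
"""Hostname-vs-certificate matching, as API Gateway applies it to an
HTTPS integration target. Added example; certificates and names below
are constructed stand-ins, not data from the original page."""
import socket
import ssl

# Assumed placeholder for the ALB's generated DNS name (the question's is obscured).
ALB_DNS_NAME = "xxxxxxxxx-lb-xxxxxxxxx.elb.amazonaws.com"
# Assumed custom domain pointed at the ALB via a Route 53 alias record.
CUSTOM_NAME = "api-internal.example.com"

# Constructed: a self-signed placeholder with an empty subject, which is
# what the "CN=" in the CloudWatch error line corresponds to.
DODGY_ALB_CERT = {"subject": ((("commonName", ""),),)}

# Constructed: an ACM-style certificate for the custom domain, with a SAN
# list (ACM certificates always carry one) including a wildcard.
ACM_CERT = {
    "subject": ((("commonName", CUSTOM_NAME),),),
    "subjectAltName": (("DNS", CUSTOM_NAME), ("DNS", "*.example.com")),
}


def cert_names(cert):
    """Names a certificate is valid for: the DNS subjectAltName entries,
    falling back to a non-empty subject commonName only when the
    certificate has no SAN extension (RFC 6125 section 6.4.4)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    cns = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return [cn for cn in cns if cn]


def name_matches(pattern, hostname):
    """Case-insensitive exact match, or a wildcard match where '*' is the
    whole left-most label and covers exactly one label (so '*.example.com'
    matches 'svc.example.com' but not 'example.com' or 'a.b.example.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname, cert):
    """True when the host in the integration URI is covered by the certificate."""
    return any(name_matches(name, hostname) for name in cert_names(cert))


def integration_verdict(target_host, cert):
    """Reproduce the gateway's decision for a given integration host."""
    names = cert_names(cert)
    if hostname_matches_cert(target_host, cert):
        return f"OK: '{target_host}' is covered by certificate names {names}"
    return (f"Host name '{target_host}' does not match the certificate "
            f"subject provided by the peer (names={names})")


def live_peer_names(host, port=443):
    """Network check for a deployed endpoint: connect with the default
    verifying context (which also enforces the hostname match), returning
    the names the server's certificate actually carries. A mismatch raises
    ssl.SSLCertVerificationError, the same condition the gateway reports."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return cert_names(tls.getpeercert())


if __name__ == "__main__":
    # Before the fix: integration URI uses the ALB name, ALB serves a placeholder cert.
    print(integration_verdict(ALB_DNS_NAME, DODGY_ALB_CERT))
    # Still broken: a proper ACM cert, but the URI still names the ALB directly.
    print(integration_verdict(ALB_DNS_NAME, ACM_CERT))
    # After the fix: URI uses the custom domain the ACM cert was issued for.
    print(integration_verdict(CUSTOM_NAME, ACM_CERT))
```

The middle case is the one worth noticing: attaching a valid ACM certificate to the HTTPS listener is not enough on its own, because the integration URI has to name a host that the certificate covers. That is why the answer requires both the custom domain (an alias record to the ALB) and the ACM certificate for that domain, with the gateway pointed at `https://api-internal.example.com/...` rather than at the ALB's own DNS name.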