Allow AWS Private EC2 HTTP and HTTPS to Public

Apologies for the question as I'm still learning AWS. Currently I am exploring using a private EC2 instance running Windows Server IIS to connect to a database via a site-to-site VPN/VPC to an on-premises DC. Aside from the database connection/port, I'll allow access to RDP via the VPN.

However, I want users to access the IIS HTTP and HTTPS from the public internet. What are the steps or requirements for that? I've read that it requires an ELB. Appreciate your feedback, and hopefully you can point me in the right direction or to resources. Thank you.

Tim

AWS is a fairly complex enterprise platform. You really need to learn the platform in order to use it, to ensure you're doing things properly and securely. Training helps a lot.

Your question is slightly difficult to answer as you're not using standard AWS terminology. But the short answer is that the security group associated with your IIS server needs to have inbound ports 80 and 443 open. You don't need an ELB if you only have one EC2 server, but ELBs provide some additional protection against some forms of DDoS attacks. You do need an internet gateway in your VPC, routed to your public subnet, but the route table for your private subnet should not route to the internet gateway. The private subnet should not allocate public IPs either.

Update - if you want to run multiple web servers then use an application load balancer in one security group with 443 / 80 open to the world, then another security group for your EC2 instances open only to the ALB. EC2 instances are best in a private subnet, with no route to / from the internet and no public IP.

If that makes no sense I suggest either getting some training or hiring someone to help :)

Update re SSL

I wouldn't do TLS offload at Cloudflare; that would leave your traffic unencrypted across the internet and wouldn't be compliant with anything. You can terminate TLS at an ALB and use HTTP to your EC2 instances fairly safely, as the traffic within AWS is generally considered safe; it's isolated by the AWS Hyperplane. The ALB can receive traffic on port 443, decrypt, then pass it on to EC2 on port 80. I haven't done it myself, but I think you just set up your target group listening on port 80 rather than 443. Create a TLS certificate using AWS Certificate Manager.

Personally I would do the TLS on the EC2 instances unless I had a good reason or the workload wasn't sensitive. It's easier to use an ALB certificate than install certificates on each EC2 instance though.
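As an added check for the layout the answer describes (public ALB security group with 80/443 open, instance security group open only to the ALB, private subnet with no internet gateway route and no public IPs, TLS terminated on the ALB with plain HTTP to a port-80 target group), here is a small audit script. It is example code written for this page, not something from the answer, the asker, or AWS; the input dicts are constructed to mirror the shape of `aws ec2 describe-security-groups`, `describe-route-tables`, `describe-subnets` and `aws elbv2 describe-listeners` / `describe-target-groups` output, and every id and CIDR in them is a placeholder. The `admin_cidrs` parameter is an assumption added so the RDP-over-VPN access from the question is not reported as a finding.

```python
"""Audit a VPC/ALB layout against the design in the answer above.

All data below is constructed for this example (not real AWS output); ids
such as sg-alb0001 / igw-0001 and the CIDRs are placeholders.
"""

ANYWHERE = "0.0.0.0/0"
WEB_PORTS = {(80, 80), (443, 443)}
RDP = (3389, 3389)
ONPREM = "10.10.0.0/16"  # constructed on-premises range reached over the VPN


def _inbound_rules(sg):
    """Yield (from_port, to_port, source) for every inbound permission of a security group."""
    for perm in sg.get("IpPermissions", []):
        ports = (perm.get("FromPort"), perm.get("ToPort"))
        for r in perm.get("IpRanges", []):
            yield ports + (r["CidrIp"],)
        for g in perm.get("UserIdGroupPairs", []):
            yield ports + (g["GroupId"],)


def audit_layout(layout, admin_cidrs=()):
    """Return a list of findings; an empty list means the layout matches the design.

    admin_cidrs: ranges (e.g. the on-premises network behind the site-to-site VPN)
    that may reach the instances on RDP, in addition to the ALB on HTTP.
    """
    findings = []
    alb_sg, ec2_sg = layout["alb_sg"], layout["ec2_sg"]
    alb_id = alb_sg["GroupId"]

    # 1. ALB security group: inbound is 80 and 443 only.
    for fp, tp, src in _inbound_rules(alb_sg):
        if (fp, tp) not in WEB_PORTS:
            findings.append(f"ALB SG {alb_id}: port {fp}-{tp} open from {src}")

    # 2. EC2 security group: web traffic only from the ALB SG, RDP only from admin CIDRs.
    for fp, tp, src in _inbound_rules(ec2_sg):
        ok = ((fp, tp) in WEB_PORTS and src == alb_id) or (
            (fp, tp) == RDP and src in admin_cidrs)
        if not ok:
            findings.append(f"EC2 SG {ec2_sg['GroupId']}: port {fp}-{tp} open from {src}")

    # 3. Private subnet route table: no route to an internet gateway.
    for route in layout["private_route_table"].get("Routes", []):
        gw = str(route.get("GatewayId", ""))
        if gw.startswith("igw-"):
            findings.append(f"private route table: {route.get('DestinationCidrBlock')} -> {gw}")

    # 4. Private subnet must not hand out public IPs.
    subnet = layout["private_subnet"]
    if subnet.get("MapPublicIpOnLaunch"):
        findings.append(f"private subnet {subnet['SubnetId']}: auto-assigns public IPs")

    # 5. TLS terminates on the ALB: HTTPS:443 listener with a certificate, HTTP:80 to targets.
    https = [l for l in layout["alb_listeners"]
             if l.get("Protocol") == "HTTPS" and l.get("Port") == 443]
    if not https:
        findings.append("ALB: no HTTPS listener on 443")
    elif not https[0].get("Certificates"):
        findings.append("ALB: HTTPS listener has no certificate attached")
    tg = layout["target_group"]
    if (tg.get("Protocol"), tg.get("Port")) != ("HTTP", 80):
        findings.append(f"target group: {tg.get('Protocol')}:{tg.get('Port')}, expected HTTP:80")

    return findings


def _cidr_rule(port, cidr):
    return {"FromPort": port, "ToPort": port, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": cidr}]}


def _sg_rule(port, sg_id):
    return {"FromPort": port, "ToPort": port, "IpProtocol": "tcp",
            "UserIdGroupPairs": [{"GroupId": sg_id}]}


def good_layout():
    """Constructed layout that follows the answer: ALB public, instances private."""
    return {
        "alb_sg": {"GroupId": "sg-alb0001",
                   "IpPermissions": [_cidr_rule(80, ANYWHERE), _cidr_rule(443, ANYWHERE)]},
        "ec2_sg": {"GroupId": "sg-web0001",
                   "IpPermissions": [_sg_rule(80, "sg-alb0001"), _cidr_rule(3389, ONPREM)]},
        "private_route_table": {"Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": ONPREM, "GatewayId": "vgw-0001"}]},
        "private_subnet": {"SubnetId": "subnet-priv0001", "MapPublicIpOnLaunch": False},
        "alb_listeners": [{"Protocol": "HTTPS", "Port": 443,
                           "Certificates": [{"CertificateArn": "arn:aws:acm:PLACEHOLDER"}]}],
        "target_group": {"Protocol": "HTTP", "Port": 80},
    }


def bad_layout():
    """Same layout with the mistakes the answer warns against."""
    layout = good_layout()
    layout["ec2_sg"]["IpPermissions"].append(_cidr_rule(80, ANYWHERE))  # instances reachable directly
    layout["private_route_table"]["Routes"].append(
        {"DestinationCidrBlock": ANYWHERE, "GatewayId": "igw-0001"})     # private subnet routed to IGW
    layout["private_subnet"]["MapPublicIpOnLaunch"] = True              # public IPs in private subnet
    return layout


if __name__ == "__main__":
    for name, layout in (("good", good_layout()), ("bad", bad_layout())):
        print(name, audit_layout(layout, admin_cidrs=(ONPREM,)) or ["no findings"])
```

To run it against a real account you would replace the constructed dicts with the parsed JSON from the AWS CLI calls named in the docstring; the checks themselves only look at the fields those commands return. Note that check 2 is deliberately strict: any instance rule that is not HTTP/HTTPS from the ALB security group or RDP from a listed admin range is reported, which is exactly the "open only to the ALB" rule from the update.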

Thanks Tim, yes the goal is to run multiple webservers, which led me to read up on some ELB topics. I'll check and read some on the Internet gateway you mentioned. Thank you
Tim
I edited to add more about load balancing for you.
Hi Tim, I was able to achieve that: the private subnets are behind an ALB and the servers (IIS) are now accessible on the internet, and I have pointed the DNS name to my DNS hosting and Cloudflare as a CNAME. I'm curious, I only wanted load balancing, but since I have a Cloudflare WAF I would want to offload SSL using that instead of the AWS ALB. What would be the approach in the AWS ALB where I can allow SSL/HTTPS without importing SSL to it (given that, as mentioned, I'll SSL offload on Cloudflare)? What I've tried so far is allowing port 443 on the ALB security group, but to no avail.
Tim
I have edited my answer to address your comment.
Ok I understand. I wanted to offload SSL because there is more than one server and I would not want to trouble myself setting up certificates one by one on each EC2 instance, and I wanted to maximize the speed/performance of the EC2 instances without the additional overhead of SSL/encryption on them. So in essence I might have to do SSL offload on the WAF and on the AWS ALB as well. That way the traffic across the internet passing between Cloudflare and the ALB is still encrypted. Thanks Tim.
Tim
WAF does inspection, not offload. ALB does offload or decrypt / re-encrypt in TLS. Best practice is certificates on each instance; it's pretty easy with Let's Encrypt.