Attach Elastic Beanstalk to a Route 53 Subdomain Securely with ACM

In this post, I’ll show you how to securely route traffic to an Elastic Beanstalk environment with a subdomain. For the sake of streamlining things, I’ll be explaining the whole process via the AWS console, but this is also possible using CloudFormation. This post assumes you already have an Elastic Beanstalk environment up and running.

Route 53 Domain and Subdomain

First, we’ll need to register a domain in Route 53. Your domain may be registered elsewhere — if that’s the case, this setup is still feasible for you. You can transfer your domain to Route 53, or you’ll have to configure your DNS records a bit differently later in the process. Let’s assume we’re registering a new domain.

From the Route 53 console, select Registered Domains and then Register Domain. You should be able to check the availability of your desired domain name and add it to the cart for $12. Once you’ve input some contact information, you can purchase the domain. It could take a bit for the new domain to show up in the list of registered domains, so don’t panic if it’s not there right away. When it does finally appear, navigate to Hosted Zones in Route 53, and you should see that a hosted zone was created for the new domain.

Now we’ll create a hosted zone for our subdomain that will host our Elastic Beanstalk application. In Route 53, navigate to Hosted Zones and click Create hosted zone. Input the name of your subdomain and click the create button. Select your newly created subdomain and notice the NS record has been generated.

Next, copy the four values in the NS records (they begin with ns-) and return to the hosted zones list. Select the zone for your root domain name and select Create record. Fill in the record name with your subdomain and select the NS record type. Finally, paste the four values you copied in the value box and click Create records. This will allow routing of traffic to your subdomain via your domain.

Creating a Certificate in ACM

Next, we’ll create a certificate in Amazon Certificate Manager (ACM) that will later allow us to use SSL with Elastic Beanstalk. Navigate to the ACM dashboard and select Request a certificate. Choose the public SSL/TLS type and input the subdomain name that we created earlier. Select DNS validation unless you don’t have DNS permissions for your domain. Finish by clicking Request and notice that the certificate status is pending. It will take a bit for the certificate to be validated via DNS, and it will have to be issued before the next step can be completed successfully.

Attaching a Certificate to the Load Balancer

Now that we have an SSL/TLS certificate, we can attach it to our Elastic Beanstalk’s load balancer to secure our application with HTTPS. First, navigate to the Elastic Beanstalk console and select the environment that you wish to connect the certificate to. Once the environment is selected, select Configuration in the menu on the left side. Find “Load balancer” in the list and click Edit. At the top, notice the box titled “Listeners.” Click Add Listener and enter the port you’d like to use for HTTPS traffic (usually 443). Choose “HTTPS” for the protocol and select the certificate we created in the last step for the “SSL certificate.” Finally, save the configuration. Now the Elastic Beanstalk environment is set up for secure connections.

Creating DNS Records in Route 53

Finally, we’ll attach our subdomain’s hosted zone in Route 53 to the ACM certificate and Elastic Beanstalk environment. Navigate back to the Route 53 console and select the subdomain’s hosted zone. Click Create Record. Leave the record name empty and select the “A” record type. Flip the radio button titled “Alias” on. There should now be drop-down menus where you can select Alias to Elastic Beanstalk environment, the region that the EB environment is in, and finally, the name of the environment. Click Create Records.

We’ll create one more DNS record in the subdomain’s hosted zone. For this record, we’ll need some information from our certificate. In ACM, select the certificate and find the box labeled Domains. Note the CNAME name and CNAME value columns. Return to Route 53, select Create Record, and input the certificate’s CNAME name into the record name field. Select CNAME as the record type and paste the CNAME value from the certificate into the value box. Click Create Records and notice that the hosted zone now has four DNS records, two that we created and two generated records. Now, when we navigate to our subdomain, we should see the contents of our Elastic Beanstalk environment with HTTPS enabled.
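To confirm the records from the steps above are all in place, here is an added example (not part of the original post or AWS tooling) that audits the two hosted zones offline: it checks that the NS values pasted into the root zone match the subdomain zone's own NS record, that the alias A record targets an Elastic Beanstalk environment, and that the ACM validation CNAME exists. The domain, name servers, environment name and CNAME tokens are constructed placeholders, and `audit_subdomain` is a hypothetical helper name.

```python
# Added example: offline audit of the records this walkthrough creates.
# Record dicts follow the shape returned by Route 53 ListResourceRecordSets.

def _norm(name):
    """Lower-case and drop the trailing dot so names compare reliably."""
    return name.lower().rstrip(".")

def _find(records, name, rtype):
    return [r for r in records if _norm(r["Name"]) == _norm(name) and r["Type"] == rtype]

def _values(record_sets):
    return {_norm(v["Value"]) for r in record_sets for v in r.get("ResourceRecords", [])}

def audit_subdomain(parent_records, child_records, subdomain):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    delegated = _values(_find(parent_records, subdomain, "NS"))
    authoritative = _values(_find(child_records, subdomain, "NS"))
    if not delegated:
        findings.append("parent zone has no NS record for the subdomain")
    elif delegated != authoritative:
        findings.append("parent NS values differ from the subdomain zone's NS record")
    aliases = [r for r in _find(child_records, subdomain, "A") if "AliasTarget" in r]
    if not any(_norm(r["AliasTarget"]["DNSName"]).endswith("elasticbeanstalk.com") for r in aliases):
        findings.append("no alias A record targets an Elastic Beanstalk environment")
    suffix = "." + _norm(subdomain)
    cnames = [r for r in child_records if r["Type"] == "CNAME" and _norm(r["Name"]).endswith(suffix)]
    if not any(v.endswith(".acm-validations.aws") for v in _values(cnames)):
        findings.append("ACM validation CNAME is missing")
    return findings

# Constructed sample data (placeholder names, not real AWS resources).
SUB = "app.example.com."
NS_VALUES = ["ns-1.awsdns-01.org.", "ns-2.awsdns-02.co.uk.", "ns-3.awsdns-03.com.", "ns-4.awsdns-04.net."]

def ns_record(values):
    return {"Name": SUB, "Type": "NS", "ResourceRecords": [{"Value": v} for v in values]}

CHILD = [
    ns_record(NS_VALUES),
    {"Name": SUB, "Type": "A", "AliasTarget": {"DNSName": "my-env.us-east-1.elasticbeanstalk.com."}},
    {"Name": "_abc123." + SUB, "Type": "CNAME",
     "ResourceRecords": [{"Value": "_def456.example.acm-validations.aws."}]},
]
PARENT_OK = [ns_record(NS_VALUES)]
PARENT_BAD = [ns_record(NS_VALUES[:3] + ["ns-9.awsdns-09.net."])]  # one value pasted wrong

if __name__ == "__main__":
    print(audit_subdomain(PARENT_OK, CHILD, SUB))
    print(audit_subdomain(PARENT_BAD, CHILD, SUB))
```

For a real check, pass in the `ResourceRecordSets` lists from `aws route53 list-resource-record-sets --hosted-zone-id <zone-id>` for the root zone and the subdomain zone.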


This post draws on several pieces of AWS documentation. I’ll leave them here in case they’re helpful to anyone working on a similar problem:

Routing traffic to an AWS Elastic Beanstalk environment

Configure HTTPS for an Elastic Beanstalk environment

Create a subdomain for a domain hosted in Amazon Route 53