I'm running a Linux server that hosts a web page and I've successfully added an Elastic IP, so I can access it directly. Now, I want to move this setup behind an Application Load Balancer (ALB) and set up a target group. The ALB already has an SSL certificate configured, but I'm unsure if I need to create a self-signed certificate on my server as well. Currently, my target group is set up for HTTPS for both the protocol and health check. What steps should I take to make this configuration work?
5 Answers
For end-to-end encryption, using a self-signed certificate on your EC2 instance is valid, as ALBs don’t check the certificate validity when passing traffic to the target group. You wouldn’t even need to spend extra on a third-party certificate since the ALB doesn’t enforce those checks internally. It's more cost-effective!
If you want to keep things simple, you can just have your web server switched to port 80, allowing the traffic between your ALB and server to be unencrypted. This means you’ll let the ALB handle all the SSL stuff, which is usually easier. Just adjust the health checks and target group settings accordingly. If your traffic needs to be secure within your VPC, that's generally fine too!
Since you've already set up an ALB with a certificate, you could set your target group to use HTTP instead of HTTPS. That way, the ALB takes care of the SSL termination, and you won't have to worry about setting up SSL on your EC2 instance!
You should also consider using an Autoscaling Group if you plan on having more than one instance—this lets you balance the traffic effectively. Plus, it could help maintain uptime if one instance goes down. Using CloudFront in front can further optimize your setup.
If you end up needing HTTPS connectivity from the ALB to your server, just set the health check path to match where your server is responding. Just be aware that internally, AWS doesn’t check certs, so you might have to ensure your server responds correctly to health checks!
True! Self-signed certs are a good way to save some cash—especially since they won’t create issues for ALB. Just focus on ensuring your web server can handle the requests properly.
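The self-signed certificate approach from the answers above, as an added example that is not part of the original thread: it generates the key and certificate for the instance, checks that the two belong together before the web server is pointed at them, and sets the target group's health check to HTTPS. It assumes OpenSSL 1.1.1 or later and the AWS CLI; the hostname, file names, `/healthz` path and target group ARN are placeholders.

```shell
# Added example, not from the thread. Hostname, file names, health check
# path and ARN are placeholders chosen for illustration.

# Create a private key and self-signed certificate in directory $1 for name $2.
make_target_cert() {
  local dir="$1" cn="$2" days="${3:-365}"
  mkdir -p "$dir" || return 1
  ( umask 077   # key file is created readable by its owner only
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
      -days "$days" -subj "/CN=${cn}" \
      -addext "subjectAltName=DNS:${cn}" \
      -keyout "$dir/target.key" -out "$dir/target.crt" 2>/dev/null
  ) || return 1
  chmod 600 "$dir/target.key" && chmod 644 "$dir/target.crt"
}

# Succeed only if certificate $1 carries the public key of private key $2.
# A mismatched pair is a common reason the web server refuses to start TLS.
cert_matches_key() {
  local crt="$1" key="$2" a b
  a=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  b=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Set the health check of target group $1 (ARN) to HTTPS on port 443.
# The path must be one the web server answers with HTTP 200.
set_https_health_check() {
  aws elbv2 modify-target-group \
    --target-group-arn "$1" \
    --health-check-protocol HTTPS \
    --health-check-port 443 \
    --health-check-path "${2:-/healthz}" \
    --matcher HttpCode=200
}

# Usage: sh target-cert.sh <dir> <hostname> [target-group-arn]
if [ "$#" -ge 2 ]; then
  make_target_cert "$1" "$2" && cert_matches_key "$1/target.crt" "$1/target.key" \
    && echo "certificate and key written to $1"
  if [ -n "${3:-}" ]; then set_https_health_check "$3"; fi
fi
```

Point the web server's TLS listener on port 443 at `target.crt` and `target.key`, and open that port in the instance's security group to the ALB's security group only.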