TL;DR
This guide shows you how to set up end-to-end SSL/TLS encryption for your application in AWS GovCloud, using an Elastic Load Balancer (ELB). We’ll cover configuring the ELB to terminate SSL and then forwarding traffic securely to your backend instances.
Setting Up End-to-End SSL with AWS GovCloud ELB
- Obtain or Create an SSL Certificate:
  - You’ll need a valid SSL/TLS certificate for your domain. You can request one from a Certificate Authority (CA) such as DigiCert or Sectigo, or use AWS Certificate Manager (ACM).
  - If using ACM, ensure you request the certificate in the GovCloud (us-gov) region.
- Upload/Import your SSL Certificate to the ELB:
  - Navigate to the EC2 console in AWS GovCloud.
  - In the left navigation pane, under ‘Load Balancing’, select ‘Load Balancers’.
  - Select your existing ELB or create a new one.
  - Go to the ‘Listeners’ tab.
  - Add a listener for HTTPS (port 443).
  - Choose ‘SSL certificate from ACM’ or ‘SSL certificate uploaded to IAM’. If uploading, you’ll need the certificate (.pem), the private key (.key) and the chain certificate (.pem).
- Configure Security Groups:
  - ELB Security Group: Allow inbound traffic on port 443 (HTTPS) from your desired sources (e.g., 0.0.0.0/0 for public access, or specific IP ranges).
  - Backend Instance Security Groups: Allow inbound traffic on the port your application listens on (e.g., 80, 443, 8080) from the ELB’s security group ID rather than from the internet. This is crucial: it restricts the backend port to traffic arriving through the ELB.
- Configure Health Checks:
  - In the ELB configuration, go to the ‘Health Checks’ tab.
  - Ensure the health check path is correctly configured for your application (e.g., ‘/health’, ‘/’).
  - Set healthy and unhealthy thresholds appropriate for your application’s responsiveness.
- Configure ELB Backend Instances:
  - Register your backend instances with the ELB. Ensure they are running in the correct Availability Zone(s).
- Verify SSL Configuration:
  - Use a tool like SSL Shopper or your browser’s developer tools to verify that the SSL certificate is correctly installed on the ELB’s public DNS name.
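The six steps above carried out with the AWS CLI. This is an added example, not code from the original guide; it targets a classic ELB (the `aws elb` command set), and the region, load balancer name, domain, security group and subnet ids, instance ids, certificate ARN and certificate file paths it uses are assumed placeholders that you replace with your own.

```shell
#!/bin/sh
# Added example, not part of the original guide: the six steps above driven with the
# AWS CLI against a classic ELB in AWS GovCloud. Every id, name and file path below is
# a constructed placeholder; set the variables from your environment before use.
# With DRY_RUN=1 each aws command is printed instead of executed, so the plan can be
# reviewed before anything changes.
set -eu

REGION="${REGION:-us-gov-west-1}"                 # GovCloud region (assumed)
ELB_NAME="${ELB_NAME:-app-elb}"                   # placeholder load balancer name
DOMAIN="${DOMAIN:-app.example.com}"               # placeholder certificate domain
ELB_SG="${ELB_SG:-sg-elb-placeholder}"            # placeholder: security group of the ELB
APP_SG="${APP_SG:-sg-app-placeholder}"            # placeholder: security group of the backends
SUBNET="${SUBNET:-subnet-placeholder}"            # placeholder subnet for the ELB
INSTANCES="${INSTANCES:-i-placeholder}"           # placeholder, space-separated instance ids
APP_PORT="${APP_PORT:-443}"                       # port the backend application listens on
# ARN of the ACM certificate (placeholder); an IAM server certificate ARN works here too.
CERT_ARN="${CERT_ARN:-arn:aws-us-gov:acm:us-gov-west-1:123456789012:certificate/placeholder}"

# Run an aws command in the GovCloud region, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'aws --region %s' "$REGION"; printf ' %s' "$@"; printf '\n'
  else
    aws --region "$REGION" "$@"
  fi
}

# Step 1, ACM path: the request is made in the GovCloud region via --region above.
request_certificate() {
  run acm request-certificate --domain-name "$DOMAIN" --validation-method DNS
}

# Step 2, IAM path: upload a CA-issued certificate, its private key and the chain.
# Arguments: cert.pem key.pem chain.pem
upload_certificate() {
  run iam upload-server-certificate --server-certificate-name "$ELB_NAME-cert" \
    --certificate-body "file://$1" --private-key "file://$2" --certificate-chain "file://$3"
}

# Step 2: HTTPS listener on 443. InstanceProtocol=HTTPS keeps the ELB-to-backend leg
# encrypted; InstanceProtocol=HTTP would send plaintext from the ELB to the instances.
create_load_balancer() {
  run elb create-load-balancer --load-balancer-name "$ELB_NAME" \
    --listeners "Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTPS,InstancePort=$APP_PORT,SSLCertificateId=$CERT_ARN" \
    --subnets "$SUBNET" --security-groups "$ELB_SG"
}

# Step 3: clients reach the ELB on 443; backends accept the application port only
# from the ELB's security group, not from 0.0.0.0/0.
open_security_groups() {
  run ec2 authorize-security-group-ingress --group-id "$ELB_SG" --protocol tcp --port 443 --cidr 0.0.0.0/0
  run ec2 authorize-security-group-ingress --group-id "$APP_SG" --protocol tcp --port "$APP_PORT" --source-group "$ELB_SG"
}

# Step 4: health check over HTTPS against /health on the backend port.
configure_health_check() {
  run elb configure-health-check --load-balancer-name "$ELB_NAME" \
    --health-check "Target=HTTPS:$APP_PORT/health,Interval=30,Timeout=5,UnhealthyThreshold=2,HealthyThreshold=2"
}

# Step 5: register the backend instances (INSTANCES is intentionally word-split).
register_instances() {
  # shellcheck disable=SC2086
  run elb register-instances-with-load-balancer --load-balancer-name "$ELB_NAME" --instances $INSTANCES
}

# Step 6: look up the ELB's DNS name and inspect the certificate it serves for $DOMAIN.
# openssl's -checkend makes the command fail if the certificate expires within 30 days.
verify_listener() {
  dns_name=$(aws --region "$REGION" elb describe-load-balancers --load-balancer-names "$ELB_NAME" \
    --query 'LoadBalancerDescriptions[0].DNSName' --output text)
  openssl s_client -connect "$dns_name:443" -servername "$DOMAIN" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates -checkend 2592000
}

# Run the steps only when invoked as: ./elb-setup.sh apply
if [ "${1:-}" = "apply" ]; then
  create_load_balancer
  open_security_groups
  configure_health_check
  register_instances
  verify_listener
fi
```

Run it once as `DRY_RUN=1 ./elb-setup.sh apply` to review the exact commands, then without `DRY_RUN`. The `--source-group` rule in `open_security_groups` is the point of step 3, and `InstanceProtocol=HTTPS` in the listener is what keeps the hop from the ELB to the instances encrypted.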
Server to ELB Encryption (Optional, but Recommended)
While the ELB terminates SSL, you can further encrypt traffic *from* your servers to the ELB for added security.
- Configure Your Application: Configure your application on each backend instance to use HTTPS when communicating with the ELB. This typically involves setting up a truststore with the ELB’s certificate.
- Use Mutual TLS (mTLS): For even stronger security, consider using mTLS where both the client (your server) and the server (ELB) authenticate each other using certificates. This requires more configuration but provides enhanced protection against man-in-the-middle attacks.
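Classic ELB's built-in feature for authenticating the backend leg is backend server authentication: the load balancer is given the public key from the backend instance's certificate and will not complete an HTTPS connection to an instance that presents a different key. It is one-way (the ELB authenticates the backend), so it is the nearest built-in counterpart to the mutual authentication described above, not full mTLS. This is an added example, not code from the original guide; the load balancer name, port and policy names are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): backend server authentication on a
# classic ELB, so the ELB checks the backend's certificate public key before sending
# traffic over the HTTPS backend leg. Names and ports below are placeholders.
# With DRY_RUN=1 the aws commands are printed instead of executed.
set -eu

REGION="${REGION:-us-gov-west-1}"     # GovCloud region (assumed)
ELB_NAME="${ELB_NAME:-app-elb}"       # placeholder load balancer name
APP_PORT="${APP_PORT:-443}"           # backend HTTPS port

# Run an aws command in the GovCloud region, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'aws --region %s' "$REGION"; printf ' %s' "$@"; printf '\n'
  else
    aws --region "$REGION" "$@"
  fi
}

# Extract the backend certificate's public key as one base64 line: the PEM
# header/footer and newlines are removed, which is the form the policy attribute expects.
backend_public_key() {
  openssl x509 -in "$1" -pubkey -noout | sed '/^-----/d' | tr -d '\n'
}

# Create the public-key policy, the backend authentication policy that references it,
# and bind that policy to the backend port. $1 is the base64 public key string.
enable_backend_auth() {
  run elb create-load-balancer-policy --load-balancer-name "$ELB_NAME" \
    --policy-name "$ELB_NAME-backend-key" --policy-type-name PublicKeyPolicyType \
    --policy-attributes "AttributeName=PublicKey,AttributeValue=$1"
  run elb create-load-balancer-policy --load-balancer-name "$ELB_NAME" \
    --policy-name "$ELB_NAME-backend-auth" --policy-type-name BackendServerAuthenticationPolicyType \
    --policy-attributes "AttributeName=PublicKeyPolicyName,AttributeValue=$ELB_NAME-backend-key"
  run elb set-load-balancer-policies-for-backend-server --load-balancer-name "$ELB_NAME" \
    --instance-port "$APP_PORT" --policy-names "$ELB_NAME-backend-auth"
}

# Usage: ./elb-backend-auth.sh apply /path/to/backend-cert.pem
if [ "${1:-}" = "apply" ]; then
  enable_backend_auth "$(backend_public_key "${2:?path to the backend certificate PEM}")"
fi
```

Every backend instance must present a certificate with the registered public key, so rotate the instance certificate and the policy together; after the rotation, a failing health check on the HTTPS backend port is the first sign that the key in the policy no longer matches.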
Troubleshooting
- Certificate Errors: Double-check that your SSL certificate is valid, not expired, and correctly configured in the ELB.
- Security Group Issues: Verify that security groups allow traffic on the necessary ports between clients, the ELB, and backend instances.
- Health Check Failures: Ensure your health check path is correct and your application responds appropriately to health checks.