AWS Elastic Beanstalk
Developer Guide (API Version 2010-12-01)

Configuring Your Elastic Beanstalk Environment's Load Balancer to Terminate HTTPS

To update your AWS Elastic Beanstalk environment to use HTTPS, you need to configure an HTTPS listener for the load balancer in your environment. Two types of load balancer support an HTTPS listener: Classic Load Balancer and Application Load Balancer.

You can use the Elastic Beanstalk console to configure a secure listener and assign the certificate.

To assign a certificate to your environment's load balancer (Elastic Beanstalk console)

  1. Open the Elastic Beanstalk console.

  2. Navigate to the management page for your environment.

  3. Choose Configuration.

  4. On the Load balancer configuration card, choose Modify.

    Note

    If the Load balancer configuration card doesn't have a Modify button, your environment doesn't have a load balancer.

  5. On the Modify load balancer page, the procedure varies depending on the type of load balancer associated with your environment.

    Classic Load Balancer

    1. Choose Add listener.

    2. In the Classic Load Balancer listener dialog box, configure the following settings:

      • For Listener port, type the incoming traffic port, typically 443.

      • For Listener protocol, choose HTTPS.

      • For Instance port, type 80.

      • For Instance protocol, choose HTTP.

      • For SSL certificate, choose your certificate.

    3. Choose Add.

    Application Load Balancer

    1. Choose Add listener.

    2. In the Application Load Balancer listener dialog box, configure the following settings:

      • For Port, type the incoming traffic port, typically 443.

      • For Protocol, choose HTTPS.

      • For SSL certificate, choose your certificate.

    3. Choose Add.

    Note

    If the drop-down menu doesn't show any certificates, you should create or upload a certificate in AWS Certificate Manager (ACM) (preferred), or upload a certificate to IAM with the AWS CLI.

  6. Choose Save, and then choose Apply.

Configuring a Secure Listener with a Configuration File

You can configure a secure listener on your load balancer with one of the following configuration files.

Example .ebextensions/securelistener-clb.config

Use this example when your environment has a Classic Load Balancer. The example uses options in the aws:elb:listener namespace to configure an HTTPS listener on port 443 with the specified certificate, and to forward the decrypted traffic to the instances in your environment on port 80.

option_settings:
  aws:elb:listener:443:
    SSLCertificateId: arn:aws:acm:us-west-2:1234567890123:certificate/####################################
    ListenerProtocol: HTTPS
    InstancePort: 80

Replace the SSLCertificateId value (the example ARN) with the ARN of your certificate. The certificate can be one that you created or uploaded in AWS Certificate Manager (ACM) (preferred), or one that you uploaded to IAM with the AWS CLI.

For more information about Classic Load Balancer configuration options, see Classic Load Balancer Configuration Namespaces.

Example .ebextensions/securelistener-alb.config

Use this example when your environment has an Application Load Balancer. The example uses options in the aws:elbv2:listener namespace to configure an HTTPS listener on port 443 with the specified certificate. The listener routes traffic to the default process.

option_settings:
  aws:elbv2:listener:443:
    Protocol: HTTPS
    SSLCertificateArns: arn:aws:acm:us-west-2:1234567890123:certificate/####################################

Security Group Configuration

If you configure your load balancer to forward traffic to an instance port other than port 80, you must add a rule to your security group that allows inbound traffic over the instance port from your load balancer. If you create your environment in a custom VPC, Elastic Beanstalk adds this rule for you.

You add this rule by adding a Resources key to a configuration file in the .ebextensions directory for your application.

The following example configuration file adds an ingress rule to the AWSEBSecurityGroup security group, which allows traffic on port 1000 from the load balancer's security group.

Example .ebextensions/sg-ingressfromlb.config

Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 1000
      FromPort: 1000
      SourceSecurityGroupName: {"Fn::GetAtt" : ["AWSEBLoadBalancer" , "SourceSecurityGroup.GroupName"]}
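
The following pre-deployment check is an added example, not part of the AWS guide. It cross-checks a Classic Load Balancer listener configuration against the ingress rules described above: an HTTPS listener must carry an ACM or IAM certificate ARN, and an instance port other than 80 needs an ingress rule whose source is the load balancer's security group. Assumptions: the function name check_clb_https is hypothetical, the .ebextensions files are passed in already parsed as dictionaries, a rule that uses CidrIp as its source is reported, and the environment is not in a custom VPC (where Elastic Beanstalk adds the rule itself).

```python
import re

# Certificate ARN shapes for the two stores the page names: ACM and IAM.
CERT_ARN = re.compile(
    r"^arn:aws[\w-]*:(acm:[a-z0-9-]+:\d+:certificate/|iam::\d+:server-certificate/).+")

def check_clb_https(option_settings, resources):
    """Return findings for parsed 'option_settings' and 'Resources' mappings."""
    findings, lb_ports = [], set()
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::SecurityGroupIngress":
            continue
        props = res.get("Properties", {})
        if "CidrIp" in props:
            findings.append(f"{name}: source is a CIDR range, not the load balancer's group")
            continue
        src = props.get("SourceSecurityGroupName")
        if isinstance(src, dict) and src.get("Fn::GetAtt", [None])[0] == "AWSEBLoadBalancer":
            # Ports the instances accept from the load balancer's security group.
            lb_ports.update(range(int(props["FromPort"]), int(props["ToPort"]) + 1))
    for namespace, opts in option_settings.items():
        if not namespace.startswith("aws:elb:listener:"):
            continue
        port = namespace.rsplit(":", 1)[1]
        if opts.get("ListenerProtocol") == "HTTPS" and not CERT_ARN.match(
                str(opts.get("SSLCertificateId", ""))):
            findings.append(f"listener {port}: SSLCertificateId is not an ACM or IAM certificate ARN")
        # Only an explicitly set InstancePort is checked against the ingress rules.
        if "InstancePort" in opts:
            instance_port = int(opts["InstancePort"])
            if instance_port != 80 and instance_port not in lb_ports:
                findings.append(f"listener {port}: no ingress from the load balancer on port {instance_port}")
    return findings

# Constructed sample input: the page's listener, changed to instance port 1000.
SAMPLE_OPTIONS = {"aws:elb:listener:443": {
    "SSLCertificateId": "arn:aws:acm:us-west-2:111122223333:certificate/EXAMPLE-ID",
    "ListenerProtocol": "HTTPS",
    "InstancePort": 1000}}
# The page's sg-ingressfromlb.config, as a YAML loader would parse it.
SAMPLE_RESOURCES = {"sslSecurityGroupIngress": {
    "Type": "AWS::EC2::SecurityGroupIngress",
    "Properties": {
        "GroupId": {"Fn::GetAtt": ["AWSEBSecurityGroup", "GroupId"]},
        "IpProtocol": "tcp", "ToPort": 1000, "FromPort": 1000,
        "SourceSecurityGroupName": {
            "Fn::GetAtt": ["AWSEBLoadBalancer", "SourceSecurityGroup.GroupName"]}}}}
if __name__ == "__main__":
    print(check_clb_https(SAMPLE_OPTIONS, {}))                # missing ingress rule
    print(check_clb_https(SAMPLE_OPTIONS, SAMPLE_RESOURCES))  # no findings
```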