AWS · cloud · ~30 mins

SSL/TLS termination in AWS - Mini Project: Build & Apply

SSL/TLS Termination with AWS Elastic Load Balancer
📖 Scenario: You are setting up a secure web application on AWS. To protect your users' data, you want to use SSL/TLS encryption. Instead of configuring SSL on each server, you will use AWS Elastic Load Balancer (ELB) to handle SSL/TLS termination. This means the ELB will decrypt incoming encrypted traffic and forward it as plain HTTP to your servers.
🎯 Goal: Build an AWS Elastic Load Balancer configuration that terminates SSL/TLS connections using a specified SSL certificate and forwards traffic to backend instances over HTTP.
📋 What You'll Learn
Create a load balancer resource with HTTPS listener on port 443
Use a given SSL certificate ARN for SSL termination
Forward traffic from the load balancer to backend instances on port 80
Configure a target group for backend instances
Ensure the load balancer uses the correct security policy for SSL
💡 Why This Matters
🌍 Real World
SSL/TLS termination at the load balancer is a common practice to simplify certificate management and reduce CPU load on backend servers.
💼 Career
Cloud engineers and DevOps professionals often configure load balancers for secure web applications using SSL/TLS termination.
Step 1: Create a target group for backend instances
Create an AWS target group named web-target-group that listens on port 80 using the HTTP protocol.

Hint: Use the aws_lb_target_group resource with name, port, and protocol set as specified.

Step 2: Define the SSL certificate ARN variable
Create a variable named ssl_certificate_arn to hold the ARN string of your SSL certificate.

Hint: Use a variable block with type = string and a description.

Step 3: Create an Application Load Balancer with HTTPS listener
Create an AWS Application Load Balancer resource named app_lb with an HTTPS listener on port 443. Use the variable ssl_certificate_arn for the SSL certificate ARN. Configure the listener to forward traffic to the target group web-target-group on port 80.

Hint: Use aws_lb for the load balancer and aws_lb_listener for the HTTPS listener. Reference the SSL certificate ARN variable.

Step 4: Add security group and finalize configuration
Add a security group with ID sg-12345678 to the load balancer app_lb and ensure the load balancer is in subnets subnet-11111111 and subnet-22222222. Confirm the SSL policy is set to ELBSecurityPolicy-2016-08 for secure SSL/TLS settings.

Hint: Make sure the aws_lb resource includes the security_groups and subnets attributes as specified, and the listener has the correct ssl_policy.
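
The four steps assembled into one Terraform configuration, as an added example that is not part of the original exercise. The vpc_id variable and the resource labels web_target_group and https are assumptions; the certificate variable, IDs, ports and policy name are the ones the steps specify.

```hcl
# Added example, not from the original page.
# Assumed names: var.vpc_id, and the labels web_target_group and https.

variable "ssl_certificate_arn" {
  type        = string
  description = "ARN of the SSL certificate used for TLS termination"
}

variable "vpc_id" {
  type        = string
  description = "VPC holding the backend instances (assumed; not given in the steps)"
}

# Step 1: backends receive the decrypted traffic as plain HTTP on port 80.
resource "aws_lb_target_group" "web_target_group" {
  name     = "web-target-group"
  port     = 80
  protocol = "HTTP"
  vpc_id   = var.vpc_id
}

# Steps 3 and 4: the Application Load Balancer, its security group and subnets.
resource "aws_lb" "app_lb" {
  load_balancer_type = "application"
  security_groups    = ["sg-12345678"]
  subnets            = ["subnet-11111111", "subnet-22222222"]
}

# Step 3: TLS ends at this listener; certificate and policy apply only here.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app_lb.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.ssl_certificate_arn

  # Value required by step 4. This policy still accepts TLS 1.0 and 1.1
  # clients; where legacy clients are not needed, a policy such as
  # ELBSecurityPolicy-TLS13-1-2-2021-06 restricts the listener to TLS 1.2+.
  ssl_policy = "ELBSecurityPolicy-2016-08"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web_target_group.arn
  }
}
```

Because traffic between the load balancer and the targets is unencrypted HTTP, the backend instances' security group should accept port 80 only from sg-12345678.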