AWS Application Load Balancer

Check Load Balancers (CLI)

aws elbv2 help

Check

NOTE: If you run these commands in order, the arn (or SSLPolicy) argument each one needs will appear in the output of an earlier command; replace the placeholder arn with that value.
aws elbv2 describe-load-balancers
aws elbv2 describe-load-balancer-attributes --load-balancer-arn arn
aws elbv2 describe-listeners --load-balancer-arn arn
aws elbv2 describe-listeners --listener-arns arn
the option is --listener-arns (plural) and accepts one or more listener ARNs
aws elbv2 describe-listener-certificates --listener-arn arn
aws elbv2 describe-target-groups
aws elbv2 describe-target-group-attributes --target-group-arn arn
aws elbv2 describe-target-health --target-group-arn arn
aws elbv2 describe-tags --resource-arns arn
arn can be a load balancer or target group ARN but not a listener ARN
aws elbv2 describe-rules --listener-arn arn
aws elbv2 describe-account-limits
aws elbv2 describe-ssl-policies --names SSLPolicy

Add HTTPS Listener (CLI)

The commands below will prompt for:

  • The ARN for the Application Load Balancer
  • The ARN of the SSL Certificate
  • The ARN of the Target Group (for "forward" default action)
aws elbv2 describe-load-balancers --output table | grep LoadBalancer
aws acm list-certificates
aws elbv2 describe-target-groups --output table | grep TargetGroup

read -ep "LoadBalancerARN: " LBARN
read -ep "CertificateARN : " CERTARN
read -ep "TargetGroupARN : " TARGARN

aws elbv2 create-listener --load-balancer-arn ${LBARN} --protocol HTTPS --port 443 --certificates CertificateArn=${CERTARN} --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=${TARGARN}
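The following wrapper around the procedure above is an added example, not part of the original page or an AWS-supplied script. It type-checks the three pasted ARNs before calling the CLI (pasting a target-group or certificate ARN into the LoadBalancerARN prompt is the usual mistake), uses a TLS 1.2-only policy instead of the ELBSecurityPolicy-2016-08 default, and also creates the port-80 listener that redirects clients to HTTPS. The ARN values, the AWS and SSL_POLICY variables and the function names are assumptions of the example; AWS=echo prints the aws commands instead of running them, so the block runs without credentials. Set AWS=aws and the real ARNs to apply it.

```shell
#!/bin/sh
# Added example, not from the original page. Wraps "Add HTTPS Listener":
# validates the pasted ARNs, uses a TLS 1.2-only policy and adds the HTTP->HTTPS
# redirect listener. AWS=echo only prints the aws commands; AWS=aws runs them.
AWS=echo
SSL_POLICY=ELBSecurityPolicy-FS-1-2-Res-2019-08

# $1 = expected resource kind, $2 = ARN. Rejects an ARN of the wrong type
# (e.g. a target-group ARN handed to --load-balancer-arn).
require_arn() {
  case "$1:$2" in
    loadbalancer:arn:aws:elasticloadbalancing:*:loadbalancer/app/*) return 0 ;;
    targetgroup:arn:aws:elasticloadbalancing:*:targetgroup/*)       return 0 ;;
    certificate:arn:aws:acm:*:certificate/*)                         return 0 ;;
  esac
  echo "expected a $1 ARN, got: $2" >&2
  return 1
}

# $1 = load balancer ARN, $2 = ACM certificate ARN, $3 = target group ARN.
# Same create-listener call as the page, with a stronger --ssl-policy.
create_https_listener() {
  require_arn loadbalancer "$1" && require_arn certificate "$2" && require_arn targetgroup "$3" || return 1
  $AWS elbv2 create-listener --load-balancer-arn "$1" --protocol HTTPS --port 443 \
    --certificates "CertificateArn=$2" --ssl-policy "$SSL_POLICY" \
    --default-actions "Type=forward,TargetGroupArn=$3"
}

# $1 = load balancer ARN. Port-80 listener whose only action is a permanent
# redirect to HTTPS that keeps the original host, path and query string.
create_http_redirect_listener() {
  require_arn loadbalancer "$1" || return 1
  $AWS elbv2 create-listener --load-balancer-arn "$1" --protocol HTTP --port 80 \
    --default-actions "Type=redirect,RedirectConfig={Protocol=HTTPS,Port=443,Host='#{host}',Path='/#{path}',Query='#{query}',StatusCode=HTTP_301}"
}

# Constructed sample ARNs (not real resources); replace with the prompted values.
LBARN='arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/example-alb/50dc6c495c0c9188'
CERTARN='arn:aws:acm:eu-west-1:123456789012:certificate/12345678-1234-1234-1234-123456789012'
TARGARN='arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/example-tg/73e2d6bc24d8a067'

create_https_listener "$LBARN" "$CERTARN" "$TARGARN"
create_http_redirect_listener "$LBARN"
```

The redirect shorthand is the form the AWS CLI accepts for a redirect default action; the single quotes around the #{host}, #{path} and #{query} placeholders must reach the CLI, which is why the whole argument is double-quoted.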

ELBSecurityPolicy

(Information correct on 24-Jun-2020)

ELBSecurityPolicy-2016-08 is the default security policy for an HTTPS listener (it is what you get when --ssl-policy is omitted), but it still negotiates TLS 1.0 and TLS 1.1, so a listener using it cannot score higher than B on the SSL Labs Server Test. For a higher grade use a TLS 1.2-only policy such as ELBSecurityPolicy-FS-1-2-Res-2019-08 (a smaller, forward-secret ECDHE-only cipher list), but note that this may break some older client software; ALB access logs record the negotiated ssl_protocol and ssl_cipher for every request, so check them for TLS 1.0/1.1 clients before switching. Useful tables to aid in choosing the best ELBSecurityPolicy for your needs can be found here... https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
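An added example (not from the original page) that turns the Check commands and the policy advice above into a repeatable audit: it reads one tab-separated row per listener and flags every HTTPS listener whose policy still admits TLS 1.0/1.1, plus every plaintext HTTP listener, so the check can gate a deployment. The row format is what the assumed command in the header comment produces with --query and --output text; the sample rows, the function names and the list of TLS 1.2-only policies (taken from the AWS policy table as of June 2020) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original page. Audits an ALB's listeners for
# security policies that still admit TLS 1.0/1.1. Real input comes from:
#   aws elbv2 describe-listeners --load-balancer-arn "$LBARN" \
#     --query 'Listeners[].[ListenerArn,Protocol,Port,SslPolicy]' --output text
# which prints one tab-separated row per listener:
#   <ListenerArn> <Protocol> <Port> <SslPolicy, or "None" for HTTP listeners>

# TLS 1.2-only policies in the AWS policy table as of June 2020 (assumed list);
# any other HTTPS policy is treated as legacy (admits TLS 1.0 and/or 1.1).
tls12_only_policy() {
  case "$1" in
    ELBSecurityPolicy-TLS-1-2-2017-01|ELBSecurityPolicy-TLS-1-2-Ext-2018-06|\
    ELBSecurityPolicy-FS-1-2-2019-08|ELBSecurityPolicy-FS-1-2-Res-2019-08) return 0 ;;
    *) return 1 ;;
  esac
}

# Read listener rows from stdin, print one finding per row, and return 1 if
# any HTTPS listener uses a legacy policy.
audit_listeners() {
  tab=$(printf '\t')
  weak=0
  while IFS="$tab" read -r arn proto port policy; do
    [ -n "$arn" ] || continue
    case "$proto" in
      HTTPS)
        if tls12_only_policy "$policy"; then
          printf 'OK    %s:%s %s\n' "$proto" "$port" "$policy"
        else
          printf 'WEAK  %s:%s %s admits TLS 1.0/1.1 (SSL Labs grade capped at B)\n' \
            "$proto" "$port" "$policy"
          weak=$((weak + 1))
        fi ;;
      HTTP)
        printf 'NOTE  %s:%s plaintext listener; its default action should be a redirect to HTTPS\n' \
          "$proto" "$port" ;;
      *)
        printf 'NOTE  %s:%s unexpected protocol\n' "$proto" "$port" ;;
    esac
  done
  [ "$weak" -eq 0 ]
}

# Constructed sample rows (not real AWS output): one HTTPS listener on the
# default policy and one plaintext HTTP listener.
SAMPLE_ROWS=$(printf '%s\t%s\t%s\t%s\n' \
  'arn:aws:elasticloadbalancing:eu-west-1:123456789012:listener/app/example-alb/50dc6c495c0c9188/f2f7dc8efc522ab2' HTTPS 443 ELBSecurityPolicy-2016-08 \
  'arn:aws:elasticloadbalancing:eu-west-1:123456789012:listener/app/example-alb/50dc6c495c0c9188/0b2a3c4d5e6f7a8b' HTTP 80 None)

# With real data: aws elbv2 describe-listeners ... --output text | audit_listeners
printf '%s\n' "$SAMPLE_ROWS" | audit_listeners || echo 'at least one listener needs a stronger --ssl-policy'
```

A WEAK listener can be moved to a stronger policy in place with aws elbv2 modify-listener --listener-arn arn --ssl-policy ELBSecurityPolicy-FS-1-2-Res-2019-08; for the NOTE rows, inspect the port-80 listener's DefaultActions in the describe-listeners output to confirm it redirects rather than forwards.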

Add a Certificate to a Listener

The commands below will prompt for:

  • The ARN for the Application Load Balancer
  • The ARN for the Listener
  • The ARN for the Certificate
aws elbv2 describe-load-balancers --output table | grep LoadBalancer
read -ep "LoadBalancerARN: " LBARN

aws elbv2 describe-listeners --load-balancer-arn ${LBARN} 
read -ep "ListenerARN: " LISTARN

aws acm list-certificates
read -ep "CertificateARN : " CERTARN

To replace the listener's default certificate:

aws elbv2 modify-listener --listener-arn ${LISTARN} --certificates CertificateArn=${CERTARN}

To add an additional certificate to the listener (selected by SNI) without changing the default:

aws elbv2 add-listener-certificates --listener-arn ${LISTARN} --certificates CertificateArn=${CERTARN}