Steps to Create HTTPS/SSL Elastic Load Balancer on Eucalyptus



Eucalyptus Versions: 4.0

This article covers how to create an HTTPS/SSL Elastic Load Balancer on Eucalyptus 4.0.  These steps are similar to the information provided in the Amazon Web Services (AWS) Elastic Load Balancing Developer Guide documentation [1].

1.  Configure Elastic Load Balancer Listeners

  • Create SSL Certificate for Elastic Load Balancer
    • Create private key:
      • $ openssl genrsa 2048 > acmes-dev-euca.pem
    • If submitting the Certificate Signing Request to a Certificate Authority (CA), generate a Certificate Signing Request (CSR). If not, create a self-signed certificate. (Note: for production use, it is recommended to generate a CSR. Self-signed certificates are great for testing):
      • Generate a CSR:
        • $ openssl req -new -key acmes-dev-euca.pem -out acme-dev-csr.pem


      • Generate a self-signed certificate:
        • $ openssl req -new -x509 -key acmes-dev-euca.pem -out acmes-cacert.pem -days 1095
    • Upload the Certificate
      • If not in PEM format, create PEM format private key:
        • $ openssl rsa -in acmes-dev-euca.pem -outform PEM > acmes-dev-euca-pem.pem
      • If not in PEM format, create PEM format public certificate:
        • $ openssl x509 -inform PEM -in acmes-cacert.pem > acmes-cacert-pem.pem
      • (In case a certificate chain was provided by the CA) Typically, both intermediate and root certificates are provided by a CA in a bundled file with the proper chained order. If a certificate bundle is not available, or is not in the required order, you can create your own certificate chain file. To create your own certificate chain file, include the intermediate certificates and, optionally, the root certificate, one after the other without any blank lines. If you are including the root certificate, your certificate chain must start with the intermediate certificates and end with the root certificate. Use the intermediate certificates that were provided by your CA. Any intermediaries that are not involved in the chain of trust path must not be included. If the resulting certificate chain is not in PEM format, create a PEM format certificate chain:
        • $ openssl x509 -inform PEM -in acmes-cachain-cert.pem > acmes-cachain-cert-pem.pem
      • Upload certificates using euare-servercertupload:
        • (With no certificate chain)
          • $ euare-servercertupload --server-certificate-name acmes-dev-eucalyptus --certificate-file acmes-cacert-pem.pem --private-key-file acmes-dev-euca-pem.pem
        • (With certificate chain)
          • $ euare-servercertupload --server-certificate-name acmes-dev-eucalyptus --certificate-file acmes-cacert-pem.pem --private-key-file acmes-dev-euca-pem.pem --certificate-chain-file acmes-cachain-cert-pem.pem
    • Confirm certificate using euare-servercertgetattributes:
      • $ euare-servercertgetattributes --server-certificate-name acmes-dev-eucalyptus
  • Create Elastic Load Balancer with Listeners using eulb-create-lb:
    • $ eulb-create-lb MyLoadBalancer --availability-zones AcmeAvailabilityZone --listener "lb-port=80, protocol=HTTP, instance-port=80, instance-protocol=HTTP" --listener "lb-port=443, protocol=https, instance-port=80, instance-protocol=http, cert-id=arn:aws:iam::408396244283:server-certificate/acmes-dev-eucalyptus"
    • Note: In the above example, the ELB accepts both HTTP (port 80) and HTTPS (port 443), whereas the connection from the ELB to the back-end instance uses only HTTP (port 80), so traffic between the ELB and the instances is not encrypted. This is a valid configuration. Please refer to the "Secure website or application using Elastic Load Balancing to offload SSL decryption" entry on the Elastic Load Balancing Listener Configurations Quick Reference page [2]. Note also that end-to-end SSL is not yet supported in Eucalyptus, at least as of v4.1.0.
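
A pre-upload check for the key, certificate and chain files described in step 1, as an added example that is not part of the original article or of euca2ools. It confirms that the private key belongs to the certificate and that the chain file has no blank lines and runs from the server certificate through the intermediates to the optional root; the function names are illustrative and only standard `openssl` subcommands are assumed.

```shell
#!/bin/sh
# Added example: local checks on the files handed to euare-servercertupload.
# Nothing here contacts Eucalyptus; file names are supplied by the caller.

# Succeeds when the private key ($1) and certificate ($2) share a public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds when server certificate ($1) followed by chain file ($2) forms an
# unbroken issuer -> subject path: intermediates first, optional root last.
chain_in_order() {
    d=$(mktemp -d) || return 1
    # Split both files into one PEM file per certificate, numbered in order.
    awk -v d="$d" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n { print > (d "/" n ".pem") }' "$1" "$2"
    i=1; rc=0
    while [ -f "$d/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$d/$i.pem" -noout -issuer_hash 2>/dev/null) || rc=1
        subject=$(openssl x509 -in "$d/$((i + 1)).pem" -noout -subject_hash 2>/dev/null) || rc=1
        [ "$issuer" = "$subject" ] || rc=1
        i=$((i + 1))
    done
    [ "$i" -gt 1 ] || rc=1   # no certificate found in the chain file
    rm -rf "$d"
    return "$rc"
}

# $1 = private key, $2 = certificate, $3 = optional certificate chain file.
check_upload_bundle() {
    key_matches_cert "$1" "$2" || { echo "private key does not match certificate" >&2; return 1; }
    if [ -z "${3:-}" ]; then return 0; fi
    if grep -q '^[[:space:]]*$' "$3"; then
        echo "chain file contains a blank line" >&2; return 1
    fi
    chain_in_order "$2" "$3" || { echo "chain is not in issuer order" >&2; return 1; }
}

# Usage: sh check-bundle.sh KEY CERT [CHAIN]
if [ "$#" -ge 2 ]; then check_upload_bundle "$@"; fi
```

`openssl x509` reads only the first certificate in its input, so run the check on the chain file that will actually be uploaded.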

2.  Configure Health Check using eulb-configure-healthcheck:

  • $ eulb-configure-healthcheck MyLoadBalancer --target "HTTP:80/" --interval 30 --timeout 2 --unhealthy-threshold 2 --healthy-threshold 2

3.  Launch and register instances. The EMI used for the instances can either be pre-baked with a web server or configured when the instance launches, using the user-data option [3].

  • Create security group for instances using euca-create-group:
    • $ euca-create-group mysecuritygroup -d "Security Group for HTTPS/SSL Web Servers"
  • Authorize the Elastic Load Balancer (ELB) security group for back-end port communication with the instance security group using euca-authorize. The ELB group's owner-alias and group-name are shown in the eulb-describe-lbs output:
    • $ eulb-describe-lbs --show-long
      LOAD_BALANCER MyLoadBalancer {interval=30,target=HTTP:80/,timeout=2,healthy-threshold=2,unhealthy-threshold=2} AcmeAvailabilityZone {protocol=HTTP,lb-port=80,instance-protocol=HTTP,instance-port=80},{protocol=HTTPS,lb-port=443,instance-protocol=HTTP,instance-port=80,cert-id=arn:aws:iam::408396244283:server-certificate/acmes-dev-eucalyptus} {owner-alias=944786667073,group-name=euca-internal-408396244283-MyLoadBalancer} 2014-05-29T02:14:00.141Z
    • $ euca-authorize mysecuritygroup -u 944786667073 -o euca-internal-408396244283-MyLoadBalancer --port-range -1
  • Launch instances using euca-run-instances:
    • $ euca-run-instances --group mysecuritygroup --instance-count 2 --instance-type m1.medium emi-50783D25
  • Register instances with the Elastic Load Balancer using eulb-register-instances-with-lb:
    • $ eulb-register-instances-with-lb MyLoadBalancer --instances i-A564BC81,i-B17317D1

4.  Verify details of Elastic Load Balancer using eulb-describe-instance-health:

  • $ eulb-describe-instance-health MyLoadBalancer --show-long
    INSTANCE i-B17317D1 InService
    INSTANCE i-A564BC81 InService


[1]  AWS Elastic Load Balancing Developer Guide - Create a HTTPS/SSL Load Balancer
[2]  AWS Elastic Load Balancing Listener Configurations Quick Reference
[3]  AWS EC2 User Guide - Instance Metadata and User Data - Retrieving User Data

