Saturday, April 25, 2015

DNS entry confusion for AWS ELB backed by Cloudfront with SNI

   I was not able to find an interactive and useful article on the Internet about DNS entry modification when we use CloudFront and an AWS Elastic Load Balancer, therefore I decided to write a little bit about it for new Amazonian administrators.

    Here is the scenario: I have deployed a web server with an Elastic IP address (public IP) and I have created an A record in GoDaddy for the web server's IP address (A Record: = Everything works well and users can access my website through HTTP on port 80.

Now some new business requirements have been raised:
   1) Website communication should be through HTTPS only
   2) Because of high web traffic, autoscaling and load balancing need to be implemented
   3) Content delivery should be fast irrespective of the user's location.

In order to fulfill the above requirements I have created an autoscaling group for the web server behind a load balancer. To implement HTTPS for web traffic I have purchased an SSL certificate from GoDaddy for * and installed the certificate in the load balancer.

   In order to provide fast content delivery I have implemented the CloudFront CDN for my web application, and I have configured the ELB's DNS name as the CDN origin.

   Everything seems to be A-OK... so what's the issue?
Well, AWS ELB and CloudFront do not provide a fixed public IP address, because multiple nodes serve the traffic behind them (no IP means no A record). Instead we get a domain name for the ELB and for CloudFront (ELB domain name:, CloudFront domain name:

     The issue is that we cannot create an A record in the DNS service with a domain name; an A record needs an IP address. So the solution is to create a CNAME in GoDaddy that points at the CloudFront domain name.

  e.g. CNAME in GoDaddy: =

    Now all Internet users will be directed to the CDN edge for faster web content access instead of the slow and distant web server.
In order to fulfill the 1st requirement (HTTPS communication only) we have to configure the distribution's default cache behavior to redirect HTTP to HTTPS.

    Now everything seems to be fine... Really? NO. When I open the site ( it still shows an SSL certificate validation error.
   It shows this error because I purchased this certificate for the * domain, but when I installed this certificate in the AWS ELB, the ELB gave me its own random domain name ( and that is the name CloudFront connects to as the origin. The ELB's name is not covered by the certificate, therefore the certificate check fails with the error mentioned above.

  To resolve this issue we have to create one more CNAME for the load balancer (CNAME: = and then add that name as the origin in the CloudFront settings, so that the name CloudFront connects to is one the certificate covers.

   Now the DNS entries and the architecture look as follows.

Now the flow of a first-time user request is as follows:
   1) User requests DNS resolution from the DNS server.
   2) DNS server responds to the user.
   3) User sends the request for the website to .
   4) CloudFront responds to the user with the HTTP to HTTPS redirect (the HTTPS connection is served via SNI).
   5) User sends the request again as  to CloudFront.
   6) CloudFront forwards the HTTPS request to the ELB.
   7) ELB terminates the request on port 443 and forwards it on port 80 to the web server.
   8) Web server sends the page response to CloudFront.
   9) CloudFront caches the page and delivers it to the user.

       Any further requests for the same page will be delivered directly from the CloudFront cache.
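To make both the certificate mismatch and the request flow concrete, here is an added Python model; it is not code from the original post or from AWS. It follows the two CNAME records, applies the wildcard hostname-matching rule that makes *.example.com cover lb.example.com but not the ELB's own name, and walks a request through the redirect, the origin fetch and the cache. All domain names, the ELB and CloudFront hostnames, the certificate names and the 502 used for a failed origin handshake are constructed assumptions for this model.

```python
"""Model of the DNS and TLS-name checks behind the post's setup.

Constructed example: the domain, CloudFront and ELB hostnames below are
hypothetical and are not taken from the original post or from AWS.
"""
from typing import Dict, List, Tuple

ELB_NAME = "my-elb-1234567890.us-east-1.elb.amazonaws.com"   # hypothetical ELB DNS name
CDN_NAME = "d111111abcdef8.cloudfront.net"                   # hypothetical CloudFront DNS name

# Constructed zone: the two CNAMEs the post ends up with, under a made-up domain.
ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.com.": ("CNAME", CDN_NAME + "."),   # site name -> CDN
    "lb.example.com.": ("CNAME", ELB_NAME + "."),    # origin name -> ELB
}

# Constructed wildcard certificate installed on the ELB (subject alternative names).
WILDCARD_CERT_SANS: List[str] = ["*.example.com", "example.com"]


def resolve(name: str, zone: Dict[str, Tuple[str, str]], max_hops: int = 8) -> str:
    """Follow CNAME records until a name with no CNAME in our zone is reached.

    Names outside the zone (cloudfront.net, elb.amazonaws.com) are returned
    as-is; a chain longer than max_hops is treated as a loop.
    """
    cur = name.lower().rstrip(".") + "."
    for _ in range(max_hops):
        rtype, target = zone.get(cur, ("", ""))
        if rtype != "CNAME":
            return cur.rstrip(".")
        cur = target.lower()
    raise RuntimeError(f"CNAME chain for {name} exceeds {max_hops} hops")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' may only be the whole leftmost label and
    covers exactly one label, so '*.example.com' matches 'lb.example.com'
    but not 'example.com', 'a.b.example.com' or any elb.amazonaws.com name."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]   # no wildcard at the TLD level
    return p == h


def cert_covers(sans: List[str], hostname: str) -> bool:
    return any(hostname_matches(san, hostname) for san in sans)


def check_origin(origin_name: str, zone: Dict[str, Tuple[str, str]], sans: List[str]) -> dict:
    """The name CloudFront was configured with as origin must be covered by
    the certificate the origin presents, whatever host the CNAME chain ends at."""
    return {
        "origin": origin_name,
        "connects_to": resolve(origin_name, zone),
        "certificate_ok": cert_covers(sans, origin_name),
    }


def webserver(path: str) -> str:
    """Stand-in for the EC2 web server; the ELB terminates TLS on 443 and
    forwards plain HTTP on 80 to it (steps 7 and 8 of the post)."""
    return f"<html>page for {path}</html>"


class Edge:
    """Minimal model of a CloudFront edge: HTTP->HTTPS redirect, origin TLS
    name check, and a per-(host, path) cache (steps 3 to 9 of the post)."""

    def __init__(self, zone: Dict[str, Tuple[str, str]], origin_name: str, origin_sans: List[str]):
        self.zone, self.origin_name, self.origin_sans = zone, origin_name, origin_sans
        self.cache: Dict[Tuple[str, str], str] = {}

    def handle(self, scheme: str, host: str, path: str) -> dict:
        if resolve(host, self.zone) != CDN_NAME:
            return {"status": 421, "error": "host is not routed to this distribution"}
        if scheme == "http":                      # viewer protocol policy: redirect to HTTPS
            return {"status": 301, "location": f"https://{host}{path}"}
        key = (host, path)
        if key in self.cache:
            return {"status": 200, "x_cache": "Hit", "body": self.cache[key]}
        if not cert_covers(self.origin_sans, self.origin_name):
            # Assumption of this model: a failed origin TLS handshake surfaces as 502.
            return {"status": 502, "error": f"certificate does not cover {self.origin_name}"}
        self.cache[key] = webserver(path)         # first request: fetch from origin, then cache
        return {"status": 200, "x_cache": "Miss", "body": self.cache[key]}


if __name__ == "__main__":
    print(check_origin(ELB_NAME, ZONE, WILDCARD_CERT_SANS))            # the broken setup
    print(check_origin("lb.example.com", ZONE, WILDCARD_CERT_SANS))    # the fixed setup
```

Running the block shows the two states of the post side by side: with the ELB's own hostname as origin, `certificate_ok` is false because no label-count-preserving wildcard can cover an amazonaws.com name; with lb.example.com as origin, the CNAME still leads to the same ELB but the name being validated now sits under the wildcard, so the handshake succeeds and the second HTTPS request is served as a cache hit.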

Mission completed!!!!!!
