SCS-C01 Amazon AWS Certified Security Specialty – Domain 5 – Data Protection part 8

  1. ELB Listeners – Understanding HTTP vs TCP Listeners

Hey everyone, and welcome back to the Knowledge Pool video series. In today’s lecture we are primarily going to look into one of the basic but major differences between HTTP and TCP listeners. In the earlier lecture we were discussing the various listener types available on the ELB, and we had paused the video at the TCP and SSL listener types. One of the questions that commonly comes up in interviews, specifically for senior DevOps positions, is: what is the difference between using the HTTP protocol and the TCP protocol for port 80 on a load balancer? (This choice exists on the Classic Load Balancer; an Application Load Balancer only offers HTTP and HTTPS listeners, and plain TCP listeners otherwise belong to the Network Load Balancer.) Many people cannot answer it, and it is a very basic thing that we should understand.

So let’s look into what this question means. In the first setup the load balancer protocol is HTTP and the load balancer port is 80; this is the front-end connection we discussed earlier. On the back-end connection the instance protocol is HTTP and the instance port is 80. In the second setup you again have port 80 on both the front end and the back end, but the protocol is now TCP on both connections. So the question is: what is the difference between these two approaches? For a very simple website, both of them would work perfectly. However, it is necessary to understand the difference, because it gives us a proper base for how the elastic load balancer works.

It will also help us in our exams. So let’s look into the first aspect, the HTTP listener. You have the client and you have the back-end instance. Whenever a client sends a request to the elastic load balancer, the request looks something like the one on the slide: an HTTP request carrying a certain set of HTTP headers. The elastic load balancer then initiates a new connection to the back-end instance. You can see the colour difference on the diagram, grey for one connection and blue for the other: the client’s connection is not forwarded as-is; a new connection is opened to the EC2 instance. If you look at the request that the elastic load balancer sends to the back-end instance over this connection, there are more headers added.

These headers are added by the elastic load balancer, and this is one of the major points to remember about HTTP listeners. The instance responds, and the ELB sends the response back to the client. So with HTTP listeners, the ELB terminates the client’s HTTP connection and can modify the HTTP headers the client sent before passing them on to the server. With TCP listeners, on the other hand, whenever a client sends a request the ELB does not modify any request headers; it forwards the same bytes it received from the client to the EC2 instance running behind it. This is one of the major differences between HTTP and TCP listeners. One consequence worth noting: with a TCP listener the instance sees the load balancer’s address as the source of the connection and gets no X-Forwarded-For header, so the client’s real address is lost unless you enable Proxy Protocol on the Classic Load Balancer. There are more things to understand, but let’s look at how this actually looks in practice.

I’ll log in to the EC2 instance. First, the overall diagram: we have a load balancer (the ELB), and under Instances there is one EC2 instance registered to it. As the first part, let’s look at the HTTP listener and check whether the headers are modified or not. I’ll start tcpdump on the EC2 instance, and from a second terminal I’ll make a simple curl request, first directly to the IP address of the EC2 instance, so that we can see the difference. I’ll copy the IP, paste it here, and once I press Enter you can see I get the response back.

Now, if you look at the tcpdump output, what I received is a simple GET request on HTTP/1.1 with headers for Host, User-Agent and Accept. Those are the four lines I receive when I make a direct connection to the EC2 instance. Perfect. So let’s start tcpdump again, and this time, instead of sending the traffic directly to the EC2 instance, I’ll send it to the load balancer. I’ll open up the load balancer’s DNS name, start tcpdump again, run the same curl command and press Enter. Now this is the request I received from the ELB. The headers that were present earlier, when we made the direct connection, are still here if you scroll up.

But now that the connection came via the elastic load balancer, there are certain headers added by the ELB itself: X-Forwarded-For, X-Forwarded-Port, X-Forwarded-Proto, as well as Connection: keep-alive. So the basic thing to remember about HTTP listeners is that they can add their own headers. The second case is the TCP listener, and we have discussed that TCP listeners do not add any headers; they just pass through the headers the client sent. Let’s look at that as well. In the listener configuration, the first listener is the HTTP one and the second is the TCP one, so let’s try the TCP one too. I’ll run tcpdump again and run the curl command, this time on port 8080,

which is where my TCP listener is listening. Now you can see the headers are exactly the same: the load balancer has not added X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Port or Connection: keep-alive. Whatever headers the client sent, the elastic load balancer forwarded unchanged to the back-end EC2 instance. This is one of the important points to remember when it comes to the difference between the HTTP and TCP protocols on a listener. In the upcoming lecture we’ll look at a few more differences, and at where you should use TCP and where you should use HTTP. I hope this basic understanding has been clear to you, and I look forward to seeing you in the next lecture.
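As an added example (not part of the lecture), here is what the back-end application should do with the headers that the HTTP listener injects. The two captures are constructed to mirror the direct and via-ELB tcpdump output above; the proxy subnet 10.0.0.0/8 and the addresses (RFC 5737 documentation ranges) are assumptions. The practitioner’s point: X-Forwarded-For is only trustworthy when the request actually arrived from the load balancer, and because the ELB appends the address it saw, the real client is the rightmost entry that is not itself a proxy; anything to the left of it could have been supplied by the client.

```python
"""Derive the real client address from a request that arrived via an ELB HTTP listener.

Added example; the captures below are constructed to mirror the tcpdump output
discussed in the lecture, not copied from it.
"""
import ipaddress

# Constructed capture of a request made directly to the instance (no proxy headers).
DIRECT_CAPTURE = (
    "GET / HTTP/1.1\r\n"
    "Host: 198.51.100.7\r\n"
    "User-Agent: curl/7.58.0\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# Constructed capture of the same request after passing through the HTTP listener.
VIA_ELB_CAPTURE = (
    "GET / HTTP/1.1\r\n"
    "Host: my-elb-123.us-east-1.elb.amazonaws.com\r\n"
    "User-Agent: curl/7.58.0\r\n"
    "Accept: */*\r\n"
    "X-Forwarded-For: 203.0.113.10\r\n"
    "X-Forwarded-Port: 80\r\n"
    "X-Forwarded-Proto: http\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# A client trying to spoof its origin: it sent its own X-Forwarded-For value and the
# ELB appended the address it actually saw on the wire.
SPOOFED_CAPTURE = VIA_ELB_CAPTURE.replace(
    "X-Forwarded-For: 203.0.113.10", "X-Forwarded-For: 10.0.0.1, 203.0.113.10")

# Assumption: the load balancer's nodes live in this subnet.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, {header: value}).
    Header names are lower-cased; repeated headers are joined with ', '."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return lines[0], headers


def is_trusted(addr):
    """True if addr belongs to one of our load balancer subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, headers):
    """Return the address to log, rate-limit or authorise on.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy, and it is
    walked from the right: the ELB appends the address it saw, so the rightmost entry
    that is not itself a proxy is the client. Everything left of it is untrusted input.
    """
    if not is_trusted(peer_ip):
        return peer_ip
    xff = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            return peer_ip  # garbage in the header: fall back to the peer address
    return peer_ip


def added_by_elb(direct_raw, via_raw):
    """Header names present in the via-ELB capture but absent from the direct one."""
    _, direct = parse_request(direct_raw)
    _, via = parse_request(via_raw)
    return sorted(set(via) - set(direct))
```

Run `added_by_elb(DIRECT_CAPTURE, VIA_ELB_CAPTURE)` to reproduce the lecture’s finding (four added headers), and `client_ip` with a proxy peer versus a direct peer to see the spoofed left-hand entry being ignored.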

  1. Understanding AWS Certificate Manager

Hey everyone and welcome back. In today’s lecture we are going to look into one of the newer services, called AWS Certificate Manager (ACM). This is a very useful feature which AWS has extended to customers, and it really makes life simple. Let’s look at the use case that shows how ACM makes life simpler for clients. In the earlier approach, let’s assume I have a website and I need to use HTTPS. There are two ways in which I can do that: one is a self-signed certificate, and the second is a certificate signed by a certificate authority (CA).

If you use a self-signed certificate, the browser shows a red error saying the site’s security certificate cannot be trusted. If you use a genuine CA-signed certificate, you get a clean HTTPS URL in the browser. The problem is that CA-signed certificates are generally paid. Let me show you an example. I’m on an SSL reseller’s site, and you can see the various SSL certificates I can purchase. One of the cheapest, Comodo Essential SSL, starts at $9.99 per year. If you go for the extended certificates you have to pay much more; the Comodo Essential SSL Wildcard, which is a wildcard certificate,

is actually $130 per year, so quite expensive. Specifically for a very new organization, or for people who want HTTPS on a personal website or blog, they must pay for the SSL certificate in most use cases. The second major problem is that it expires after one year. If you do not renew the certificate after one year, your website gets this red warning. This is a very challenging thing, because I have seen many big organizations with genuine SSL certificates forget to renew after one year, and the entire website breaks with these warnings. And specifically when you talk about clients like Android or iOS apps, these clients will not work at all with an untrusted certificate; they only work with a genuine certificate.

So the entire website fails, or the Android, iOS and Windows applications throw an error, and every user of those applications sees that error. This is quite a pain, because every year, or at best every few years, you have to renew the certificate, and if a vulnerability affects the certificate or its key you again have to replace it. This is the reason AWS decided to launch the AWS Certificate Manager service. If I go to Certificate Manager, this service is responsible for provisioning, managing and deploying SSL/TLS certificates. The first thing you see is that you can provision a certificate, and ACM manages the renewal of the SSL/TLS certificates that Amazon issues for you.

When you create your own certificate through an authority like Comodo SSL, it is quite a pain because you have to do a lot of things, such as taking a validation call. Through ACM, life is much simpler, as we’ll see when we deploy our first certificate with ACM. Along with that, the public certificates we get from ACM are completely free: you do not have to pay anything for certificates issued by AWS Certificate Manager, provided you use them with integrated AWS services such as Elastic Load Balancing or CloudFront rather than installing them on your own servers. These are big advantages of ACM, and this is why a lot of startups are moving to ACM. So let’s conclude the lecture for now, and in the next lecture we’ll look at how to provision our first certificate with AWS Certificate Manager. Thanks for watching.

  1. Deploying SSL/TLS certificate with ACM

Hey everyone and welcome back. In today’s lecture we’ll deploy our first SSL/TLS certificate with AWS Certificate Manager. Click on Get started. The first thing you need to do in ACM is enter your domain name. I have one funny domain name which I registered and integrated with Route 53, so I’ll copy this domain and paste it here. Perfect. I’ll click Next. Now there are two types of validation you can use: DNS validation and email validation. I prefer DNS validation, so let’s go ahead with DNS validation, click Review, and then Confirm and request.

Perfect. Now that the request is in progress, ACM expects us to add certain records to this domain. I’ll click Export DNS configuration to a file, and if I open it in Excel there are certain records it wants us to create. Let’s try this out; I’ll maximize it so that it is clearer. I’ll copy the first field, the record name, go to Route 53 and create a new record set of type CNAME, filling in the details that are expected. So this is the name, the type is CNAME, and it needs a certain value.

I’ll copy that value, paste it here and click Create. Perfect. Now the CNAME that was asked of us is entered in our Route 53 record set, so we can go ahead and click Continue. The certificate sits in Pending validation for a little while; once ACM sees the record, which took roughly ten to fifteen seconds in this case, you see that the certificate was issued successfully. This is a very easy way to do domain validation. The second approach we discussed, email validation, is also available.
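The console steps above (request the certificate, read the validation record, create the CNAME in Route 53, wait for issuance) are what you automate when certificates are provisioned by pipeline rather than by hand. As an added example that is not from the course, the script below reads the JSON shape returned by `aws acm describe-certificate` and emits the change batch that `aws route53 change-resource-record-sets` expects. The describe output is a constructed sample; the ARN, domain and record values are placeholders.

```python
"""Turn ACM's DNS-validation records into a Route 53 change batch.

Added example (not from the course). Input is the JSON that
`aws acm describe-certificate --certificate-arn ...` returns; output is the body
for `aws route53 change-resource-record-sets --change-batch file://batch.json`.
All identifiers below are constructed placeholders.
"""
import json

# Constructed sample of `aws acm describe-certificate` output, trimmed to the fields used.
# A bare domain and its wildcard share one validation record, which is why two
# DomainValidationOptions entries carry the same ResourceRecord.
DESCRIBE_CERTIFICATE = json.loads("""
{
  "Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/00000000-0000-0000-0000-000000000000",
    "DomainName": "example.com",
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [
      {
        "DomainName": "example.com",
        "ValidationMethod": "DNS",
        "ValidationStatus": "PENDING_VALIDATION",
        "ResourceRecord": {
          "Name": "_a1b2c3d4e5f6.example.com.",
          "Type": "CNAME",
          "Value": "_f6e5d4c3b2a1.acm-validations.aws."
        }
      },
      {
        "DomainName": "*.example.com",
        "ValidationMethod": "DNS",
        "ValidationStatus": "PENDING_VALIDATION",
        "ResourceRecord": {
          "Name": "_a1b2c3d4e5f6.example.com.",
          "Type": "CNAME",
          "Value": "_f6e5d4c3b2a1.acm-validations.aws."
        }
      }
    ]
  }
}
""")


def validation_records(describe_output):
    """Return the unique (Name, Type, Value) tuples ACM wants to see in DNS.

    Duplicates are collapsed because Route 53 rejects a batch that UPSERTs the same
    record set twice. Entries without a ResourceRecord are skipped: ACM has not
    generated the record yet, so describe-certificate must be re-run later.
    """
    seen = []
    for opt in describe_output["Certificate"]["DomainValidationOptions"]:
        if opt.get("ValidationMethod") != "DNS":
            continue
        rr = opt.get("ResourceRecord")
        if rr is None:
            continue
        rec = (rr["Name"], rr["Type"], rr["Value"])
        if rec not in seen:
            seen.append(rec)
    return seen


def change_batch(records, ttl=300):
    """Build the ChangeBatch document for route53 change-resource-record-sets."""
    return {
        "Comment": "ACM DNS validation",
        "Changes": [
            {
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": name,
                    "Type": rtype,
                    "TTL": ttl,
                    "ResourceRecords": [{"Value": value}],
                },
            }
            for name, rtype, value in records
        ],
    }


def is_issued(describe_output):
    """True once ACM has validated the domain and issued the certificate."""
    return describe_output["Certificate"]["Status"] == "ISSUED"


if __name__ == "__main__":
    recs = validation_records(DESCRIBE_CERTIFICATE)
    print(json.dumps(change_batch(recs), indent=2))
```

Write the printed document to `batch.json`, apply it with `aws route53 change-resource-record-sets --hosted-zone-id <zone id> --change-batch file://batch.json`, then block on `aws acm wait certificate-validated --certificate-arn <arn>` before attaching the certificate to a load balancer. Leave the CNAME in place afterwards: ACM re-checks it for every automatic renewal, and deleting it is the usual reason a renewal silently fails.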

  1. Configuring ELB with HTTPS for SSL Offloading

Hello everyone and welcome back. In the earlier lecture we were discussing how we can create our own certificate with the help of the AWS Certificate Manager service. Now, I am sure you must have noticed that I had to stop that lecture abruptly. Actually, some people had come to my house, and this is the reason I had to stop, and I thought I would not re-record the entire thing because the main part of the lecture was recorded. This is actually the reason why I decided to record the lectures at 03:00 in the morning, to avoid all these disruptions. But it actually becomes quite difficult because it is winter in India, and waking up at 03:00 is a big challenge. Anyway, I’ll try to do that from tomorrow.

Anyway, coming back to the topic: since we have the domain created and the certificate for it issued, we’ll look at how to serve a website over HTTPS with the help of ACM. In the ELB listeners lecture, specifically for the HTTP and HTTPS listeners, the second use case was a website using the ELB to offload the SSL/TLS decryption. Let me show you what I mean. If I open the domain, it is currently served over HTTP, and we want it to be HTTPS. What we have is a load balancer, and if you look at the record set for the domain, it points to the ELB’s DNS name, shown here.

So whenever I type this domain, the traffic goes to the ELB, and the ELB forwards the request to the back-end EC2 instance. Since I want HTTPS here, we can set this up on the ELB. One of the major advantages of AWS Certificate Manager is that it integrates with ELB directly. Let’s go to Listeners, click Edit and add a listener, this time with the HTTPS protocol. Whenever you add an HTTPS listener, two options are highlighted: the cipher (the security policy) and the SSL certificate. You must attach an SSL certificate when you want the ELB to offload the encryption and decryption. So I’ll click Change here and choose ACM.

I could also upload my own certificate and private key if I had obtained them through a third-party CA, but I’ll use ACM. It asks which certificate within ACM I want to use, and since I only have one, I’ll select it and click Save. You see the SSL certificate field changes to using ACM, and I’ll click Save again. Perfect. Now we have a new HTTPS listener: the elastic load balancer is listening on port 443 and sending traffic to the instance on port 80. So what we have done is this: we have an ELB with an ACM certificate attached, so from the client to the ELB I have a secure (TLS) connection,

and from the ELB to the back-end instance I have a plain-text HTTP connection. Let’s try it out. I’ll copy the domain, put https:// in front and load it. Perfect. Now you have a properly secured HTTPS connection for this domain, and the certificate used is the ACM certificate issued by Amazon for free. This is how you can use an ACM certificate for your website. Keep in mind what offloading means: TLS terminates at the load balancer, the ELB-to-instance hop inside the VPC is unencrypted, and the instance only ever sees plain HTTP, so the application has to read the X-Forwarded-Proto header to know that the client actually used HTTPS. If your requirements call for end-to-end encryption, use HTTPS as the instance protocol on the back end as well. Go ahead and try this out, because it is quite interesting, and if you’re running production environments I would hundred percent recommend that you use ACM, because it will make your life much simpler. So that’s it for this lecture; I hope it has been informative, and I look forward to seeing you in the next lecture.
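Because the instance behind an offloading HTTPS listener only sees HTTP on port 80, an application that redirects HTTP to HTTPS, or that decides whether a cookie may be sent, cannot look at its own socket; it has to use X-Forwarded-Proto, and only when the request really came from the load balancer. As an added example that is not from the course, the WSGI middleware below does exactly that: requests whose original scheme was plain HTTP get a 301 to the https:// URL, HTTPS requests get an HSTS header. The proxy subnet 10.0.0.0/8, the hostname and the constructed environ are assumptions.

```python
"""Enforce HTTPS behind an ELB that offloads TLS.

Added example, not from the course. The instance only ever sees plain HTTP on port 80,
so the application reads X-Forwarded-Proto (set by the HTTP/HTTPS listener) to learn
what the client used. The header is trusted only when the TCP peer is the load
balancer; the proxy subnet below is an assumption.
"""
import ipaddress

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed ELB-facing subnet


def original_scheme(environ):
    """'https' if the client's hop to the ELB was TLS, else 'http'.
    X-Forwarded-Proto is honoured only when the peer is a trusted proxy."""
    peer = environ.get("REMOTE_ADDR", "")
    try:
        peer_trusted = any(ipaddress.ip_address(peer) in n for n in TRUSTED_PROXIES)
    except ValueError:
        peer_trusted = False
    if peer_trusted:
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):
            return proto
    return environ.get("wsgi.url_scheme", "http")


class RequireHttps:
    """WSGI middleware: redirect plain-HTTP requests to HTTPS, add HSTS on HTTPS ones."""

    def __init__(self, app, max_age=31536000):
        self.app = app
        self.max_age = max_age

    def __call__(self, environ, start_response):
        if original_scheme(environ) != "https":
            host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
            location = "https://" + host + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def sr(status, headers, exc_info=None):
            headers = list(headers) + [
                ("Strict-Transport-Security", "max-age=%d" % self.max_age)]
            return start_response(status, headers, exc_info)

        return self.app(environ, sr)


def hello(environ, start_response):
    """Trivial application sitting behind the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


app = RequireHttps(hello)


def call(wsgi_app, environ):
    """Run one request through a WSGI app and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], captured["headers"], body


def make_environ(peer, proto=None, path="/login", host="example.com"):
    """Constructed WSGI environ mimicking what the ELB's 443->80 listener delivers."""
    env = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "QUERY_STRING": "",
        "SERVER_NAME": host,
        "SERVER_PORT": "80",
        "HTTP_HOST": host,
        "REMOTE_ADDR": peer,
        "wsgi.url_scheme": "http",  # the ELB-to-instance hop is always plain HTTP here
    }
    if proto is not None:
        env["HTTP_X_FORWARDED_PROTO"] = proto
    return env
```

The same `original_scheme` result is what you should feed into your framework’s secure-cookie and canonical-URL logic; frameworks that read `wsgi.url_scheme` directly will believe every request is plain HTTP behind this listener and either refuse to set Secure cookies or redirect in a loop.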

 
