Adding SSL to the listener

Our CloudFormation template that provisioned our ECS cluster also provisioned a network load balancer. That load balancer was configured with a TCP protocal listner on port 8080. However, before we can register our app in Jira we will need to allow for HTTPS. For production workloads, it is recommended that you use a proper certficiate issued from a valid Certificate Authority.

This is where services such as AWS Certificate Manager lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services.

Earlier in the workshop, we generated a self-signed certificate and uploaded this to AWS Certficiate Manager. For the purpose of this example, this will suffice. Now that we have our cluster up and running, we will take this self-signed cert and attach it to a new TLS listener. To do this, we will use the AWS CLI. The following command will create the listener and pass in the values needed from the resources we have previously created. Run the following from your Cloud9 IDE:

aws elbv2 create-listener --load-balancer-arn \
$(aws elbv2 describe-load-balancers \
--query LoadBalancers[0].LoadBalancerArn --output text) \
--protocol TLS --port 443 --certificates \
CertificateArn=$(aws acm list-certificates \
--query CertificateSummaryList[0].CertificateArn --output text) \
--ssl-policy ELBSecurityPolicy-2016-08 --default-actions \
Type=forward,TargetGroupArn=$(aws elbv2 describe-target-groups \
--query TargetGroups[0].TargetGroupArn --output text)

If successfully created, you should see output similar to the output below:

    "Listeners": [
            "Protocol": "TLS", 
            "DefaultActions": [
                    "TargetGroupArn": "arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/atlassian-connect-ecs-target/b8ce7fa3f5fa7211", 
                    "Type": "forward"
            "SslPolicy": "ELBSecurityPolicy-2016-08", 
            "Certificates": [
                    "CertificateArn": "arn:aws:acm:us-west-2:123456789012:certificate/f11b8ccd-3d65-4533-8c54-bcf8972455eb"
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/net/atlas-Publi-1NU0KBFFQU8GU/46285272d2eb179d", 
            "Port": 443, 
            "ListenerArn": "arn:aws:elasticloadbalancing:us-west-2:123456789012:listener/net/atlas-Publi-1NU0KBFFQU8GU/46285272d2eb179d/abd555c815f133ca"

Lastly, we can test this by opening a new tab in our browser and pointing to HTTPS:// and the public DNS name of our load balancer. We can find this by quering with the following command:

aws elbv2 describe-load-balancers --query LoadBalancers[0].DNSName --output text

As with the previous like examples, we should expect to see a JSON payload in the body.