?? Securely Host Internal HTTPS Static Websites on AWS with ALB, S3, & PrivateLink

?? Securely Host Internal HTTPS Static Websites on AWS with ALB, S3, & PrivateLink

Khijar Shaikh Khijar Shaikh

Khijar Shaikh

AWS/Azure Devops Engg 4yr of exp in IT Industry. | Kubernetes | Jenkins | Github action | Docker | Ansible | Terraform | cloudformation | ECR | Git | Gitlab | Cloudwatch | Wazuh | Prowler | Sonarcube | shell scrypting.

发布日期: 2025年2月1日
+ 关注

Step-by-Step Guide to Hosting Internal HTTPS Static Websites

1. Prerequisites

  • An AWS account with a VPC and private subnets.
  • A private/internal SSL certificate for your domain (e.g., portal.example.com) in AWS Certificate Manager (ACM).
  • An S3 bucket named after your domain (e.g., portal.example.com) with static content (e.g., index.html).
  • A private DNS zone (e.g., Route53 Private Hosted Zone).
  • A private network connection (Direct Connect, VPN, or Client VPN).

2. Create an S3 VPC Endpoint

  • Why: Private, secure connectivity to S3 without public internet exposure.
  • How:

Navigate to VPC Dashboard → Endpoints → Create Endpoint.

Select AWS S3 Interface Endpoint.

Attach it to your VPC and subnets (multi-AZ recommended).

Configure security groups to allow HTTPS/HTTP traffic from the ALB.

Note the VPC Endpoint’s IP addresses for later.

3. Lock Down S3 Bucket Access

  • Why: Ensure only traffic from the VPC endpoint can access the bucket.
  • How:

Update the S3 bucket policy to restrict access to the VPC Endpoint:

{

"Version": "2012-10-17",

"Statement": [{

"Effect": "Allow",

"Principal": "*",

"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::portal.example.com/*",

"Condition": {"StringEquals": {"aws:SourceVpce": "vpce-12345abcde"}}

}]

}

领英推荐

4. Set Up the Internal Application Load Balancer (ALB)

  • Why: Terminate TLS, route traffic, and provide a custom domain.
  • How:

Create ALB:

  1. Scheme: Internal.
  2. Listener: HTTPS (Port 443) with your ACM certificate.
  3. Attach to private subnets.

Configure Target Group:

  1. Protocol: HTTPS (health checks use HTTP on port 80).
  2. Health check success codes: 307,405 (to bypass S3’s directory listing errors).

Register Targets: Add the S3 VPC Endpoint IP addresses.

5. Fix S3 Paths with ALB Listener Rules

  • Why: Redirect requests ending in / to /index.html.
  • How:

Add a rule to the ALB listener:

  1. Condition: Path matches.*/
  2. Action: Redirect to./#{path}index.html

6. Configure Private DNS (Route53)

  1. Why: Map your custom domain (e.g., portal.example.com) to the ALB.

How:

Create an A-record in your private hosted zone.

Alias the record to the internal ALB’s DNS name.

7. Test & Validate

  • Use an EC2 instance or resource inside the VPC to test access:

curl -kIv https://portal.example.com

Ensure the ALB returns your S3 hosted content over HTTPS.

要查看或添加评论,请登录

Khijar Shaikh的更多文章

社区洞察

其他会员也浏览了