Custom Domain Name, CloudFront, & SSL
(Application Load Balancer)

⚠️ Using API Gateway? Please read Custom Domain Name & CloudFront (API Gateway) instead.

We assume your domain name is already set up with AWS and available in Route53. Also, we have not created CloudFormation templates yet for this guide. Instead we will rely on ClickOps™ and have documented the steps you will need to perform within both the AWS Console and your SAM template.

SSL/TLS Certificate with ACM

We are going to use AWS Certificate Manager (ACM) to secure the HTTPS traffic for your custom domain on CloudFront. Again, this assumes your domain is set up in Route53, since you will need to validate the certificate and AWS makes that super easy with DNS.

Verification will take about 3 minutes. From the Certificate Manager dashboard, you can wait and/or hit the 🔄 button and the Status will change from "Pending validation" to "Issued".

Update SAM Template

A few changes need to be made to the default template.yaml file Lamby generates for Application Load Balancer support. First, add another inbound rule for port 443 to your existing RailsSecurityGroup resource, shown here at the bottom.

RailsSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Allow HTTP
    VpcId: !Ref VpcId
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 0.0.0.0/0

Now, using the ARN of the certificate from the first SSL step, add this new resource to your template.yaml file. The name is similar, but RailsLoadBalancerHttpsListener is for HTTPS. Remember to put it in the Resources section; next to the HTTP one is a good place.

RailsLoadBalancerHttpsListener:
  Type: 'AWS::ElasticLoadBalancingV2::Listener'
  Properties:
    Certificates:
      - CertificateArn: arn:aws:acm:us-east-1:123456789012:certificate/abcdefgh-ijkl-mnop-qrst-uvwxyzabcdef
    DefaultActions:
      - TargetGroupArn: !Ref RailsLoadBalancerTargetGroup
        Type: forward
    LoadBalancerArn: !Ref RailsLoadBalancer
    Port: 443
    Protocol: HTTPS
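
A tightened variant of the two resources above, as an added example that is not part of Lamby's generated template. It assumes your CloudFront origin is configured to reach the ALB over HTTPS only, and the parameter name CloudFrontPrefixListId is hypothetical; the certificate ARN is the same placeholder used above.

```yaml
Parameters:
  # Hypothetical parameter: the ID (pl-...) of the AWS-managed prefix list
  # named com.amazonaws.global.cloudfront.origin-facing in your region.
  CloudFrontPrefixListId:
    Type: String

Resources:
  RailsSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      # Unchanged on purpose: editing GroupDescription replaces the group.
      GroupDescription: Allow HTTP
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # Only CloudFront's origin-facing addresses may reach the ALB on 443,
        # so requests cannot go around the distribution straight to the
        # ALB DNS name. Port 80 from 0.0.0.0/0 is dropped under the
        # HTTPS-only origin assumption.
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourcePrefixListId: !Ref CloudFrontPrefixListId

  RailsLoadBalancerHttpsListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      Certificates:
        - CertificateArn: arn:aws:acm:us-east-1:123456789012:certificate/abcdefgh-ijkl-mnop-qrst-uvwxyzabcdef
      DefaultActions:
        - TargetGroupArn: !Ref RailsLoadBalancerTargetGroup
          Type: forward
      LoadBalancerArn: !Ref RailsLoadBalancer
      Port: 443
      Protocol: HTTPS
      # Pin the TLS policy explicitly instead of relying on the default;
      # this predefined policy accepts TLS 1.2 and TLS 1.3 only.
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
```

The managed prefix list counts as many entries against your security group rule quota, so check that quota before deploying.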

CloudFront Distribution

Once your Application Load Balancer (ALB) Lambda is listening to HTTPS traffic with an SSL certificate, you can set up CloudFront to point to your ALB's DNS name.

First, navigate to your ALB in the Console, click on "Description", and copy/note the "DNS name". Example: myapp-1234567890.us-east-1.elb.amazonaws.com. This will be needed when setting up your CloudFront distribution. The options below assume variations of the defaults, so you only have to focus on changing those during setup.

Grab a ☕️, since it could take up to 20 minutes to deploy this new CloudFront distribution. While you wait, you can set up your domain name in Route53 in the next step. Here is some additional reading material on this subject.

Creating a Custom Domain with Route53

Please make sure to copy the "Domain Name" of your newly created CloudFront distribution. It will be needed as the target for your new DNS entry and will look something like this: dxxxxxxxxxxxxx.cloudfront.net.

That's it! 🎉🎊🥳 Once your CloudFront distribution fully deploys, you can access your Rails application on Lambda and everything from forms, redirects, caching, etc. will all just work!
