AWS ELB – Scaling Multiple SSL Domains on Multiple EC2 Instances

Tags: amazon-web-services, domain, load-balancing, ssl

I'm setting up a server that will host multiple SSL domains across a wide range of load-balanced EC2 instances, and being a programmer who really sucks at network/infrastructure stuff, I had some questions:

I'm assuming that by using ELB I only have to set up HTTPS one time under the ELB and install the certificate there and not on the actual instances?

For SSL, do I still need separate IP addresses for each site when using ELB or does the communication from ELB to the instance run over HTTP?

What's the best way to point the websites to the ELB? A CNAME record to the Amazon ELB instance name?

Should I be using a load balancer for this? Am I on the right track here?

I am completely open to any other suggestions/help on this issue.

Thank you for your help.

Best Answer

You are on the right track.

ELBs can be SSL termination proxies. In this scenario you set up HTTPS one time on the ELB and install the certificate there and not on the instances.

Traditionally for SSL you needed the web server name to match the CN in the cert. This hasn't been the case for a while now. See http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Support_for_name-based_virtual_servers So no, in no case, including ELB-terminated SSL, do you need separate IP addresses for each site.

You can configure the ELB to terminate SSL and speak HTTP to the instances.

It is Amazon's strong recommendation that your website CNAMEs to the ELB instance name (or names; multi-AZ ELBs return 1 name per AZ). The IP addresses can change, especially if your ELB is very E due to traffic spikes.

I would also look into "DNS Failover for Elastic Load Balancing" if your ELBs are going to be multi-AZ.

I strongly recommend you read Amazon's documentation on ELBs http://aws.amazon.com/elasticloadbalancing/ . All these questions--and more!--are answered there, along with best practices. This will be better than gaining a piecemeal understanding through Serverfault questions. (Certainly if you want clarification on the docs, SF may be a good place to ask a question.)
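As an added example (not part of the question or the answer above), here is a CloudFormation template sketching the setup the answer describes: a classic ELB with an HTTPS listener on 443 that terminates TLS and forwards plain HTTP to the instances on port 80, plus a CNAME for one site pointing at the ELB's DNS name. The certificate ARN, subnet and instance IDs, hosted zone and `www.example.com` are placeholders to fill in; a classic ELB carries one certificate per HTTPS listener, so that certificate must cover every hosted domain (SAN or wildcard).

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Classic ELB terminating HTTPS for several sites on shared EC2 instances
Parameters:
  CertificateArn:
    Type: String
    Description: Certificate covering every hosted name (SAN or wildcard), uploaded to IAM or ACM
  Subnets:
    Type: List<AWS::EC2::Subnet::Id>
  WebInstances:
    Type: List<AWS::EC2::Instance::Id>
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id
Resources:
  WebElb:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Subnets: !Ref Subnets          # one subnet per AZ gives the multi-AZ ELB the answer mentions
      CrossZone: true
      Instances: !Ref WebInstances
      Listeners:
        # Clients speak HTTPS to the ELB; the ELB speaks plain HTTP to the instances.
        # The instances never see the private key; they learn the original scheme
        # from the X-Forwarded-Proto header the ELB adds.
        - LoadBalancerPort: '443'
          Protocol: HTTPS
          InstancePort: '80'
          InstanceProtocol: HTTP
          SSLCertificateId: !Ref CertificateArn
        # Plain HTTP listener kept only so the application can redirect to HTTPS.
        - LoadBalancerPort: '80'
          Protocol: HTTP
          InstancePort: '80'
          InstanceProtocol: HTTP
      HealthCheck:
        Target: HTTP:80/health       # hypothetical health endpoint on each instance
        Interval: '30'
        Timeout: '5'
        HealthyThreshold: '2'
        UnhealthyThreshold: '3'
  # One record per hosted site; each is a CNAME to the ELB's DNS name, never to its IPs,
  # because the ELB's addresses change as it scales.
  SiteRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: www.example.com.
      Type: CNAME
      TTL: '300'
      ResourceRecords:
        - !GetAtt WebElb.DNSName
```

Because the instances only ever receive HTTP on port 80, their security group should admit that port solely from the ELB's security group, not from the internet.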