☁️ AWS Infrastructure Deep-Dive

HTTP to HTTPS Architecture

A production-grade AWS setup using Route 53, ACM, and an Application Load Balancer to serve every request over encrypted HTTPS — with zero-cost certificates and automatic renewal.

🔒 https://devops.punedevs.in

🔮 Amazon Route 53: Authoritative DNS — Alias records pointing to the ALB
🔐 AWS ACM: Free SSL/TLS certificates with auto-renewal
⚖️ Application Load Balancer: HTTP → HTTPS redirect + SSL termination + routing
🖥️ Amazon EC2: Application instances — targets in the load balancer's target group
Request flow: 💻 User (browser) → 1. Route 53 (DNS) → 2. Load Balancer → 3. ACM (SSL/TLS) → 4. EC2 (targets) → 🔒 secure HTTPS
AWS Infrastructure — VPC Layout

☁️ VPC — Virtual Private Cloud
  ⚖️ Application Load Balancer (ALB)
    HTTP:80   ↪ redirect → HTTPS (301)
    HTTPS:443 → 🔐 SSL/TLS termination
  🎯 Target Group — HTTP on the application port
    🖥️ Instance 1 — Healthy
    🖥️ Instance 2 — Healthy
    🖥️ Instance 3 — Healthy

🔐 AWS Certificate Manager (ACM): Issues & manages SSL/TLS certificates — attached to the HTTPS:443 listener. Auto-renews 60 days before expiry. Zero cost for use with AWS services.

💻 User / Browser: sends the HTTPS request (name resolved via Route 53) and receives the response over HTTPS — 🔒 secure connection
Step-by-Step Breakdown

Protocol: HTTPS (Hypertext Transfer Protocol Secure) — port 443, TLS 1.2 / 1.3
DNS resolution chain: Browser → OS cache → ISP → Route 53 (check it with: dig devops.punedevs.in)
First contact: the browser resolves the domain, then connects to the ALB IP; the record's TTL controls how long the answer is cached
🌐 HTTP vs HTTPS — Why It Matters
HTTP transmits data as plain text — anyone on the network path can intercept and read it. HTTPS wraps HTTP inside TLS (Transport Layer Security), encrypting everything. In this architecture, the ALB permanently redirects any HTTP request (port 80) to HTTPS (port 443) before the browser sends any application data.
🔍 DNS Lookup Layers
Before connecting to the server, the browser needs the IP address. It checks: (1) its own cache, (2) the OS resolver cache, (3) the router cache, (4) the ISP's recursive DNS, and finally (5) Route 53 as the authoritative nameserver. TTL (Time-To-Live) values on DNS records control how long each layer caches the answer.
dig devops.punedevs.in +trace   # traces the full DNS path from the root servers down to Route 53
nslookup devops.punedevs.in     # quick lookup
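The cache layers above are easiest to see by comparing two dig answers for the same name. The script below is an added example, not part of the original page: it parses the ANSWER SECTION and SERVER line of dig output and reports whether a resolver answered from cache, how old that answer is and how long a record change would stay invisible through it. Both dig transcripts are constructed samples using TEST-NET addresses; the 60-second TTL is the only value taken from a typical ALB alias answer and is an assumption here.

```python
"""Parse `dig` output to tell which resolution layer answered and how long
the answer stays cached. Added example, not part of the original page; the
two dig transcripts below are constructed samples (TEST-NET addresses)."""
import re
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")

# One ANSWER SECTION line: name  TTL  IN  type  rdata (whitespace separated)
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")
SERVER_RE = re.compile(r"^;; SERVER: (\S+?)#\d+")

# Constructed: answer straight from the authoritative Route 53 nameserver.
AUTHORITATIVE = """\
;; ANSWER SECTION:
devops.punedevs.in.\t60\tIN\tA\t203.0.113.10
devops.punedevs.in.\t60\tIN\tA\t203.0.113.11

;; Query time: 18 msec
;; SERVER: 198.51.100.53#53(198.51.100.53)
"""

# Constructed: the same name asked via a recursive resolver 19 s later.
RESOLVER = """\
;; ANSWER SECTION:
devops.punedevs.in.\t41\tIN\tA\t203.0.113.11
devops.punedevs.in.\t41\tIN\tA\t203.0.113.10

;; Query time: 1 msec
;; SERVER: 192.0.2.1#53(192.0.2.1)
"""


def parse_dig(text):
    """Return (answer records, address of the server that answered)."""
    records, server, in_answer = [], None, False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False
            m = SERVER_RE.match(line)
            if m:
                server = m.group(1)
            continue
        if in_answer and line.strip():
            m = ANSWER_RE.match(line)
            if m:
                records.append(Record(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return records, server


def cache_report(authoritative_text, resolver_text, rtype="A"):
    """Compare the TTL Route 53 publishes with the TTL a resolver handed back.

    A resolver counts the TTL down while the answer sits in its cache, so a
    lower value means the answer came from cache: the difference is its age,
    and the remaining TTL is how long a record change stays invisible through
    that resolver. An equal value only means the cache was (re)filled just now.
    """
    auth, _ = parse_dig(authoritative_text)
    seen, server = parse_dig(resolver_text)
    auth_ttl = max(r.ttl for r in auth if r.rtype == rtype)
    seen_ttl = min(r.ttl for r in seen if r.rtype == rtype)
    return {
        "server": server,
        "from_cache": seen_ttl < auth_ttl,
        "age_seconds": auth_ttl - seen_ttl,
        "remaining_seconds": seen_ttl,
        "addresses": sorted(r.rdata for r in seen if r.rtype == rtype),
    }


if __name__ == "__main__":
    for key, value in cache_report(AUTHORITATIVE, RESOLVER).items():
        print(f"{key}: {value}")
```

Run it against real output by saving `dig @<route53-ns> devops.punedevs.in` and `dig devops.punedevs.in` to two files and passing their contents to `cache_report`; a resolver that keeps reporting a TTL far below 60 is the layer that will delay any cut-over to a new load balancer.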
🔌 Port 80 vs Port 443
When the browser sees https:// it defaults to port 443. Port 80 (HTTP) is also open on the ALB but exists only to send a 301 Moved Permanently redirect back to the HTTPS URL. This happens before any application data is sent — the redirect itself is unencrypted but contains no sensitive information. The HSTS header from the checklist at the end of this page goes one step further: a browser that has seen it once skips the plain-HTTP request on later visits and connects to port 443 directly.
Route 53 record for devops.punedevs.in:
Record type: A record with Alias enabled (Type: A — Alias: true)
Target: the ALB DNS name (FQDN), e.g. my-alb.us-east-1.elb.amazonaws.com
Health check: optional — Route 53 can monitor the ALB endpoint and apply a failover policy if enabled
🔮 Alias Records vs CNAME
AWS Alias records are a Route 53 extension. Unlike CNAMEs: (1) Alias records are FREE — no per-query charge, (2) they can be used at the zone apex (root domain like punedevs.in — CNAME cannot), (3) they resolve at the Route 53 level without an extra DNS hop, and (4) they automatically track the ALB IP as it changes.
devops.punedevs.in    A    ALIAS    my-alb.us-east-1.elb.amazonaws.com
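Added example, not the page's own code: the change batch one would submit with `aws route53 change-resource-record-sets --change-batch file://batch.json` to create the Alias record shown above, together with a check that encodes the apex rule from the paragraph. The ALB DNS name is the one from the page; the ALB's hosted zone ID (the regional ELB zone, which differs per region and is reported by `aws elbv2 describe-load-balancers`) is a placeholder.

```python
"""Build and sanity-check a Route 53 change batch for the ALB Alias record.
Added example; the ALB hosted zone ID below is a placeholder, not a real value."""
import json

ALB_HOSTED_ZONE_ID = "ZEXAMPLEALBZONE"   # placeholder for the ALB's regional hosted zone ID
ALB_DNS = "my-alb.us-east-1.elb.amazonaws.com"
APEX = "punedevs.in"


def alias_change(name, alb_dns, alb_zone_id, action="UPSERT"):
    """One ChangeBatch entry: an A record whose AliasTarget is the ALB."""
    return {
        "Action": action,
        "ResourceRecordSet": {
            "Name": name.rstrip(".") + ".",
            "Type": "A",
            "AliasTarget": {
                "HostedZoneId": alb_zone_id,
                "DNSName": alb_dns.rstrip(".") + ".",
                # Let Route 53 consult the ALB's health before answering
                "EvaluateTargetHealth": True,
            },
        },
    }


def cname_change(name, target, ttl=300, action="UPSERT"):
    """One ChangeBatch entry for a plain CNAME, for comparison."""
    return {
        "Action": action,
        "ResourceRecordSet": {
            "Name": name.rstrip(".") + ".",
            "Type": "CNAME",
            "TTL": ttl,
            "ResourceRecords": [{"Value": target.rstrip(".") + "."}],
        },
    }


def validate_change(change, zone_apex):
    """Return a list of problems; an empty list means the change is acceptable.

    Encodes two rules from the text: a CNAME may not sit at the zone apex, and
    an Alias record carries the target's hosted zone ID instead of a TTL.
    """
    rrset = change["ResourceRecordSet"]
    name = rrset["Name"].rstrip(".")
    problems = []
    if rrset["Type"] == "CNAME" and name == zone_apex.rstrip("."):
        problems.append("CNAME is not allowed at the zone apex; use an Alias A record")
    if "AliasTarget" in rrset:
        if "TTL" in rrset:
            problems.append("Alias records carry no TTL (Route 53 uses the target's)")
        if not rrset["AliasTarget"].get("HostedZoneId"):
            problems.append("AliasTarget.HostedZoneId (the ALB's zone) is required")
    return problems


def change_batch(changes, comment="ALB alias records"):
    """The document passed as --change-batch file://batch.json."""
    return {"Comment": comment, "Changes": list(changes)}


if __name__ == "__main__":
    batch = change_batch([
        alias_change("devops." + APEX, ALB_DNS, ALB_HOSTED_ZONE_ID),
        alias_change(APEX, ALB_DNS, ALB_HOSTED_ZONE_ID),   # apex works with Alias
    ])
    for change in batch["Changes"]:
        print(change["ResourceRecordSet"]["Name"], validate_change(change, APEX) or "ok")
    print(json.dumps(batch, indent=2))
    # The same apex name as a CNAME is rejected, which is why Alias records exist
    print(validate_change(cname_change(APEX, ALB_DNS), APEX))
```

`EvaluateTargetHealth` is what lets Route 53 stop answering with the ALB while its health checks fail, which is the optional health-check behaviour listed in the record card above.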
📋 Hosted Zone Structure
A Hosted Zone in Route 53 is a container for DNS records for a domain. When created, you get 4 NS (Name Server) records and 1 SOA (Start of Authority) record automatically. You update your domain registrar's nameservers to point to Route 53's NS records to delegate authority.
NS records (auto-created):
  ns-1234.awsdns-12.com
  ns-5678.awsdns-34.co.uk
  ns-9012.awsdns-56.net
  ns-3456.awsdns-78.org
🌍 Routing Policies Available
Route 53 supports multiple routing strategies: Simple (basic single target), Weighted (A/B split by percentage), Latency-based (routes to the lowest-latency region), Failover (active-passive with health checks), Geolocation (by the user's country/continent), Geoproximity (by distance with bias), Multi-value (returns multiple IPs).
ALB listeners and target group:
Listener 1 — HTTP:80 → 301 redirect to HTTPS (Action: Redirect → :443)
Listener 2 — HTTPS:443 — SSL termination (ACM certificate attached here)
Target Group — EC2 instances on the HTTP app port (health check: GET /health → 200)
🔄 HTTP → HTTPS Redirect Listener Rule
The ALB Listener on port 80 has a default rule that redirects all traffic to HTTPS with status 301 (Permanent). This is performed at the load balancer level — no application code changes needed. Browsers cache 301 redirects, so repeat visitors skip the redirect entirely after the first visit.
Action: Redirect
Protocol: HTTPS
Port: 443
Status: 301 (Moved Permanently)
URL: https://#{host}/#{path}?#{query}
⚖️ SSL Termination at ALB
TLS is decrypted ("terminated") at the ALB. Traffic between ALB and EC2 instances travels as plain HTTP inside the private VPC network. This offloads CPU-intensive TLS handshake processing from application servers. For end-to-end encryption (compliance scenarios), configure HTTPS on the target group as well.
🎯 Target Groups & Health Checks
A Target Group holds the registered EC2 instances. ALB only routes requests to targets that pass health checks. The ALB periodically sends requests to a configured path (e.g. /health) and expects a 200 OK response. Failing targets are automatically deregistered and traffic redistributes to remaining healthy instances.
Health Check Config:
  Protocol: HTTP
  Path: /health
  Port: traffic-port
  Interval: 30 seconds
  Healthy threshold: 3 consecutive successes
📊 ALB vs NLB vs CLB
ALB (Layer 7) — HTTP/HTTPS, path & host-based routing, WebSockets, gRPC. Best for web apps. NLB (Layer 4) — TCP/UDP, ultra-low latency (<1ms), static IP, best for real-time apps. CLB (Classic) — legacy, do not use for new deployments. For this HTTPS web application, ALB is the correct choice.
ACM certificate details:
Certificate type: Public SSL/TLS X.509 certificate — RSA 2048-bit or ECDSA 256-bit
Cost: completely FREE for AWS service use — no charge for ACM public certs
Validation method: DNS validation via CNAME record — auto-added in Route 53 (1-click)
Renewal: automatic — 60 days before expiry; zero manual intervention required
🔐 What ACM Does Internally
ACM provisions, stores, and renews SSL/TLS X.509 certificates. Private keys are stored securely in AWS KMS — you never see or handle them. The certificate proves to browsers that the server is the legitimate owner of the domain. ACM integrates directly with ALB, CloudFront, and API Gateway.
DNS Validation Process
When you request a certificate, ACM generates a unique CNAME record. You add it to your hosted zone (Route 53 can do this automatically). ACM queries for this record to prove domain ownership. Once validated, the certificate issues within minutes and stays valid as long as the CNAME record exists — enabling automatic renewals forever.
ACM provides:
  Name:  _abc123def.devops.punedevs.in
  Value: _xyz789ghi.acm-validations.aws.
Add this as a CNAME in Route 53 → validation complete
Wildcard Certificates
A wildcard certificate (*.punedevs.in) covers all subdomains — devops, api, www, staging, etc. — with a single certificate. Combine with a Subject Alternative Name (SAN) for the apex domain to cover everything. Wildcard certs require DNS validation (email validation not supported).
Domains covered by one cert:
  *.punedevs.in (all subdomains)
  punedevs.in (apex domain via SAN)
🤝 TLS Handshake Step-by-Step
1. ClientHello — Browser sends supported TLS versions, cipher suites, and a random number.
2. ServerHello — ALB picks TLS version, cipher suite, sends ACM certificate.
3. Certificate verification — Browser validates cert against trusted CA roots.
4. Key exchange — ECDHE generates shared secret.
5. Session established — Both sides derive symmetric encryption keys.
6. Encrypted channel open — Application data flows encrypted.
Total: ~1 RTT for TLS 1.3.
EC2 target details:
Receives: plain HTTP (TLS terminated at ALB) with X-Forwarded-Proto: https
Network access: private — accessible only from the ALB security group (SG inbound: TCP 8080 from ALB-SG)
Load balancing: Round Robin or Least Outstanding Requests; sticky sessions optional (cookie)
🖥️ What EC2 Instances Receive
After ALB terminates TLS, it forwards a plain HTTP request to the EC2 target. The ALB automatically injects forwarding headers so your application knows the original connection was HTTPS. Use X-Forwarded-Proto in your app to enforce HTTPS-only logic (e.g. secure cookie flags). These headers are only trustworthy because the Security Group rule below guarantees that every connection to the app port comes from the ALB; an instance that is reachable directly could be handed forged X-Forwarded-* values by any client.
Headers added by ALB:
  X-Forwarded-For: 203.0.113.45   (original client IP)
  X-Forwarded-Proto: https        (original protocol)
  X-Forwarded-Port: 443           (original port)
🔒 Security Groups — Principle of Least Privilege
EC2 instances should NOT be publicly accessible. Configure the EC2 Security Group to only allow inbound traffic from the ALB's Security Group ID — not from 0.0.0.0/0. This ensures all traffic flows through the ALB (with TLS termination, WAF, etc.) and EC2 instances cannot be reached directly from the internet.
EC2 Security Group Inbound Rule:
  Type: Custom TCP
  Port: 8080 (or your app port)
  Source: sg-xxxxxxxx (ALB Security Group ID)
  NOT: 0.0.0.0/0 ← never expose directly
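The following WSGI middleware is an added example, not code from the page, that shows how the X-Forwarded-* headers, the Security Group rule and the HSTS item from the checklist at the end of the page fit together in application code running on port 8080. It only honours X-Forwarded-Proto when the TCP peer is inside the VPC (defence in depth on top of the Security Group), redirects anything that was not HTTPS using the same URL shape as the ALB's redirect rule, adds Strict-Transport-Security to HTTPS responses and marks cookies Secure. The VPC CIDR 10.0.0.0/16, the client address and the cookie name are constructed values; only the standard library is used.

```python
"""WSGI middleware: trust X-Forwarded-Proto only from the ALB's network,
enforce HTTPS, add HSTS and mark cookies Secure. Added example, not from the page.
Assumptions: app on port 8080 behind the ALB; ALB subnets inside 10.0.0.0/16
(constructed); HSTS max-age from the page's checklist."""
import ipaddress

# Only connections from these networks may carry trusted X-Forwarded-* headers.
# With the Security Group rule (inbound 8080 from the ALB SG only) nothing else
# reaches the port anyway; this guards against header spoofing if that rule is
# ever loosened. The CIDR is a constructed placeholder for the real VPC range.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/16")]
HSTS = "max-age=31536000"


def peer_is_trusted_proxy(remote_addr):
    """True when the TCP peer (REMOTE_ADDR) lies inside the ALB's network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def original_scheme(environ):
    """The client's real scheme: X-Forwarded-Proto if the ALB sent it, else the local one."""
    if peer_is_trusted_proxy(environ.get("REMOTE_ADDR", "")):
        return environ.get("HTTP_X_FORWARDED_PROTO", environ["wsgi.url_scheme"]).lower()
    return environ["wsgi.url_scheme"]  # a forged header from elsewhere is ignored


def https_location(environ):
    """Same URL the ALB redirect rule builds: https://#{host}/#{path}?#{query}."""
    host = environ.get("HTTP_HOST", "")
    path = environ.get("PATH_INFO", "/") or "/"
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def secure_cookie(header_value):
    """Add the Secure and HttpOnly flags to a Set-Cookie value if they are missing."""
    flags = {f.strip().lower() for f in header_value.split(";")[1:]}
    if "secure" not in flags:
        header_value += "; Secure"
    if "httponly" not in flags:
        header_value += "; HttpOnly"
    return header_value


def https_only(app):
    """Wrap `app`: redirect plain-HTTP requests, harden HTTPS responses."""
    def wrapped(environ, start_response):
        if original_scheme(environ) != "https":
            start_response("301 Moved Permanently", [("Location", https_location(environ))])
            return [b""]

        def hardened_start(status, headers, exc_info=None):
            out = [(k, secure_cookie(v) if k.lower() == "set-cookie" else v) for k, v in headers]
            out.append(("Strict-Transport-Security", HSTS))
            return start_response(status, out, exc_info)

        return app(environ, hardened_start)
    return wrapped


def demo_app(environ, start_response):
    """Minimal application that sets a session cookie (constructed name/value)."""
    start_response("200 OK", [("Content-Type", "text/plain"), ("Set-Cookie", "session=abc; Path=/")])
    return [b"hello over https\n"]


def call(app, environ):
    """Invoke a WSGI app in-process and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def alb_environ(proto, remote_addr="10.0.1.25", path="/login", query="next=%2Fhome"):
    """Constructed WSGI environ resembling what the ALB forwards to port 8080."""
    return {
        "REMOTE_ADDR": remote_addr, "wsgi.url_scheme": "http",
        "HTTP_HOST": "devops.punedevs.in", "PATH_INFO": path, "QUERY_STRING": query,
        "HTTP_X_FORWARDED_PROTO": proto, "HTTP_X_FORWARDED_FOR": "203.0.113.45",
        "HTTP_X_FORWARDED_PORT": "443" if proto == "https" else "80",
    }


if __name__ == "__main__":
    app = https_only(demo_app)
    print(call(app, alb_environ("https")))                          # 200 + HSTS + Secure cookie
    print(call(app, alb_environ("http")))                           # 301 to the https:// URL
    print(call(app, alb_environ("https", remote_addr="198.51.100.7")))  # forged header ignored
```

Note that REMOTE_ADDR is the ALB's private address, not the user's; the user's address is in X-Forwarded-For, and it deserves the same "only from the ALB" trust rule before it is used for rate limiting or audit logs.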
⚖️ Load Balancing Algorithms
Round Robin (default) — each new request goes to the next instance in sequence. Even distribution. Least Outstanding Requests — routes to the instance with fewest active connections; best for varying response times. Sticky Sessions — uses ALB-generated cookies to bind a user session to a specific instance (needed for stateful apps).
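A small simulation, added here and not part of the page or of AWS's own code, that implements both the health-check thresholds from the Target Groups passage and the Round Robin and Least Outstanding Requests algorithms from the passage above, so the interaction is visible: a target that fails consecutive probes leaves the rotation, both algorithms only choose among healthy targets, and recovery needs the full run of consecutive 200s. The healthy threshold of 3 follows the text; the unhealthy threshold of 2 and the instance names are assumptions.

```python
"""Simulated ALB target group: health-check thresholds plus the Round Robin
and Least Outstanding Requests algorithms. Added example, not AWS code.
Healthy threshold 3 comes from the text; unhealthy threshold 2 is assumed."""


class Target:
    """One registered EC2 instance as the load balancer sees it."""

    def __init__(self, name):
        self.name = name
        self.healthy = True
        self.consecutive_ok = 0
        self.consecutive_fail = 0
        self.outstanding = 0  # requests currently in flight on this target


class TargetGroup:
    def __init__(self, targets, healthy_threshold=3, unhealthy_threshold=2,
                 algorithm="round_robin"):
        self.targets = list(targets)
        self.healthy_threshold = healthy_threshold
        self.unhealthy_threshold = unhealthy_threshold
        self.algorithm = algorithm
        self._rr = 0  # round-robin cursor

    def record_health_check(self, target, status_code):
        """Apply one probe result (GET /health) and flip state on the thresholds.

        Returns the target's health after the probe. Any non-200 answer breaks
        a success streak, so recovery needs the full run of consecutive 200s.
        """
        if status_code == 200:
            target.consecutive_ok += 1
            target.consecutive_fail = 0
            if not target.healthy and target.consecutive_ok >= self.healthy_threshold:
                target.healthy = True
        else:
            target.consecutive_fail += 1
            target.consecutive_ok = 0
            if target.healthy and target.consecutive_fail >= self.unhealthy_threshold:
                target.healthy = False  # taken out of rotation
        return target.healthy

    def healthy_targets(self):
        return [t for t in self.targets if t.healthy]

    def pick(self):
        """Choose a target for a new request, or None when nothing is healthy."""
        pool = self.healthy_targets()
        if not pool:
            return None
        if self.algorithm == "least_outstanding_requests":
            chosen = min(pool, key=lambda t: t.outstanding)
        else:  # round robin over the healthy pool only
            chosen = pool[self._rr % len(pool)]
            self._rr += 1
        chosen.outstanding += 1
        return chosen

    def finish(self, target):
        """Mark one request on `target` as complete."""
        target.outstanding -= 1


if __name__ == "__main__":
    tg = TargetGroup([Target("i-1"), Target("i-2"), Target("i-3")])
    print("round robin:", [tg.pick().name for _ in range(4)])
    bad = tg.targets[1]
    for code in (503, 503):
        print(f"{bad.name} probe {code} -> healthy={tg.record_health_check(bad, code)}")
    print("after failures:", [tg.pick().name for _ in range(4)])
    for code in (200, 200, 200):
        print(f"{bad.name} probe {code} -> healthy={tg.record_health_check(bad, code)}")
```

The point of the two counters is the asymmetry the page describes: a target drops out quickly so users stop hitting it, but it is only readmitted after a sustained run of healthy probes, which is why a flapping /health endpoint keeps an instance out of rotation for a long time.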
End-to-End Request Flow

1. User types https://devops.punedevs.in → browser queries DNS, Route 53 returns ALB DNS name
2. Browser connects to ALB on port 80 → ALB responds with 301 Redirect → :443
3. Browser connects to ALB on port 443 → TLS handshake using ACM certificate completes
4. ALB decrypts TLS → forwards plain HTTP to healthy EC2 target with X-Forwarded-* headers
5. EC2 responds → ALB re-encrypts → delivers secure HTTPS response to browser 🔒
Cost summary:
Route 53: $0.50/hosted zone/month + $0.40/million queries
ACM: ★ FREE for public certs used with AWS services
ALB: ~$16.20/month base + LCU charges per usage

Best practices:
Enable ALB access logs → S3 bucket for audit trail
Attach AWS WAF to ALB — block SQLi, XSS, bad bots
Enable ALB deletion protection to prevent accidental removal
Use ACM wildcard + apex SAN — one cert for all subdomains
EC2 Security Group: allow only ALB SG, never 0.0.0.0/0
Enable VPC Flow Logs for network traffic visibility
Set HSTS header in app: Strict-Transport-Security: max-age=31536000
Enable AWS Shield Standard (included free) — DDoS protection
Use TLS 1.2+ only policy on ALB HTTPS listener
Multi-AZ deployment — instances in 2+ Availability Zones