Connecting Control Room AWS account and API Tasks AWS account

A public certificate from AWS Certificate Manager (ACM) is issued for the domain name shared by both AWS accounts and is attached to the HTTPS listener of the load balancer in the Control Room AWS account. The load balancer terminates TLS with this certificate, so clients can reach the domain over HTTPS and verify that they are talking to the expected endpoint.

You must create a public hosted zone in the Control Room AWS account, request a certificate in ACM, and add the DNS validation CNAME that ACM generates to that public hosted zone. ACM validates ownership over public DNS, so a record placed only in the private hosted zone that you created earlier is not visible to ACM and the certificate stays in Pending validation.

Procedure

  1. Log in to the console of the Control Room AWS account as an administrator.
  2. Go to Route 53 console in the AWS console and perform the following steps.
    1. Select Hosted zone > Create Hosted zone.
      The Create hosted zone page appears.
    2. Enter the domain name that you entered when creating the private hosted zone in Domain name.
    3. Select Public Hosted Zone in the Type.
    4. Optional: Click Add tag to apply tags to hosted zones to help organize and identify them.
    5. Click Create hosted zone to create a public hosted zone.
      The new public hosted zone appears on the Route 53 dashboard. This public hosted zone enables you to validate the certificate using a public DNS record. For ACM to resolve that record, the zone must be delegated: the NS records that Route 53 assigns to the zone must be configured at the parent domain or registrar.
  3. Go to the AWS Certificate Manager portal in Control Room AWS account console and perform the following steps.
    1. Click Request a certificate to request a certificate from Amazon.
    2. Select Request a public certificate, and click Next.
    3. Enter the FQDN used to reach the API Tasks AWS account (the domain name of the hosted zones) in Fully qualified domain name. The name on the certificate must match the name that clients connect to, otherwise HTTPS clients reject the connection.
    4. Optional: Click Add another name to this certificate and enter an alternate name for the domain.
      This option allows you to access the certificate from both domain names.
    5. Select Disable export in Allow export. With export disabled, the private key never leaves ACM and can only be used by integrated services such as the load balancer.
    6. Select DNS validation in Validation method.
    7. Select RSA 2048 in Key algorithm.
    8. Optional: Click Add tag to apply tags to the certificates to help organize and identify them.
    9. Click Request to request a public certificate.
      After processing the request, the ACM console displays the new certificate in the Certificates list with the status Pending validation. The ACM console also displays the CNAME record (name and value) for the certificate. You must create this CNAME in the DNS configuration of your domain. If you request a certificate with a name and an additional name, ACM creates one CNAME for each name, and both must be created.
      Note: If the certificate shows Failed or Validation timed out, delete the certificate and retry. For more information about troubleshooting certificate requests, see Troubleshooting certificate requests in ACM.
  4. Go to Route 53 console in the AWS console and perform the following steps.
    1. Select the public hosted zone created earlier and click Create Record. The record must be in the public zone: ACM queries public DNS, and records in the private hosted zone are only resolvable from the VPCs associated with it.
    2. Enter the CNAME name generated earlier in ACM in Record name. The Route 53 console appends the zone name automatically, so paste only the part of the name that precedes the domain.
    3. Select CNAME in Record type.
    4. Enter the CNAME value generated earlier in ACM (the name ending in acm-validations.aws.) in Value.
    5. Enter a TTL (time to live) in seconds; the default of 300 is sufficient.
    6. Select Simple in Routing policy.
    7. Click Create records.
      The Route 53 console creates the record. ACM validates the certificate once it can resolve the record, which can take several minutes; the certificate status changes from Pending validation to Issued. You can delete the public hosted zone after validation is complete to avoid confusion with the private hosted zone of the same name. Note that ACM managed renewal re-checks the same CNAME before the certificate expires, so if you delete the public hosted zone you must recreate it and the CNAME record before renewal, or renewal fails.
  5. Go to EC2 > Load balancers in the Control Room AWS console and perform the following steps:
    1. Select your load balancer.
    2. Go to Listeners and rules tab and select Add listener.
    3. Select HTTPS in Protocol and set Port to 443. In Security policy, keep a policy that allows only TLS 1.2 and TLS 1.3 (for example ELBSecurityPolicy-TLS13-1-2-2021-06); do not select a policy that allows TLS 1.0 or 1.1.
    4. Select Default action > Forward to target groups, and select the target group attached to your load balancer.
    5. Select Default SSL/TLS certificate > Certificate (from ACM) and choose the public certificate created earlier.
    6. Optional: Click Add a new tag to apply tags to the listener.
    7. Click Add listener.
      The listener is active. The load balancer now terminates HTTPS for the domain with the ACM certificate and forwards requests to the target group, which connects the two AWS accounts.

Next steps

Run the following command in the AWS CLI or CloudShell of the Control Room AWS account to verify the connection: curl -v https://<API_TASK_AWS_ACCOUNT>, where <API_TASK_AWS_ACCOUNT> is the FQDN of your API Tasks AWS account. The -v output shows the certificate chain and the TLS version negotiated with the load balancer. Do not add -k or --insecure: a certificate or hostname error here means the certificate, the DNS record, or the listener is misconfigured, not something to bypass.
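The following script is an added example and is not part of the original page or of the product's own tooling. It automates steps 3 to 5 of the procedure with boto3 and ends with the same check as the curl command, but with strict certificate verification enforced in code. The helpers are pure functions that build the API inputs from the API responses, so they run offline against the constructed sample data included below; the boto3 calls in the main block run only with AWS credentials. The sample zone IDs, record names, ARNs, the domain api.example.com and the choice of TLS policy are assumptions for illustration.

```python
"""Added example: ACM DNS validation, HTTPS listener and strict TLS check.

Not from the original page. Sample data below is constructed; boto3 calls
(describe_certificate, list_hosted_zones_by_name, change_resource_record_sets,
create_listener) are real API operations and run only in the main block.
"""
import socket
import ssl

# Assumption: an AWS-published ALB policy that permits only TLS 1.2 and 1.3.
TLS_POLICY = "ELBSecurityPolicy-TLS13-1-2-2021-06"

# Constructed sample: shape of route53.list_hosted_zones_by_name()["HostedZones"].
# Both zones carry the same name; only one of them is visible to ACM.
SAMPLE_ZONES = [
    {"Id": "/hostedzone/ZPRIVATE1", "Name": "api.example.com.",
     "Config": {"PrivateZone": True}},
    {"Id": "/hostedzone/ZPUBLIC1", "Name": "api.example.com.",
     "Config": {"PrivateZone": False}},
]

# Constructed sample: shape of acm.describe_certificate()["Certificate"].
SAMPLE_CERT = {
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [
        {"DomainName": "api.example.com", "ValidationMethod": "DNS",
         "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_abc123.api.example.com.", "Type": "CNAME",
                            "Value": "_def456.acm-validations.aws."}},
    ],
}


def pick_public_zone(zones, domain):
    """Return the ID of the *public* hosted zone named `domain`.

    ACM resolves the validation CNAME over public DNS. A record created in
    the private hosted zone of the same name is never seen by ACM, so the
    private zone is skipped even though its name matches.
    """
    fqdn = domain.rstrip(".") + "."
    for zone in zones:
        if zone["Name"] == fqdn and not zone["Config"]["PrivateZone"]:
            return zone["Id"].split("/")[-1]  # "/hostedzone/Z1" -> "Z1"
    raise LookupError(f"no public hosted zone for {domain}")


def validation_change_batch(certificate, ttl=300):
    """Build the Route 53 ChangeBatch holding ACM's validation CNAME(s).

    One CNAME per name on the certificate (an additional name from step 3.4
    yields a second record). UPSERT keeps the call idempotent on re-runs.
    """
    changes = []
    for opt in certificate["DomainValidationOptions"]:
        if opt.get("ValidationMethod") != "DNS":
            raise ValueError(f"{opt['DomainName']} is not DNS-validated")
        rr = opt["ResourceRecord"]
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": rr["Name"],
                "Type": rr["Type"],  # CNAME for ACM DNS validation
                "TTL": ttl,
                "ResourceRecords": [{"Value": rr["Value"]}],
            },
        })
    return {"Comment": "ACM DNS validation", "Changes": changes}


def https_listener_params(lb_arn, target_group_arn, certificate_arn):
    """Keyword arguments for elbv2.create_listener(): HTTPS on 443 with the
    ACM certificate, a TLS 1.2/1.3-only policy, forwarding to the target group."""
    return {
        "LoadBalancerArn": lb_arn,
        "Protocol": "HTTPS",
        "Port": 443,
        "SslPolicy": TLS_POLICY,
        "Certificates": [{"CertificateArn": certificate_arn}],
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": target_group_arn}],
    }


def verify_https(host, port=443, timeout=5.0):
    """Equivalent of `curl https://host` without -k: chain and hostname are
    verified against the system trust store, and any failure raises."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]


if __name__ == "__main__":
    import sys
    import boto3  # needed only for the live run, not for the helpers above
    domain, cert_arn, lb_arn, tg_arn = sys.argv[1:5]
    acm, r53, elbv2 = boto3.client("acm"), boto3.client("route53"), boto3.client("elbv2")
    cert = acm.describe_certificate(CertificateArn=cert_arn)["Certificate"]
    zones = r53.list_hosted_zones_by_name(DNSName=domain)["HostedZones"]
    r53.change_resource_record_sets(HostedZoneId=pick_public_zone(zones, domain),
                                    ChangeBatch=validation_change_batch(cert))
    acm.get_waiter("certificate_validated").wait(CertificateArn=cert_arn)
    elbv2.create_listener(**https_listener_params(lb_arn, tg_arn, cert_arn))
    print(verify_https(domain))
```

Run it as `python3 script.py <domain> <certificate-arn> <load-balancer-arn> <target-group-arn>` with credentials for the Control Room AWS account. The waiter blocks until ACM has resolved the CNAME and issued the certificate, which is the point at which the console shows Issued; if the public hosted zone is not delegated, the waiter times out instead.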