How to Configure SSL/TLS on Amazon EC2 for IIS 7 with Elastic IP: A Step-by-Step Guide


When deploying .NET applications on Amazon EC2 with Elastic IP, SSL configuration presents unique challenges. The key misconception lies in assuming Elastic IP automatically handles SSL certificate binding - it doesn't. Here's why your HTTPS connection fails:

  • IIS requires explicit SSL binding to either the Elastic IP or domain name
  • EC2's virtualized networking layer doesn't automatically map certificates to Elastic IPs
  • Security groups must explicitly allow HTTPS traffic (port 443)

Here's the proper sequence for SSL configuration on EC2 with IIS 7:

1. Verify Security Group Configuration

First, ensure your EC2 security group allows inbound HTTPS:

AWS CLI command:

aws ec2 authorize-security-group-ingress \
--group-id your-security-group-id \
--protocol tcp \
--port 443 \
--cidr 0.0.0.0/0

2. Bind Certificate to Correct IP in IIS

In IIS Manager:

  1. Open "Server Certificates"
  2. Complete the certificate import wizard
  3. Right-click your site → Edit Bindings
  4. Add HTTPS binding with:
    • IP address: (your Elastic IP or "All Unassigned")
    • Port: 443
    • Host name: yourdomain.com (if using SNI)
    • SSL certificate: your imported cert
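The four IIS Manager steps above, scripted end to end. This is an added example, not code from the original article: it imports a PFX into the machine store, checks that the certificate actually carries a private key and has not expired (the two most common reasons the binding silently serves nothing), creates the HTTPS binding and attaches the certificate in http.sys. The site name, PFX path and host name are placeholders. One point worth knowing before choosing the IP address: inside the instance Windows only sees the VPC private address, because the Elastic IP is translated at the network layer, so the Elastic IP itself is never selectable in the binding dialog; "All Unassigned" (0.0.0.0) or the private IP is what you bind.

```powershell
# Added example (not from the original article). Placeholders: site name, PFX path, host name.
# Run in an elevated PowerShell session on the EC2 instance.
Import-Module WebAdministration

$siteName    = "YourSiteName"
$hostName    = "yourdomain.com"
$pfxPath     = "C:\certs\yourdomain.pfx"        # assumption: PFX copied to the instance
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString

# 1. Import the certificate into the local machine store (same result as "Server Certificates").
#    MachineKeySet + PersistKeySet keep the private key where the IIS worker process can reach it.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] "MachineKeySet,PersistKeySet"
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword, $flags)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()

# 2. Sanity checks before binding: no private key or an expired cert gives a binding that never answers.
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; IIS cannot terminate TLS with it." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
if ($cert.Subject -notmatch [regex]::Escape($hostName)) {
    Write-Warning "Certificate subject '$($cert.Subject)' does not mention $hostName; check the SANs."
}

# 3. HTTPS binding on all unassigned addresses ("All Unassigned" in IIS Manager).
#    The Elastic IP is NAT'd to the private address, so it cannot be bound directly.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress "*"
}

# 4. Attach the certificate to the http.sys binding for 0.0.0.0:443 (replace any stale one).
$sslPath = "IIS:\SslBindings\0.0.0.0!443"
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# 5. Show what IIS and http.sys now hold, so the thumbprints can be compared.
Get-WebBinding -Name $siteName | Format-Table protocol, bindingInformation
Get-Item $sslPath | Format-List IPAddress, Port, Thumbprint
"Imported thumbprint: $($cert.Thumbprint)"
```

The .NET X509Certificate2 constructor is used for the import rather than Import-PfxCertificate so the script also runs on Windows Server 2008 R2, where the PKI module does not exist. After it completes, the security group rule from step 1 and the Elastic IP association are the only remaining pieces between a client and the site.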

3. Network Configuration Checks

For Elastic IP scenarios, these PowerShell commands help verify configuration:

# Check current TCP/IP configuration
Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address

# Verify IIS bindings
Import-Module WebAdministration
Get-WebBinding -Name "YourSiteName" | Format-Table Protocol, BindingInformation

For complex setups like multiple SSL sites on a single EC2 instance:

Option A: Using SNI (Recommended)

# PowerShell to configure SNI binding
New-WebBinding -Name "Site1" -Protocol "https" -Port 443 -HostHeader "site1.com" -SslFlags 1

Option B: Dedicated IP Approach

If you must use dedicated IPs (for legacy clients):

# Add secondary IP to EC2 instance
aws ec2 assign-private-ip-addresses \
--network-interface-id eni-123456 \
--private-ip-addresses 10.0.0.100
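The AWS CLI call above only tells the VPC that the instance owns the second private address; Windows does not configure it on the adapter by itself, and IIS still has to be told which site answers on it. The script below is an added example (not from the original article) that completes the dedicated-IP approach: it adds the secondary address to the adapter, binds a second site to that address only, and attaches that site's certificate in http.sys. The secondary IP matches the CLI command above; the /24 prefix, site name and certificate subject are assumptions. Note that on IIS 7.0/7.5 (Windows Server 2008/2008 R2) SNI is not available at all (it arrived with IIS 8), so on those versions this is the only way to host several certificates on one instance. To expose the second site publicly, a second Elastic IP must be associated with the secondary private address (aws ec2 associate-address with --private-ip-address 10.0.0.100).

```powershell
# Added example (not from the original article). Assumed values: subnet prefix /24,
# site "Site2" with a certificate issued for site2.com already in the machine store.
Import-Module WebAdministration

$secondaryIp  = "10.0.0.100"   # matches the assign-private-ip-addresses call above
$prefixLength = 24             # assumption: subnet is 10.0.0.0/24
$siteName     = "Site2"
$certSubject  = "site2.com"

# 1. Put the secondary private IP on the active adapter. SkipAsSource keeps outbound traffic
#    (and the instance's own identity) on the primary address.
$adapter = Get-NetAdapter | Where-Object { $_.Status -eq "Up" } | Select-Object -First 1
if (-not (Get-NetIPAddress -IPAddress $secondaryIp -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -InterfaceIndex $adapter.ifIndex -IPAddress $secondaryIp `
        -PrefixLength $prefixLength -SkipAsSource $true | Out-Null
}

# 2. Select exactly one usable certificate for this site; fail rather than bind the wrong one.
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match [regex]::Escape($certSubject) -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) })
if ($certs.Count -ne 1) { throw "Expected exactly one valid certificate for $certSubject, found $($certs.Count)." }
$cert = $certs[0]

# 3. Bind the site to the dedicated address only, with no host header, so clients that
#    cannot send SNI are still served the right certificate.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress $secondaryIp)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress $secondaryIp
}
$sslPath = "IIS:\SslBindings\$secondaryIp!443"
if (-not (Test-Path $sslPath)) { New-Item -Path $sslPath -Value $cert | Out-Null }

# 4. Review: each IP:443 pair should show exactly one thumbprint, and the 0.0.0.0 entry (if any)
#    must not shadow the dedicated one for Site1's address.
Get-ChildItem IIS:\SslBindings | Format-Table IPAddress, Port, Thumbprint
Get-NetIPAddress -AddressFamily IPv4 | Format-Table InterfaceAlias, IPAddress, SkipAsSource
```

Keep the original site on "All Unassigned" and the second one on its dedicated address: http.sys prefers the more specific IP binding, so the two do not collide. If the first site is also on a wildcard binding, check the last table to confirm the secondary address did not inherit the wrong certificate.
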

If HTTPS still fails after the bindings are in place, work through these checks:

  • Verify certificate chain completeness (including intermediates)
  • Check IIS logs at %SystemDrive%\inetpub\logs\LogFiles
  • Test basic HTTPS connectivity with OpenSSL (the -servername flag sends SNI, which an SNI binding needs before it will present the right certificate): openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
  • Confirm Elastic IP is properly associated in AWS console

When migrating .NET applications to Amazon EC2 with IIS 7, SSL configuration presents unique challenges compared to traditional hosting environments. The elastic IP architecture and EC2's networking layer require special consideration for proper SSL termination.

A working setup needs all of the following in place:

  • Elastic IP properly associated with your EC2 instance
  • Security groups configured to allow HTTPS (port 443) traffic
  • Valid SSL certificate installed in IIS with proper private key binding
  • Correct bindings configuration in IIS

First, verify your network configuration:

# Check EC2 instance network configuration (the flag is --instance-ids, plural, and accepts one or more IDs)
aws ec2 describe-instances --instance-ids YOUR_INSTANCE_ID \
--query 'Reservations[].Instances[].NetworkInterfaces[].Association'

For IIS binding configuration:

# PowerShell command to verify SSL bindings
Import-Module WebAdministration
Get-WebBinding -Name "YourSiteName" |
Where-Object { $_.Protocol -eq "https" } |
Select-Object -Property Protocol, BindingInformation

The most frequent issues I've encountered:

1. Certificate Binding Conflicts

When multiple sites share the same IP, IIS requires SNI (Server Name Indication) configuration:

# Configure SNI binding in PowerShell (-HostHeader plus -SslFlags 1 is what makes the binding SNI;
# without them the binding is a plain IP binding and the host-qualified SslBindings entry has nothing to attach to)
Import-Module WebAdministration
New-WebBinding -Name "YourSite" -IPAddress "*" -Port 443 -Protocol https -HostHeader "yourdomain.com" -SslFlags 1
# Select one certificate with a private key; Select-Object -First 1 guards against several matches (e.g. after a renewal)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "yourdomain.com" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
# SNI entries in the SslBindings drive use an empty IP, then port, then host name
New-Item -Path "IIS:\SslBindings\!443!yourdomain.com" -Value $cert -SSLFlags 1

2. Security Group Misconfiguration

Verify your EC2 security group allows inbound HTTPS:

aws ec2 authorize-security-group-ingress \
--group-id YOUR_SECURITY_GROUP_ID \
--protocol tcp \
--port 443 \
--cidr 0.0.0.0/0

For production environments, consider these enhancements:

  • Implement HTTP to HTTPS redirect in web.config
  • Configure HSTS headers for security
  • Set up certificate auto-rotation using AWS Certificate Manager

If access problems remain, troubleshoot in this order:

  1. Test basic HTTP connectivity first
  2. Verify certificate chain completeness
  3. Check Windows event logs for SCHANNEL errors
  4. Test with OpenSSL (adding -servername so an SNI binding presents its certificate): openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
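The first two production enhancements above (the HTTP to HTTPS redirect and the HSTS header) are usually described as web.config edits; the following added example (not from the original article) applies both through the WebAdministration module instead, so the change is idempotent and the web.config is not overwritten. It assumes the IIS URL Rewrite module is installed (the redirect rule needs it; the HSTS header uses the built-in customHeaders section), a site named "YourSiteName", and the host name yourdomain.com for the final check.

```powershell
# Added example (not from the original article). Assumptions: URL Rewrite module installed,
# site "YourSiteName", host name yourdomain.com. Run in an elevated session on the instance.
Import-Module WebAdministration

$siteName = "YourSiteName"
$sitePath = "IIS:\Sites\$siteName"
$ruleName = "Redirect HTTP to HTTPS"

# --- HTTP -> HTTPS redirect as a URL Rewrite rule ---
# Condition {HTTPS} = off restricts the rule to plain-HTTP requests, so the HTTPS binding never loops.
$rulesFilter = "system.webServer/rewrite/rules"
$ruleFilter  = "$rulesFilter/rule[@name='$ruleName']"
if (-not (Get-WebConfiguration -PSPath $sitePath -Filter $ruleFilter)) {
    Add-WebConfigurationProperty -PSPath $sitePath -Filter $rulesFilter -Name "." `
        -Value @{ name = $ruleName; stopProcessing = "True" }
    Set-WebConfigurationProperty -PSPath $sitePath -Filter "$ruleFilter/match" -Name url -Value "(.*)"
    Add-WebConfigurationProperty -PSPath $sitePath -Filter "$ruleFilter/conditions" -Name "." `
        -Value @{ input = "{HTTPS}"; pattern = "off" }
    Set-WebConfigurationProperty -PSPath $sitePath -Filter "$ruleFilter/action" -Name type -Value "Redirect"
    Set-WebConfigurationProperty -PSPath $sitePath -Filter "$ruleFilter/action" -Name url -Value "https://{HTTP_HOST}/{R:1}"
    Set-WebConfigurationProperty -PSPath $sitePath -Filter "$ruleFilter/action" -Name redirectType -Value "Permanent"
}

# --- HSTS header ---
# Browsers only honour Strict-Transport-Security received over HTTPS, so a site-wide header is safe.
# Start with a short max-age; widen it (and add includeSubDomains/preload) only once every host under
# the domain serves HTTPS, because clients cache the policy and will refuse plain HTTP until it expires.
$headersFilter = "system.webServer/httpProtocol/customHeaders"
$hstsValue     = "max-age=300"
if (-not (Get-WebConfiguration -PSPath $sitePath -Filter "$headersFilter/add[@name='Strict-Transport-Security']")) {
    Add-WebConfigurationProperty -PSPath $sitePath -Filter $headersFilter -Name "." `
        -Value @{ name = "Strict-Transport-Security"; value = $hstsValue }
}

# --- Check the result from the instance itself ---
$hostName = "yourdomain.com"
$response = Invoke-WebRequest -Uri "https://$hostName/" -UseBasicParsing
"HSTS header sent: $($response.Headers['Strict-Transport-Security'])"
Get-WebConfiguration -PSPath $sitePath -Filter "$ruleFilter/action" | Format-List type, url, redirectType
```

A plain-HTTP request to the site should now answer 301 with a Location header pointing at the HTTPS URL, and the HTTPS response carries the HSTS header. Raise max-age to a year only after the redirect has been confirmed for every host name the certificate covers.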

Remember that EC2 instances behind load balancers require different SSL termination approaches. For single-instance deployments, the above configuration should resolve most SSL access issues.