SSL-Enabled ALB Ingress for GrowEasy Solutions on AWS EKS

Deploying SSL-Enabled ALB Ingress for GrowEasy Solutions

AMJ Cloud Technologies collaborated with GrowEasy Solutions, an e-commerce company, to enhance their AWS Elastic Kubernetes Service (EKS) cluster by deploying the AWS Load Balancer Controller with SSL-enabled Ingress. This project secured GrowEasy’s microservices, including user management and frontend interfaces, using Application Load Balancers (ALBs) with AWS Certificate Manager (ACM) certificates and Route 53 DNS. Context path-based routing ensured efficient management of multiple services, replacing insecure HTTP traffic and manual SSL configurations.

Situation

GrowEasy Solutions needed to secure their e-commerce platform’s microservices, which were exposed via HTTP using NodePort Services, risking user data exposure. Their existing setup, established in a prior engagement with AMJ Cloud Technologies, used an ALB with context path-based routing but lacked HTTPS. Managing SSL certificates manually and routing multiple services (e.g., /frontend, /backend) added complexity. AMJ was tasked with enabling HTTPS using ACM certificates, integrating with Route 53 DNS, and maintaining automated, scalable access for GrowEasy’s growing user base.

Task

The objectives were to:

• Register a DNS domain in AWS Route 53 for GrowEasy Solutions.
• Create an SSL certificate using AWS Certificate Manager.
• Add SSL annotations to the Ingress manifest for HTTPS support.
• Deploy and test SSL-enabled Ingress with context path-based routing for microservices (e.g., /frontend, /backend, /).
• Ensure security with health checks and TLS certificates.
• Automate deployment using Helm and Kubernetes manifests.
• Complete the project within one month.

Action

Our team executed the following steps, adhering to AWS and Kubernetes best practices:

Prerequisites

• Leveraged GrowEasy’s existing EKS cluster (ecommerce-cluster, version 1.31) from the prior project.
• Configured tools (kubectl, eksctl, Helm) and verified IAM OIDC provider for AWS API access.
• Ensured the AWS Load Balancer Controller (v2.8.0) was installed:

  helm install load-balancer-controller eks/aws-load-balancer-controller -n kube-system --set clusterName=ecommerce-cluster --set image.tag=v2.8.0

Register Domain in Route 53

• Registered a domain for GrowEasy in AWS Route 53:

  # Registered groweasysolutions.com via AWS Console

• Configured contact details and enabled automatic renewal in the Route 53 console.

Create SSL Certificate in ACM

• Requested a public certificate in AWS Certificate Manager:

  # Created certificate for *.groweasysolutions.com via AWS Console

• Used DNS validation, created a Route 53 record for validation, and confirmed certificate issuance after 5-10 minutes.

Configure IngressClass

• Used the existing default IngressClass:

  apiVersion: networking.k8s.io/v1
  kind: IngressClass
  metadata:
    name: alb-ingress-class
    annotations:
      ingressclass.kubernetes.io/is-default-class: "true"

Deploy Microservices

• Deployed GrowEasy’s microservices (frontend, backend, default) with ClusterIP Services:

  apiVersion: v1
  kind: Service
  metadata:
    name: frontend-service
    annotations:
      alb.ingress.kubernetes.io/healthcheck-path: /frontend/index.html
  spec:
    type: ClusterIP
    ports:
      - port: 80

• Applied similar configurations for backend-service (/backend/index.html) and default-service (/index.html) using files frontend-deployment.yaml, backend-deployment.yaml, and default-deployment.yaml.

Configure SSL-Enabled Ingress

• Updated the Ingress with SSL annotations for HTTPS support:

  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: multi-service-ingress
    annotations:
      alb.ingress.kubernetes.io/load-balancer-name: ecommerce-ingress
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:<account-id>:certificate/<certificate-id>
  spec:
    ingressClassName: alb-ingress-class
    rules:
      - http:
          paths:
            - path: /frontend
              pathType: Prefix
            - path: /backend
              pathType: Prefix
            - path: /
              pathType: Prefix

• Applied manifests:

  kubectl apply -f manifests/

• Verified deployment, pods, services, and Ingress:

  kubectl get ingress
  kubectl get deploy,pods,svc

Configure Route 53 DNS

• Created a Route 53 record set for the ALB:

  # Created alias record ssl-demo.groweasysolutions.com pointing to ALB DNS via AWS Console

Test SSL Access

• Verified HTTPS access to GrowEasy’s microservices:

  https://ssl-demo.groweasysolutions.com/frontend/index.html
  https://ssl-demo.groweasysolutions.com/backend/index.html
  https://ssl-demo.groweasysolutions.com/

• Confirmed HTTP access remained functional:

  http://ssl-demo.groweasysolutions.com/frontend/index.html

Result

The project delivered a secure solution for GrowEasy Solutions:

• Scalability Achievement: Secured high traffic for GrowEasy’s e-commerce microservices with dynamic ALB scaling.
• Automation Level: Fully automated SSL and Ingress setup via ACM, Route 53, and Kubernetes manifests.
• Security Improvement: Enforced HTTPS with ACM certificates, health checks, and restricted IAM permissions.

Technologies Used

• AWS EKS
• AWS Load Balancer Controller
• Kubernetes Ingress
• Application Load Balancer
• AWS Route 53
• AWS Certificate Manager

Key Takeaways

This case study highlights AMJ Cloud Technologies’ expertise in securing GrowEasy Solutions’ e-commerce platform with SSL-enabled Ingress. Context path-based routing streamlined multi-service management, while ALB integration with ACM and Route 53 ensured secure, scalable access, offering a model for similar industries.