This is originally part 6 in a series on setting up a personal Elasticstack. It can also be applied to any similar setup. It does not even have to be a Kibana dashboard you are setting it up for!
You can check out the other parts in the series below.
- Building Your Environment in AWS
- Setting up and Installing Elasticsearch
- Setting up Kibana
- Using a Proxy for Kibana with HAProxy
- Enabling Security and Using Password Authentication
- Making Kibana Internet Accessible with Cloudfront
- Securing Cloudfront with Security Groups
- Inserting Data into Elasticsearch with Logstash
Now that you have a proxy server from part 4, and password authentication from part 5, the next stage is to make it so you have SSL on the frontend before the proxy.
You will need your own domain hosted in Route 53 to continue with CloudFront. If you do not have a hosted zone in Route 53, setup one now.
Step 1: Generate a Certificate
Before we start on on the CloudFront configuration, we need a certificate for our domain. Start by navigating to Certificate Manager in AWS.
Start with Request a certificate and select Request a public certificate.
Add the domain you want to the certificate. In my case I am using kibana.<mydomain>.com as my dashboard name. You may want to add any additional names you have in your domain.
Use DNS validation, as we are using Route 53.
Continue through and hit the Review button. Check that everything is in order and click Confirm and request.
In the Validation screen, select the drop down of your domain. Select the Create Record in Route 53 button.
This will create a new entry in your Route 53 hosted zone. You should see it change status to issued shortly.
Step 2: Create a CloudFront Distribution
Go to CloudFront in AWS and select Create Distribution
We want to create a Web distribution, so under Web, hit the Get Started button.
The Origin Domain Name is the Public DNS of your proxy server you setup previously in part 4. Alternatively it will be your Kibana server, or whatever server you would like to use CloudFront for.
Note: It may change, depending on what you are using. You can either use an Elastic IP on your instance, never turn off the instance, or update it when you turn it off.
Origin path is blank in our case.
Ensure Origin Protocol Policy is HTTP Only, as we are only using HTTP to the proxy endpoint.
Cache Behavior Configuration
In Default Cache Behavior, change Viewer Protocol Policy to Redirect HTTP to HTTPS
Set the Allowed HTTP Methods to all. GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE.
Select “Use a cache policy and origin request policy” in Cache and origin request settings. Select the Managed-CachingDisabled for the Cache Policy, and Managed-AllViewer for the Origin Request Policy.
Everything else in Cache can be left as defaults.
In Distribution Settings, you can change the price class if you want. I find that for the traffic I use, the difference is negligible.
Add your Alternate Domain Names (CNAMEs) from before, in my case it is kibana.<mydomain>.com
Select Custom SSL Certificate, and in the drop down you should see the certificate you created earlier. If you do not see it you can copy in the “Identifier” field from Certificate Manager in your certificate.
Ensure Custom SSL Client Support is the default: “Clients that Support Server Name Indication (SNI) – (Recommended)” You probably do not want to spend the money on legacy support of $600 a month.
It should be ok to leave everything else as default.
Create the Distribution
Finally hit the create distribution button.
Step 3: Setup Route 53
Now that we have a distribution, we need to setup the DNS entry for it.
Go to Route 53, and navigate to your hosted zone. Select create record and use simple routing.
Click next, and then click define simple record. We are going to create an A record for our CloudFront distribution.
Setup your simple record with the DNS name you have been using throughout, in my case kibana.domain.com.
Select Alias to CloudFront distribution, your region and the drop down should contain the CloudFront you created. As per below image:
Hit the Define Simple record button, and then Create records.
You should now see your record in your Route 53 hosted zone pointing to your Cloudfront Distribution.
Step 4: Setup Security Groups for CloudFront
Now the issue is your CloudFront wont be allowed to connect to your proxy, depending on how you setup your security groups, so we are going to need a way to allow CloudFront to connect just to the proxy, and nothing else.
I would suggest you checkout my guide and the next part in the series Securing CloudFront with Security Groups for the best way to do this.
Any thoughts, concerns, mistakes? Let me know in the comments or via the Contact page.
2 thoughts on “Creating an Internet Accessible Kibana With CloudFront”
This is a handy guide series. I’ll be using it for sure, thanks!
Sure, thanks for the comment.