Difference between revisions of "Deploy .NET to AWS"

From MgmtWiki
Jump to: navigation, search
(Debugging)
(Solutions)
Line 14: Line 14:
 
* Elastic Beanstalk (EB) automates some of the deployment and expansion services for EC2. [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_NET.html Creating and Deploying Elastic Beanstalk Applications in .NET Using AWS Toolkit for Visual Studio.]
 
* Elastic Beanstalk (EB) automates some of the deployment and expansion services for EC2. [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_NET.html Creating and Deploying Elastic Beanstalk Applications in .NET Using AWS Toolkit for Visual Studio.]
 
* [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/SSLNET.SingleInstance.html Terminating HTTPS on Amazon EC2 Instances Running .NET] on single instances (not behind a load balancer.)
 
* [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/SSLNET.SingleInstance.html Terminating HTTPS on Amazon EC2 Instances Running .NET] on single instances (not behind a load balancer.)
 +
** On the EC2 instance you need to open HTTPS port (443). To do that, you go to https://console.aws.amazon.com/ec2/ and click on the Security Groups link on the left, then change the existing or create a new security group with also HTTPS available. It is best to select the HTTPS type to add to a security group as it will create entries for both IPV4 and IPV6 address ranges.
 
** [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html#upload-server-certificate pushing the private key to an S3 bucket.]
 
** [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html#upload-server-certificate pushing the private key to an S3 bucket.]
 
===Debugging===
 
===Debugging===

Revision as of 18:49, 14 May 2019

Full Title

Deploying a ASP.NET core website to Amazon Web Services

Context

  • Bring up a secure web site deployment with a minimum of fuss.
  • At first the challenge is getting the Web Site working well.
  • The assumption here is that the design is not fully fleshed out as the User Experience needs to be functional before it can be fully evaluated.
  • Later the problem is to get the performance to be good while the deployment expands to multiple instances.

Problems

  • The largest part of the problem is not getting the web site to run, but rather to ensure that it is secure using SSL certificates and HTTPS.

Solutions

Debugging

  • It is possible to install and run AWS PowerShell tools on your local computer to see what EC2 instances look like. (An instance is one server running the site.)
  • It is also possible to look at EB, but that requires the local computer to enable Python and PIP.
  • Windows Remote Desktop can be enabled to see what the EC2 instance really looks like. Clink here for information on Connecting to Your Windows Instance.
    • You will need to have the RDP client installed on Windows, which is common, or on other operating systems, which is uncommon.
    • You need a key pair - using AWS PowerShell these are the instructions for the EC2Key pair cmdlet if you have not already created a pem file for this purpose. You can only retrieve the private key when you create the key pair, so be sure to save the key to a file.
    • You will need to open the port on EC2 for RDP inbound traffic Adding a Rule for Inbound RDP Traffic to a Windows Instance
    • One easy way to start the RDP client is to navigate to the EC2 console, select the instance to be view and click on the "Connect" button at the top. A RDP connection string will be downloaded that you can put in a convenient place, like your desktop.
  • Easiest good access is via System Manager / Session Manager, which provides a remote PowerShell console on the targeted EC2 instance.
  • If http:// works and https:// gives "Server not found" error, then the following steps should help:
    • Run "netstat -ano" in session manager. Check that server is listening on port 443.
    • Navigate to cert store "cd Cert:\LocalMachine\my" and list certificates to be sure the SSL cert is loaded and has a key "(dir)[0] | fl *" where the index "[0]" matches the https cert.
    • Examine firewall WebServerRole rules: Show-NetFirewallRule -PolicyStore ActiveStore | % {If($_.Name -match "WebServerRole") {$_}}
    • See if there are any errors from HTTPS (Schannel): Get-EventLog -LogName "system" -Source "Schannel"
    • Try to restore an existing key and certificate:
PS Cert:\LocalMachine\my> certutil –repairstore my "EF96A6EDFE748ADA67CEFEEE6CF49DE46707EEF4"
my "Personal"
================ Certificate 0 ================
Serial Number: 8f68e93d4e66871c887b0746e69f68bb
Issuer: CN=Network Solutions DV Server CA 2, O=Network Solutions L.L.C., L=Herndon, S=VA, C=US
 NotBefore: 9/26/2018 12:00 AM
 NotAfter: 9/17/2019 11:59 PM
Subject: CN=trustregistry.us, OU=nsProtect Secure Xpress, OU=Domain Control Validated
Non-root Certificate
Cert Hash(sha1): ef96a6edfe748ada67cefeee6cf49de46707eef4
  Key Container = {7E9AF5F5-A40F-42C7-A5D0-ED58AB3A1F0B}
  Unique container name: bdbc4122a6c91f3c7d76e0f0a30150a2_c99fc568-d037-4591-84ac-a83617d2c480
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -repairstore command completed successfully.
PS Cert:\LocalMachine\my>

References