Deploy .NET to AWS

From MgmtWiki

==Full Title==
Deploying an ASP.NET Core website to Amazon Web Services

==Context==
*Bring up a secure web site deployment with a minimum of fuss.
*At first the challenge is getting the [[Web Site]] working well.
*The assumption here is that the design is not fully fleshed out, as the [[User Experience]] needs to be functional before it can be fully evaluated.
*Later the problem is to get the performance to be good while the deployment expands to multiple instances.

==Problems==
*The largest part of the problem is not getting the web site to run, but rather ensuring that it is secure: served over HTTPS with a valid TLS (SSL) certificate whose private key the server can actually use.

==Solutions==
* Elastic Compute Cloud (EC2) was selected as the compute resource for its ease of deployment and of expansion to handle volume.
* Elastic Beanstalk (EB) automates some of the deployment and scaling work for EC2. [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_NET.html Creating and Deploying Elastic Beanstalk Applications in .NET Using AWS Toolkit for Visual Studio.]
* [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/SSLNET.SingleInstance.html Terminating HTTPS on Amazon EC2 Instances Running .NET] applies to the single-instance case used here (no load balancer in front of the instance, so the instance itself holds the certificate and terminates TLS).
** On the EC2 instance you need to allow inbound HTTPS (TCP port 443). Go to https://console.aws.amazon.com/ec2/, click the Security Groups link on the left, then edit the security group attached to the instance (or create a new one) to allow HTTPS. Select the HTTPS type in the drop-down menu rather than typing the port number, as it creates entries for both the IPv4 and IPv6 address ranges. After saving, confirm that 0.0.0.0/0 (and ::/0 for IPv6) is allowed inbound on port 443. A public web site needs this rule; nothing else on the instance should be open to 0.0.0.0/0.
** The certificate and its private key (typically a .pfx bundle) must be made available to the instance. Keep them in a private S3 bucket that only the instance's IAM role can read, with public access blocked, and never in the application's source repository. The IAM documentation on [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html#upload-server-certificate uploading a server certificate] describes the alternative of storing the certificate in IAM, which is the route for certificates used by a load balancer or CloudFront rather than by the instance itself.
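The security group rules described above (and the "site cannot be reached" item under Debugging) are easy to verify from the local computer once the AWS Tools for PowerShell are installed. The script below is an added example and is not from this wiki page: it audits every security group attached to an instance for TCP 443 being reachable from the Internet and for RDP (TCP 3389) *not* being reachable from the Internet, lists any other world-open ports, and can optionally add the 443 rule for both address families the way the console's HTTPS type does. The instance id and the `$AddMissingHttpsRule` switch are the example's own placeholders; it assumes the AWSPowerShell module with a configured profile and region.

```powershell
# Added example (not part of this wiki page). Audits the security groups attached to
# an EC2 instance for the two rules discussed above and, optionally, adds the HTTPS
# rule for both address families when it is missing.
# Assumes: AWS Tools for PowerShell (AWSPowerShell module) with a configured profile
# and region. The instance id is a placeholder.
Import-Module AWSPowerShell

$InstanceId          = 'i-0123456789abcdef0'   # placeholder: replace with your instance
$AddMissingHttpsRule = $false                  # set to $true to let the script add the 443 rule

function Get-WorldOpenRules {
    # One record per ingress rule whose source is the whole Internet (0.0.0.0/0 or ::/0).
    param([Amazon.EC2.Model.SecurityGroup]$Group)
    foreach ($perm in $Group.IpPermissions) {
        $cidrs = @($perm.Ipv4Ranges | ForEach-Object { $_.CidrIp }) +
                 @($perm.Ipv6Ranges | ForEach-Object { $_.CidrIpv6 })
        $world = @($cidrs | Where-Object { $_ -eq '0.0.0.0/0' -or $_ -eq '::/0' })
        if ($world.Count -gt 0) {
            [pscustomobject]@{
                GroupId  = $Group.GroupId
                Protocol = $perm.IpProtocol   # 'tcp', 'udp', 'icmp' or '-1' (all traffic)
                FromPort = $perm.FromPort
                ToPort   = $perm.ToPort
                Sources  = ($world -join ', ')
            }
        }
    }
}

function Test-RuleCoversTcpPort {
    # True when the rule admits TCP traffic to the given port.
    param($Rule, [int]$Port)
    if ($Rule.Protocol -eq '-1') { return $true }
    return ($Rule.Protocol -eq 'tcp' -and $Rule.FromPort -le $Port -and $Rule.ToPort -ge $Port)
}

$instance  = (Get-EC2Instance -InstanceId $InstanceId).Instances[0]
$groupIds  = @($instance.SecurityGroups | ForEach-Object { $_.GroupId })
$groups    = Get-EC2SecurityGroup -GroupId $groupIds
$worldOpen = @($groups | ForEach-Object { Get-WorldOpenRules -Group $_ })

$https = @($worldOpen | Where-Object { Test-RuleCoversTcpPort -Rule $_ -Port 443 })
$rdp   = @($worldOpen | Where-Object { Test-RuleCoversTcpPort -Rule $_ -Port 3389 })

if ($https.Count -eq 0) {
    Write-Warning "No security group on $InstanceId admits TCP 443 from the Internet; browsers will report that the site cannot be reached."
} else {
    "HTTPS (443) is reachable through: " + (($https | ForEach-Object { "$($_.GroupId) from $($_.Sources)" }) -join '; ')
}
if ($rdp.Count -gt 0) {
    Write-Warning "RDP (3389) is open to the whole Internet in $($rdp.GroupId -join ', '). Restrict it to your own address, or use Session Manager instead."
}

# Anything else open to the world deserves a look: a public web site needs 80/443 and nothing more.
$worldOpen |
    Where-Object { -not (Test-RuleCoversTcpPort -Rule $_ -Port 443) -and -not (Test-RuleCoversTcpPort -Rule $_ -Port 80) } |
    Format-Table GroupId, Protocol, FromPort, ToPort, Sources -AutoSize

if ($https.Count -eq 0 -and $AddMissingHttpsRule) {
    # Selecting the "HTTPS" type in the console creates both of these ranges; do the same here.
    $v4   = New-Object Amazon.EC2.Model.IpRange   -Property @{ CidrIp   = '0.0.0.0/0'; Description = 'HTTPS from anywhere' }
    $v6   = New-Object Amazon.EC2.Model.Ipv6Range -Property @{ CidrIpv6 = '::/0';      Description = 'HTTPS from anywhere' }
    $perm = New-Object Amazon.EC2.Model.IpPermission -Property @{
        IpProtocol = 'tcp'; FromPort = 443; ToPort = 443; Ipv4Ranges = @($v4); Ipv6Ranges = @($v6)
    }
    Grant-EC2SecurityGroupIngress -GroupId $groupIds[0] -IpPermission $perm
    "Added TCP 443 from 0.0.0.0/0 and ::/0 to $($groupIds[0])"
}
```

Run it from a local PowerShell session with `Set-AWSCredential` and `Set-DefaultAWSRegion` already done. The audit is read-only; the `Grant-EC2SecurityGroupIngress` call only runs when `$AddMissingHttpsRule` is set, and it adds the rule to the first attached group, which is the usual single-group case for an EB or hand-built instance.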
===Debugging===
* "The site cannot be reached" is typically caused by the instance's security group not allowing inbound HTTPS (port 443); Amazon's default security groups do not open it. To fix, go to the EC2 console, open the security group attached to the instance and make sure 0.0.0.0/0 (and ::/0) is allowed inbound on TCP 443.
* It is possible to install and run the [https://aws.amazon.com/powershell/ AWS Tools for PowerShell] on your local computer to see what the EC2 instances look like. (An instance is one server running the site.)
** [https://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-set-up-windows.html Setting up the AWS Tools for PowerShell on a Windows-based Computer]
** PS C:\> Import-Module AWSPowerShell
** PS C:\> Get-AWSPowerShellVersion
* It is also possible to look at EB from the command line (the EB CLI), but that requires Python and pip on the local computer.
* Windows Remote Desktop can be enabled to see what the EC2 instance really looks like. Click [https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html?icmpid=docs_ec2_console here for information on Connecting to Your Windows Instance].
** You will need an RDP client. It is included with Windows; on other operating systems it usually has to be installed separately.
** You need a key pair. If you have not already created a .pem file for this purpose, [https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2KeyPair.html these are the instructions for the New-EC2KeyPair cmdlet] in AWS PowerShell. '''You can only retrieve the private key when you create the key pair''', so be sure to save it to a file. That file is what decrypts the instance's Administrator password, so protect it like any other credential.
** You will need to allow inbound RDP traffic (TCP 3389) in the security group: [https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/authorizing-access-to-an-instance.html Adding a Rule for Inbound RDP Traffic to a Windows Instance]. Restrict the source to your own IP address or range rather than 0.0.0.0/0; an RDP port open to the whole Internet attracts password-guessing attempts almost immediately, and the rule should be removed again when you are done.
** One easy way to start the RDP client is to navigate to the EC2 console, select the instance to be viewed and click the "Connect" button at the top. An RDP connection file (.rdp) will be downloaded that you can put in a convenient place, like your desktop.
* The easiest good access is via Systems Manager / [https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html#start-sys-console Session Manager], which provides a remote PowerShell console on the targeted EC2 instance without opening any inbound port. The instance needs the SSM Agent (preinstalled on the AWS Windows Server AMIs) and an instance profile that permits Systems Manager.
* If http:// works and https:// gives a "Server not found" or connection error, the following steps should help:
** Run "netstat -ano" in the Session Manager console and check that something is listening on port 443 (for IIS the owner is the System process, PID 4, because HTTP.sys does the listening).
** Navigate to the certificate store ("cd Cert:\LocalMachine\My") and list the certificates to be sure the TLS certificate is loaded and has a private key: "(dir)[0] | fl *", where the index "[0]" matches the HTTPS certificate. HasPrivateKey must be True and NotAfter must still be in the future.
** Examine the firewall WebServerRole rules: Show-NetFirewallRule -PolicyStore ActiveStore | % { If ($_.Name -match "WebServerRole") { $_ } }
** See if there are any errors from HTTPS (Schannel): Get-EventLog -LogName "System" -Source "Schannel"
** Try to re-associate an existing certificate with its private key. The argument is the SHA-1 thumbprint of the HTTPS certificate; a successful run ends with "Encryption test passed", meaning the key was found and works:
<pre>
PS Cert:\LocalMachine\my> certutil -repairstore my "EF96A6EDFE748ADA67CEFEEE6CF49DE46707EEF4"
my "Personal"
================ Certificate 0 ================
Serial Number: 8f68e93d4e66871c887b0746e69f68bb
Issuer: CN=Network Solutions DV Server CA 2, O=Network Solutions L.L.C., L=Herndon, S=VA, C=US
 NotBefore: 9/26/2018 12:00 AM
 NotAfter: 9/17/2019 11:59 PM
Subject: CN=trustregistry.us, OU=nsProtect Secure Xpress, OU=Domain Control Validated
Non-root Certificate
Cert Hash(sha1): ef96a6edfe748ada67cefeee6cf49de46707eef4
  Key Container = {7E9AF5F5-A40F-42C7-A5D0-ED58AB3A1F0B}
  Unique container name: bdbc4122a6c91f3c7d76e0f0a30150a2_c99fc568-d037-4591-84ac-a83617d2c480
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -repairstore command completed successfully.
PS Cert:\LocalMachine\my>
</pre>
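The https-only failure checklist above can be run as one script on the instance, in a Session Manager console or an RDP session. The script below is an added example and is not from this wiki page: it checks the 443 listener, the certificate (presence, expiry, private key), the IIS https binding and the SSL binding that ties it to the certificate, the Windows Firewall rule and recent Schannel errors, then prints an OK/FAIL table. It assumes IIS with the WebAdministration module (present on the Elastic Beanstalk Windows platform); the thumbprint, the `$SiteName` and the `$RepairBinding` switch are the example's own placeholders.

```powershell
# Added example (not part of this wiki page). Run on the EC2 instance (Session Manager
# console or RDP) when http:// works but https:// does not. Walks the checklist above
# and prints OK/FAIL per step. Assumes IIS with the WebAdministration module; the
# thumbprint is a placeholder for the HTTPS certificate in Cert:\LocalMachine\My.
Import-Module WebAdministration

$Thumbprint    = 'EF96A6EDFE748ADA67CEFEEE6CF49DE46707EEF4'   # placeholder: replace with yours
$SiteName      = 'Default Web Site'                           # IIS site that should serve https
$RepairBinding = $false                                       # $true: add the https binding if missing

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
}

# 1. Listener: IIS binds through HTTP.sys, so the owning process is System (PID 4).
$listen = @(Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue)
Add-Result 'Port 443 listening' ($listen.Count -gt 0) $(if ($listen.Count) { "owning PID $($listen[0].OwningProcess)" } else { 'nothing listening; see binding check' })

# 2. Certificate present, not expired, private key attached.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) {
    Add-Result 'Certificate in LocalMachine\My' $false "no certificate with thumbprint $Thumbprint"
} else {
    Add-Result 'Certificate in LocalMachine\My' $true $cert.Subject
    Add-Result 'Certificate not expired' ($cert.NotAfter -gt (Get-Date)) "NotAfter $($cert.NotAfter)"
    Add-Result 'Private key attached' $cert.HasPrivateKey $(if ($cert.HasPrivateKey) { 'HasPrivateKey = True' } else { "run: certutil -repairstore my $Thumbprint" })
}

# 3. IIS https binding on 443, and the SSL binding that ties the listener to this certificate.
$binding = @(Get-WebBinding -Name $SiteName -Protocol https | Where-Object { $_.bindingInformation -like '*:443:*' })
Add-Result "https binding on $SiteName" ($binding.Count -gt 0) ($binding.bindingInformation -join ', ')
$ssl = @(Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 })
Add-Result 'SSL binding uses this certificate' ($ssl.Thumbprint -contains $Thumbprint) ('bound thumbprints: ' + ($ssl.Thumbprint -join ', '))

# 4. Windows Firewall: the IIS role rule for HTTPS must be enabled inbound.
$fw = @(Get-NetFirewallRule -PolicyStore ActiveStore | Where-Object {
        $_.Name -match 'WebServerRole-HTTPS' -and $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' })
Add-Result 'Firewall allows HTTPS in' ($fw.Count -gt 0) ($fw.Name -join ', ')

# 5. Recent Schannel errors (unusable key, protocol or cipher mismatch) in the System log.
$errs = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Level = 2; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue)
Add-Result 'No Schannel errors (24h)' ($errs.Count -eq 0) $(if ($errs.Count) { "latest: $($errs[0].Message.Split("`n")[0])" } else { 'none' })

$results | Format-Table Check, Ok, Detail -AutoSize -Wrap

# Optional repair: certificate and key are fine but IIS has no https binding for the site.
if ($RepairBinding -and $cert -and $cert.HasPrivateKey -and $binding.Count -eq 0) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
    # IIS:\SslBindings\<ip>!<port> attaches the certificate to the listener (0.0.0.0 = all IPv4 addresses).
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
    "Added https binding on $SiteName using $Thumbprint"
}
```

Read the table top to bottom: a FAIL on the private-key row is the case the certutil -repairstore command above fixes; a FAIL on the SSL-binding row with a healthy certificate is what the optional repair addresses; a FAIL on the firewall or listener row with everything else OK points at the instance rather than the certificate.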
 
==References==

[[Category:Best Practice]]

Latest revision as of 15:00, 22 July 2020
