Deploy .NET to AWS
From MgmtWiki
Full Title
Deploying an ASP.NET Core website to Amazon Web Services
Context
- Bring up a secure web site deployment with a minimum of fuss.
- At first the challenge is getting the Web Site working well.
- The assumption here is that the design is not fully fleshed out, as the user experience needs to be functional before it can be fully evaluated.
- Later the problem is keeping performance good as the deployment expands to multiple instances.
Problems
- The largest part of the problem is not getting the web site to run, but rather ensuring that it is secured with SSL certificates and HTTPS.
Solutions
- Elastic Compute Cloud (EC2) was selected as the resource for its ease of deployment and expansion to handle volume.
- Elastic Beanstalk (EB) automates some of the deployment and expansion services for EC2. Creating and Deploying Elastic Beanstalk Applications in .NET Using AWS Toolkit for Visual Studio.
- Terminating HTTPS on Amazon EC2 Instances Running .NET, for single instances (not behind a load balancer).
- On the EC2 instance you need to open the HTTPS port (443). To do that, go to https://console.aws.amazon.com/ec2/, click the Security Groups link on the left, then change the existing security group or create a new one that also allows HTTPS. It is best to select the HTTPS type when adding the rule to a security group, as it creates entries for both the IPv4 and IPv6 address ranges.
- Pushing the private key to an S3 bucket.
Debugging
- It is possible to install and run AWS PowerShell tools on your local computer to see what EC2 instances look like. (An instance is one server running the site.)
- Setting up the AWS Tools for PowerShell on a Windows-based Computer
- PS C:\> Import-Module AWSPowerShell
- PS C:\> Get-AWSPowerShellVersion
- It is also possible to look at EB, but that requires the local computer to enable Python and PIP.
- Windows Remote Desktop can be enabled to see what the EC2 instance really looks like. Click here for information on Connecting to Your Windows Instance.
- You will need the RDP client, which is installed by default on Windows but is uncommon on other operating systems.
- You need a key pair. If you have not already created a .pem file for this purpose, these are the instructions for the AWS PowerShell EC2 key pair cmdlet. You can only retrieve the private key when you create the key pair, so be sure to save the key to a file.
- You will need to open the port on EC2 for inbound RDP traffic: Adding a Rule for Inbound RDP Traffic to a Windows Instance.
- One easy way to start the RDP client is to navigate to the EC2 console, select the instance to be viewed and click the "Connect" button at the top. An RDP connection string will be downloaded that you can put in a convenient place, like your desktop.
- The easiest reliable access is via Systems Manager / Session Manager, which provides a remote PowerShell console on the targeted EC2 instance.
- If http:// works and https:// gives a "Server not found" error, then the following steps should help:
- Run "netstat -ano" in Session Manager and check that the server is listening on port 443.
- Navigate to the certificate store ("cd Cert:\LocalMachine\my") and list the certificates to be sure the SSL certificate is loaded and has a private key: "(dir)[0] | fl *", where the index "[0]" matches the HTTPS certificate.
- Examine the firewall WebServerRole rules: Show-NetFirewallRule -PolicyStore ActiveStore | % {If($_.Name -match "WebServerRole") {$_}}
- Check for HTTPS (Schannel) errors in the System log: Get-EventLog -LogName "system" -Source "Schannel"
- Try to restore the link between an existing certificate and its private key:
PS Cert:\LocalMachine\my> certutil -repairstore my "EF96A6EDFE748ADA67CEFEEE6CF49DE46707EEF4"
my "Personal"
================ Certificate 0 ================
Serial Number: 8f68e93d4e66871c887b0746e69f68bb
Issuer: CN=Network Solutions DV Server CA 2, O=Network Solutions L.L.C., L=Herndon, S=VA, C=US
 NotBefore: 9/26/2018 12:00 AM
 NotAfter: 9/17/2019 11:59 PM
Subject: CN=trustregistry.us, OU=nsProtect Secure Xpress, OU=Domain Control Validated
Non-root Certificate
Cert Hash(sha1): ef96a6edfe748ada67cefeee6cf49de46707eef4
  Key Container = {7E9AF5F5-A40F-42C7-A5D0-ED58AB3A1F0B}
  Unique container name: bdbc4122a6c91f3c7d76e0f0a30150a2_c99fc568-d037-4591-84ac-a83617d2c480
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -repairstore command completed successfully.
PS Cert:\LocalMachine\my>
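The HTTPS checks in the steps above gathered into one script, as an added example that is not from this page or from AWS. It assumes Windows PowerShell 5.1 in an elevated Session Manager console on the instance, and a host name passed as $HostName (the default is the CN from the certutil output above; both the parameter and the 30-day expiry threshold are this example's own choices).

```powershell
# Added example: one-pass HTTPS health check for an ASP.NET site on an EC2 Windows instance.
# Assumptions: Windows PowerShell 5.1, elevated session, certificate CN equals $HostName.
param([string]$HostName = "trustregistry.us")

$findings = @()

# 1. Is anything listening on TCP 443? (same question as "netstat -ano")
$listen = Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue
if (-not $listen) { $findings += "No process is listening on TCP 443." }
else { $findings += "Port 443 listener PID(s): $(($listen.OwningProcess | Sort-Object -Unique) -join ', ')" }

# 2. Is the site certificate in LocalMachine\My, does it have a private key, and is it still valid?
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$HostName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { $findings += "No certificate for $HostName found in Cert:\LocalMachine\My." }
else {
    if (-not $cert.HasPrivateKey) {
        $findings += "Certificate $($cert.Thumbprint) has no private key; try certutil -repairstore my <thumbprint>."
    }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt 0) { $findings += "Certificate $($cert.Thumbprint) EXPIRED on $($cert.NotAfter)." }
    elseif ($daysLeft -lt 30) { $findings += "Certificate $($cert.Thumbprint) expires in $daysLeft days." }
}

# 3. Is there an enabled inbound Windows Firewall rule that allows TCP 443?
$rule443 = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "443" }
if (-not $rule443) { $findings += "No enabled inbound firewall rule allows TCP 443." }

# 4. Recent Schannel errors in the System log (first line of each message only)
$schannel = Get-EventLog -LogName System -Source Schannel -EntryType Error -Newest 5 -ErrorAction SilentlyContinue
foreach ($e in $schannel) {
    $findings += "Schannel error $($e.EventID) at $($e.TimeGenerated): $($e.Message.Split("`n")[0])"
}

if ($findings.Count -eq 0) { "All HTTPS checks passed for $HostName." } else { $findings }
```

Run it as `.\Check-Https.ps1 -HostName your.site.example` from the Session Manager console; each finding names the step in the list above that it corresponds to.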