I've attempted to follow this particular document:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-tcp-passthrough.html
with no luck for my particular needs. What is required is a Layer 4 TCP passthrough from our proxy server through the ELB that does not terminate SSL until the Tomcat backend. The ingress port is TCP 443, egress is 8443. It is also necessary to utilize a custom VPC rather than the default. How can this be accomplished utilizing configuration files?
I was able to resolve this with the following config files:

https-instance-balancer.config

```json
{
  "Resources": {
    "AWSEBSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId": "vpc-xxxxxxxx",
        "GroupDescription": "EC28443Ingress",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 8443,
            "ToPort": 8443,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    },
    "AWSEBLoadBalancerSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId": "vpc-xxxxxxxx",
        "GroupDescription": "ELB443and8443Ingress",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 443,
            "ToPort": 443,
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 8443,
            "ToPort": 8443,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    },
    "AWSEBLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {
        "Listeners": [
          {
            "LoadBalancerPort": 443,
            "Protocol": "TCP",
            "InstancePort": 8443,
            "InstanceProtocol": "TCP"
          }
        ],
        "SecurityGroups": [
          {
            "Fn::GetAtt": [
              "AWSEBLoadBalancerSecurityGroup",
              "GroupId"
            ]
          }
        ]
      }
    }
  }
}
```

https-lb-passthrough.config

```json
{
  "option_settings": {
    "aws:elb:listener:443": {
      "ListenerProtocol": "TCP",
      "InstancePort": 8443,
      "InstanceProtocol": "TCP"
    },
    "aws:elb:healthcheck": {
      "Target": "TCP:8443"
    }
  }
}
```
This could probably be accomplished more easily with software such as Terraform, but that may not be an option for some.
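As an added example (not code from the answer's author or from AWS), the following script checks the two files above for the things that silently break a passthrough: the `Resources` listener and the `option_settings` listener disagreeing, a non-TCP side that would make the ELB terminate TLS, a health check on the wrong port, security group rules that do not cover 443 or 8443, and an instance security group that exposes 8443 to the world when only the ELB needs to reach it. The two config files are embedded as Python dicts (constructed copies of the answer's files, with its `vpc-xxxxxxxx` placeholder); `SourceSecurityGroupId` is the CloudFormation property that would replace the open CIDR.

```python
# Constructed sample input: the answer's two config files as Python dicts (vpc id is the answer's placeholder).
BALANCER = {"Resources": {
    "AWSEBSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"VpcId": "vpc-xxxxxxxx",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "CidrIp": "0.0.0.0/0"}]}},
    "AWSEBLoadBalancerSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"VpcId": "vpc-xxxxxxxx",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}],
        "SecurityGroupEgress": [{"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "CidrIp": "0.0.0.0/0"}]}},
    "AWSEBLoadBalancer": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": {
        "Listeners": [{"LoadBalancerPort": 443, "Protocol": "TCP", "InstancePort": 8443, "InstanceProtocol": "TCP"}],
        "SecurityGroups": [{"Fn::GetAtt": ["AWSEBLoadBalancerSecurityGroup", "GroupId"]}]}}}}
PASSTHROUGH = {"option_settings": {
    "aws:elb:listener:443": {"ListenerProtocol": "TCP", "InstancePort": 8443, "InstanceProtocol": "TCP"},
    "aws:elb:healthcheck": {"Target": "TCP:8443"}}}


def _allows(resources, group, direction, port):
    """True if any tcp rule of the named security group covers the port in that direction."""
    rules = resources[group]["Properties"].get(direction, [])
    return any(r["IpProtocol"] == "tcp" and r["FromPort"] <= port <= r["ToPort"] for r in rules)


def check_passthrough(balancer, passthrough):
    """Return findings (empty list = files agree, TLS reaches Tomcat, and nothing is over-exposed)."""
    findings, res, opt = [], balancer["Resources"], passthrough["option_settings"]
    listener = res["AWSEBLoadBalancer"]["Properties"]["Listeners"][0]
    lb_port, inst_port = listener["LoadBalancerPort"], listener["InstancePort"]
    # 1. Both files must describe a TCP listener on both sides, or the ELB terminates TLS itself.
    if listener["Protocol"] != "TCP" or listener["InstanceProtocol"] != "TCP":
        findings.append("Resources listener is not TCP on both sides: ELB would terminate TLS")
    ns = opt.get(f"aws:elb:listener:{lb_port}", {})
    if (ns.get("ListenerProtocol"), ns.get("InstancePort"), ns.get("InstanceProtocol")) != ("TCP", inst_port, "TCP"):
        findings.append(f"option_settings for listener {lb_port} disagree with the Resources listener")
    # 2. The health check must probe the instance port, otherwise instances never enter service.
    if opt.get("aws:elb:healthcheck", {}).get("Target") != f"TCP:{inst_port}":
        findings.append(f"health check does not target TCP:{inst_port}")
    # 3. 443 must reach the ELB, and the ELB must be able to reach 8443 on the instances.
    if not _allows(res, "AWSEBLoadBalancerSecurityGroup", "SecurityGroupIngress", lb_port):
        findings.append(f"ELB security group does not allow ingress on {lb_port}")
    if not _allows(res, "AWSEBLoadBalancerSecurityGroup", "SecurityGroupEgress", inst_port):
        findings.append(f"ELB security group does not allow egress on {inst_port}")
    if not _allows(res, "AWSEBSecurityGroup", "SecurityGroupIngress", inst_port):
        findings.append(f"instance security group does not allow ingress on {inst_port}")
    # 4. Exposure: only the ELB needs to reach 8443, so a world-open CIDR is a hardening finding.
    for r in res["AWSEBSecurityGroup"]["Properties"].get("SecurityGroupIngress", []):
        if r.get("CidrIp") == "0.0.0.0/0" and "SourceSecurityGroupId" not in r:
            findings.append(f"instance port {r['FromPort']} open to 0.0.0.0/0; use SourceSecurityGroupId of the ELB SG")
    return findings
```

Run against the answer's files it reports only the open 8443 ingress; the port and protocol checks pass, which is the state you want before deploying.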