.NET Core in production (AWS): reverse proxy and ELB?
I'm about to host a number of .NET Core apps in production in AWS. After a lot of research around best practice, there is lots of advice about using a reverse proxy to handle HTTPS requests first and forward them to Kestrel. So we have configured our EC2 AMI with nginx and it works fine.
My question is: if we are using a load balancer as well, do we still need the reverse proxy? We are using the ELB to distribute traffic to our AMIs as well as for SSL termination.
Does this mean we can ditch nginx?
Probably not, unless you need a proxy to do something clever.
A common pattern is to use CloudFront (AWS CDN / reverse proxy) in front of a load balancer in front of your instances.
A CDN is basically some DNS trickery and a collection of reverse proxies distributed geographically.
You can enhance this config by plugging a WAF (web application firewall) into either the ELB or the CDN to actively block dodgy requests.
When you use CloudFront + ELB, set your security groups to only allow the ELB to access the instances and only allow CloudFront to access the ELB.
CloudFront can handle the HTTP to HTTPS redirect automatically, and you can use a free SSL certificate from AWS Certificate Manager. Assuming you prevent direct access between the internet and the ELB, and between the internet and the instances, you can offload HTTPS at CloudFront and use HTTP for your ELB & backend instances.
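An added audit helper (not from the thread) that encodes the lockdown rule the answer gives: instances accept ingress only from the ELB's security group, and the ELB only from the AWS-managed CloudFront origin-facing prefix list (whose pl- id is region-specific). All ids are placeholders and the sample groups are constructed; the input shape follows `aws ec2 describe-security-groups`.

```python
# Constructed sample data; group/prefix-list ids are placeholders, not real AWS ids.
CLOUDFRONT_PL = "pl-PLACEHOLDER-cloudfront-origin-facing"
ELB_SG_ID = "sg-PLACEHOLDER-elb"
INSTANCE_SG_ID = "sg-PLACEHOLDER-instances"


def ingress_sources(sg):
    """Yield (kind, value) for every ingress source on one security group,
    where `sg` has the shape of an `aws ec2 describe-security-groups` entry."""
    for perm in sg.get("IpPermissions", []):
        for r in perm.get("IpRanges", []):
            yield "cidr", r["CidrIp"]
        for r in perm.get("Ipv6Ranges", []):
            yield "cidr", r["CidrIpv6"]
        for g in perm.get("UserIdGroupPairs", []):
            yield "sg", g["GroupId"]
        for p in perm.get("PrefixListIds", []):
            yield "pl", p["PrefixListId"]


def audit_chain(instance_sg, elb_sg, cloudfront_pl=CLOUDFRONT_PL):
    """Return findings for ingress that bypasses CloudFront -> ELB -> instances:
    instances may only be reached from the ELB's security group, and the ELB
    only from the CloudFront origin-facing prefix list. An empty list passes."""
    findings = []
    for kind, value in ingress_sources(instance_sg):
        if (kind, value) != ("sg", elb_sg["GroupId"]):
            findings.append(f"{instance_sg['GroupId']}: {kind} {value} reaches instances directly")
    for kind, value in ingress_sources(elb_sg):
        if (kind, value) != ("pl", cloudfront_pl):
            findings.append(f"{elb_sg['GroupId']}: {kind} {value} reaches the ELB directly")
    return findings


# Locked-down pair: the ELB admits only CloudFront, the instances only the ELB SG.
GOOD_ELB_SG = {"GroupId": ELB_SG_ID, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "PrefixListIds": [{"PrefixListId": CLOUDFRONT_PL}]}]}
GOOD_INSTANCE_SG = {"GroupId": INSTANCE_SG_ID, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "UserIdGroupPairs": [{"GroupId": ELB_SG_ID}]}]}

# Misconfigured pair: both tiers are still reachable from the whole internet.
BAD_ELB_SG = {"GroupId": ELB_SG_ID, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
BAD_INSTANCE_SG = {"GroupId": INSTANCE_SG_ID, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": [{"GroupId": ELB_SG_ID}]}]}
```

Run `audit_chain` over the live output of `describe-security-groups` for the two groups; any finding means a path exists that skips CloudFront (and therefore its WAF and HTTPS termination).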