Add endpoints

Endpoints represent the FQDN or the IP address that clients connect to. An endpoint can be internal, that is, reachable only from within the VPC, so that only clients on the internal network can access the application. If an external endpoint is selected, any client can access the application over the internet.

The FQDN can be auto-allocated or user-defined. Auto-allocated lets you use a DNS provider other than AWS Route 53. The auto-allocated FQDN is displayed after you deploy the application; you must then add a CNAME record in your authoritative DNS zone that maps your application's FQDN to it. User-defined lets you use AWS Route 53 as the DNS provider for your application's FQDN. You must have registered the domain with Route 53, or delegated the zone to Route 53, so that Route 53 is authoritative for it. For more information, see https://docs.aws.amazon.com/acm/latest/userguide/setup-domain.html. For example, if the registered zone is example.net and the application name is app1, then app1.example.net is the FQDN that clients connect to in order to access your app.

An endpoint must have a default content route associated with it. The route includes the conditions and a target service. If the traffic matches the condition, the request is directed to the specified service.

Choose which clients can access your application. Select Internal to deliver your application privately within the VPC; only clients within the data center or VPC can access it. Select External to deliver your application publicly; any client on the internet can access it.

Also specify the FQDN generation mode. Select Auto-allocated if you want to use a DNS provider other than Route 53 to host your application’s FQDN. The auto-allocated application FQDN is displayed in the Application dashboard after the application is deployed; in your DNS provider, create a CNAME record that maps your application’s FQDN to the auto-allocated FQDN. Select User-defined if you want to use Route 53 as the DNS provider for your application’s FQDN. The DNS zone for the application FQDN must already be hosted in Route 53. Define an FQDN for the application; it is configured in Route 53 automatically during application deployment.

You can create or select an endpoint.

Follow these steps to select an endpoint.

  1. Navigate to Applications > New Application.
  2. Specify basic details, such as the name of the application, the environment, and the services. For more information, see Deliver an application.
  3. Click Select.
  4. In the Select Endpoint page, select an endpoint from the list and click Add.

Follow these steps to create an endpoint.

  1. Navigate to Applications > New Application.
  2. Specify basic details, such as the name of the application, the environment, and the services. For more information, see Deliver an application.
  3. Click Create.
  4. Specify values for the following parameters:
    • Name
    • Access: Specify Internal or External.
    • FQDN: Specify Auto allocated or User defined.
    • Protocol: Specify HTTP or HTTPS. If you select HTTPS, you must add a certificate and can optionally add an SSL policy to get an A+ rating for your application. For more information, see Add an SSL certificate. You can select one or more existing certificates from the list. Select Auto Redirect HTTP traffic to HTTPS so that clients that arrive over plain HTTP are redirected to the HTTPS endpoint instead of communicating in cleartext.
    • Port
  5. Click Create.

    Create endpoint

  6. (Optional) To add a route based on some conditions click Add. Specify a name, condition, and a target service. Click Add.

    Add a route

    Conditions, the operators each supports, and the values they take are listed below:

    • HTTP Request URL: matches against the URL path of an HTTP request.
      Operators: Contains, Equals, Startswith, Endswith, Not contains, Not equals, Not startswith, Not endswith
      Values: URL Path
    • HTTP Request URL Suffix: matches against the suffix of the request URL (the part after the last dot, such as a file extension).
      Operators: Contains, Equals, Startswith, Endswith, Not contains, Not equals, Not startswith, Not endswith
      Values: URL Suffix Value
    • HTTP Request Method: matches the HTTP method of the request.
      Operators: Equals, Not equals
      Values: GET, PUT, POST, DELETE
    • Client IP Address: matches the client’s source IP address in the TCP/IP packet.
      Operators: Between, Equals, Insubnet, Not between, Not equals, Not insubnet
      Values: IP Addresses, Subnet IP Addresses, Range Start, Range End
    • Client TCP Address Source Port: matches the client’s source port in the TCP/IP packet.
      Operators: Equals
      Values: TCP Source Ports
    • Client TCP Address MSS: matches the maximum segment size (MSS) advertised by the client in the TCP/IP packet.
      Operators: Greater than
      Values: TCP MSS
    • HTTP Request Header: checks whether the HTTP request carries a specific header, optionally with a specific value.
      Operators: Contains, Exists, Not contains, Not exists
      Values: Header Names, Header Value
    • HTTP Request Hostname: matches the host name in the HTTP request.
      Operators: Contains, Equals, Startswith, Endswith, Not contains, Not equals, Not startswith, Not endswith
      Values: Hostname Values
    • HTTP API Resource Path: matches the URL path of an HTTP-based API request.
      Operators: Equals, Not equals, Startswith
      Values: URL Path
  7. To add a default route, select a service from the Default Content route list. Click Add Default Content route. Requests that do not match any route condition are forwarded to this service.

    Default route
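To make the route evaluation concrete, the following added example models the conditions from the table above as a small first-match evaluator run over constructed requests. It is example code written for this page, not the CADS routing engine; the service names, the route order and the assumption that conditional routes are tried in the listed order before the default route are all illustrative, and the operator semantics (including the Not, Insubnet and Between forms) are this model's reading of the table.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    """Constructed stand-in for the request data a content route sees."""
    path: str
    method: str
    host: str
    client_ip: str
    src_port: int = 0
    headers: dict = None

    def __post_init__(self):
        # Header names are case-insensitive; normalise them once.
        self.headers = {k.lower(): v for k, v in (self.headers or {}).items()}


def _suffix(path):
    """Suffix of the last path segment ('' when there is none)."""
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1] if "." in last else ""


# Condition name (as in the table) -> value extracted from the request.
FIELDS = {
    "HTTP Request URL": lambda r: r.path,
    "HTTP Request URL Suffix": lambda r: _suffix(r.path),
    "HTTP Request Method": lambda r: r.method,
    "HTTP Request Hostname": lambda r: r.host,
    "HTTP API Resource Path": lambda r: r.path,
    "Client IP Address": lambda r: r.client_ip,
    "Client TCP Address Source Port": lambda r: r.src_port,
    "HTTP Request Header": lambda r: r.headers,
}


def matches(op, actual, expected):
    """Evaluate one operator; a 'Not ...' operator inverts its base form."""
    op = op.lower()
    negate = op.startswith("not ")
    if negate:
        op = op[4:]
    if isinstance(actual, dict):            # HTTP Request Header: expected = (name, value)
        name, value = expected
        present = name.lower() in actual
        hit = present if op == "exists" else (present and value in actual[name.lower()])
    elif op == "equals":
        hit = actual == expected
    elif op == "contains":
        hit = expected in actual
    elif op == "startswith":
        hit = actual.startswith(expected)
    elif op == "endswith":
        hit = actual.endswith(expected)
    elif op == "insubnet":
        hit = ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    elif op == "between":                   # expected = (range start, range end)
        lo, hi = (ipaddress.ip_address(x) for x in expected)
        hit = lo <= ipaddress.ip_address(actual) <= hi
    elif op == "greater than":
        hit = actual > expected
    else:
        raise ValueError(f"unsupported operator: {op}")
    return hit != negate


@dataclass
class Route:
    name: str
    conditions: list      # [(condition, operator, value), ...]; all must hold
    service: str


def select_service(routes, default_service, req):
    """Routes are tried in order; the first whose conditions all hold wins.
    A request that matches no route goes to the default content route."""
    for route in routes:
        if all(matches(op, FIELDS[cond](req), val) for cond, op, val in route.conditions):
            return route.service
    return default_service


# Constructed example policy; service names are hypothetical.
ROUTES = [
    Route("health", [("HTTP Request Header", "Contains", ("User-Agent", "HealthChecker"))], "health-svc"),
    Route("api-writes", [("HTTP Request URL", "Startswith", "/api/"),
                         ("HTTP Request Method", "Not equals", "GET")], "api-write-svc"),
    Route("api-reads", [("HTTP Request URL", "Startswith", "/api/")], "api-read-svc"),
    Route("static", [("HTTP Request URL Suffix", "Equals", "css")], "static-svc"),
    Route("admin-internal", [("HTTP Request URL", "Startswith", "/admin"),
                             ("Client IP Address", "Insubnet", "10.0.0.0/8")], "admin-svc"),
]
DEFAULT_SERVICE = "web-svc"


def demo():
    """Route a handful of constructed requests; returns the chosen services."""
    reqs = [
        Request("/", "GET", "app1.example.net", "198.51.100.9", headers={"User-Agent": "ELB-HealthChecker/2.0"}),
        Request("/api/orders", "POST", "app1.example.net", "203.0.113.5"),
        Request("/api/orders", "GET", "app1.example.net", "203.0.113.5"),
        Request("/assets/site.css", "GET", "app1.example.net", "203.0.113.5"),
        Request("/admin/users", "GET", "app1.example.net", "10.1.2.3"),
        Request("/admin/users", "GET", "app1.example.net", "203.0.113.5"),  # outside 10/8: default route
    ]
    return [select_service(ROUTES, DEFAULT_SERVICE, r) for r in reqs]


if __name__ == "__main__":
    print(demo())
```

The last request is the one to notice: an /admin request from outside 10.0.0.0/8 matches no route, so it is forwarded to the default content route, not dropped. Content routes only choose a target service; a condition on Client IP Address is not an access control, and the order in which routes are listed decides which of several matching routes wins.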

You have completed the steps to create an endpoint. Choose one of the following options:

  • Click Next to configure a load balancer, content rules, and security protection.
  • Click Deploy to start application delivery.

Add an SSL certificate

Add an SSL certificate if you select the HTTPS protocol. You can add an SSL certificate in the endpoint workflow or by using the SSL Certificate Manager. For more information about the SSL Certificate Manager, see Manage SSL certificates.

Add an SSL certificate while adding an endpoint

  1. Click Add SSL Certificate.
  2. In the Select SSL Certificates page, click Create SSL Certificate.
  3. In the Create SSL Certificate page, type a certificate name.
  4. Browse to the location of the certificate and key file on your computer.
  5. If the key is encrypted, add a password.
  6. To add the certificate in the certificate chain, select Add certificate in certificate chain.
  7. Click Create.

Get an A+ rating from Qualys SSL Labs

Perform the following actions to get an A+ rating from Qualys SSL Labs for your applications.

  1. Click Add SSL Policy.
  2. In the Create SSL Policy page, type a name for the policy.
  3. Select A+ Security.
  4. Click Create.

Configure client authentication or mutual TLS (mTLS)

In a typical TLS (SSL) handshake, the client that connects to a server over a secure connection verifies the server’s identity by checking the server’s certificate. Sometimes, however, you also want the server to authenticate the client that is connecting to it.

With client authentication enabled, the CADS service requests a client certificate during the TLS handshake. The service checks the certificate presented by the client against the usual constraints, such as a valid signature from a trusted issuer and the expiration date.

If the certificate is valid, the service allows the client to access the secured resources. If the certificate is invalid, the service rejects the client request during the TLS handshake.

You can add an SSL certificate at the time of enabling client authentication, or select from an existing certificate in the certificate store.

  1. Click Configure SSL Settings.

    Configure SSL settings

  2. In the Select SSL Settings page, click Create.
  3. In the Create SSL Policy page, select Client Authentication and click Create.

    Create SSL policy

  4. Select the SSL policy and click Add.
  5. Add the CA certificate that issued your clients’ certificates, and then click Create. Note: An SSL certificate is required if the HTTPS protocol is selected.
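The following added example reproduces, on loopback, the check described above: a server that requests a client certificate during the handshake and accepts only certificates chaining to the CA it trusts (the CA certificate you add in step 5). It is illustrative code written for this page, not the CADS service's implementation. It builds a constructed throwaway PKI with the openssl command-line tool (assumed to be installed), uses hypothetical names such as trusted-ca and rogue-client, and turns off server hostname checking only because the constructed server certificate has no subject alternative name.

```python
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(*args):
    subprocess.run(("openssl",) + args, check=True, capture_output=True)


def make_pki(d):
    """Constructed test PKI in directory d: a trusted CA and an unrelated
    (rogue) CA, a server cert and a client cert from the trusted CA, and a
    client cert from the rogue CA. Assumes the openssl CLI is installed."""
    def ca(name):
        _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "30",
                 "-subj", f"/CN={name}", "-keyout", f"{d}/{name}.key", "-out", f"{d}/{name}.crt")

    def leaf(name, issuer, cn):
        _openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}",
                 "-keyout", f"{d}/{name}.key", "-out", f"{d}/{name}.csr")
        _openssl("x509", "-req", "-days", "30", "-in", f"{d}/{name}.csr",
                 "-CA", f"{d}/{issuer}.crt", "-CAkey", f"{d}/{issuer}.key",
                 "-CAcreateserial", "-out", f"{d}/{name}.crt")

    ca("trusted-ca")
    ca("rogue-ca")
    leaf("server", "trusted-ca", "localhost")
    leaf("good-client", "trusted-ca", "alice")
    leaf("rogue-client", "rogue-ca", "mallory")


def mtls_handshake(d, client):
    """Run one TLS handshake on loopback. The server requires a client
    certificate that chains to trusted-ca, like the service with client
    authentication enabled. Returns the verified client CN, or None when
    the server rejected the client during the handshake."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(f"{d}/server.crt", f"{d}/server.key")
    srv.verify_mode = ssl.CERT_REQUIRED                 # request and verify a client cert
    srv.load_verify_locations(f"{d}/trusted-ca.crt")    # the CA certificate from step 5

    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.load_verify_locations(f"{d}/trusted-ca.crt")
    cli.check_hostname = False                          # constructed server cert has no SAN
    cli.load_cert_chain(f"{d}/{client}.crt", f"{d}/{client}.key")

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    outcome = {}

    def serve():
        conn, _ = listener.accept()
        try:
            with srv.wrap_socket(conn, server_side=True) as tls:   # handshake happens here
                subject = dict(x[0] for x in tls.getpeercert()["subject"])
                outcome["cn"] = subject["commonName"]
                tls.recv(1)
        except OSError as exc:                          # ssl.SSLError is an OSError
            outcome["error"] = str(exc)

    t = threading.Thread(target=serve)
    t.start()
    try:
        with socket.create_connection(listener.getsockname()) as raw, \
                cli.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(b"x")
    except OSError:
        pass                                            # a rejected client sees an alert or reset
    t.join()
    listener.close()
    return outcome.get("cn")


def demo():
    """Accept a client from the trusted CA; reject one from the rogue CA."""
    with tempfile.TemporaryDirectory() as d:
        make_pki(d)
        return {c: mtls_handshake(d, c) for c in ("good-client", "rogue-client")}


if __name__ == "__main__":
    print(demo())
```

The rogue client's certificate is well-formed and unexpired; it is rejected purely because its issuer signature does not chain to the CA the server trusts, and the rejection happens inside the handshake before any application data is accepted. The same verifier also enforces the validity period, so an expired certificate from the trusted CA fails in the same place.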