How to use AWS ACM properly?

232 views

We have everything for our infrastructure set up in us-west-2. We have an SSL cert set up in us-east-1. It's required to be in this region by API Gateway.

In us-west-2 we are using the certificate in API Gateway just fine. We would like to use it on our ELB as well. But the ELB requires the ACM certificate to be in the same region.

The certificate is a *.domain.com so it works with all our subdomains. What is the proper way to use the certificate with both API Gateway and ELB?

1

There is 1 answer

4
Jamie Starke

This is a scenario that I've come across many times. API Gateway with ACM actually creates a CloudFront Distribution behind the scenes (See Set up Custom Domain Name for API Host Name). CloudFront runs out of AWS Global, which is in the us-east-1 region.

The limitation here is that ELB requires the certificate to be in the same region as the ELB.

The good news is that you can create a second wildcard certificate in us-west-2 and use that in the ELB, as ACM doesn't care about duplicate domains across certificates.

If you absolutely need the ELB and API Gateway to use the same certificate, the only option I'm aware of would be to move your infrastructure into us-east-1. Having two certificates seems like the much better option in my opinion.
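The two-certificate approach from the answer above, scripted with the AWS CLI. This is an added example, not code from the original question or answer. It assumes AWS CLI v2 with credentials that can call ACM and ELBv2, a hypothetical ALB listener ARN in us-west-2, the placeholder account 123456789012 and domain *.domain.com; the ARN-region helpers at the top are what you would use to catch the "certificate in the wrong region" mistake before attaching anything:

```shell
#!/bin/sh
# Added example (not from the original Q&A). Assumptions:
#  - AWS CLI v2 is configured with rights for acm:* and elasticloadbalancing:*.
#  - LISTENER_ARN, the account id and *.domain.com are hypothetical placeholders.
set -eu

# Region field of any ARN: arn:partition:service:region:account:resource
arn_region() {
    printf '%s' "$1" | cut -d: -f4
}

# Which region a certificate must live in for a given consumer:
#   apigw-edge          -> us-east-1 (edge-optimized API Gateway custom domains
#                          terminate TLS on CloudFront, which reads ACM in us-east-1)
#   elb:<listener ARN>  -> the load balancer's own region
required_cert_region() {
    case "$1" in
        apigw-edge) echo us-east-1 ;;
        elb:*)      arn_region "${1#elb:}" ;;
        *)          echo "unknown consumer: $1" >&2; return 1 ;;
    esac
}

# Exit 0 if the certificate ARN is in the region the consumer needs, 1 otherwise.
cert_fits() {
    cert_arn=$1; consumer=$2
    [ "$(arn_region "$cert_arn")" = "$(required_cert_region "$consumer")" ]
}

# Request a second wildcard certificate in the given region and print its ARN.
# ACM allows the same names on certificates in different regions.
request_wildcard() {
    region=$1; domain=$2
    aws acm request-certificate --region "$region" \
        --domain-name "$domain" --validation-method DNS \
        --query CertificateArn --output text
}

# Print the CNAME name and value ACM wants in DNS to prove control of the domain.
validation_record() {
    region=$1; cert_arn=$2
    aws acm describe-certificate --region "$region" --certificate-arn "$cert_arn" \
        --query 'Certificate.DomainValidationOptions[0].ResourceRecord.[Name,Value]' \
        --output text
}

# Make the certificate the default on an existing HTTPS listener.
# (Use add-listener-certificates instead to add it to the SNI list.)
attach_to_listener() {
    region=$1; listener_arn=$2; cert_arn=$3
    aws elbv2 modify-listener --region "$region" \
        --listener-arn "$listener_arn" --certificates "CertificateArn=$cert_arn"
}

# The AWS calls only run when ACM_DEMO_RUN=1, so the helpers can be sourced safely.
if [ "${ACM_DEMO_RUN:-0}" = 1 ]; then
    # Hypothetical listener ARN; replace with your own.
    LISTENER_ARN='arn:aws:elasticloadbalancing:us-west-2:123456789012:listener/app/web/50dc6c495c0c9188/f2f7dc8efc522ab2'
    ELB_REGION=$(arn_region "$LISTENER_ARN")

    CERT_ARN=$(request_wildcard "$ELB_REGION" '*.domain.com')
    echo "Create this CNAME in DNS, then wait for the certificate to be ISSUED:"
    validation_record "$ELB_REGION" "$CERT_ARN"
    aws acm wait certificate-validated --region "$ELB_REGION" --certificate-arn "$CERT_ARN"

    # Refuse to attach a certificate from the wrong region (ELB rejects it anyway,
    # but checking up front gives a clear error instead of an API failure).
    if cert_fits "$CERT_ARN" "elb:$LISTENER_ARN"; then
        attach_to_listener "$ELB_REGION" "$LISTENER_ARN" "$CERT_ARN"
    else
        echo "certificate $CERT_ARN is not in $ELB_REGION" >&2
        exit 1
    fi
fi
```

The us-east-1 certificate stays on the API Gateway custom domain; the script only creates and attaches the regional copy. Both certificates cover the same names, and DNS validation for the second one reuses the same CNAME record ACM issued for the first as long as the domain and validation method match.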