How do I terminate HTTPS traffic on Amazon EKS workloads with ACM?

Last updated: 2020-03-10

I want to terminate HTTPS traffic on Amazon Elastic Kubernetes Service (Amazon EKS) workloads with AWS Certificate Manager (ACM).

Short description

To terminate HTTPS traffic at the Elastic Load Balancing level for a Kubernetes Service object, you must:

  1. Request a public ACM certificate for your custom domain.
  2. Publish your Kubernetes service with the type field set to LoadBalancer.
  3. Specify the Amazon Resource Name (ARN) of your ACM certificate on your Kubernetes service using the annotation. The annotation allows the Kubernetes API server to associate that certificate with the Classic Load Balancer when it's created.
  4. Associate your custom domain with the load balancer.

The following resolution assumes that:

  • You have an active Amazon EKS cluster with associated worker nodes.
  • You are working with a Classic Load Balancer.

Note: If you want to use an Application Load Balancer, then you must deploy the ALB Ingress Controller. When you deploy the Ingress, you can specify the certificate with the annotation, or let the Ingress Controller auto-discover the ACM certificate based on the host value.

Note: Terminating TLS connections on a Network Load Balancer is supported only in Kubernetes 1.15 or greater.


1.    Request a public ACM certificate for your custom domain.

2.    Identify the ARN of the certificate that you want to use with the load balancer's HTTPS listener.

3.    To identify the nodes registered to your Amazon EKS cluster, run the following command in the environment where kubectl is configured:

$ kubectl get nodes

4.    In your text editor, create a deployment.yaml manifest file based on the following:

apiVersion: apps/v1
kind: Deployment
  name: echo-deployment
  replicas: 3
      app: echo-pod
        app: echo-pod
      - name: echoheaders
        imagePullPolicy: IfNotPresent
        - containerPort: 8080

5.    To create a Kubernetes Deployment object, run the following command:

$ kubectl create -f deployment.yaml

6.    To verify that Kubernetes pods are deployed on your Amazon EKS cluster, run the following command:

$ kubectl get pods

Note: The pods are labeled app=echo-pod. You can use this label as a selector for the Service object to identify a set of pods.

7.    In your text editor, create a service.yaml manifest file based on the following example. Then, edit the annotation to provide the ACM ARN from step 2.

apiVersion: v1
kind: Service
  name: echo-service
    # Note that the backend talks over HTTP. http
    # TODO: Fill in with the ARN of your certificate. arn:aws:acm:{region}:{user id}:certificate/{id}
    # Only run SSL on the port named "https" below. "https"
    app: echo-pod
  - name: http
    port: 80
    targetPort: 8080
  - name: https
    port: 443
    targetPort: 8080
  type: LoadBalancer

8.    To create a Service object, run the following command:

$ kubectl create -f service.yaml

9.    To return the DNS URL of the service of type LoadBalancer, run the following command:

$ kubectl get service

Note: If you have many active services running in your cluster, be sure to get the URL of the right service of type LoadBalancer from the command output.

10.    Open the Amazon EC2 console, and then choose Load Balancers.

11.    Select your load balancer, and then choose Listeners.

12.    For Listener ID, confirm that your load balancer port is set to 443.

13.    For SSL Certificate, confirm that the SSL certificate that you defined in the YAML file is attached to your load balancer.

14.    Associate your custom domain name with your load balancer name.

15.    In a web browser, test your custom domain with the following HTTPS protocol:

A successful response returns a webpage with details about the client, including the hostname, pod information, server values, request information, and request headers.

Did this article help?

Do you need billing or technical support?