How to Add Multiple Elastic IP to EC2 in the AWS for Multiple SSL Certificates

There are a few concepts you should probably understand right off the bat. Firstly, Amazon Web Services only allows five public IP addresses to be associated with a single EC2 instance. This is not necessarily a punishing or truly restrictive move on their part. The truth is that if you are trying to attach more than five public IPs to a single EC2 instance, then you are probably doing something wrong.

However, Amazon understands that there may be a reason you truly do need more, so this is actually more of a soft limit. Once you have reached five Elastic IPs, you can request more. You’ll have to present your case for doing so, but I have yet to hear of them turning anyone down who had a legitimate need for such a project.

Now, the second piece of the puzzle has been the transition from their legacy systems to the new VPC model. While it’s definitely caused some headaches, particularly for transition teams (whew, tell me about it!), this is ultimately a good thing for everyone. Because of Amazon’s push towards this end, you’ll ideally want your instance under VPC, and likewise the Elastic IPs that you’ll be requesting should be in the VPC domain.

Public IPs can only be associated with a single network interface. So if you need 4 public IP associations, then you’ll need 4 network interfaces on that instance. Simple 1:1 ratio.

Once you’ve understood those basics and gotten them out of the way, actually accomplishing what you need is a relatively straightforward process.

For each public IP you will need to:

  1. Allocate a New Elastic IP Address (EC2 Dashboard -> Network & Security -> Elastic IPs -> Allocate New Address -> Select VPC -> Allocate)
  2. Create a new network interface. (EC2 Dashboard -> Network & Security -> Network Interfaces -> Create Network Interface -> Enter Settings -> Yes, Create)
    1. I usually choose the name of the network adapter as the description (e.g. eth1)
    2. Be sure that your Subnet and Security Group match those of the EC2 Instance
  3. Attach the network interface to the EC2 Instance (right-click -> Attach)
  4. Associate the Elastic IP address with the new Network Interface of the EC2 Instance.

Voila! You now have multiple public IP addresses attached to your EC2 instance.

Depending on your operating system you might have to do extra work, although I’ve never had any issues in any Linux distribution; it’s usually been a flawless effort. (In fact, I don’t recall even needing to do a reboot!)

After that you can freely assign your SSL certificates to their new IP addresses (and of course update your DNS server information to reflect the new Public IPs).

Personally I recommend using Let’s Encrypt by the ISRG foundation. It’s a way to acquire free SSL certificates from a certificate authority (CA) with extremely little hassle. If you are using their scripts in Linux, it’s the most painless SSL certificate process I have ever been through (and I’ve been through quite a few nightmare ones).

I could not possibly recommend them more.

From there, you merely need to update your Apache2 configuration to take advantage of the multiple certificates (you’ll be assigning them individually per virtual host, i.e. per `<VirtualHost>` block, as opposed to in the global settings).
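As an added example (not from the original post), here is what that per-virtual-host layout looks like: one `<VirtualHost>` bound to each interface, each with its own Let’s Encrypt certificate. It assumes two ENIs with private IPs 10.0.1.10 (eth0) and 10.0.1.11 (eth1), placeholder hostnames example.com and example.org, and certificates issued by Let’s Encrypt into the default `/etc/letsencrypt/live/<hostname>/` paths; note that inside a VPC the OS never sees the Elastic IP itself, since AWS NATs it 1:1 to the interface’s private IP, so Apache binds to the private addresses.

```apache
# Added example, not the post's own config. Placeholder addresses and
# hostnames; adjust to your ENIs' private IPs and your own domains.
#
# Bind each port/address pair explicitly. Replace the distro's default
# "Listen 443" (ports.conf on Debian/Ubuntu) with these lines rather than
# adding to it: overlapping Listen directives make Apache fail to start
# with "Address already in use".
Listen 10.0.1.10:443
Listen 10.0.1.11:443

# Reasonable TLS floor for both hosts; set once globally.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

# First Elastic IP (NAT'd to eth0, 10.0.1.10) serves example.com
<VirtualHost 10.0.1.10:443>
    ServerName example.com
    DocumentRoot /var/www/example.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>

# Second Elastic IP (NAT'd to eth1, 10.0.1.11) serves example.org
<VirtualHost 10.0.1.11:443>
    ServerName example.org
    DocumentRoot /var/www/example.org
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.org/privkey.pem
</VirtualHost>
```

After `apachectl configtest` and a reload, confirm from outside the VPC that each Elastic IP presents the expected certificate, for example with `openssl s_client -connect <elastic-ip>:443` and checking the subject of the certificate returned.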

Belisarius Smith consults as a software engineer, cloud engineer, and security advisor. He has a BSBA in Security Management, a Masters of Software Engineering from Penn State, and is doing graduate studies in Psychology. When he isn't traveling, mountain climbing, or reading, he spends his spare time on personal side projects and studies.
