This guide shows how to support HTTPS traffic to Cortex APIs via a custom domain. It is also possible to use AWS API Gateway to enable HTTPS without using your own domain (see here for instructions).

In order to create a valid SSL certificate for your domain, you must have the ability to configure DNS to satisfy the DNS challenges which prove that you own the domain. This guide assumes that you are using a Route 53 hosted zone to manage a subdomain. Follow this guide to set up a subdomain managed by a Route 53 hosted zone.

Generate an SSL certificate

To create an SSL certificate, go to the ACM console and click "Get Started" under the "Provision certificates" section.

Select "Request a public certificate" and then "Request a certificate".

Enter your subdomain and then click "Next".

Select "DNS validation" and then click "Next".

Add tags for searchability (optional) then click "Review".

Click "Confirm and request".

Click "Create record in Route 53". A popup will appear indicating that a Record is going to be added to Route 53. Click "Create" to automatically add the DNS record to your subdomain's hosted zone. Then click "Continue".

Wait for the Certificate Status to be "issued". This might take a few minutes.

Take note of the certificate's ARN. The certificate is ineligible for renewal because it is currently not being used. It will be eligible for renewal once it's used in Cortex.

Create or update your cluster

Add the following field to your cluster configuration:

# cluster.yaml
ssl_certificate_arn: <ARN of your certificate>

Create a cluster:

cortex cluster up cluster.yaml

Or update an existing cluster:

cortex cluster configure cluster.yaml

Use your new endpoint

Wait a few minutes to allow the DNS changes to propagate. You may now use your subdomain in place of your API load balancer endpoint in your client. For example, this curl request:

curl -X POST -H "Content-Type: application/json" -d @sample.json

Would become:

# add the `-k` flag or use http:// instead of https:// if you didn't configure an SSL certificate
curl -X POST -H "Content-Type: application/json" -d @sample.json


Spin down your Cortex cluster.

If you created an SSL certificate, delete it from the ACM console: