Friday, July 14, 2017

Migrating some services from AWS to Pivotal Web Services

My objective is to run some services on Pivotal Web Services (PWS; hosted instance of Pivotal Cloud Foundry), and have them respond to requests to `` at various paths. Currently these services run on AWS, along with services that respond at other subdomains of

TL;DR: this is easy enough for HTTP requests and prohibitively difficult for real HTTPS, for only one subdomain.

This posts describes some tricky bits in this process, and the bits that leave me stuck.

Prerequisites: I have PWS set up and a few apps deployed. Meanwhile all our existing infrastructure runs on AWS.

First: multiple apps responding at

The instructions tell me how to point my own domain at a single app in PWS, but I want multiple apps to serve paths from my domain. The caller should not know or care which service is responding to its request for a resource.

To do this, I set up a route in cloud foundry, with a hostname (which seems to be PCF's name for the third-from-the-right segment of the domain name, anyone know why?) that doesn't correspond to any one app.

`cf create-route jessitron --hostname satellite-of-love`

Here, jessitron is my space in PWS. is PWS's domain, this gets requests into Cloud Foundry for routing. satellite-of-love is a domain name that I like, it matches my github org.

That path is going to 404, but I have called dibs on It'll route to my jessitron space and no one else's.

Now I can make routes for each endpoint and tell it which app serves it. For the /vote endpoint on Kitty Survey, I have an app running called london, so I hook that up:

`cf map-route london --path /vote`

Now I can hit and my london app receives a request at path /vote. This is good for testing.

This part totally works with HTTPS. If you don't mind changing your clients to point to this URL, stop here.

Second: HTTP: pointing to

This is DNS setup. We happen to use AWS Route53 for this. I go into the AWS console to set up a CNAME record for -> There was one tricky bit to this in Route53: I clicked on the existing record (if it didn't exist I would click Create Record Set), and tried to enter my target BUT NO
It was all "The record set could not be saved because:
- Alias Target contains an invalid value."

Here's the trick: choose Alias: No.
Alias: No is the "Do Things Right Button" for CNAME records in Route53 that point externally
With a regular CNAME (the Alias ones are an internal-to-AWS thing), I can route to an external domain from Route53.

Next, over in Cloud Foundry land, I can tell it about this domain.

 `cf create-domain atomist`

Here, atomist is my PWS org. Then I tell it to send requests to my space please:

`cf create-route jessitron`

And then I create routes for each of the endpoints, but with this new domain. (I'm pretty sure this is necessary.)

`cf map-route london --path /vote`

I'll need to make these two routes (or at least the last one) for every endpoint I add to my service. Soon I'll add this to my "add REST endpoint" automation in Rug.

Third: security certificates and https

There are two ways to get an HTTPS:// endpoint on PWS. They recommend using CloudFlare, which can be free. There are two problems with that. 

CloudFlare -> Cloud Foundry

The first is, to route anything at through CloudFlare, I have to route through CloudFlare. I have to change the routing for my entire company. :-(

Even if I did reroute our whole domain through CloudFlare, the second problem appears: I can get the appearance of security but not actual end-to-end SSL. The easy option to choose is "Flexible", meaning users get SSL from browser<->CloudFlare and it looks secure to them, but behind the scenes it's HTTP between CloudFlare and my app. This seems unprofessional to me, letting everyone's requests happen without SSL behind the scenes while telling them it's secure.

The other option to choose is "Full SSL," but then I need SSL on Cloud Foundry anyway, so ...

SSL in Cloud Foundry 

There's a Pivotal SSL service available in the PWS marketplace for SSL termination. For $20/month (they don't mention that in the documentation), it'll let you upload one certificate.

Currently, we use AWS Certificate Manager, which provides free certificates that only work on AWS.
Can I get that for separately, while leaving the rest of alone? I'm going to try that, from some other source -- but not today.

Therefore, because our security certificates are tied to AWS
and because I decline to change the routing of our entire domain in order to experiment with this subdomain,
I give up. My toy website doesn't need HTTPS anyway.

The moral is: if you want to experiment with moving part of your infrastructure off of AWS (designated by a subdomain), be prepared to change how requests are routed to the root domain.

Thank you to Glenn Oppegard for information about SSL on PWS, and Simon Brown who is finding this just fine with CloudFlare. 


  1. I work at Pivotal and tried this for the first time. To use Pivotal SSL:

    1) You don't need to create the service in a separate space. A separate space is useful if there are multiple devs with PWS accounts and you don't want all of them to be able to update or delete the Pivotal SSL service.

    2) You'll need to change the CNAME in Route53 from to the hostname generated by the Pivotal SSL service. It'll be something like '

    I did the above and had SSL routing to two different apps: and

    1. Thank you! I'll try this. Then I won't need CloudFlare?