AWS Application Load Balancer forwarding to dynamic internal IP - amazon-web-services

I have an AWS VPC subnet in which hosts are dynamically created and destroyed. My frontend will have to connect to them. My plan was to reverse proxy to them.
Backend creates an ec2 instance in said subnet
Backend reads its internal ip address
I send the internal IP address to the frontend
Frontend connects to DNS_NAME of load balancer of this network like this: my_public_dns_name.com/internal_ip
I wanted this load balancer to terminate TLS and forward the request to the IP address in the path of the request. The subnet has a CIDR of /16, so it is a little impracticable to add 65k addresses manually for forwarding.
I couldn't figure out how to configure AWS application load balancer to do this. Is that even possible with it or do I have to use my own reverse proxy on an instance?
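Whatever ends up doing the forwarding (an ALB cannot rewrite a target from the path, so in practice this is a reverse proxy the asker runs), the security point is that a backend address read straight out of a client-controlled URL is an open relay into the VPC unless it is checked first. The following is an added example, not code from the question or any answer: it assumes a constructed subnet of 10.0.0.0/16, a fixed hypothetical backend port of 8080, and a proxy that calls validate_target() before opening a connection. It goes slightly beyond the question by also accepting an optional registry of instance IPs the backend itself created, which is the stricter allowlist a practitioner would want.

```python
"""Validate a backend target taken from the request path before proxying to it.

Added example, not from the original question. Assumes a reverse proxy that
calls validate_target() on each request and only then connects to the result.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed values for the example: the one subnet that may hold backends,
# and the (assumed) fixed port every backend listens on.
ALLOWED_SUBNET = ipaddress.ip_network("10.0.0.0/16")
BACKEND_PORT = 8080


class TargetRejected(ValueError):
    """Raised when the path does not name an acceptable backend."""


def parse_target(path):
    """Split '/<ip>/rest/of/path?query' into ('<ip>', '/rest/of/path?query')."""
    parts = urlsplit(path)
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        raise TargetRejected("no target in path")
    rest = "/" + "/".join(segments[1:])
    if parts.query:
        rest += "?" + parts.query
    return segments[0], rest


def validate_target(path, registry=None):
    """Return the upstream URL for a request path, or raise TargetRejected.

    The candidate must be an IPv4 literal (hostnames are never resolved, so
    the proxy cannot be pointed at arbitrary names), must lie inside
    ALLOWED_SUBNET (so link-local addresses such as the instance metadata
    service, loopback, and other VPC ranges are refused), must not be the
    network or broadcast address, and, when a registry of live instance IPs
    is supplied, must be one the backend actually created.
    """
    raw, rest = parse_target(path)
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        raise TargetRejected(f"not an IP literal: {raw!r}") from None
    if addr.version != 4 or addr not in ALLOWED_SUBNET:
        raise TargetRejected(f"{addr} is outside {ALLOWED_SUBNET}")
    if addr in (ALLOWED_SUBNET.network_address, ALLOWED_SUBNET.broadcast_address):
        raise TargetRejected(f"{addr} is not a host address")
    if registry is not None and str(addr) not in registry:
        raise TargetRejected(f"{addr} is not a registered backend")
    return f"http://{addr}:{BACKEND_PORT}{rest}"


def rejects(path, registry=None):
    """Convenience predicate: True if validate_target() refuses the path."""
    try:
        validate_target(path, registry)
    except TargetRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests, as a proxy would see them.
    print(validate_target("/10.0.1.5/api/v1/status?verbose=1"))
    for bad in ("/169.254.169.254/latest/meta-data/", "/localhost/", "/10.0.0.0/"):
        print(bad, "->", "rejected" if rejects(bad) else "accepted")
```

The registry is the part worth keeping: the backend that launched the instance already knows its private IP, so the proxy can allow exactly that set rather than every address in the /16, and an entry is removed when the instance is destroyed.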

Related

AWS UDP NLB with only one ip

I'm trying to build a VoIP application on EKS. My setup would be something like:
Asterisk -> Kamailio -> PSTN
Where there could be any number of Asterisk instances behind Kamailio, and Kamailio's function is to give all the Asterisk instances the same IP address in the eyes of the PSTN provider.
Kamailio is behind a load balancer, with a static IP address that I give to the PSTN provider to authenticate my requests, but although I can receive traffic through the load balancer, when my Kamailio sends a packet to them, the IP is different, which causes problems.
Is there a way that the load balancer and the EC2 instance running Kamailio can share the same IP address?
Or is there another way of exposing the Kamailio EKS service with a static IP address that is not through a load balancer?

AWS Global Accelerator static IP not working

So I have just set up an application load balancer but I need a static IP to whitelist my database connection. I found Global Accelerator can do the job so I have set it up and assigned it to the ALB. All showing fine in the console, but when I ping my domain (www.example.com), I don't see either of the 2 static IPs assigned... and when I whitelist both IPs my application still cannot connect.
Am I doing something wrong?
Edit: My database is MongoDB hosted on the Atlas Cloud. In my staging environment I have secured the connection to a single server instance using that server's IP address. Now I'm moving to a production environment with a load balancer, and I'm not quite sure how I would achieve the same result, since I have multiple EC2 instances which can be created/destroyed via autoscaling. My thinking is that I need to whitelist the load balancer IP address rather than individual instances.
I am assuming that your architecture is:
Domain name pointing to an Application Load Balancer in AWS
Load Balancer points to an Auto Scaling group of Amazon EC2 instances
The EC2 instances point to your MongoDB database hosted on the Atlas Cloud
You want a static IP address so that the database can permit access from the Amazon EC2 instances
While incoming traffic to the EC2 instances goes through the Load Balancer, please note that the connection from an EC2 instance to the database is a separate outbound connection that is established to the database. This traffic does not go through the Load Balancer. The only traffic coming 'out' of a Load Balancer is the response to requests that came 'in'.
The typical way to implement this architecture is:
Load Balancer in public subnets
Auto-Scaled Amazon EC2 instances in private subnets
A NAT Gateway in the public subnet(s)
This way, the instances in the private subnets can access the Internet via the NAT Gateway, yet they are fully isolated from traffic coming in from the Internet. It has the additional benefit that the NAT Gateway has a static IP address. All traffic going through the NAT Gateway to the Internet will 'appear' to be coming from this IP address.
For fault tolerance, it is recommended to put a NAT Gateway in at least two Availability Zones. Each will have its own static IP address.
Oh, and you could consider moving your database to Amazon DocumentDB (with MongoDB Compatibility), which would reduce latency between the application servers and the database.

How can I specify IP address to my load balancer?

I have ECS service running in AWS and I am going to create application load balancer for this service. I have read through this doc: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html but what I don't quite understand is how I can specify an entry endpoint IP address to my load balancer. This IP address will be used by client to send requests to my service. Based on my understanding, the IP should be configured in load balancer not my ECS service's task.
Using an IP address for connecting to an elastic load balancer is a bad idea. ELBs are elastic, which means there are multiple instances behind a single load balancer for fault tolerance. That's the reason AWS recommends to use the Hostname instead of IP address.
If you still want to test the connectivity using the load balancer IP address, you can try the nslookup command
nslookup yourELBPublicDNS
This will give you multiple addresses back, you can try to hit one. But keep in mind that those IP addresses may change. The reason is simple, if the underlying host for the load balancer fails, it will be replaced by a new one, which most likely will have new IP. But what remains constant is the domain name, so using the hostname is recommended.
As mentioned in the answer, using an IP is a bad idea, but not if it is a static IP. An NLB supports static IPs while an Application LB does not.
If you are looking for a static IP, then you need to place a Network LB in front of the Application LB: the Application LB will communicate with the backend ECS services while the NLB will be for the client. The client will be able to communicate using the static IP of the NLB, which will not change.
For each availability zone, you have a static IP for the NLB; you can check further integration here.
If you are looking to allow only specific IPs to use your endpoint, then you need AWS WAF (Web Application Firewall).

How to create a http and https load balancer that will allow SSL pass to my instances

I am trying to create a load balancer on GCP that will route HTTP and HTTPS traffic to my single instance (I'm just testing things out so I have a single instance that serves http traffic).
My instance will be serving many domains, and these domains are not owned by me but by my clients. I will simply manage the Let's Encrypt SSL certificates for these domains. They will point their domains to my service like a DNS record: service.example.com
Can I still use GCP load balancers for HTTPS traffic with the above considerations? I essentially need the load balancers to pass all SSL traffic to my instances.
I can't seem to figure out how to create a load balancer that will pass SSL traffic to my instances, is this possible?
If your goal is to create a load balancer that passes through HTTPS traffic (and HTTP) directly to backend instance(s), use the TCP Load Balancer.
Step 1. Create a "regional" static IP address before creating the load balancer. Create the IP address in the same region as your instance.
Step 2: Create a TCP Load Balancer. I will skip the minor details that are obvious.
Backend configuration:
Select Single region only. This will allow you to bypass having instance groups.
Select existing instances -> Select your vm.
Frontend configuration:
Protocol TCP. IP: select the static IP address that you created. Port: 80. Click Done.
Add another frontend. Protocol TCP. IP: same IP address. Port: 443. Click Done.
Once you create the load balancer, wait 5 or 10 minutes for everything to configure and startup.
Now your HTTP and HTTPS traffic will be passed directly to your backend instance(s). Note that this configuration does not use autoscaling, managed instance groups, health checks, etc.
You will manage your SSL certificates on your backend instance(s) (your Compute Engine VMs). The load balancer just passes traffic through with no SSL offload.

Adding a public static ipv4 address to an AWS load balancer

I have a load balancer configured to have an IPv4 IP address. However, the provided IP is a DNS-mapped IP address to the load balancer of the format *.ap-south-1.elb.amazonaws.com.
I need to configure IoT devices to send data to the load balancer and they do not support DNS. How can I assign a static IP address like ... to my load balancer so that I can configure my IoT devices to send data to it?
The Elastic IPs section does not provide a facility to allocate one to a load balancer and only supports EC2 instances.
Conclusion:
I have found a way to use DNS on my IoT device, and working on this was vital. I am now aware of the option of manually hosting a load balancer on an EC2 instance. A simpler alternative is forwarding all requests at an Elastic IP addressed EC2 instance to the load balancer. However, this will cause a bottleneck at the transparent proxy. Hence, I think using the DNS feature on the IoT device is the best option.
Elastic Load Balancers do not support static IP addresses. They only support DNS CNAMEs (or Aliases if you are using Route 53). This is because ELB DNS entries will resolve to different IP addresses depending on how it is scaling between availability zones. Also, over time, the IP addresses will/may change.
The AWS documentation also specifically states to create CNAME-records only when mapping custom DNS entries to your ELB. If you are using Route 53, you can create an Alias record, which look like an A-record to the outside world.
If you need a static IP address, then you cannot use ELB.
Instead, you will need to manage your own load balancer (HAProxy, nginx, etc.) on an EC2 instance using an Elastic IP address.
It would not be possible to assign a static IP with the elastic load balancer. You need to use DNS name only.
The only way I am aware of doing this is by setting up your instances within a VPC and having dedicated NAT instances by which all outbound traffic is routed.
Here is a link to the AWS documentation on how to set up NAT instances:
http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html
AWS Elastic Load Balancer does not support assigning a static IP address due to many reasons.
Looking at your problem, the issue you are facing is having a large number of data sources pumping data into AWS. I suggest you use the AWS Kinesis Firehose service instead of the current approach, as Firehose specifically focuses on streaming data into AWS.