Application Load Balancer bypass SSL Termination [closed] - amazon-web-services

Closed 2 months ago.
I have an nginx that is configured for SSL Termination and works as expected for my application.
For Disaster Recovery purposes I want to set up an AWS Application Load Balancer in front of my HTTPS NGINX. The ALB will be exposed with a Network LoadBalancer that will do the region switch.
The issue is that if I call my application, the AWS Application Load Balancer is doing the SSL Termination and the certificates are not reaching NGINX:
400 No required SSL certificate was sent
400 Bad request
Since I would like to keep my SSL termination at the NGINX level, can I configure the AWS Application LoadBalancer Listener to forward the certificates to the nginx also?

ALBs are layer 7 load balancers that only support HTTP/HTTPS listeners. SSL passthrough has to happen before layer 7 actions so it's not possible to configure ALBs for SSL passthrough. However you should be able to do this with a network load balancer, using TCP listeners.
This AWS blog outlines a similar setup, but for ECS - https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-using-the-network-load-balancer-with-amazon-ecs/

Related

Problem with connecting frontend and backend services through internal load balancer [closed]

Closed 3 days ago.
Frontend and backend services seem to be working fine separately on their own, but when I try to communicate between frontend and backend I keep getting an ERR_NAME_NOT_RESOLVED error.
Service discovery is all connected
All security groups are open
I think our architecture is very similar to this if that helps.
(https://mohamedwaelbenismail.medium.com/microservices-architecture-deployed-on-ecs-fargate-based-cluster-using-cloudformation-878cb6f90571)
It only works if we change the internal load balancer to a public load balancer, allow internet traffic and allow 0.0.0.0/0.
Health check statuses are all 'healthy'
Based on your schematic illustration, your React web application front end will never be able to reach your backend. Your front end executes on the client side in their browsers/mobiles. This means that the only way to reach the backend is through the internet. So your backend can't be in a private subnet behind an internal load balancer.
You have to re-architect your application. Both frontend and backend must be accessible from the internet for your front end to be able to query the backend.

AWS Network Load Balancer and HTTPS endpoint [closed]

Closed 1 year ago.
I'm learning about network load balancers in AWS and I'm stuck trying to use secure layer connections.
I created
the Load balancer of type network.
one target group for my application (port 3000 / TCP)
one listener for port 443 with protocol TLS, and as default action I'm forwarding to the previous target group. I also added the certificate of my domain.
an alias to the Load Balancer in route53
What I'd expect is, if I type https://www.this-is-an-example.com:443/home it should proxy to my application (running on port 3000) but keeping a secure connection or using https. But it doesn't work.
When I do curl https://www.this-is-an-example.com:443/home I receive the following response: curl: (52) Empty reply from server
If I try using Postman: Error: socket hang up
I understand that network load balancers don't care about https; however, how can I use https with my domain and be able to hit the listener and utilize https from the client to the Load balancer?
The problem is your security group. You cannot associate a security group with a network load balancer and, since they operate at layer 4, you have to make sure your target instances have a proper security group that allows access from the NLB/client to the target. This depends on whether you are using the instance target type or the IP target type. In the instance target type, the source will be the actual client and the port should be the target port (3000) and not 443. In the case of the IP target type, the source will be the NLB's IP and the target port is again your target port. You can get more detailed information here.
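The security group the answer describes, written out as an added CloudFormation example (not code from the original posts); the VPC id and the CIDRs are placeholders for the reader's own environment, and the second rule assumes the NLB lives in a 10.0.0.0/24 subnet:

```yaml
# Added example: security group attached to the instance behind the NLB.
# The NLB itself carries no security group, so this group has to admit
# traffic on the target port (3000), not on the listener port (443).
Resources:
  AppTargetSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Admit NLB-forwarded traffic to the app on port 3000
      VpcId: vpc-PLACEHOLDER
      SecurityGroupIngress:
        # Instance target type: the NLB preserves the client's source IP,
        # so the rule must admit the clients' range (here: the internet).
        - IpProtocol: tcp
          FromPort: 3000
          ToPort: 3000
          CidrIp: 0.0.0.0/0
          Description: instance targets - source is the real client address
        # IP target type: the source is the NLB's private IP in each subnet,
        # so admitting the NLB subnet (placeholder CIDR) is enough. NLB health
        # checks also originate from these private addresses.
        - IpProtocol: tcp
          FromPort: 3000
          ToPort: 3000
          CidrIp: 10.0.0.0/24
          Description: IP targets and health checks - source is the NLB
```

Keep only the rule that matches the target type actually in use; the 0.0.0.0/0 rule is only needed for instance targets, where the real client address is what reaches the instance.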

AWS Network Load Balancer Redirect Port [closed]

Closed 1 year ago.
I am trying to deploy a Kafka cluster on AWS (using CloudFormation). My advertised listeners are (using a private DNS namespace to resolve the internal IP):
INTERNAL://kafka-${id}.local:9092
EXTERNAL://<public-ip>:9092
However, Kafka complains that two listeners cannot share the same port. The problem is I'm using a load balancer for external traffic, and I'm not sure if there's a way to redirect that traffic to a different port.
My desired configuration would be:
INTERNAL://kafka-${id}:9092
EXTERNAL://<public-ip>:19092
But the load balancer takes the incoming request and passes it to the internal IP at the same port. Ultimately I'd like to have the load balancer take connections on port 19092 and pass them to 9092, but I don't see any way to configure that.
If there are any recommendations on alternative ways to do this, I'm happy to hear them. Currently, I need services that are on other VPCs to be able to communicate with these brokers, and I'd prefer to use a load balancer to handle these requests.
Based on the comments.
The NLB does not support redirection rules in its listeners. It only has forwarding rules. But a listener can use a different port than its targets, which is defined by a target group. So a possible setup could be:
Client ---> Listener on port 19092 ---> NLB ---> Target group with port 9092
#Marcin answered this for me. See comments for details.
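A CloudFormation fragment, added here as an example rather than taken from any of the posts, covering both NLB cases discussed above: a TCP listener on 443 that passes TLS through untouched so NGINX still terminates it (and still receives the client certificate, which is what the first question needed), and a TCP listener on 19092 forwarding to a target group on 9092, the port mapping from the Kafka question. Subnet, VPC and instance ids are placeholders.

```yaml
# Added example: one NLB, two TCP listeners. Protocol TCP on listener and
# target group means the NLB never decrypts; the TLS handshake ends at the
# instance. Listener port and target-group port are independent.
Resources:
  PassthroughNLB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internet-facing
      Subnets:
        - subnet-PLACEHOLDER
  # 443 -> 443 passthrough: NGINX terminates TLS and can verify client certs.
  NginxTlsTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: vpc-PLACEHOLDER
      Protocol: TCP
      Port: 443
      TargetType: instance
      Targets:
        - Id: i-PLACEHOLDER-nginx
  NginxTlsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref PassthroughNLB
      Protocol: TCP
      Port: 443
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref NginxTlsTargets
  # 19092 -> 9092: clients connect on the EXTERNAL port, brokers keep 9092.
  KafkaTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: vpc-PLACEHOLDER
      Protocol: TCP
      Port: 9092
      TargetType: instance
      Targets:
        - Id: i-PLACEHOLDER-kafka
  KafkaExternalListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref PassthroughNLB
      Protocol: TCP
      Port: 19092
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref KafkaTargets
```

Because the NLB does not terminate TLS on these listeners, certificate checks, cipher policy and client-certificate verification all remain the backend's responsibility and must be configured there.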

Is it possible to achieve end to end https encrytion from ALB to EC2 using ACM? [closed]

Closed 2 years ago.
Can we use an AWS ACM certificate to achieve TLS/SSL encryption up to the EC2 level? My EC2 instances sit behind a load balancer. I learned that ACM certs can be used only on managed services like load balancers and CloudFront etc. and can't be used on EC2, which means the connection will be HTTP from ALB to EC2. How can we achieve end-to-end HTTPS if ACM can be used only on the AWS ALB? Can it be done with a combination of ACM and a self-signed certificate? Any article which throws light on this setup?
How can we achieve an end-to-end https if ACM can be used only on AWS ALB?
You need to use a self-signed certificate between the ALB and your instances. The ALB does not change the validity of the certificate on the instance, thus as long as you have it set up, you will be fine.
How to set up a self-signed certificate solely depends on your use case (which Linux distro, whether you use nginx or not, and more). For example, for instances with Ubuntu 18.04 I was using the following guide from DigitalOcean without issues in the past:
How To Create a Self-Signed SSL Certificate for Nginx in Ubuntu 18.04
This is another alternative using a third-party certificate. Check the link:
https://aws.amazon.com/premiumsupport/knowledge-center/acm-ssl-certificate-ec2-elb/
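The ALB side of the setup both answers describe, as an added CloudFormation example (not code from the posts or the linked articles): ACM certificate on the public listener, and a target group with protocol HTTPS so the ALB re-encrypts to the instance, which serves its own self-signed certificate. The ALB does not validate the backend certificate, so no ACM certificate is needed on the instance. ARNs, ids and the health-check path are placeholders.

```yaml
# Added example: ACM on the ALB listener, HTTPS (self-signed) to the instance.
Resources:
  WebAlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets:            # an ALB needs subnets in at least two AZs
        - subnet-PLACEHOLDER-a
        - subnet-PLACEHOLDER-b
      SecurityGroups:
        - sg-PLACEHOLDER
  # Protocol HTTPS is what encrypts the ALB -> EC2 hop. The instance must
  # listen on 443 with its self-signed certificate; the ALB accepts it as-is.
  BackendHttpsTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: vpc-PLACEHOLDER
      Protocol: HTTPS
      Port: 443
      TargetType: instance
      Targets:
        - Id: i-PLACEHOLDER
      HealthCheckProtocol: HTTPS
      HealthCheckPath: /healthz
  # Public side: the ACM certificate lives here, where ACM is supported.
  PublicHttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref WebAlb
      Protocol: HTTPS
      Port: 443
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref BackendHttpsTargets
```

Since the ALB does not verify the instance certificate, the private hop is protected against passive sniffing inside the VPC but not against an impersonated backend; keep the target security group restricted to the ALB's security group.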

NGINX: using multiple node as load balancer [closed]

Closed 7 years ago.
I have an application deployed on Tomcat servers on machines A, B, C, D.
I want to load balance using Nginx with two load balancer nodes, LB1 & LB2.
All the configuration I got uses only one node as load balancer.
Is it possible using Nginx?
If we have a critical application running on a server that requires zero downtime, and we go with one LB, then if for some reason the LB itself fails there will be an issue.
We had this set up initially using the AWS Load balancer, but recently we started using websockets. The websockets are not working correctly on the EC2 load balancer.
If someone has a better option, please suggest.
Use Amazon ELB and forward TCP:80/443 instead of HTTP:80/443
The only downside of balancing TCP is that your appservers have to deliver SSL certificates themselves if you use HTTPS.
If you want to run the loadbalancer yourself without having a single point of failure you can use haproxy to fall back to a standby machine when the primary balancer fails.
http://www.loadbalancer.org/blog/transparent-load-balancing-with-haproxy-on-amazon-ec2