I'm not completely familiar with the load balancers in AWS. So, the idea is to set up a VPC with a public subnet and a private subnet. The instances and the ASG for the front-end will be in the public subnet, and the instances and the ASG for the backend will be in the private subnet. My question is which load balancer should I place between the front-end and the backend, and is it supposed to go in the public or the private subnet?
Any help is appreciated.
Hello, I recommend you use S3 + CloudFront for your web if it's a React app (HTML, JS...). You can gain a lot with S3 + CloudFront to have serverless web hosting that is highly scalable, and secure as well!!!
Regarding the back-end part, the best practice is to put an ELB in your public subnet which redirects API traffic to your back-end target group ASG in your private subnet.
You can add an HTTPS certificate from ACM to your ALB to secure traffic in transit,
and the traffic between your ALB and the ASG instances is over HTTP (port 80).
Finally, the request will come from the client device, which will get the app from CloudFront/S3 and perform a call to your ELB in the public subnet, which redirects to your instances in the private subnet.
Using Terraform to set up a VPC with two EC2s in private subnets. The setup needs to SSH to the EC2s to install package updates from the Internet and install the application software. To do this there is an IGW and a NAT-GW in a public subnet. Both EC2s can access the Internet at this point as both private subnets are routing to the NAT-GW. Terraform and SSH to the private subnets is done via Client VPN.
One of the EC2s is going to host a web service so a Classic mode Load Balancer is added and configured to target the web server EC2. Using Classic mode because I can't find a way to make Terraform build Application mode LBs. The Load Balancer requires the instance to be using a subnet that routes to the IGW, so it is changed from routing to the NAT-GW, to the IGW. At this point, the Load Balancer comes online with the EC2 responding and public Internet can access the web service using the DNS supplied End Point for the LB.
But now the web server EC2 can no longer access the Internet itself. I can't curl google.com or get package updates.
I would like to find a way to let the EC2 access the Internet from behind the LB and not use CloudFront at this time.
I would like to keep the EC2 in a private subnet because a public subnet causes the EC2 to have a public IP address, and I don't want that.
Looking for a way to make the LB work without switching subnets, as that would make the EC2 web service unavailable when doing updates.
Not wanting any iptables or firewalld tricks. I would really like an AWS solution that is distro agnostic.
A few points/clarifications about the problems you're facing:
Instances on a public subnet do not need a NAT Gateway. They can initiate outbound requests to the internet via IGW. NGW is for allowing outbound IPv4 connections from instances in private subnets.
The load balancer itself needs to be on a public subnet. The instances that the LB will route to do not. They can be in the same subnet or different subnets, public or private, as long as traffic is allowed through security groups.
You can create instances without a public IP, on a public subnet. However, they won't be able to receive or send traffic to the internet.
Terraform supports ALBs. The resource is aws_lb with load_balancer_type set to "application" (this is the default option).
That said, the public-private configuration you want is entirely possible.
1. Your ALB and NAT Gateway need to be on the public subnet, and EC2 instances on the private subnet.
2. The private subnet's route table needs to have a route to the NGW, to facilitate outbound connections.
3. EC2 instances' security group needs to allow traffic from the ALB's security group.
It sounds like you got steps 1 and 2 working, so the connection from ALB to EC2 is what you have to work on. See the documentation page here as well - https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
We have 10 instances on which we deployed the app using AWS ECS and ELB.
Due to security reasons the API allows requests only from specific whitelisted IP addresses.
So we are planning to pass the requests through a proxy.
How do we route an API request through a proxy?
We are using nginx.
Any specific way to route an API request through a proxy will be helpful.
You won't need NGINX as a proxy for this use case; I'd propose looking into AWS NAT Gateways. NAT Gateway is a highly available AWS managed service that makes it easy to connect to the Internet from instances within a private subnet in an Amazon Virtual Private Cloud (Amazon VPC). It's the perfect place to provide a static IP for all your subnet's outbound traffic.
You need to provide a NAT Gateway with a static IP (Elastic IP) for your cluster's outbound traffic. This will allow your different tasks running inside your ECS cluster's private subnets to look like a single requesting entity from an outsider's POV (in your case, the 3rd party API is the outsider). To achieve this, you will have to:
Create 2 route tables (1 for private subnets, 1 for public subnets)
An Internet Gateway on the public subnet
An Elastic IP address
Create a NAT Gateway and attach the elastic IP to it (This will be the IP whitelisted to the 3rd party API)
Ensure that all your tasks are running inside private subnets of the VPC
Add a rule in your route table for your private subnets that redirects outbound 0.0.0.0/0 to the NAT Gateway.
Add a rule in your route table for your public subnets that redirects outbound traffic 0.0.0.0/0 to the internet gateway.
You should consider using a NAT Gateway instead. I am assuming you already have all your containers in a VPC, so you can create a new NAT Gateway within this VPC itself.
You can refer to articles attached below to do this:
https://docs.aws.amazon.com/appstream2/latest/developerguide/add-nat-gateway-existing-vpc.html
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
Note: NAT Gateways have a price associated with them.
If needed, you can use the Elastic IP provided by the NAT Gateway for your Lambdas as well.
From the AWS infrastructure side, sometimes the client suggests having their whole application in a private subnet (both frontend and backend), so that their application is secure. Now I do understand that for an application to be in a private subnet, we can't have an internet-facing Application Load Balancer, as AWS doesn't allow it. So in this kind of scenario, how can this be handled please? I know that we can make use of VPC endpoints so that the internal traffic doesn't leave the AWS network. Is there any way this can be done that I am not aware of? Thanks in advance.
What you've described is a very broad topic and probably sits within the realms of "How do I architect a web app securely in AWS?"
As with most things, there isn't just one answer. Below is a common approach to deploying a simple web app behind a load balancer.
Internet facing load balancer with application in private subnet
The application can be deployed in private subnets (so instances are not assigned public IP addresses). You can then deploy an internet facing load balancer to the public subnets which will be able to route traffic to your private subnets (assuming your VPC route tables are configured correctly).
If the instances deployed in the private subnets need an outbound Internet connection you can deploy a NAT Gateway (with the appropriate routes in your VPC route table of course).
In this setup your inbound traffic goes:
Internet Gateway --> Load Balancer Node (Public Subnet) --> Target Group (Private Subnet)
And your outbound traffic (if needed) goes:
Instance (private subnet) --> NAT Gateway --> Internet Gateway
You can't have an internet facing load balancer in private subnets (Quote from your question)
That is true, but as described above you can deploy an internet facing load balancer into public subnets and still have it route traffic to your private subnets. Just make sure your VPC route table is set up correctly (i.e. there is a route in the route tables associated with your subnets for your VPC CIDR block).
I configured an internet facing ALB in AWS with two listeners (80 and 443) and the target groups are in a private network (10.0.1.0/24). When HTTP/HTTPS requests are sent by the ALB to the target group in the 10.0.1.0 network, how is the response sent back to the ALB? The ALB has a public IP, and the target group does not have a route to the internet. I can configure a NAT gateway and set up a route 0.0.0.0/0 to use the NAT gateway. But the web response will go all the way to the internet and then come back to the ALB. Highly undesirable. I can't put these instances in a public facing subnet either.
Can someone help with how this can be done? I thought of a VPC endpoint, and configured one with the load balancer (I used ELB, as I couldn't find an ALB endpoint service). Now, the endpoint shows it has an IP in the 10.0.1.0 subnet. However, I don't know how this will work. Can someone suggest what's to be done? Thanks.
Not sure exactly what your question here is, but here is a simple explanation of how AWS ELB works.
In both AWS Classic Load Balancers and Application Load Balancers, two connections are involved:
A connection between client (browser, etc) and ELB
A connection between ELB and backend target instances (webservers)
When creating an Internet facing ELB, you are given the option of selecting two subnets. These subnets should be public subnets which have a route to an Internet Gateway. The ELB will launch at least one ELB node in each of these subnets. Clients on the Internet will be able to connect to these ELB nodes using their public IPs through the IGW.
Once the ELB receives the request from the client, it forwards the request to its backend targets. This communication uses the PRIVATE IPs of the ELB nodes and the target instances. Therefore, even if the instances are in the private subnet, the ELB will still be able to forward requests to them because the connection is over private IPs which uses the 'local' route in the route tables. The response from the target then goes to the ELB over private IP, and is then forwarded to the client over public IP.
Client <--public IP--> ELB <--private IP--> Targets
The connection between client and ELB is over public IP, the connection between ELB and webservers is over private IPs which does not need a route to an IGW or NAT.
Don't worry about NAT Gateways for your private subnets. Just make sure the subnets you choose when creating the ELB are public and have a route to an internet gateway.
I've spent the majority of today reading google results and documentation on how to connect AWS API Gateway to EC2 instances (created by Elastic Beanstalk) in a private subnet. I know that API Gateway requires targets to be publicly addressable, so...
I manually created an Application Elastic Load Balancer that listens for (and terminates) HTTPS at a public IP address;
I created a VPC with two subnets: one public (holds load balancer) and one private (holds EC2 instances); and,
I believe I have to create security groups that allow everyone/everywhere to connect to the load balancer, but only entities in my public subnet to connect to my EC2 instances.
Unfortunately I'm unable to view the sample Beanstalk application via the load balancer's DNS name. The connection just times out.
Can someone please confirm I've identified all the steps? Is there any way I can trace my requests to see where they're failing? Or (even better) why they're failing? Thanks!
Check your security groups to make sure that HTTPS traffic is allowed
Make sure your Network ACLs are allowing traffic from your load balancer to your EC2 instances
Check your VPC routes to ensure there is a route from your load balancer to your EC2 instance
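Added example, not code from any of the answers above: an offline audit that encodes the checks these threads converge on (the ALB's subnets route to an Internet Gateway; private targets reach the Internet only through a NAT Gateway that itself sits in a public subnet; a target routed straight to the IGW without a public IP has no outbound path; the target security group admits the ALB's security group on the target port), plus the Elastic IP lookup behind the NAT Gateway whitelisting answer. The dict layout and every ID are constructed stand-ins for what describe_route_tables / describe_security_groups would return.

```python
# Added example (not from the thread): offline audit of the "ALB in a public subnet,
# targets in a private subnet" layout. Dict shapes and IDs are constructed stand-ins.
from typing import Dict, List

def default_route(vpc: Dict, subnet: str) -> str:
    """Target of the subnet's 0.0.0.0/0 route ('' if the route table has none)."""
    rtb = vpc["route_tables"][vpc["subnets"][subnet]]
    return next((r["target"] for r in rtb if r["dest"] == "0.0.0.0/0"), "")

def egress_ip(vpc: Dict, target: Dict) -> str:
    """Source address a third party sees for the target's outbound traffic ('' = no path)."""
    hop = default_route(vpc, target["subnet"])
    if hop.startswith("nat-"):              # private subnet: NAT Gateway's Elastic IP
        return vpc["nat_gateways"][hop]["eip"]
    if hop.startswith("igw-"):              # public subnet: needs its own public IP
        return target.get("public_ip", "")
    return ""

def audit(vpc: Dict) -> List[str]:
    """Findings against the recommended design; an empty list means it checks out."""
    findings = []
    for s in vpc["alb"]["subnets"]:         # 1. ALB nodes must sit behind an IGW route
        if not default_route(vpc, s).startswith("igw-"):
            findings.append(f"ALB subnet {s} has no route to an Internet Gateway")
    for t in vpc["targets"]:
        hop = default_route(vpc, t["subnet"])
        if hop.startswith("nat-"):          # 2. the NAT Gateway itself needs a public subnet
            nat_subnet = vpc["nat_gateways"][hop]["subnet"]
            if not default_route(vpc, nat_subnet).startswith("igw-"):
                findings.append(f"{hop} is in {nat_subnet}, which has no IGW route")
        if not egress_ip(vpc, t):           # 3. IGW route without a public IP = no outbound
            findings.append(f"{t['id']} has no outbound Internet path")
        rules = vpc["security_groups"][t["sg"]]   # 4. target SG must admit the ALB SG on the port
        if not any(r["src"] == vpc["alb"]["sg"] and r["port"] == t["port"] for r in rules):
            findings.append(f"{t['id']} SG {t['sg']} does not allow {vpc['alb']['sg']} on port {t['port']}")
    return findings

# Constructed VPC: ALB and NAT Gateway in the public subnet, web server in the private subnet.
VPC = {
    "subnets": {"subnet-pub": "rtb-pub", "subnet-priv": "rtb-priv"},
    "route_tables": {
        "rtb-pub":  [{"dest": "10.0.0.0/16", "target": "local"}, {"dest": "0.0.0.0/0", "target": "igw-1"}],
        "rtb-priv": [{"dest": "10.0.0.0/16", "target": "local"}, {"dest": "0.0.0.0/0", "target": "nat-1"}],
    },
    "nat_gateways": {"nat-1": {"subnet": "subnet-pub", "eip": "203.0.113.10"}},  # EIP to whitelist
    "security_groups": {"sg-alb": [{"src": "0.0.0.0/0", "port": 443}],
                        "sg-web": [{"src": "sg-alb", "port": 80}]},
    "alb": {"subnets": ["subnet-pub"], "sg": "sg-alb"},
    "targets": [{"id": "i-web", "subnet": "subnet-priv", "sg": "sg-web", "port": 80}],
}
```

Re-pointing `rtb-priv` at the IGW reproduces the Terraform thread's symptom (the LB works, the instance loses outbound access), and moving the NAT Gateway into the private subnet is flagged as well.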