I have a website hosted on SiteGround, let's say www.test.com.
I created a subdomain xyz.test.com and routed the traffic to a backend server A through a load balancer which is hosted in a private subnet in a VPC. It works fine since I have created a listener which forwards the traffic from 443 to 3000. Now I want to add one backend server B in the same private subnet and want the traffic hitting port 444 of the ELB to be routed to this server. I want the requests to xyz.test.com:444 to go to port 3010 of server B. In short, I want to route traffic to different instances behind a load balancer, but my URL is the same; just the ports are different.
How can I achieve this?
You want to set up an Application Load Balancer. From the documentation (emphasis mine):
A load balancer serves as the single point of contact for clients. The load balancer distributes incoming application traffic across multiple targets, such as EC2 instances, in multiple Availability Zones. This increases the availability of your application. You add one or more listeners to your load balancer.
A listener checks for connection requests from clients, using the protocol and port that you configure, and forwards requests to one or more target groups, based on the rules that you define. Each rule specifies a target group, condition, and priority. When the condition is met, the traffic is forwarded to the target group. You must define a default rule for each listener, and you can add rules that specify different target groups based on the content of the request (also known as content-based routing).
Some of the benefits that may interest you, over a Classic Load Balancer, are:
Support for path-based routing. You can configure rules for your listener that forward requests based on the URL in the request. This enables you to structure your application as smaller services, and route requests to the correct service based on the content of the URL.
Support for host-based routing. You can configure rules for your listener that forward requests based on the host field in the HTTP header. This enables you to route requests to multiple domains using a single load balancer.
Support for routing requests to multiple applications on a single EC2 instance. You can register each instance or IP address with the same target group using multiple ports.
Support for registering targets by IP address, including targets outside the VPC for the load balancer.
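The setup from the question, written out as Terraform. This is an added example, not code from the original answer or from AWS: one Application Load Balancer with an HTTPS listener per public port (443 and 444), each forwarding to its own target group on the instance port (3000 and 3010). All inputs are hypothetical (var.vpc_id, var.public_subnet_ids, var.instance_a_id, var.instance_b_id, var.certificate_arn for an ACM certificate covering xyz.test.com), and the example assumes the ALB sits in public subnets while the two instances stay in the private subnet.

```hcl
# Added example, not part of the original answer: Terraform for one ALB with an HTTPS
# listener per public port, each forwarding to its own target group. Hypothetical inputs:
# var.vpc_id, var.public_subnet_ids, var.instance_a_id, var.instance_b_id, var.certificate_arn.
variable "vpc_id"            { type = string }
variable "public_subnet_ids" { type = list(string) }
variable "instance_a_id"     { type = string }
variable "instance_b_id"     { type = string }
variable "certificate_arn"   { type = string }

locals {
  # One entry per backend: the public listener port and the instance port it lands on.
  services = {
    server_a = { listener_port = 443, instance_port = 3000, instance_id = var.instance_a_id }
    server_b = { listener_port = 444, instance_port = 3010, instance_id = var.instance_b_id }
  }
}

# The ALB accepts only the two listener ports from the Internet.
resource "aws_security_group" "alb" {
  name   = "xyz-alb"
  vpc_id = var.vpc_id
  dynamic "ingress" {
    for_each = local.services
    content {
      from_port   = ingress.value.listener_port
      to_port     = ingress.value.listener_port
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Backend ports are reachable only from the ALB's security group, never from the Internet.
resource "aws_security_group" "backend" {
  name   = "xyz-backend"
  vpc_id = var.vpc_id
  dynamic "ingress" {
    for_each = local.services
    content {
      from_port       = ingress.value.instance_port
      to_port         = ingress.value.instance_port
      protocol        = "tcp"
      security_groups = [aws_security_group.alb.id]
    }
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lb" "xyz" {
  name               = "xyz"
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = var.public_subnet_ids
}

# One target group per backend; the ALB speaks plain HTTP to the instance port.
resource "aws_lb_target_group" "svc" {
  for_each = local.services
  name     = "xyz-${replace(each.key, "_", "-")}"
  port     = each.value.instance_port
  protocol = "HTTP"
  vpc_id   = var.vpc_id
}

resource "aws_lb_target_group_attachment" "svc" {
  for_each         = local.services
  target_group_arn = aws_lb_target_group.svc[each.key].arn
  target_id        = each.value.instance_id
  port             = each.value.instance_port
}

# One HTTPS listener per public port; both terminate TLS with the same certificate.
resource "aws_lb_listener" "svc" {
  for_each          = local.services
  load_balancer_arn = aws_lb.xyz.arn
  port              = each.value.listener_port
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.svc[each.key].arn
  }
}
```

Attach aws_security_group.backend to both instances: the point of the two security groups is that ports 3000 and 3010 are never opened to 0.0.0.0/0, only to traffic that has passed through the load balancer. Adding a third backend is one more entry in local.services.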
With this flow:
external world --> AWS API Gateway ---> VPC Link ---> Network Load Balancer ---> my single EC2 instance
How can I configure the AWS Network Load Balancer such that:
Requests to https://myapp.com are routed to port 80 of my EC2 instance.
Requests to https://myapp.com/api/* are routed to port 3000 of my EC2 instance?
Currently I have only configured one listener on the NLB that listens on port 80, and all traffic from the API Gateway is routed to port 80 of my EC2 instance.
I have found that in Application Load Balancer, you can configure "Rules" that map path to different ports: Path based routing in AWS ALB to single host with multiple ports
Is this available with NLB?
This is not possible with the Network Load Balancer, because it operates on a level of the network stack that has no concept of Paths.
The NLB operates on Layer 4 and supports the protocols TCP and UDP. These essentially create a connection between ports on two machines that allow data to flow between them.
Paths, as in HTTP(S) paths, are a Layer 5+ concept and belong to the HTTP protocol. They're not available to the NLB because it can only work based on data that's guaranteed to be available there.
You can use an Application Load Balancer as the target for your Network Load Balancer and then configure the Path-based rules there, because the ALB is a layer 5+ load balancer and understands the Layer 5 protocol HTTP.
Here is a blog detailing this: Application Load Balancer-type Target Group for Network Load Balancer
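The NLB-in-front-of-ALB arrangement from the answer, as an added Terraform example (not code from the original answer or from the linked blog). The NLB keeps a single TCP:80 listener whose target group has target_type "alb" and points at an internal Application Load Balancer; the ALB's HTTP listener sends everything to port 80 by default and a listener rule diverts /api/* to port 3000 on the same instance. Inputs are hypothetical: var.vpc_id, var.private_subnet_ids, var.instance_id, var.alb_sg_id.

```hcl
# Added example, not part of the original answer: Terraform for a Network Load Balancer
# whose TCP:80 target is an internal Application Load Balancer, which then splits traffic
# by path. Hypothetical inputs: var.vpc_id, var.private_subnet_ids, var.instance_id, var.alb_sg_id.
variable "vpc_id"             { type = string }
variable "private_subnet_ids" { type = list(string) }
variable "instance_id"        { type = string }
variable "alb_sg_id"          { type = string }

# Layer 7: an internal ALB that understands HTTP and can route on the request path.
resource "aws_lb" "app" {
  name               = "myapp-alb"
  load_balancer_type = "application"
  internal           = true
  security_groups    = [var.alb_sg_id]
  subnets            = var.private_subnet_ids
}

locals {
  # Two services on the same instance, distinguished only by port.
  ports = { web = 80, api = 3000 }
}

resource "aws_lb_target_group" "svc" {
  for_each = local.ports
  name     = "myapp-${each.key}"
  port     = each.value
  protocol = "HTTP"
  vpc_id   = var.vpc_id
}

resource "aws_lb_target_group_attachment" "svc" {
  for_each         = local.ports
  target_group_arn = aws_lb_target_group.svc[each.key].arn
  target_id        = var.instance_id
  port             = each.value
}

# Default action: everything goes to port 80.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.app.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.svc["web"].arn
  }
}

# Rule: requests whose path starts with /api/ go to port 3000 instead.
resource "aws_lb_listener_rule" "api" {
  listener_arn = aws_lb_listener.http.arn
  priority     = 10
  condition {
    path_pattern {
      values = ["/api/*"]
    }
  }
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.svc["api"].arn
  }
}

# Layer 4: the NLB the API Gateway VPC Link points at. Its only target is the ALB.
resource "aws_lb" "edge" {
  name               = "myapp-nlb"
  load_balancer_type = "network"
  internal           = true
  subnets            = var.private_subnet_ids
}

resource "aws_lb_target_group" "to_alb" {
  name        = "myapp-nlb-to-alb"
  target_type = "alb"
  port        = 80
  protocol    = "TCP"
  vpc_id      = var.vpc_id
  health_check {
    protocol = "HTTP"
    path     = "/"
  }
}

resource "aws_lb_target_group_attachment" "to_alb" {
  target_group_arn = aws_lb_target_group.to_alb.arn
  target_id        = aws_lb.app.arn
  port             = 80
}

resource "aws_lb_listener" "tcp80" {
  load_balancer_arn = aws_lb.edge.arn
  port              = 80
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.to_alb.arn
  }
}
```

The split of responsibilities is the point: the NLB never parses the HTTP request, it only hands TCP connections to the ALB on port 80, and only the ALB ever evaluates the path. The ALB target group's port must match a listener on the ALB (80 here), and the ALB's security group (var.alb_sg_id) has to admit port 80 from the NLB's subnets.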
I would like to understand what the difference is between WAF, a security group, and a routing table.
Let's say I have a VPC, 2 subnets (a private one) and I want to deploy a web application (UI and backend service and a database (RDS)). In this scenario, where do WAF and security groups come into the picture?
Can someone help me to understand a use case?
The HTTP protocol is built on top of the TCP protocol.
WAF inspects the HTTP traffic before it reaches your web application in order to block malicious web traffic.
In order to implement WAF in front of a containerized application (running on ECS for example) or in front of an application running on EC2 you should use an Application Load Balancer in front of the application servers and associate the WAF with that load balancer.
If your application runs on Lambda you can do the same but using API Gateway.
A Security Group accepts or blocks networking protocols such as TCP, UDP, ICMP - based on ports. Open up port 443 and 80 if you want to expose your web application.
Routing tables should be associated with your subnets so that the network traffic (TCP) knows where to go.
Best practice is to put your application servers and databases in private subnets (with routing tables that do not route traffic from the Internet) and then put e.g. an Application Load Balancer in the public subnets in order to accept traffic from the Internet and route it to your private subnets.
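The three layers the answer describes, side by side as an added Terraform example (not code from the original answer): route tables decide whether a subnet has any path to the Internet, security groups decide which peers and ports each instance accepts, and a WAF web ACL attached to the ALB inspects the HTTP requests themselves. Everything referenced is hypothetical (var.vpc_id, var.igw_id, var.public_subnet_id, var.private_subnet_id, var.alb_sg_id and var.alb_arn for an ALB that already exists in the public subnet, an app port of 8080 and a PostgreSQL RDS on 5432).

```hcl
# Added example, not part of the original answer: Terraform showing the three layers side
# by side. Route tables decide whether a subnet has a path to the Internet at all, security
# groups decide which peers and ports each instance accepts, and a WAF web ACL on the ALB
# inspects the HTTP requests themselves. Hypothetical inputs: var.vpc_id, var.igw_id,
# var.public_subnet_id, var.private_subnet_id, var.alb_sg_id and var.alb_arn.
variable "vpc_id"            { type = string }
variable "igw_id"            { type = string }
variable "public_subnet_id"  { type = string }
variable "private_subnet_id" { type = string }
variable "alb_sg_id"         { type = string }
variable "alb_arn"           { type = string }

# Routing: only the public subnet gets a default route to the Internet gateway.
resource "aws_route_table" "public" {
  vpc_id = var.vpc_id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = var.igw_id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = var.public_subnet_id
  route_table_id = aws_route_table.public.id
}

# The private table carries only the implicit VPC-local route: app servers and RDS cannot be
# reached from the Internet, and cannot reach it either unless a NAT gateway route is added.
resource "aws_route_table" "private" {
  vpc_id = var.vpc_id
}

resource "aws_route_table_association" "private" {
  subnet_id      = var.private_subnet_id
  route_table_id = aws_route_table.private.id
}

# Security groups form a chain: Internet -> ALB (var.alb_sg_id, 80/443) -> app -> database.
resource "aws_security_group" "app" {
  name   = "app"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [var.alb_sg_id] # only the load balancer may reach the app port
  }
}

resource "aws_security_group" "db" {
  name   = "db"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id] # only app servers may reach RDS
  }
}

# WAF: a regional web ACL with the AWS Common Rule Set, attached to the ALB.
resource "aws_wafv2_web_acl" "web" {
  name  = "web-acl"
  scope = "REGIONAL"
  default_action {
    allow {}
  }
  rule {
    name     = "awsCommon"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "awsCommon"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "webAcl"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "web" {
  resource_arn = var.alb_arn
  web_acl_arn  = aws_wafv2_web_acl.web.arn
}
```

Read it bottom-up to see what each layer can and cannot do: the WAF sees full HTTP requests but only for traffic that reaches the ALB; the security groups see only IPs, ports and protocols, which is why the app group admits the ALB's group rather than a CIDR; the private route table makes the database subnet unreachable from outside regardless of what any security group says. The two inline security groups declare ingress only, so add egress rules (or a second group) before attaching them to instances that need outbound access.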
I'm following along with a course and I don't really get the difference between an AWS load balancer and an AWS target group. The course kinda talks about them interchangeably. Does an AWS target group include an AWS load balancer? What's the theoretical and practical difference?
In AWS, a load balancer is an actual server (or cluster of servers) managed entirely by Amazon that accepts incoming traffic and routes the traffic across multiple backend servers, thus distributing the load.
A target group is simply a list of target servers that the load balancer should distribute the load to.
You configure the load balancer by telling it to send all traffic that matches a certain pattern (like all traffic that comes in on a certain port, or all traffic that is for a certain domain name) to a specific target group.
Load Balancer - AWS thing.
Target Group - your thing.
A target group is a collection of your own servers (one or more than one server).
The load balancer helps to distribute incoming traffic (API requests etc.) to these different target groups based on rules and listeners.
You need to assign a DNS/domain name to the load balancer; all incoming traffic first comes to this, then it distributes to the target groups' servers.
I am trying to create a load balancer on GCP that will route HTTP and HTTPS traffic to my single instance (I'm just testing things out so I have a single instance that serves http traffic).
My instance will be serving many domains, and these domains are not owned by me but by my clients. I will simply manage the Let's Encrypt SSL certificates for these domains. They will point their domains to my service like a DNS record: service.example.com
Can I still use GCP load balancers for HTTPS traffic with the above considerations? I essentially need the load balancers to pass all SSL traffic to my instances.
I can't seem to figure out how to create a load balancer that will pass SSL traffic to my instances, is this possible?
If your goal is to create a load balancer that passes HTTPS traffic (and HTTP) straight through to a backend instance(s), use the TCP Load Balancer.
Step 1: Create a "regional" static IP address before creating the load balancer. Create the IP address in the same region as your instance.
Step 2: Create a TCP Load Balancer. I will skip the minor details that are obvious.
Backend configuration:
Select Single region only. This will allow you to bypass having instance groups.
Select existing instances -> Select your vm.
Frontend configuration:
Protocol TCP. IP: select the static IP address that you created. Port: 80. Click Done.
Add another frontend. Protocol TCP. IP: same IP address. Port: 443. Click Done.
Once you create the load balancer, wait 5 or 10 minutes for everything to configure and startup.
Now your HTTP and HTTPS traffic will be passed directly to your backend instance(s). Note that this configuration does not use autoscaling, managed instance groups, health checks, etc.
You will manage your SSL certificates on your backend instance(s) (your Compute Engine VMs). The load balancer just passes traffic through with no SSL offload.
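The two steps above as Terraform, added here as an example and not code from the original answer or from Google: a regional static address, a target pool holding the one VM, a TCP forwarding rule for each of ports 80 and 443 on that address, and the VPC firewall rule the VM needs. Inputs are hypothetical (var.project, var.region, var.zone, var.instance_name, var.network), and the VM is assumed to carry the network tag "service-web".

```hcl
# Added example, not part of the original answer: the steps above as Terraform. A regional
# static IP, a target pool holding the single VM, one TCP forwarding rule per port, and the
# firewall rule the VM needs. TLS is not terminated here; the VM keeps its certificates.
# Hypothetical inputs: var.project, var.region, var.zone, var.instance_name, var.network.
variable "project"       { type = string }
variable "region"        { type = string }
variable "zone"          { type = string }
variable "instance_name" { type = string }
variable "network"       { type = string }

# Step 1: a regional static IP in the same region as the instance.
resource "google_compute_address" "lb_ip" {
  name    = "service-lb-ip"
  project = var.project
  region  = var.region
}

# Step 2, backend: a target pool with the existing VM (no instance group, no autoscaling).
resource "google_compute_target_pool" "pool" {
  name      = "service-pool"
  project   = var.project
  region    = var.region
  instances = ["${var.zone}/${var.instance_name}"]
}

# Step 2, frontend: one TCP forwarding rule per port, both on the same static IP.
resource "google_compute_forwarding_rule" "frontend" {
  for_each              = toset(["80", "443"])
  name                  = "service-tcp-${each.key}"
  project               = var.project
  region                = var.region
  ip_address            = google_compute_address.lb_ip.address
  ip_protocol           = "TCP"
  port_range            = each.key
  load_balancing_scheme = "EXTERNAL"
  target                = google_compute_target_pool.pool.self_link
}

# Passthrough means packets reach the VM with the client's source IP, so the VPC
# firewall must admit 80 and 443 from the Internet to instances tagged "service-web".
resource "google_compute_firewall" "allow_web" {
  name    = "service-allow-web"
  project = var.project
  network = var.network
  allow {
    protocol = "tcp"
    ports    = ["80", "443"]
  }
  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["service-web"]
}
```

Because nothing is terminated at the load balancer, the VM's web server does the SNI-based certificate selection for each client domain, and the firewall rule is the only place where exposure is narrowed: keep it to the two ports and the tagged instances rather than the whole network.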
Currently we have a load balancer where a listener listens on HTTPS and then escorts to a target group where our EC2 Windows instance is the target.
Now we have another EC2 instance (Linux). It should be accessible via another subdomain. Do I need a new load balancer (which costs money) or can I use one and split the targets somehow?
You didn't specify which type of load balancer you are using. If you are using an ALB (Application Load Balancer) you can configure "host conditions" to route to different domains.
Based on AWS ALB documentation:
You can use host conditions to define rules that forward requests to different target groups based on the host name in the host header (also known as host-based routing). This enables you to support multiple domains using a single load balancer.
If you are using classic ELB, you need different load balancers to support different domains.
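What the host-condition approach looks like in Terraform, added here as an example (not code from the original answer): the existing ALB and its HTTPS listener are left alone, a second target group is created for the Linux instance, the listener gets an additional certificate for the new subdomain, and a listener rule sends only requests whose Host header matches that subdomain to the new group. Inputs and the subdomain linux.example.com are hypothetical (var.vpc_id, var.listener_arn for the existing HTTPS listener, var.linux_instance_id, var.linux_port, var.linux_certificate_arn).

```hcl
# Added example, not part of the original answer: Terraform that keeps the existing ALB and
# HTTPS listener, adds a target group for the Linux instance, and routes one subdomain to it
# by Host header. Hypothetical inputs: var.vpc_id, var.listener_arn (the existing HTTPS
# listener), var.linux_instance_id, var.linux_port and var.linux_certificate_arn.
variable "vpc_id"                { type = string }
variable "listener_arn"          { type = string }
variable "linux_instance_id"     { type = string }
variable "linux_port"            { type = number }
variable "linux_certificate_arn" { type = string }

resource "aws_lb_target_group" "linux" {
  name     = "linux-app"
  port     = var.linux_port
  protocol = "HTTP"
  vpc_id   = var.vpc_id
}

resource "aws_lb_target_group_attachment" "linux" {
  target_group_arn = aws_lb_target_group.linux.arn
  target_id        = var.linux_instance_id
  port             = var.linux_port
}

# The listener needs a certificate that is valid for the new subdomain; the ALB selects
# it by SNI, so the Windows site's certificate is untouched.
resource "aws_lb_listener_certificate" "linux" {
  listener_arn    = var.listener_arn
  certificate_arn = var.linux_certificate_arn
}

# Only requests whose Host header is linux.example.com go to the Linux target group;
# everything else still hits the listener's default action (the Windows target group).
resource "aws_lb_listener_rule" "linux_host" {
  listener_arn = var.listener_arn
  priority     = 20
  condition {
    host_header {
      values = ["linux.example.com"]
    }
  }
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.linux.arn
  }
}
```

Two checks worth doing after applying it: the new subdomain's DNS record must point at the same ALB, and the Linux instance's security group should admit var.linux_port from the ALB's security group only, so the new host is no more exposed than the Windows one.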