I need an ELB that has a static IP and fronts an auto scaling group.
Looking at the recent announcement, Network Load Balancers can do both of these things. However, when I try setting up an NLB I don't see where to set/get the static IP, nor do I see a way to associate it with an auto scaling group.
When I edit my auto scaling group I search for the NLB previously created in its list of ELBs and the NLB isn't present as a choice.
1) How do I associate an auto scaling group to an NLB?
I'm not sure I understand the concept of target groups with regards to an NLB and auto scaler. If I create a target group, it wants specific instance names or IPs of EC2 instances.
2) Given that those names/IPs change when auto scaler adds/removes instances, how do I know?
3) How/where do I get a static IP for my NLB?
1) use a command like aws autoscaling attach-load-balancers --auto-scaling-group-name my-asg --load-balancer-names my-lb, see http://docs.aws.amazon.com/autoscaling/latest/userguide/attach-load-balancer-asg.html?shortFooter=true
2) you don't need to know, the asg knows
3) attach an Elastic IP, one per subnet the NLB is associated with
OK, figured this out. The sequence is as follows:
Create an empty Target Group
Create a Network Load Balancer. Associate with the empty Target Group
Create an Autoscaling Group with your desired Launch Config, desired counts, and Target Group from above. Leave the Load Balancer empty.
Click on Network Interfaces (left side nav bar in the EC2 services area) and find those associated with your NLB (you can search for the NLB name). The found entries will show the static IP of the NLB.
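The sequence above, written as a CloudFormation template. This is an added example, not code from the original answer; the parameter names, resource names, the t3.micro instance type and the 2 to 4 instance counts are assumptions. The static IP is the Elastic IP passed in each SubnetMappings entry (one per subnet, as the earlier answer says), the target group is created empty, and the Auto Scaling group's TargetGroupARNs property is what registers and deregisters instances in it:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - NLB with one Elastic IP per subnet fronting an Auto Scaling group
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetA:
    Type: AWS::EC2::Subnet::Id          # public subnet in AZ 1 (assumed)
  SubnetB:
    Type: AWS::EC2::Subnet::Id          # public subnet in AZ 2 (assumed)
  ImageId:
    Type: AWS::EC2::Image::Id
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id   # must admit client source ranges (see note below)
Resources:
  EipA:                                 # the static IPs: one Elastic IP per NLB subnet
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  EipB:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  WebTargetGroup:                       # step 1: empty TCP target group
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: TCP
      Port: 80
      TargetType: instance
      HealthCheckProtocol: TCP
  Nlb:                                  # step 2: NLB, each subnet mapping pinned to an EIP
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internet-facing
      SubnetMappings:
        - SubnetId: !Ref SubnetA
          AllocationId: !GetAtt EipA.AllocationId
        - SubnetId: !Ref SubnetB
          AllocationId: !GetAtt EipB.AllocationId
  TcpListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Nlb
      Protocol: TCP
      Port: 80
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref WebTargetGroup
  LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: !Ref ImageId
        InstanceType: t3.micro
        SecurityGroupIds:
          - !Ref InstanceSecurityGroup
  WebAsg:                               # step 3: ASG points at the target group, not the NLB
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier:
        - !Ref SubnetA
        - !Ref SubnetB
      LaunchTemplate:
        LaunchTemplateId: !Ref LaunchTemplate
        Version: !GetAtt LaunchTemplate.LatestVersionNumber
      MinSize: '2'
      MaxSize: '4'
      TargetGroupARNs:
        - !Ref WebTargetGroup
      HealthCheckType: ELB
      HealthCheckGracePeriod: 120
Outputs:
  StaticIps:                            # the addresses step 4 finds under Network Interfaces
    Value: !Join [', ', [!Ref EipA, !Ref EipB]]
```

One caveat for the instance security group: with instance targets an NLB preserves the client's source IP, so the instances' security group has to admit the client ranges you intend to serve (plus the VPC CIDR for the NLB's health checks), rather than referencing a load balancer security group the way you would behind an ALB.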
I am reading up on AWS Auto Scaling Groups and trying to understand (from a network-perspective) how the following resources all fit together:
Auto Scaling Group (ASG)
Application Load Balancer (ALB)
Individual EC2 instances sitting behind the ALB
ALB Listeners
ALB Target Groups
Security Group(s) enforcing which IPs/ports are allowed access to the EC2 instances
I understand what each of these does in theory, but in practice, I'm having trouble seeing the forest through the trees with how they all snap together. For example: do I configure the EC2 instances to be members of the Security Group? Or do I do that at the balancer-level? If I attach the ALB to the Auto Scaling Group, then why would I need to do any additional configuration with an ALB Target Group? When it comes to routing, do I route port 80 traffic to the ALB or the Auto Scale Group?
I know these are lots of small questions, so the main question here is: how do all of these snap together to provide a load balanced web server hosted on EC2 instances? Ultimately I need to configure all of this inside a CloudFormation template, but a diagram or explanation to help me configure everything manually is probably the best place for me to start. Thanks for any help!
do I configure the EC2 instances to be members of the Security Group? Or do I do that at the balancer-level?
The EC2 instances should be a member of one security group. The Load Balancer should be a member of another security group. The Load Balancer's security group should allow incoming traffic from the Internet. The EC2 instances should allow incoming traffic from the load balancer.
If I attach the ALB to the Auto Scaling Group, then why would I need to do any additional configuration with an ALB Target Group?
If you are using an auto-scaling group to create the instances, then you don't have to do any manual updates to the target group, the auto-scaling group will handle those updates for you.
When it comes to routing, do I route port 80 traffic to the ALB or the Auto Scale Group?
An Auto-scaling group is not a resource that exists in your network. It is a construct within AWS that just creates/removes EC2 servers for you based on metrics. The traffic goes to the load balancer, and the load balancer sends it to the EC2 instances in the target group.
I know these are lots of small questions, so the main question here is: how do all of these snap together to provide a load balanced web server hosted on EC2 instances? Ultimately I need to configure all of this inside a CloudFormation template, but a diagram or explanation to help me configure everything manually is probably the best place for me to start.
It's a bit much to ask somebody on here to spend their free time creating a diagram for you. I suggest looking at the AWS reference WordPress implementations which they tend to use for providing reference implementations of auto-scaled web server environments.
See the "WordPress scalable and durable" CloudFormation template example here.
See the AWS WordPress Reference Architecture project here, which includes a diagram.
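Here is how the pieces snap together in a CloudFormation template. This is an added example, not code from the answer above or from the AWS reference templates it links to; the parameter and resource names, the instance type and the group sizes are assumptions. Port 80 traffic is routed to the ALB (LbSg admits it from the Internet), the listener forwards it to an empty target group, the Auto Scaling group's TargetGroupARNs property is the only thing tying the group to the ALB, and instances carry WebSg, which admits traffic from LbSg by security-group reference rather than by IP:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - ALB, listener, target group, Auto Scaling group and two security groups
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnets:
    Type: List<AWS::EC2::Subnet::Id>    # where the ALB nodes live
  PrivateSubnets:
    Type: List<AWS::EC2::Subnet::Id>    # where the ASG launches instances
  ImageId:
    Type: AWS::EC2::Image::Id
Resources:
  LbSg:                                 # Internet -> ALB: open only on the listener port
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Load balancer, reachable from the Internet on port 80
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
  WebSg:                                # ALB -> instances: source is the LB group, not a CIDR
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web instances, reachable only from the load balancer
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref LbSg
  Alb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets: !Ref PublicSubnets
      SecurityGroups:
        - !Ref LbSg
  WebTargetGroup:                       # created empty; the ASG adds and removes members
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTP
      Port: 80
      TargetType: instance
      HealthCheckPath: /
  HttpListener:                         # port 80 on the ALB forwards to the target group
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Alb
      Protocol: HTTP
      Port: 80
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref WebTargetGroup
  LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: !Ref ImageId
        InstanceType: t3.micro
        SecurityGroupIds:
          - !Ref WebSg                  # every instance the ASG launches joins Web-SG
  WebAsg:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier: !Ref PrivateSubnets
      LaunchTemplate:
        LaunchTemplateId: !Ref LaunchTemplate
        Version: !GetAtt LaunchTemplate.LatestVersionNumber
      MinSize: '2'
      MaxSize: '5'
      TargetGroupARNs:
        - !Ref WebTargetGroup           # the only link between the ASG and the ALB
      HealthCheckType: ELB              # replace instances the ALB marks unhealthy
      HealthCheckGracePeriod: 120
Outputs:
  AlbDnsName:
    Value: !GetAtt Alb.DNSName          # alias your DNS record to this, never to the ASG
```

For HTTPS, add a second AWS::ElasticLoadBalancingV2::Listener on port 443 with Protocol HTTPS and a Certificates entry holding an ACM certificate ARN, and open 443 on LbSg; the target group can stay on HTTP 80 inside the VPC or be switched to HTTPS if you want encryption all the way to the instance.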
We know that in order to attach an Application/Network load balancer for an auto-scaling group, we need to attach the target group(s) to the existing Auto-scaling group in order to distribute the load. In the case of the Classic Load Balancer, we directly attach the load balancer to the ASG but in case of an ALB, we do it through the target groups consisting of targets which can be either an instance, IP or a lambda function.
My question is, are the instances in these target groups defined for an ALB and the instances in ASG different? Or are they the same? If they are the same, then do we have to create a new target group again with targets defined as the EC2 instances in ASG? I can't understand the mapping of instances in target-groups to the instances in ASG. I went through the documentation for attaching a load balancer to an existing ASG, but all it says is to select an existing target group.
Are the instances in these target groups defined for an ALB and the instances in ASG different? Or are they the same?
They are the same.
ELB -> Target Group -> EC2 (without ASG)
ELB -> Target Group -> ASG -> EC2 (with ASG).
Please read the link below for details.
If they are the same, then do we have to create a new target group again with targets defined as the EC2 instances in ASG?
This quote is from the AWS document. We need to add the ASG to the ELB, then AWS takes care of the rest.
When you use your Elastic Load Balancing load balancer with an Auto Scaling group, it's not necessary to register your EC2 instances with the load balancer or target group. With Elastic Load Balancing, instances that are launched by your Auto Scaling group are automatically registered with the load balancer or target group, and instances that are terminated by your Auto Scaling group are automatically deregistered from the load balancer or target group.
Ref: https://docs.aws.amazon.com/autoscaling/ec2/userguide/autoscaling-load-balancer.html
Thanks for your time in advance. I am pretty new to AWS and trying to setup a cloud facing application processing HTTP / HTTPS requests.
I have a domain-name (example.com) attached to the Elastic Load Balancer (ELB) and my requirement is just to have an ELB attached to an Auto Scaling group (ASG) which would have a min-max of 2-5 EC2s. Preferably I would want to place my EC2s created by ASG to be placed in a private subnet.
I was following the solution provided here, but as I understand in step 5, it is for connecting the ELB to existing EC2 instances. But my requirement is to attach it to a ASG and hence cannot connect to specific EC2 instances.
I am focusing on just two AZs for now and created a public and private subnet each in both the AZs. After creating the ELB and attaching it to two public subnets, I proceeded for Launch-Configuration & ASG. I would request some clarification on the implication of the following selections while setting up the LC and ASG.
While creating a Launch Configuration for an ASG, in one of the steps (IP Address Type) I have three options, namely:
(1) Give Public IP to new instances if created in default VPC/SubNet
(2) Always Public IP for new instances
(3) No Public IP for new instances.
Which one of the above should be selected given my requirement?
Additional Questions
When selecting the subnets while creating ASG, should I select both public and private subnets or only public SN or only Private SN? My guess was Private subnet only as I wanted to place the EC2 in private SN.
If the EC2s created by the ASG will be deployed in Private SN, what else should be present in the public subnet?
Thanks again for your time and guidance.
Update on 6/13
For the questions I had posted above, I went ahead with choices as below:
While creating a Launch Configuration for an ASG, IP Address Type : No Public IP for new instances.
When selecting the subnets while creating ASG : Only Private SN
I placed a NAT Gateway in the public subnet and updated the routing table of Private Subnet to include a route for 0.0.0.0/0 to NAT
Things are working now!!
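The choices in the update, expressed as a CloudFormation fragment. This is an added example, not from the thread; it assumes the VPC, one public subnet and two private subnets already exist, takes the ALB target group ARN and the web security group as parameters, and the resource names, instance type and group sizes are assumptions:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - ASG in private subnets, no public IPs, NAT gateway for outbound traffic
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetA:
    Type: AWS::EC2::Subnet::Id          # hosts the NAT gateway (the ELB nodes also live in public subnets)
  PrivateSubnetA:
    Type: AWS::EC2::Subnet::Id
  PrivateSubnetB:
    Type: AWS::EC2::Subnet::Id
  ImageId:
    Type: AWS::EC2::Image::Id
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id   # admits traffic from the ELB's security group
  TargetGroupArn:
    Type: String                        # ARN of the ALB target group created elsewhere
Resources:
  NatEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  NatGateway:                           # placed in the public subnet
    Type: AWS::EC2::NatGateway
    Properties:
      SubnetId: !Ref PublicSubnetA
      AllocationId: !GetAtt NatEip.AllocationId
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId
  PrivateDefaultRoute:                  # 0.0.0.0/0 -> NAT: outbound only, no inbound path from the Internet
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  PrivateSubnetAAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetA
      RouteTableId: !Ref PrivateRouteTable
  PrivateSubnetBAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetB
      RouteTableId: !Ref PrivateRouteTable
  LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: !Ref ImageId
        InstanceType: t3.micro
        NetworkInterfaces:
          - DeviceIndex: 0
            AssociatePublicIpAddress: false   # "No Public IP for new instances"
            Groups:
              - !Ref WebSecurityGroup
  WebAsg:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier:                # "Only Private SN"
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB
      LaunchTemplate:
        LaunchTemplateId: !Ref LaunchTemplate
        Version: !GetAtt LaunchTemplate.LatestVersionNumber
      MinSize: '2'
      MaxSize: '5'
      TargetGroupARNs:
        - !Ref TargetGroupArn
```

The NAT gateway is only needed for connections the instances open themselves (package updates, calls to external APIs); inbound traffic from the ELB and its health checks reach the private subnets directly because the ELB nodes sit inside the same VPC. A single NAT gateway in one AZ is also a single point of failure for egress, so for production put one in each AZ and give each private subnet a route table pointing at the NAT in its own AZ.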
You can find the AWS document on attaching to an autoscaling group here. You attach the ELB to the ASG, or if it's an application load balancer you attach the target group for your ALB to the ASG:
To attach a load balancer to a group
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
On the navigation pane, under Auto Scaling, choose Auto Scaling Groups.
Select your group.
On the Details tab, choose Edit.
Do one of the following:
[Classic Load Balancers] For Load Balancers, select your load balancer.
[Target groups] For Target Groups, select your target group.
Choose Save.
You do not need public IP addresses if your instances will be behind an ELB. You should also launch them in a private subnet. Your ELB will be in public subnets and relay communications to your instances in those private subnets. The ELB will also be assigned a DNS name you alias to a custom DNS name of your own.
From the docs above, you can also attach and detach using the CLI:
To attach a Classic Load Balancer
Use the following attach-load-balancers command to attach the specified load balancer to your Auto Scaling group:
aws autoscaling attach-load-balancers --auto-scaling-group-name my-asg --load-balancer-names my-lb
To attach to a target group
Use the following attach-load-balancer-target-groups command to attach the specified target group to your Auto Scaling group:
aws autoscaling attach-load-balancer-target-groups --auto-scaling-group-name my-asg --target-group-arns my-targetgroup-arn
To detach a Classic Load Balancer
Use the following detach-load-balancers command to detach a load balancer from your Auto Scaling group if you no longer need it:
aws autoscaling detach-load-balancers --auto-scaling-group-name my-asg --load-balancer-names my-lb
To detach a target group
Use the following detach-load-balancer-target-groups command to detach a target group from your Auto Scaling group if you no longer need it:
aws autoscaling detach-load-balancer-target-groups --auto-scaling-group-name my-asg --target-group-arns my-targetgroup-arn
ELB: Elastic Load Balancer
ALB: Application Load Balancer
I am trying to map elb/alb on aws to another elb (ex: http://my-elb-domain.com),
elb/alb -> elb
in alb: I didn't find a way to register elb as targets.
in elb: only maps to instances
This is not possible.
Both the Classic Load Balancer and Target Groups for the Application Load Balancer only accept Amazon EC2 instances as targets.
Explanation
We have found a roundabout way to accomplish this via the AWS CLI, and are currently using it in production to route traffic. Note that the solution below ends up routing to the same instances behind an ELB, but not through the ELB itself. Here's how it works:
When created, an Elastic Beanstalk environment comes with an automatically generated Auto Scaling group
An auto-scaling group can be attached to up to 10 target groups via the CLI
That target group can be the direct target of an ALB
Visual Flow
Traffic -> ALB -> Target Group -> Autoscaling Group -> Same Instances ELB Points To
Setup Instructions
Create an Elastic Beanstalk application
Get the name of the Autoscaling group generated for the Elastic Beanstalk app
Create a target group (with no targets), save the ARN for the target group.
Create your ALB, setting its target to the target group created in step #3
Attach the target group to your Autoscaling group via the AWS CLI
aws autoscaling attach-load-balancer-target-groups --auto-scaling-group-name {AutoScalingGroupName} --target-group-arns {TargetGroupARN}
No. You can't map one ELB to another ELB directly.
I want to launch a single ec2 instance. The challenge that I am facing is I need to configure security group for this instance and I want only the instances coming from an Auto scale group to be allowed to access this. How do I set the inbound in such a case, since the instances coming from an Auto Scale will vary?
Security groups can refer to each other.
For example, if you had a load Balancer and an Auto Scaling group of Amazon EC2 instances, you would need to create two security groups:
A Load Balancer security group (let's call it LB-SG)
A Web Server security group (Web-SG) that is referenced by the Auto Scaling launch configuration
Configure your Web-SG to permit incoming traffic from the LB-SG. This can be referenced by name or by sg-xxxx identifier.
Permitting traffic from another security group is a way of saying "permit traffic from any instance that is associated with that security group". This includes the security group assigned to instances from Auto Scaling.
If you have another instance that should accept incoming traffic from instances in the auto scaling group, create another security group (e.g. Backend-SG) and permit incoming traffic from Web-SG.
Here is a sample diagram from a Rackspace article on Network Segregation in AWS. Notice how each security group refers to the one 'above' it:
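The Backend-SG pattern from this answer, applied to the single instance in the question, as a CloudFormation fragment. This is an added example, not code from the answer; it assumes Web-SG (the group on the Auto Scaling launch configuration) already exists and is passed in as a parameter, and the backend port 8080 and the resource names are assumptions:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - a single backend instance reachable only from Auto Scaling instances in Web-SG
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  WebSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id   # the existing Web-SG used by the Auto Scaling launch config
  BackendSubnet:
    Type: AWS::EC2::Subnet::Id          # a private subnet is assumed
  ImageId:
    Type: AWS::EC2::Image::Id
Resources:
  BackendSg:                            # Backend-SG: the only inbound rule references Web-SG
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Backend, reachable on 8080 only from members of Web-SG
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          SourceSecurityGroupId: !Ref WebSecurityGroupId   # matches any instance in Web-SG, current or future
  BackendInstance:                      # the single EC2 instance from the question
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: t3.micro
      SubnetId: !Ref BackendSubnet
      SecurityGroupIds:
        - !Ref BackendSg
Outputs:
  BackendPrivateIp:
    Value: !GetAtt BackendInstance.PrivateIp
```

The equivalent CLI call for the rule alone is aws ec2 authorize-security-group-ingress --group-id <backend-sg-id> --protocol tcp --port 8080 --source-group <web-sg-id>. One caveat: a security-group source rule is matched against the private IP of the sending instance, so it only works for traffic that stays inside the VPC; a connection that leaves through a NAT gateway or arrives from the instance's public IP does not match and is dropped.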
You can add the source ID of load balancer security group in the inbound rule for needed protocols (HTTP, HTTPs). Then delete all the other inbound rules.
Ref: AWS Documentation