Testing classic internal ELB - amazon-web-services

I have configured and passed the health check for my AWS ELB (load balancer), but when I tried to ping or send a packet to TCP port 9300, there was no IP address for the ELB.
I have an EC2 instance at the end of the ELB which has Elasticsearch running on it.
The ELB that I configured is an internal ELB so it doesn't have a public IP address for it.
I was wondering if there is a way I can SSH to it, or do something to ping the ELB?
I am pretty new to AWS and read all the troubleshooting from the AWS official website, but couldn't find a solution.
The goal that I am trying to achieve is to test whether my internal Amazon EC2 load Balancer is working properly.
I got the internal ELB IP address with the ping command; however, I am not able to ping or curl that IP address.
I want to know what I am doing wrong.
Is the way that I want to access a private network incorrect?

An Elastic Load Balancer is presented as a single service, but actually consists of several Load Balancing servers spread across the subnets and Availability Zones you nominate.
When connecting to an Elastic Load Balancer, you should always use the DNS Name of the Elastic Load Balancer. This will then resolve into one of the several servers that are providing the load balancing service.
Load Balancers are designed to pass requests and return responses. The next time a user sends a request, it might be sent to a different back-end service. Thus, it is good for web-type traffic but not suitable for situations requiring a permanent connection, such as SSH. You can configure sticky sessions for HTTP connections that will use cookies to send the user to the same back-end server if required.
The classic Elastic Load Balancer also supports TCP protocol, but these requests are distributed in a round-robin fashion to the back-end servers so they are also not suitable for long-lasting sessions.
Bottom line: They are great for request/response traffic that needs to be distributed across multiple back-end servers. They are not suitable for SSH.
Side note: Using ping to test services often isn't a good idea. Ping is turned off in Security Groups by default since it can expose services and isn't good from a security perspective. You should test connectivity by connecting via the expected protocols (e.g. HTTP requests) rather than using ping. This applies to testing EC2 connectivity, too.
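Testing the ELB the way this answer recommends, as an added example that is not part of the original post: resolve the ELB's DNS name to the addresses of its nodes and complete a real TCP handshake on the listener port rather than pinging. The DNS name under `__main__` is a placeholder; the loopback self-test runs entirely offline.

```python
"""Check an internal ELB listener the way the answer recommends: resolve the
ELB's DNS name (one address per load-balancer node) and complete a real TCP
handshake on the listener port instead of pinging. Added example, not from the
original post; the DNS name under __main__ is a placeholder."""
import socket

def resolve_all(dns_name):
    """Every IPv4 address the ELB DNS name resolves to right now."""
    infos = socket.getaddrinfo(dns_name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def tcp_handshake_ok(addr, port, timeout=3.0):
    """True if addr:port accepts a TCP connection within timeout.
    A closed port or a security group without the rule yields False."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_elb_listener(dns_name, port, timeout=3.0):
    """Map each ELB node address to whether the listener accepted a connection."""
    return {addr: tcp_handshake_ok(addr, port, timeout) for addr in resolve_all(dns_name)}

def loopback_selftest():
    """Offline demonstration: one listening port, one port that nothing listens on."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # port released: connects to it are now refused
    try:
        return (check_elb_listener("127.0.0.1", open_port),
                check_elb_listener("127.0.0.1", closed_port))
    finally:
        listener.close()

if __name__ == "__main__":
    # Placeholder name: substitute the DNS name shown in the ELB console.
    for addr, ok in check_elb_listener("PLACEHOLDER-internal-elb.elb.amazonaws.com", 9300).items():
        print(f"{addr}:9300 {'open' if ok else 'unreachable'}")
```

Run it from an instance inside the VPC, since an internal ELB's name resolves to private addresses that are only reachable there.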

Related

Do I need to configure certs on nginx itself if nginx is inside ec2 instance on loadbalancer which can only be accessed using https?

I have the cert applied on the load balancer, and HTTPS works fine, but I am wondering if I need to add the certs to nginx itself, which seems overkill, but I am not sure.
No. One of the benefits of using a Load Balancer is that you can hide your EC2 from the public internet, making it less open and more secure.
Therefore, it is normal practice to use HTTP between your EC2 and load balancers, since they are in the same AWS Region (a safe and trusted internal environment).
By doing this you will also increase performance, because the HTTPS network overhead is only incurred once, in the load balancer, not twice. Your EC2 will focus its CPU resources on running the application logic instead.
The Load Balancer is also highly available and can be configured to work with CloudFront and WAF for security and anti-DDoS controls.
No, you don't have to do this. The reason is that your load balancer (LB) is going to terminate the HTTPS connection, decrypt it using an SSL certificate you've deployed on it, and then forward an HTTP connection to your EC2 instance(s).
Therefore, typical connections for LB with HTTPS have the following form:
client ---(HTTPS)---->LB---(HTTP)--->EC2 instance
This configuration is suited for most use cases, as the HTTP traffic is happening within the AWS private network, not over the internet.

Service discovery vs load balancing

I am trying to understand in which scenario I should pick a service registry over a load balancer.
From my understanding both solutions are covering the same functionality.
For instance if we consider consul.io as a feature list we have:
Service Discovery
Health Checking
Key/Value Store
Multi Datacenter
Whereas a load balancer like Amazon ELB, for instance, has:
configurable to accept traffic only from your load balancer
accept traffic using the following protocols: HTTP, HTTPS (secure HTTP), TCP, and SSL (secure TCP)
distribute requests to EC2 instances in multiple Availability Zones
The number of connections scales with the number of concurrent requests that the load balancer receives
configure the health checks that Elastic Load Balancing uses to monitor the health of the EC2 instances registered with the load balancer so that it can send requests only to the healthy instances
You can use end-to-end traffic encryption on those networks that use secure (HTTPS/SSL) connections
[EC2-VPC] You can create an Internet-facing load balancer, which takes requests from clients over the Internet and routes them to your EC2 instances, or an internal-facing load balancer, which takes requests from clients in your VPC and routes them to EC2 instances in your private subnets. Load balancers in EC2-Classic are always Internet-facing.
[EC2-Classic] Load balancers for EC2-Classic support both IPv4 and IPv6 addresses. Load balancers for a VPC do not support IPv6 addresses.
You can monitor your load balancer using CloudWatch metrics, access logs, and AWS CloudTrail.
You can associate your Internet-facing load balancer with your domain name.
etc.
So in this scenario I am failing to understand why I would pick something like consul.io or netflix eureka over Amazon ELB for service discovery.
I have a hunch that this might be due to implementing client side service discovery vs server side service discovery, but I am not quite sure.
You should think about it as client side load balancing versus dedicated load balancing.
Client side load balancers include Baker Street (http://bakerstreet.io); SmartStack (http://nerds.airbnb.com/smartstack-service-discovery-cloud/); or Consul HA Proxy (https://hashicorp.com/blog/haproxy-with-consul.html).
Client side LBs use a service discovery component (Baker Street uses a stateless pub/sub service discovery mechanism; SmartStack uses ZooKeeper; Consul HA Proxy uses Consul) as part of their implementation, but they provide the health checking / end-to-end functionality you're probably looking for.
AWS ELB and Eureka differ at many points:
Edge Services vs Mid-tier Services
AWS ELB is a load balancing solution for edge services exposed to end-user web traffic. Eureka fills the need for mid-tier load balancing.
Mid-tier server refers to an application server that sits between the user's machine and the database server where the processing takes place in. The middle tier server performs the business logic.
While you can theoretically put your mid-tier services behind the AWS ELB, in EC2 Classic you expose them to the outside world, thereby losing all the usefulness of the AWS security groups.
Dedicated vs Client side Load Balancing
AWS ELB is also a traditional proxy-based load balancing solution whereas with Eureka it is different in that the load balancing happens at the instance/server/host level in a round robin fashion. The client instances know all the information about which servers they need to talk to.
If you are looking for a sticky user session (all requests from a user during the session are sent to the same instance) based load balancing which AWS now offers, Eureka does not offer a solution out of the box.
Load Balancer Outages
Another important aspect that differentiates proxy-based load balancing from load balancing using Eureka is that your application can be resilient to the outages of the load balancers since the information regarding the available servers is cached on the Eureka client.
This does require a small amount of memory but buys better resiliency. The Eureka client gets all the registry information at once and, in subsequent requests to the Eureka server, it only receives the delta, i.e. the changes in the registry information rather than the whole registry. Also, Eureka servers can operate in cluster mode, where each peer is not affected by the performance of other peers.
Scale and convenience
Also, imagine 1000s of microservices running, each having multiple instances. You will require 1000 ELBs, one for each of the microservices, or something like HAProxy that sits behind the ELB to make layer 7 decisions based on the hostname, etc. and then forward the traffic to a subset of instances. With Eureka, you only play with the application name, which is far less complicated.
A Service Discovery component usually has a notification component. It is not a load balancer, even though some might have the capability to do so. It can notify registered clients about changes, for example a load balancer going down.
A client can query a service discovery/registry to get a load balancer that is running, whereas a load balancer does not notify a client when it is down.
You should also read about EUREKA
Amazon ELB provides the EC2 instances to your service requests based on the load balancer, and the IP addresses of the EC2 instances are not consistent, so you can also use EUREKA, which does the same job but is based on a service registry and client-side load balancing, in which the application client for each region has the registry.
You can read more about it here:
https://github.com/Netflix/eureka/wiki/Eureka-at-a-glance
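The cached-registry, delta-update and client-side round-robin behaviour that the answers above attribute to Eureka, modelled in a few lines of Python. This is an added illustration of the concept, not Netflix's Eureka client; the registry snapshot and delta are constructed.

```python
"""Client-side load balancing in the Eureka style: one full registry fetch,
deltas afterwards, and round-robin over the local cache so requests keep
flowing during a registry outage. Simplified model, not Eureka's own code."""
from itertools import cycle

class RegistryClient:
    def __init__(self, full_registry):
        # full_registry: {app_name: [host:port, ...]} as returned by the first fetch
        self.registry = {app: set(hosts) for app, hosts in full_registry.items()}
        self._rotation = {}

    def apply_delta(self, delta):
        """Apply a delta of (action, app, host) tuples; only changes are shipped."""
        for action, app, host in delta:
            hosts = self.registry.setdefault(app, set())
            if action == "ADDED":
                hosts.add(host)
            elif action == "DELETED":
                hosts.discard(host)
            else:
                raise ValueError(f"unknown delta action {action!r}")
            self._rotation.pop(app, None)  # restart rotation over the new membership

    def next_instance(self, app):
        """Pick the next cached instance; no registry call, so it survives an outage."""
        hosts = sorted(self.registry.get(app, ()))
        if not hosts:
            raise LookupError(f"no instances cached for {app!r}")
        if app not in self._rotation:
            self._rotation[app] = cycle(hosts)
        return next(self._rotation[app])

# Constructed registry snapshot: private addresses of two "orders" instances.
FULL_FETCH = {"orders": ["10.0.1.11:8080", "10.0.1.12:8080"]}

def demo():
    """Three picks from the cache, a delta that replaces one instance, three more picks."""
    client = RegistryClient(FULL_FETCH)
    before = [client.next_instance("orders") for _ in range(3)]
    client.apply_delta([("DELETED", "orders", "10.0.1.11:8080"),
                        ("ADDED", "orders", "10.0.1.13:8080")])
    after = [client.next_instance("orders") for _ in range(3)]
    return before, after
```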

SMTP through HAProxy / Elastic Beanstalk

Kind of an unusual setting here:
We have an SMTP service running on Tomcat / Elastic Beanstalk on AWS in an auto-scaling group behind an ELB load-balancer.
Now, for one of our clients we need to have a static IP for the SMTP service. Since this is not possible with the out-of-the-box load balancer on AWS, we have a separate HAProxy instance transparently routing the :25 traffic through the AWS load balancer.
For some reason, the HAProxy chokes after exactly 3 SMTP calls. After that connections either time out or take minutes to go through.
The interesting part is that the following configurations work perfectly fine:
Calling the SMTP service on the AWS load-balancer directly
Load-balancing the Elastic Beanstalk's nodes through HAProxy directly.
The target setting with HTTP calls on port 80, instead of SMTP on port 25
Help is really appreciated
That sounds like EC2 rate limiting what appears -- to the system -- to be "outbound" SMTP from your HAProxy instance.
You're accessing the ELB from the HAProxy by one of its outside addresses, and this is causing your traffic to be treated as Internet-bound.
In order to maintain the quality of Amazon EC2 addresses for sending email, we enforce default limits on the amount of email that can be sent from EC2 accounts. If you wish to send larger amounts of email from EC2, you can apply to have these limits removed from your account by filling out this form.
https://portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/ec2-email-limit-rdns-request
One solution is to have those limits removed, but consider your next step carefully -- you'd be better served by load-balancing the EB nodes through the HAProxy directly, using the nodes' private IP addresses -- because there is a charge for traffic to your ELB from within EC2 on the public IP.
Data Transfer OUT From Amazon EC2 To ... Amazon Elastic Load Balancing ... in the same Availability Zone ... Using a public or Elastic IP address ... $0.01/GB.
http://aws.amazon.com/ec2/pricing/
Not a massive charge, perhaps, but it should be an avoidable charge nonetheless.
Additionally, there's no way to configure HAProxy to look up the IP address behind the hostname you've configured for the ELB with each request. HAProxy resolves hostnames on startup and if the ELB's IP address changes, HAProxy will not detect this change.
On the flip side, you can't reliably configure HAProxy to directly connect to the EB instances, since they're dynamically addressed as well.
The simplest way to prove that my diagnosis is correct is to set the ELB's TCP listener on another port, such as 587 (or 2025, or whatever), mapped to port 25 on the EB instances. Then have the HAProxy target the traffic to port 587. That should eliminate the EC2 rate limiting on SMTP, although you do still have an issue to deal with if the ELB's external IP changes.

Load balancer in EC2 AWS

I am working on AWS. I have a doubt regarding how many applications a load balancer can support.
Like, if I have an application whose traffic is routed and managed by one load balancer, can I use that LB for another application as well?
Also, if I can use that ELB for other applications, how will the ELB know which traffic should be routed to Application A's server and which to Application B's server?
Thanks
I think you may be misunderstanding the role of the load balancer. The whole point of a load balancer is that any of the servers behind it can provide any of the services. By setting it up this way you ensure that the failure of any one server will not affect availability of the service.
You can load balance any TCP service such as HTTP just by adding it as a "listener" for the ELB. The ELB can therefore support as many applications as you want to forward to the servers behind it.
If you set up an image of a server that provides all the services you need, you can even have the ELB auto scale the number of servers up and down by launching or terminating instances from that image as the load varies.

How to get client IP behind an AWS ELB?

With a webserver (apache or nginx) I am able to find the x-forwarded-for header and find the client IP rather than the ELB's IP.
Can I do the same thing using IPTables so that I am able to block certain IP addresses?
I can do this at the webserver level. However, I think this is a bit inefficient and I am hoping I can achieve this with IP Tables or something similar?
Since July 30th, ELB supports Proxy Protocol. As stated at the end of this thread in the AWS forum:
Elastic Load Balancing (ELB) now supports Proxy Protocol version 1.
This feature allows you to identify the client's connection information when using TCP load balancing, providing additional insight into visitors to your applications. Having this information can be useful for analyzing traffic logs, gathering connection statistics, troubleshooting, or managing whitelists of IP addresses.
You must enable Proxy Protocol in the ELB.
The developers guide has more information about Proxy Protocol.
You can't do this with iptables, because iptables will only ever see the IP address of the elastic load balancer, since the ELB is what is establishing the connections to your instance.
Using the web server to block certain x-forwarded-for values isn't particularly inefficient, but if you want to control who can access your ELB by IP address, that can also be accomplished with the Security Group attached to the ELB.
Update: Your comment is partially correct, because, at least as of now, ELB on EC2 "classic" does not support an inbound security group or network access control list, but ELB on VPC does.
Q: Can I configure a security group for the front-end of the Elastic Load Balancer?
If you are using Amazon Virtual Private Cloud, you can configure security groups for the front-end of your Elastic Load Balancer. — http://aws.amazon.com/ec2/faqs/#ELB6
Security groups are easiest to use when you need to allow a relatively small set of specific IP address ranges. If you want to allow most but block a few, then a VPC Network Access Control List is the easier approach.
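Recovering the client IP on the instance from the Proxy Protocol v1 header mentioned in the first answer, and applying the per-IP blocking the second answer says iptables cannot do (iptables only ever sees the ELB's address). This is an added example, not code from either answer; the header bytes and the deny list are constructed.

```python
"""Recover the client IP behind a TCP ELB from the PROXY protocol v1 header the
ELB prepends once Proxy Protocol is enabled, then apply an application-level
deny list (iptables only ever sees the ELB's address). Added example, not from
the original answers; the header bytes and deny list are constructed."""
import ipaddress

MAX_HEADER = 107  # longest legal v1 header line, CRLF included

def parse_proxy_v1(data):
    """Return (client_ip, client_port, remaining_payload); ValueError if malformed."""
    end = data.find(b"\r\n", 0, MAX_HEADER)
    if end == -1 or not data.startswith(b"PROXY "):
        raise ValueError("missing, oversized or non-PROXY header")
    fields = data[:end].decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":
        return None, None, data[end + 2:]  # allowed by the spec: no client address
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"bad PROXY header fields: {fields}")
    _, family, src, _dst, sport, _dport = fields
    ip = ipaddress.ip_address(src)
    if (family == "TCP4") != (ip.version == 4):
        raise ValueError("address family does not match source address")
    port = int(sport)
    if not 0 < port < 65536:
        raise ValueError("bad source port")
    return ip, port, data[end + 2:]

def rejects(data):
    """True if the header is rejected rather than trusted."""
    try:
        parse_proxy_v1(data)
        return False
    except ValueError:
        return True

# Constructed deny list (TEST-NET ranges). Trust the header only because the
# instance's security group admits connections from the ELB alone.
DENYLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

def is_denied(client_ip, denylist=DENYLIST):
    return any(client_ip in net for net in denylist)

# Constructed first bytes of a connection: header, then the real request.
SAMPLE = b"PROXY TCP4 203.0.113.45 10.0.1.10 51234 9300\r\nGET / HTTP/1.0\r\n\r\n"

def handle(first_bytes):
    """Decision an accept() handler would make before reading the request."""
    ip, port, _payload = parse_proxy_v1(first_bytes)
    if ip is None:
        return "no client address"
    return "denied" if is_denied(ip) else f"allowed {ip}:{port}"
```

The parser rejects a header it cannot validate instead of falling back to the peer address, which would be the ELB's own IP and would silently bypass the deny list.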