I want to clarify your question first. I think it is "I want to connect to the NLB using api.example.com as the DNS name rather than the default NLB name; and I want the ALB to do the TLS offload using api.example.com as the certificate name."

If that's the case, what you need to do is create a DNS record (in Route 53 or your DNS provider) for api.example.com and point that to the IP addresses of the NLB. Configure the NLB for TCP/443 (not HTTPS) because then it will forward the TCP session to the ALB.

Now the clients can resolve api.example.com to the NLB IP address, which connects to the ALB, which then presents the correct certificate.
Hi @rePost-User-2569874,
Elastic Load Balancing now supports forwarding traffic directly from Network Load Balancer (NLB) to Application Load Balancer (ALB). With this feature, you can now use AWS PrivateLink and expose static IP addresses for applications built on ALB
- Create a Network Load Balancer, and configure the Application Load Balancer as its target https://docs.aws.amazon.com/elasticloadbalancing/latest/network/application-load-balancer-target.html
- Enable VPC endpoint services (AWS PrivateLink) https://docs.aws.amazon.com/elasticloadbalancing/latest/network/application-load-balancer-target.html
If the answer is helpful, please click Accept Answer & UPVOTE; this can be beneficial to other community members.
Hi @learn2skills,
Could you please elaborate on why enabling VPC endpoint services is needed?

As per the docs: "To use the Network Load Balancer that you set up in the previous step as an endpoint for private connectivity, you can enable AWS PrivateLink. This establishes a private connection to your load balancer as an endpoint service."

I'm confused as to why I would need private connectivity to my NLB, as per the definition: "AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet." I am exposing the NLB to the public internet, and I am trying to understand whether or not I can use HTTPS listener rules on the ALB.
You need 2 listeners on the NLB and 2 ALB target groups:

- TCP 80 listener on the NLB forwards traffic to the TCP 80 ALB target group.
- TCP 443 listener on the NLB forwards traffic to the TCP 443 ALB target group.

Then you can have the HTTP to HTTPS redirect at the ALB level.
Works for me.
This is what I love about AWS - there's always something new to learn even when you work here. Good info in the documentation that you've shown. You definitely want a TCP listener on NLB because you want it to pass the session directly through to the ALB. The ALB must be configured to listen for HTTPS. I'm not sure where that error is coming from but some extra debug output might be handy here.
Well, I researched that error and it got me thinking even more: https://aws.amazon.com/premiumsupport/knowledge-center/elb-fix-ssl-tls-negotiation-error/

"A client TLS negotiation error means that a TLS connection initiated by the client was unable to establish a session with the load balancer. TLS negotiation errors occur when clients try to connect to a load balancer using a protocol or cipher that the load balancer's security policy doesn't support."

So it feels like I am back where I started. I have to try again and check Client TLS Negotiation Errors on the Monitoring tab. Still not quite sure whether or not this is possible.
You are interpreting it correctly, yes. I already have a record in Route 53, but I tried to set up not TCP/443 but TLS/443 on the NLB; however, this is when things don't work:

"TLS listeners on Network Load Balancers cannot forward to ALB-type target groups. If you have a use case to terminate TLS, we recommend using HTTPS listeners on your ALB"

as mentioned here: https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/

Then in the docs (https://docs.aws.amazon.com/elasticloadbalancing/latest/network/application-load-balancer-target.html), I've found under Step 3, 7a:

"For Listeners, the default is a listener that accepts TCP traffic on port 80. Only TCP listeners can forward traffic to an Application Load Balancer target group. Keep the listener protocol set to TCP, but you can modify the port as required. This setup allows you to use HTTPS listeners on the Application Load Balancer to terminate the TLS protocol."

I tried setting up forwarding from the HTTP rule to the HTTPS rule, but that doesn't work. Now, if I try what you suggested (TCP/443 on the NLB), I get an SSL error:

error:1408F10B:SSL routines:ssl3_get_record:wrong version number

What the NLB should do when you select TCP/443 is send traffic directly to the ALB without modifying the payload. What happens if you try and connect to the ALB directly? You might have to (temporarily) set up an EC2 instance in the VPC to do that, but it's worth trying.
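The "connect to the ALB directly and compare" check suggested above, as an added example that is not part of this thread: a small TLS probe that performs one handshake against a hostname with a chosen SNI and maps the OpenSSL failure reason to what it usually means in the NLB TCP/443 to ALB target group setup. The hostnames in the `__main__` block are constructed placeholders, and the hint strings are this example's own interpretation, not AWS documentation text.

```python
import socket
import ssl
from typing import Optional

# OpenSSL reason codes (ssl.SSLError.reason) mapped to what they usually mean
# when the client is talking to an NLB TCP/443 listener that forwards to an ALB
# target group. Hints are this example's own interpretation, not AWS text.
REASON_HINTS = {
    # The first bytes back were not a TLS record header: the peer is speaking
    # plaintext HTTP (typically 'HTTP/1.1 400 Bad Request'), so TCP/443 on the
    # NLB is landing on the ALB's HTTP:80 listener instead of HTTPS:443.
    "WRONG_VERSION_NUMBER": "plaintext reply: NLB 443 target group is not "
                            "pointing at the ALB's HTTPS:443 listener",
    # The peer is a TLS server but rejected our offer: security policy mismatch.
    "SSLV3_ALERT_HANDSHAKE_FAILURE": "TLS server, but no cipher/version overlap "
                                     "with the ALB security policy",
    "TLSV1_ALERT_PROTOCOL_VERSION": "TLS server, but it refuses this TLS version",
    # Connection dropped before any handshake record arrived.
    "UNEXPECTED_EOF_WHILE_READING": "closed before handshake: check NLB target "
                                    "health and the listener/target-group pairing",
}


def diagnose(reason: Optional[str]) -> str:
    """Translate an OpenSSL reason code into a hint; unknown codes pass through."""
    if not reason:
        return "tls-error(no reason reported)"
    return REASON_HINTS.get(reason, f"tls-error({reason})")


def probe(host: str, port: int = 443, sni: Optional[str] = None,
          timeout: float = 5.0) -> str:
    """Attempt one TLS handshake with host:port offering `sni`; report the outcome.

    Run it against the NLB name and against the ALB's own DNS name with the same
    SNI (e.g. api.example.com): if only the NLB path yields the plaintext hint,
    the fault is the NLB listener/target-group pairing, not the ALB.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnosis only: we want the handshake
    ctx.verify_mode = ssl.CERT_NONE  # outcome, not a trust decision
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
                return f"tls-ok({tls.version()})"
    except ssl.SSLError as exc:  # must precede OSError: SSLError is a subclass
        return diagnose(getattr(exc, "reason", None))
    except OSError as exc:
        return f"tcp-error({exc})"


if __name__ == "__main__":
    # Constructed placeholder names; substitute the real NLB and ALB hostnames.
    for target in ("nlb-example.elb.amazonaws.com", "alb-example.elb.amazonaws.com"):
        print(target, "->", probe(target, sni="api.example.com"))
```

Seeing `tls-ok` against the ALB name but the plaintext hint against the NLB name reproduces the `wrong version number` error above and points at the port 443 target group rather than at the certificate or security policy.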