Hi, @Saru
I understand that you need an L7 load balancer and a static IP address.
You can configure NLB --ALB --EC2.
Add two listeners to the NLB. (Separate target groups)
1: TCP443 targeting ALB
2: TCP80 targeting ALB
Add two listeners to ALB.
1: Transfer to the ASG target group via HTTPS 443
2: HTTP 80, which redirects to HTTPS
I was able to configure the above.
Please let me know if there are any parts that you cannot set up.
In addition, you can also use the Global Accelerator to associate a static IP address with the ALB as an additional option.
https://docs.aws.amazon.com/global-accelerator/latest/dg/about-accelerators.alb-accelerator.html
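The layout in the reply above (NLB with two TCP listeners in front of an ALB that terminates TLS, redirects 80 to 443 and forwards to an Auto Scaling group) written out as a CloudFormation template. This is an added example, not iwasa's template or the one from the linked article; the resource and parameter names are assumptions, and the certificate and launch-template parameters are placeholders to fill in. Two details matter for the HTTPS path: the NLB's 443 listener is plain TCP forwarding to the ALB's port 443 (the ALB holds the certificate and does the handshake), and the domain's DNS record points at the NLB so the hostname the browser sends matches that certificate.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example, not the thread's template - NLB with static IPs in front of an internal ALB and an ASG

Parameters:
  VpcId:              {Type: AWS::EC2::VPC::Id}
  PublicSubnetIds:    {Type: "List<AWS::EC2::Subnet::Id>"}   # two AZs, one Elastic IP each
  PrivateSubnetIds:   {Type: "List<AWS::EC2::Subnet::Id>"}
  AlbSecurityGroupId: {Type: AWS::EC2::SecurityGroup::Id}    # must allow TCP 80/443 from the clients' own source IPs
  CertificateArn:     {Type: String}   # placeholder: ACM certificate for the domain whose DNS points at the NLB
  LaunchTemplateId:   {Type: String}   # placeholder: launch template for the web instances

Resources:
  # The static addresses live on the NLB: one Elastic IP per AZ.
  EipA: {Type: AWS::EC2::EIP, Properties: {Domain: vpc}}
  EipB: {Type: AWS::EC2::EIP, Properties: {Domain: vpc}}
  Nlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internet-facing
      SubnetMappings:
        - SubnetId: !Select [0, !Ref PublicSubnetIds]
          AllocationId: !GetAtt EipA.AllocationId
        - SubnetId: !Select [1, !Ref PublicSubnetIds]
          AllocationId: !GetAtt EipB.AllocationId

  # The ALB is internal: nothing reaches it except through the NLB.
  Alb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internal
      Subnets: !Ref PrivateSubnetIds
      SecurityGroups: [!Ref AlbSecurityGroupId]

  # NLB listener 1: TCP 443 passed through to the ALB's port 443. Keep it TCP, not TLS, so the
  # ALB terminates the handshake. An ALB can only be registered once it has a listener on that port.
  NlbTg443:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    DependsOn: AlbHttps
    Properties:
      TargetType: alb
      Protocol: TCP
      Port: 443
      VpcId: !Ref VpcId
      HealthCheckProtocol: HTTPS
      Targets: [{Id: !Ref Alb, Port: 443}]
  NlbListener443:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties: {LoadBalancerArn: !Ref Nlb, Port: 443, Protocol: TCP,
                 DefaultActions: [{Type: forward, TargetGroupArn: !Ref NlbTg443}]}

  # NLB listener 2: TCP 80 to the ALB's port 80, whose only job is to answer 301.
  NlbTg80:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    DependsOn: AlbHttp
    Properties:
      TargetType: alb
      Protocol: TCP
      Port: 80
      VpcId: !Ref VpcId
      HealthCheckProtocol: HTTP
      Matcher: {HttpCode: "200-399"}   # the redirect answers 301, so count 3xx as healthy
      Targets: [{Id: !Ref Alb, Port: 80}]
  NlbListener80:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties: {LoadBalancerArn: !Ref Nlb, Port: 80, Protocol: TCP,
                 DefaultActions: [{Type: forward, TargetGroupArn: !Ref NlbTg80}]}

  # ALB listener 1: HTTPS 443, forward to the Auto Scaling group's target group.
  AlbHttps:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Alb
      Port: 443
      Protocol: HTTPS
      Certificates: [{CertificateArn: !Ref CertificateArn}]
      DefaultActions: [{Type: forward, TargetGroupArn: !Ref AppTg}]

  # ALB listener 2: HTTP 80, redirect to HTTPS. The redirect keeps the client's Host header
  # (your domain), so the browser comes back in through the NLB on 443.
  AlbHttp:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Alb
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig: {Protocol: HTTPS, Port: "443", StatusCode: HTTP_301}

  # Instance target group: the ASG registers and deregisters its own instances via TargetGroupARNs.
  AppTg:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties: {TargetType: instance, Protocol: HTTP, Port: 80, VpcId: !Ref VpcId}
  AppAsg:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties: {VPCZoneIdentifier: !Ref PrivateSubnetIds, MinSize: "2", MaxSize: "4",
                 LaunchTemplate: {LaunchTemplateId: !Ref LaunchTemplateId, Version: "1"},
                 TargetGroupARNs: [!Ref AppTg]}
```

The security group handed to the ALB has to admit the clients' real source addresses, not just the NLB's, because the NLB passes the client IP through to an ALB target. The port-80 target group's health check is pointed at a listener that only ever returns 301, which is why its matcher accepts 3xx; without that the NLB marks the ALB unhealthy on port 80 and the redirect path never works.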
While this is a valid configuration it complicates the setup considerably and also costs extra so consider using just the NLB if you can - it also makes troubleshooting a lot simpler. You don't say what you need the ALB for (WAF? path-based routing?) but again, although this is totally supported I would not use it unless absolutely necessary.
Note that if you need WAF then CloudFront is a great way of providing that; but then you lose the static IP. However:
I always have very long conversations with my customers about why static IP addresses are required. Most of the time it comes down to "we want to allow-list the IP addresses on our firewalls" which then leads to longer conversations about how that is a losing game. But I digress...
For question 1: Only a single port is allowed in this setup (see this blog post).
For question 2: Yes, you need a minimum of two AZs and that means two IP addresses.
Thank you for the response.
If I use this setup: "NLB <-> ASG <-> Instances", then I won't be able to do these:
1.) Not able to redirect from HTTP to HTTPS (note: I can do this in ALB)
2.) I can only manually attach the instances to the NLB target; any instance created by the ASG is not being added to the NLB's target automatically
Also, wrt SSL, I've updated the question with a setup related to Question 1.
Please tell me if my understanding is wrong.
You should definitely be able to register instances in an ASG against the NLB - I don't know what's going wrong there but it's certainly a supported configuration.
For the redirect not working: That's expected. The ALB is redirecting from port 80 to port 443; but the client is connecting to the NLB first which is only sending port 80 through. Again, a case where using both load balancers together is not a great combination.
I see that the TGs (created with TCP: 80 & 443, which are added to the NLB as listeners) don't allow adding an ASG as a target; they only allow registering instances (only ones that are running) as targets, which means the instances automatically created & terminated by the ASG won't get added & removed respectively from this TG's targets automatically. This is a huge bummer.
Given the above circumstances, it looks like we can't use the NLB alone; the ALB is always required.
The ALB is working fine, but the only concern with using the ALB is that it doesn't provide a static IP. I really wonder how others are doing it.
Hi @iwasa, thank you for your response. I've configured it the way you mentioned, except for the difference of an ASG in between the instances & the ALB, like this: "NLB --ALB --ASG --EC2"
This setup is working fine for HTTP connections (when I don't have "1: Transfer to the ASG target group via HTTPS 443"), but once I add the HTTPS listener to the ALB, even the HTTP connection from the NLB tries to get redirected to HTTPS, and I think that's where the issue lies.
With the above setup, I'm seeing:
- ALB HTTP URL --> working with the domain URL (gets redirected to HTTPS) and also with the AWS-provided public URL
- ALB HTTPS URL --> working with the domain URL, but when I try with the AWS-provided public URL it says 'your connection is not private', which is expected
- NLB HTTP URL --> working with the AWS-provided public URL, but when linked to the domain as a CNAME record it is NOT working: the URL gets redirected to the HTTPS URL and eventually fails with error: "ERR_SSL_PROTOCOL_ERROR"
- NLB HTTPS URL --> NOT working; fails for both the domain & the AWS-provided public URL with error: "ERR_SSL_PROTOCOL_ERROR"
Am I doing anything wrong here?
@iwasa FYI: I've updated my previous comment with more details for each tryout; kindly check once from your end.
One more thing: I'm trying to avoid using Global Accelerator to reduce cost, as the above architecture itself is costlier.
I will provide you with a template that configures redirects. Please wait a moment.
Hi @iwasa, checking back on it to see if the template could be shared, thanks!
Hi, @Saru
Sorry for being late.
I have summarized the information in the following article. A link to CloudFormation is also attached in the article.
https://dev.classmethod.jp/articles/nlb-target-alb-http-https-redirect/