Horizontal Scaling concerns, SSL issue with NLB


Note: I'm new to scaling and am first seeking advice on best practices for horizontal scaling.

I have the following setup:

EC2 Instances <-> ASG(created from Launch template) -> TG <-> ALB <-> TG <-> NLB

Traffic flows through NLB to ALB and finally to EC2 instances configured via ASG.

Note: I'm assuming the above setup is the best one to go with for horizontal scaling; if not, please let me know.

The above setup works fine for HTTP, whereas when I try to configure HTTPS, I don't see options to do so.

Issue 1: Target Group (TG) doesn't allow creating one of type Load Balancer with TLS port 443; it allows only TCP port 80.

**Question 1:** how else should I redirect HTTPS traffic to the ALB?

Note: I need the NLB because the ALB doesn't provide static IPs.

Question 2: wrt static IPs: the NLB doesn't allow fewer than 2 AZs, which means I need to have 2 static IPs linked to my domain?

Any inputs would be really helpful!

Update 1:

I've configured it like below.

In ALB listeners:
HTTP (80) gets redirected to HTTPS
HTTPS (443) gets forwarded to the ASG

In NLB listeners:
HTTP (80) gets forwarded to the ALB

Note: the ALB's public URL is added to my domain (sample-alb.domain.com); the NLB's public URL is added to my domain (sample-nlb.domain.com).

SSL works fine if the user enters by hitting sample-alb.domain.com, whereas if the user enters by hitting sample-nlb.domain.com, it always fails with "ERR_CERT_INVALID".

Any inputs on why this fails?

Update 2:

I've got the answer to my Issue 1/Question 1 on how to redirect HTTPS traffic to the ALB from here: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/application-load-balancer-target.html#configure-application-load-balancer-target

Listeners and routing

For Listeners, the default is a listener that accepts TCP traffic on port 80. Only TCP listeners can forward traffic to an Application Load Balancer target group. Keep the listener protocol set to TCP, but you can modify the port as required.

This setup allows you to use HTTPS listeners on the Application Load Balancer to terminate the TLS protocol.

So, I created a TG with TCP port 80 and a listener on the NLB, which redirects to the ALB. (Say, for example, my NLB's public URL is 'nlb34323.amazonaws.com'.) Now, when I hit my NLB's public URL with 'http://nlb34323.amazonaws.com', it does get redirected to 'https://nlb34323.amazonaws.com', but eventually fails with a timeout error.

Note: whereas when I hit the ALB's public URL, it is working fine.

Does it have anything to do with the TLS termination mentioned in the above documentation:

This setup allows you to use HTTPS listeners on the Application Load Balancer to terminate the TLS protocol.

What am I doing wrong here?

2 Answers

Hi, @Saru

I understand that you need an L7 load balancer and a static IP address.

You can configure NLB --ALB --EC2.

Add two listeners to the NLB (separate target groups):
1: TCP 443 targeting the ALB
2: TCP 80 targeting the ALB

Add two listeners to the ALB:
1: HTTPS 443, forwarding to the ASG target group
2: HTTP 80, redirecting to HTTPS

I was able to configure the above.
Please let me know if there are any parts that you cannot set.

In addition, you can also use the Global Accelerator to associate a static IP address with the ALB as an additional option.
https://docs.aws.amazon.com/global-accelerator/latest/dg/about-accelerators.alb-accelerator.html

iwasa (EXPERT), answered 2 years ago
  • Hi @iwasa, thank you for your response. I've configured it the way you mentioned, except for the difference of the ASG in between the instances and the ALB, like this: "NLB --ALB --ASG --EC2"

    This setup is working fine for HTTP connections when I don't have "1: HTTPS 443, forwarding to the ASG target group", but once I add the HTTPS listener to the ALB, even the HTTP connection from the NLB tries to get redirected to HTTPS, and I think that's where the issue lies.

    With the above setup, I'm seeing:
    ALB HTTP URL --> working with the domain URL (gets redirected to HTTPS) and also with the AWS-provided public URL
    ALB HTTPS URL --> working with the domain URL, but when I try with the AWS-provided public URL it says 'your connection is not private', which is expected
    NLB HTTP URL --> working with the AWS-provided public URL, but when linked to the domain as a CNAME record it is NOT working: the URL gets redirected to the HTTPS URL and eventually fails with error "ERR_SSL_PROTOCOL_ERROR"
    NLB HTTPS URL --> NOT working; fails for both the domain and the AWS-provided public URL with error "ERR_SSL_PROTOCOL_ERROR"

    Am I doing anything wrong here?

  • @iwasa FYI: I've updated my previous comment with more details for each tryout, kindly check once from your end.

    One more thing: I'm trying to avoid using Global Accelerator to reduce cost, as the above architecture itself is costlier.

  • I will provide you with a template that configures redirects. Please wait a moment.

  • Hi @iwasa, checking back on it to see if the template could be shared, thanks!

  • Hi, @Saru

    Sorry for being late.

    I have summarized the information in the following article. A link to CloudFormation is also attached in the article.

    https://dev.classmethod.jp/articles/nlb-target-alb-http-https-redirect/
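The NLB -> ALB -> ASG chain described in the answer above, as an added CloudFormation example that is not the thread's or the linked article's template; VpcId, PublicSubnetIds, AlbArn, AppTargetGroupArn and CertificateArn are assumed, pre-existing inputs, and health-check settings are omitted and left at their defaults. Because TLS terminates at the ALB while the NLB only passes TCP through, the certificate on the ALB's 443 listener must cover the hostname clients actually type (sample-nlb.domain.com in the question), which is what a name mismatch like ERR_CERT_INVALID points at.

```yaml
# Added example, not the thread's or the linked article's template: the
# NLB -> ALB -> ASG chain from the answer above, with all inputs assumed to exist.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId: { Type: AWS::EC2::VPC::Id }
  PublicSubnetIds: { Type: List<AWS::EC2::Subnet::Id> }  # two AZs minimum
  AlbArn: { Type: String }             # existing internet-facing ALB in the same VPC
  AppTargetGroupArn: { Type: String }  # target group the ASG registers its instances into
  CertificateArn: { Type: String }     # ACM cert covering the hostname clients use
Resources:
  Nlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties: { Type: network, Scheme: internet-facing, Subnets: !Ref PublicSubnetIds }
  # NLB side: one TCP listener per port, each forwarding to an alb-type target group.
  # TLS is not terminated here, so the listener protocol stays TCP, not TLS.
  AlbTg80:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    DependsOn: AlbListener80   # registration fails unless the ALB already listens on 80
    Properties: { TargetType: alb, Protocol: TCP, Port: 80, VpcId: !Ref VpcId,
                  Targets: [{ Id: !Ref AlbArn, Port: 80 }] }
  AlbTg443:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    DependsOn: AlbListener443
    Properties: { TargetType: alb, Protocol: TCP, Port: 443, VpcId: !Ref VpcId,
                  Targets: [{ Id: !Ref AlbArn, Port: 443 }] }
  NlbListener80:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties: { LoadBalancerArn: !Ref Nlb, Protocol: TCP, Port: 80,
                  DefaultActions: [{ Type: forward, TargetGroupArn: !Ref AlbTg80 }] }
  NlbListener443:  # without this, the HTTPS redirect below times out at the NLB
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties: { LoadBalancerArn: !Ref Nlb, Protocol: TCP, Port: 443,
                  DefaultActions: [{ Type: forward, TargetGroupArn: !Ref AlbTg443 }] }
  # ALB side: 80 redirects to 443; 443 terminates TLS and forwards to the ASG target group.
  AlbListener80:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties: { LoadBalancerArn: !Ref AlbArn, Protocol: HTTP, Port: 80,
                  DefaultActions: [{ Type: redirect,
                    RedirectConfig: { Protocol: HTTPS, Port: "443", StatusCode: HTTP_301 } }] }
  AlbListener443:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref AlbArn
      Protocol: HTTPS
      Port: 443
      Certificates: [{ CertificateArn: !Ref CertificateArn }]
      DefaultActions: [{ Type: forward, TargetGroupArn: !Ref AppTargetGroupArn }]
```

The NLB DNS name (or the CNAME pointing at it) is the only name clients should be given; the ALB's own DNS name stays reachable, so restrict it with security groups if you do not want a second entry point.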


While this is a valid configuration, it complicates the setup considerably and also costs extra, so consider using just the NLB if you can - it also makes troubleshooting a lot simpler. You don't say what you need the ALB for (WAF? path-based routing?), but again, although this is totally supported, I would not use it unless absolutely necessary.

Note that if you need WAF then CloudFront is a great way of providing that; but then you lose the static IP. However:

I always have very long conversations with my customers about why static IP addresses are required. Most of the time it comes down to "we want to allow-list the IP addresses on our firewalls" which then leads to longer conversations about how that is a losing game. But I digress...

For question 1: Only a single port is allowed in this setup (see this blog post).

For question 2: Yes, you need a minimum of two AZs and that means two IP addresses.

AWS EXPERT, answered 2 years ago
  • Thank you for the response.

    If I use this setup: "NLB <-> ASG <-> Instances", then I won't be able to do these:
    1.) Not able to redirect from HTTP to HTTPS (note: I can do this in the ALB)
    2.) I can only manually attach the instances to the NLB target; any instance created by the ASG is not being added to the NLB's target automatically

    Also, wrt SSL, I've updated the question with a setup related to Question 1.

    Please tell me if my understanding is wrong.

  • You should definitely be able to register instances in an ASG against the NLB - I don't know what's going wrong there but it's certainly a supported configuration.

    For the redirect not working: That's expected. The ALB is redirecting from port 80 to port 443; but the client is connecting to the NLB first which is only sending port 80 through. Again, a case where using both load balancers together is not a great combination.

  • I see that the TGs (created with TCP: 80 & 443, which are added to the NLB as listeners) don't allow adding an ASG as a target; they only allow registering instances (only those that are running) as targets, which means the instances automatically created & terminated by the ASG won't get added to & removed from this TG's targets automatically. This is a huge bummer.

    Given the above circumstances, it looks like we can't use the NLB alone; the ALB is always required.

    The ALB is working fine, but the only concern with using the ALB is that it doesn't provide a static IP. I really wonder how others are doing it.
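The "NLB <-> ASG <-> Instances" layout the answer above recommends, as an added CloudFormation example that is not the thread's own code: the ASG's TargetGroupARNs property registers and deregisters instances in the NLB target group automatically (the supported configuration the answer refers to), and the static addresses come from one Elastic IP per AZ. VpcId, SubnetA/SubnetB, the EipA/EipB allocation IDs, LaunchTemplateId, LaunchTemplateVersion and CertificateArn are assumed, pre-existing inputs.

```yaml
# Added example, not from the thread: the "NLB -> ASG -> instances" layout the
# answer above recommends. VpcId, SubnetA, SubnetB, EipA, EipB, LaunchTemplateId,
# LaunchTemplateVersion and CertificateArn are assumed, pre-existing inputs.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId: { Type: AWS::EC2::VPC::Id }
  SubnetA: { Type: AWS::EC2::Subnet::Id }   # public subnet, AZ 1
  SubnetB: { Type: AWS::EC2::Subnet::Id }   # public subnet, AZ 2 (two AZs required)
  EipA: { Type: String }                    # Elastic IP allocation ID for AZ 1
  EipB: { Type: String }                    # Elastic IP allocation ID for AZ 2
  LaunchTemplateId: { Type: String }
  LaunchTemplateVersion: { Type: String }
  CertificateArn: { Type: String }          # ACM cert for the hostname in DNS
Resources:
  Nlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internet-facing
      SubnetMappings:   # one fixed public IP per AZ: these are the two A records
        - { SubnetId: !Ref SubnetA, AllocationId: !Ref EipA }
        - { SubnetId: !Ref SubnetB, AllocationId: !Ref EipB }
  AppTg:   # instance-type target group; the ASG registers the members itself
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      TargetType: instance
      Protocol: TCP
      Port: 80          # plaintext inside the VPC; use Protocol TLS to re-encrypt
      VpcId: !Ref VpcId
      HealthCheckProtocol: HTTP
      HealthCheckPath: /
  TlsListener:   # TLS terminates on the NLB; no port 80 listener at all,
    Type: AWS::ElasticLoadBalancingV2::Listener   # since an NLB cannot redirect
    Properties:
      LoadBalancerArn: !Ref Nlb
      Protocol: TLS
      Port: 443
      Certificates: [{ CertificateArn: !Ref CertificateArn }]
      DefaultActions: [{ Type: forward, TargetGroupArn: !Ref AppTg }]
  Asg:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier: [!Ref SubnetA, !Ref SubnetB]
      LaunchTemplate: { LaunchTemplateId: !Ref LaunchTemplateId,
                        Version: !Ref LaunchTemplateVersion }
      MinSize: "2"
      MaxSize: "6"
      TargetGroupARNs: [!Ref AppTg]   # launches join, terminations leave the TG
      HealthCheckType: ELB            # replace instances the NLB marks unhealthy
      HealthCheckGracePeriod: 120
```

Clients that type http:// get a connection refused rather than a redirect, which is the trade-off the answer above describes; HSTS on the application is the usual way to keep returning browsers on HTTPS.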
