- Newest
- Most votes
- Most comments
I guess you want the NLB because you're intending to have more than one EC2 instance running your Software VPN in the future?
I'm not sure why that wouldn't work, but the options I've seen for managing horizontal scaling / load balancing don't include NLB:
- A simplistic method is to put 2 routes in your VPC route table so traffic targeting the bottom half of the on-prem network goes to one EC2 instance, and top half to the other.
- Or base it on source - have different route table entries in different subnets where some route to one EC2 instance and some the other.
- But more even distribution with less management can be done by recognising that it's the encrypt/decrypt that's limiting, not routing processing. So decouple the two, with multiple instances running tunnels, front-ended in the VPC by a single instance that route tables target. The front-end will need to do stateful "sticky" load-balancing. Or, with more setup, GRE tunnels between front and back ends.
We chose NLB to expose and manage both HTTP and TCP/UDP backend applications hosted by an EKS cluster.
On-prem corporate users reach the NLB cluster through a vpn site-to-site. Connections follow that chain:
users->vpn_site_to_site->nlb->reverse_proxy->application
both reverse proxy and backend application reside within the EKS cluster.
The issue is that NLB doesn't answer to client requests (TCP SYN timeout) I suppose because source IPs are not part of VPC IP addressing.
I workarounded the issue source-natting client requests on VPN gateway (at AWS side), but I'd rather use a cleaner solution.
Relevant content
- asked 6 months ago
- asked 16 days ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a month ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 months ago
did you check security group configuration to allow on-premises IP on the NLB's target group instances?
That's the solution! Many thanks. I hadn't really thought about enabling the client IPs on the backend instances (target groups), because I thought the connection would come with the IP address of the NLB instance. But how does it work that way? Maybe security group checks and it's able to verify proxy protocol attributes?
NLB preserves Source IP (except for IP Address targets), whereas servers behind CLB & ALB see load balancer IPs as Source IPs in client requests and rely on x-forwarded-for header to indicate true source.