Questions tagged with Network Load Balancer

Hi, I am trying to set up Lambda functions with API Gateway as the trigger. I'll be making external API calls from the functions and I need my IP to be allowlisted with the provider, so it should be static. I also need to provide them the hostname from which the API calls will originate, so the API Gateway will be using a custom domain. I have the domain registered on GoDaddy and for this API Gateway, I want to use a subdomain. At the moment, what I have done is:

1. Created a VPC Endpoint with subnets in all the availability zones in the region.
2. Created a private REST API and assigned the above VPCE to it.
3. Created the same number of Elastic IPs as the availability zones.
4. Requested a new certificate from ACM for the subdomain, put the CNAME records on GoDaddy and got the certificate issued.
5. Created a Target Group with IP as target type, TLS as protocol and HTTPS as health check protocol, and registered the default subnet's IPs of each availability zone. I used 403 as the expected health check status, as this will be the status when the API is invoked using the NLB's DNS for health checks. The health check comes out positive.
6. Created an internet-facing, IPv4 Network Load Balancer. The listener was set up with TLS as the protocol. I assigned the above created EIPs to this load balancer and the above generated certificate too.

At this point, I am successfully able to invoke the private API Gateway using the NLB's domain. However, I get a security warning because the domain for which the certificate was issued is not being used to invoke the API. I created a custom domain for the API and assigned the same certificate to it as well. But still, I get the same warning on the client side. And if I try to invoke the API with the custom domain name, I get no response at all because the name does not get resolved. If I had my domain registered on AWS Route 53, I would've been able to create an Alias record that pointed to the NLB.

Can I still do this with an external registrar, and will this even do anything for me? Can somebody please guide me on what needs to be done to get this working? Really appreciate it & thanks in advance. PS. Sorry for the long detail if it's unnecessary.
0 answers · 0 votes · 9 views · asked 3 hours ago
We have built a tier-1 service and we want to ensure 100% availability during deployment. Our service needs 15 tasks to serve 850 tps of traffic. We are looking for a deployment configuration:
(1) The desired count is 15 as of now. To ensure the service is always available I had set minimumHealthyPercent to 100%, but during deployment I saw a spike in unhealthy hosts.
(2) What should the minimumHealthyPercent be?
(3) What should maximumPercent be?
(4) Should we modify the health check associated with the target group?
1 answer · 0 votes · 23 views · asked 2 days ago
I signed up for a t3.nano by migrating my free account, but my connections to the internet continue to be very slow. Please help me; the t3.nano is listed as up to 5 Gigabit network performance! Sorry, my English is poor. Please help me!
1 answer · 0 votes · 11 views · asked 3 days ago
PrivateLink partially works with Network Load Balancers, allowing listeners to be TCP but not UDP. Is there a defined technical reason for this, as opposed to "it doesn't do that"? Might it?
1 answer · 0 votes · 14 views · asked 4 days ago
Is it possible to create a cross-region VPC link from a REST API Gateway to an NLB? E.g. the API Gateway is in eu-west-1 and the NLB is in us-west-1. I can see from this article that VPC link uses AWS PrivateLink (https://aws.amazon.com/blogs/compute/understanding-vpc-links-in-amazon-api-gateway-private-integrations/), and I can see from this article that PrivateLink supports inter-region VPC peering (https://aws.amazon.com/about-aws/whats-new/2018/10/aws-privatelink-now-supports-access-over-inter-region-vpc-peering/), so it seems like it should be possible; however, I'm not sure how to achieve it.
1 answer · 0 votes · 24 views · asked 10 days ago
We have an ASG with 100+ hosts in us-east-1 that is distributed across all 6 Availability Zones. This ASG is added as a target group to our Network Load Balancer, which is also enabled in all 6 AZs. Currently, we have Cross-Zone Load Balancing enabled in our NLB, which distributes the incoming traffic equally to all the hosts across all AZs. But this cross-zone load balancing is adding a significant cost to our monthly bills. All our clients connect to our service through VPC peering (private links), and all these clients are also distributed equally across all AZs. From a networking standpoint, we don't see a necessity to enable cross-zone load balancing, so we are planning to turn this feature off in our prod environments.

We went through the following AWS docs ([1](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-termination-policies.html?icmpid=docs_ec2as_help_panel) and [2](https://docs.aws.amazon.com/autoscaling/ec2/userguide/auto-scaling-benefits.html)) and understood that EC2 ASGs, by default, will try to maintain an equivalent number of hosts across all AZs to the maximum extent, both while adding hosts to ASGs and when a scale-in event occurs.

We would like to understand how the following scenario would work with cross-zone load balancing disabled and whether it poses any availability risk to our service. We use the "In-Place" deployment type in our CodeDeploy deployment groups. While hosts are being de-registered from the NLB during in-place deployments, will CodeDeploy ensure that hosts are taken down evenly across all AZs? Our deployment configuration makes sure that at least 70% of the hosts are healthy during the course of a deployment. Could there be a case where CodeDeploy takes down more hosts (or all 30% of the hosts) from a single AZ, putting the availability of the NLB node in that AZ at risk (since cross-zone routing is turned off)?
0 answers · 0 votes · 20 views · asked 17 days ago
How do I reduce my data transfer out cost in AWS Shield Advanced? Any heads-up to follow?
2 answers · 0 votes · 20 views · asked 22 days ago
I have a Spring Boot application in ECS Fargate within a private subnet. I have configured NAT gateways for my 2 subnets. I would like to build and connect to a REST API. I have a Network Load Balancer attached to my Fargate service.
1) How do I configure health checks for my Spring Boot microservices using a Network Load Balancer?
2) How do I go about the architecture design?
2 answers · 0 votes · 42 views · Joash · asked 24 days ago
I was trying to create a Network Load Balancer that maps to different subnets that are in different availability zones; however, it keeps saying "Allocation 'elasticipID' can be used for one subnet only". How can I solve this issue? Thanks!
1 answer · 0 votes · 33 views · asked a month ago
I am currently doing a migration, and one of the teams has an F5 Load Balancer listed as part of the network in their current architecture. My questions are: What is an F5 Load Balancer? What is the equivalent of an F5 Load Balancer in AWS? Is it an Application Load Balancer or a Network Load Balancer?
1 answer · 0 votes · 24 views · asked 2 months ago
Hello, for production on an EC2 machine, I usually associate an Elastic IP address with it. There are a lot of clients connecting to that address. If I lose this Elastic IP address (wrong manipulation, errors, etc.), will I never be able to get the same address back, and will I have to update all the clients to give them the new Elastic IP address? What are my options to avoid this? Thanks for your help.
2 answers · 0 votes · 24 views · asked 2 months ago
Our infrastructure is in AWS. We use AWS Security Groups to define inbound/outbound traffic rules. Our servers are IP restricted, in that only traffic from one particular IP is allowed as per the Security Group rule. Say we have 2 EC2 apps that serve web traffic, and, as per the Security Group rule, only traffic from that one IP is allowed to these servers on ports 80 and 443. We now need these apps to communicate with each other, i.e. send each other HTTP requests. We want the 2 apps to communicate with each other internally because they belong to the same public subnet and VPC. If the communication is not internal, traffic from one app would reach the other app via the internet, and this would not be allowed by the existing Security Group rules. Is trying to keep the communication internal between the 2 apps the standard way? I need some guidance on how best to implement this idea.
2 answers · 0 votes · 75 views · prasvin · asked 2 months ago