Load BalancerMay 24, 2023 at 4:41 PM
Table of Contents
Application Load Balancer (ALB) is a network service that distributes incoming public web traffic between virtual servers to provide fault tolerance for websites and applications.
How it works:
The Load Balancer (ALB) allows to easily configure web or TLS traffic to virtual machines, belonging to the same
Compute service based on a domain name in the HTTP protocol or the Server Name Indication (SNI) extension of TLS.
When the volume of incoming traffic changes dramatically, the balancer evenly distributes the entire volume of requests between resources according to the Round-robin algorithm. ALB provides automatic renewal of LetsEncrypt certificates and the ability to upload your own certificates.
Forwarding through ALB does not require opening virtual machine destination ports in the Network Security Group in the
ALB provides access on the main public address of the account only on ports 80 and 443.
These ports can be reassigned in the
ALB management is only available to users with the Account Admin role.
Web Routes tab contains a list of ALB web traffic routes. The user can create, edit, view and delete routes.
Creating and Configuring a Route
Before creating a new route, the user has to configure a DNS CNAME record pointing to the ALB’s public host name to allow Internet traffic to access the ALB instance (CNAME record creation), and then prepare the virtual machine.
Note: By default we mean a prepared virtual machine with a web server on port 80.
- On the
Web Routestab, click
- In the popped-up modal window, enter:
- Name - the name for the route within the project;
- Hostname - public host name for the route;
- The Path that the router watches to route traffic to the service (optional);
- Target port for traffic (optional).
- In the
Target Services, select the Service(s) for load balancing (each service has a weight that determines the amount of traffic received).
- Select IP interface type: IPv4/IPv6.
Securitysettings for the routes by enabling the Secure Route checkbox, or you can leave it disabled.
If Secure Route is enabled, specify the TLS termination type:
With edge termination, the encrypted
TLS trafficis terminated on the ALB, then the already decrypted traffic is proxied to the internal IP addresses of the virtual machines on the
HTTP port (80/TCP). To terminate TLS traffic, the downloaded certificate is used if it matches the Hostname field of the Web route, otherwise, an attempt is made to issue a LetsEncrypt certificate. If the issue of the LetsEncrypt certificate fails for any reason (for example, the DNS record is not set to the ALB public hostname, the request limit has expired), then the default self-signed certificate will be used.
With passthrough termination, encrypted traffic is sent directly to the destination without decrypting the traffic. In this case, the balancer only allocates traffic between services according to weights. This is currently the only method that supports client certificate authentication (also known as two-way authentication).
This is a case of edge termination where the TLS protocol is terminated at the ALB with a certificate and then re-encrypts its connection to an endpoint on the
HTTPS port (443/TCP), which may have a different certificate. Therefore, the full connection path is encrypted even on the internal network. ALB uses performance checks to determine host availability.
Note: Re-encrypt ALB does not currently validate the destination host certificate, so self-signed certificates can be used.
- Select a policy for traffic on insecure schemes:
- allow - allows HTTP traffic to pass through;
- redirect - automatically redirects the client from HTTP to HTTPS (using HTTP code 301).
- Select one of the TLS Certificates associated with this route.
The new route will appear in the general list, where you can edit its settings or delete it using the side menu or by clicking the corresponding buttons in the
To view the details of the created route, simply click on it.
Users can add TLS certificates for edge and re-encrypted termination on the
Certificates tab. Certificates must be in PEM format. Users can add, edit, view, and delete certificates.
Users can upload certificates by dragging, selecting, or pasting them from the clipboard.
Addcertificate on the
- Enter a Name for the certificates;
Browseand add the needed certificates (or drag and drop, paste from clipboard);
The certificate will appear on the list. Click its name to view the details.
There are two ways to edit and delete certificates. Users can do this by using the side menu (icon with three dots) or by pressing the corresponding button in the
Note: When using your own certificates, only one certificate related to the domain name must be loaded into the system for correct operation.
For example, if the downloaded certificate has expired, you need to delete it and download the current one.