Load Balancer
November 24, 2023 at 2:43 PM
Application Load Balancer (ALB) is a network service that distributes incoming public web traffic between virtual servers to provide fault tolerance for websites and applications.
How it works:
The Application Load Balancer (ALB) lets you easily route web or TLS traffic to virtual machines that belong to the same Compute service, choosing the destination by the domain name in the HTTP request or in the Server Name Indication (SNI) extension of TLS.
Even when the volume of incoming traffic changes sharply, the balancer distributes all requests evenly across the resources according to the Round-robin algorithm. ALB renews LetsEncrypt certificates automatically and also lets you upload your own certificates. Forwarding through ALB does not require opening the virtual machines' destination ports in the Network Security Group on the Firewall tab. ALB accepts traffic on the account's main public address only on ports 80 and 443. These ports can be reassigned in the
The Health Check feature excludes unhealthy servers from the load-balancing rotation. ALB monitors the status of the virtual machines that serve a web traffic route and considers a VM healthy as long as it answers the health check requests (sent every Interval) with a 2XX or 3XX status code. If a VM is unavailable (powered off or broken), the Health Check ensures that web traffic is not directed to it.
ALB management is only available to users with the Account Admin role.
The Web Routes tab contains the list of ALB web traffic routes. The user can create, edit, view and delete routes.
Creating and Configuring a Route
Before creating a new route, the user has to configure a DNS CNAME record pointing at the ALB's public host name so that Internet traffic can reach the ALB instance (CNAME record creation), and then prepare the virtual machine.
Note: A prepared virtual machine here means one with a web server listening on port 80.
- On the Web Routes tab, click
- In the modal window that opens, enter:
  - Name: the name of the route within the project;
  - Hostname: the public host name for the route;
  - Path (optional): the URL path the router matches to route traffic to the service;
  - Target port (optional): the port traffic is forwarded to.
- Under Target Services, select the service(s) to balance across (each service has a weight that determines the share of traffic it receives).
- Select IP interface type: IPv4/IPv6.
- Configure HealthCheck to remove unhealthy VMs from the load-balancing rotation:
  - Path (optional) defines the server URL path of the health check endpoint.
  - Scheme (optional) replaces the server URL scheme for the health check endpoint.
  - Hostname (optional) sets the hostname sent in the Host header of the health check request.
  - Port (optional) replaces the server URL port for the health check endpoint.
  - Interval (default: 30s) defines how often health checks are sent.
  - Timeout (default: 5s) defines the maximum time Traefik waits for a health check response before considering the server unhealthy.
  - Headers (optional) defines custom headers sent to the health check endpoint.
  - Follow Redirects (default: true) defines whether redirects are followed during health check calls.
  - Method (default: GET) defines the HTTP method used for the health check request.
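The following is an added illustrative model (not the ALB's or Traefik's own code) of the health check rule described above together with the weighted round-robin rotation from Target Services: a target stays in rotation only while it answers within Timeout with a 2XX or 3XX status (redirects followed only when Follow Redirects is on), and the healthy targets then receive requests in proportion to their weights. The `Probe` records are constructed sample data standing in for real health check responses.

```python
from itertools import cycle
from typing import List, Optional


class Probe:
    """One hop of a health check call (constructed sample data, not a real probe)."""
    def __init__(self, status: Optional[int], elapsed: float, location: Optional[str] = None):
        self.status = status        # None models no answer at all (VM off or broken)
        self.elapsed = elapsed      # seconds until the answer arrived
        self.location = location    # redirect target, when the answer is a 3XX


class Target:
    """A VM behind the route, with its Target Services weight and recorded probe hops."""
    def __init__(self, name: str, weight: int, probes: List[Probe]):
        self.name, self.weight, self.probes = name, weight, probes


def is_healthy(target: Target, timeout: float = 5.0, follow_redirects: bool = True) -> bool:
    """Apply the rule above: an answer within Timeout with a 2XX or 3XX status is healthy.
    With Follow Redirects on, a 3XX carrying a Location is followed and the final hop decides."""
    for hop in target.probes:
        if hop.status is None or hop.elapsed > timeout:
            return False                      # no answer, or answer slower than Timeout
        if follow_redirects and 300 <= hop.status < 400 and hop.location:
            continue                          # follow to the next recorded hop
        return 200 <= hop.status < 400
    return False                              # redirect chain never produced a final answer


def weighted_rotation(targets: List[Target], requests: int,
                      timeout: float = 5.0, follow_redirects: bool = True) -> List[str]:
    """Names of the targets that receive `requests` consecutive requests: unhealthy
    targets are dropped, the rest are served round-robin in proportion to their weight."""
    healthy = [t for t in targets if is_healthy(t, timeout, follow_redirects)]
    if not healthy:
        return []                             # nothing left to send traffic to
    ring = [t.name for t in healthy for _ in range(t.weight)]
    return [name for name, _ in zip(cycle(ring), range(requests))]
```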
- Security settings for the route are enabled with the Secure Route checkbox, or you can leave it disabled.
If Secure Route is enabled, specify the TLS termination type:
With edge termination, the encrypted TLS traffic is terminated on the ALB, and the decrypted traffic is then proxied to the internal IP addresses of the virtual machines on the HTTP port (80/TCP). To terminate TLS, the uploaded certificate is used if it matches the Hostname field of the web route; otherwise an attempt is made to issue a LetsEncrypt certificate. If LetsEncrypt issuance fails for any reason (for example, the DNS record does not point to the ALB public hostname, or the LetsEncrypt request limit has been reached), the default self-signed certificate is used.
With passthrough termination, encrypted traffic is sent to the destination without being decrypted; the balancer only distributes traffic between services according to their weights. This is currently the only method that supports client certificate authentication (also known as two-way or mutual TLS authentication).
Re-encrypt termination is a variant of edge termination: TLS is terminated at the ALB with a certificate, and the ALB then re-encrypts its connection to the endpoint on the HTTPS port (443/TCP), which may use a different certificate. The full connection path is therefore encrypted even on the internal network. ALB uses health checks to determine host availability.
Note: Re-encrypt ALB does not currently validate the destination host certificate, so self-signed certificates can be used on the VMs (the internal hop is encrypted, but the backend's identity is not verified).
- Select a policy for traffic on insecure schemes:
- allow - allows HTTP traffic to pass through;
- redirect - automatically redirects the client from HTTP to HTTPS (using HTTP code 301).
- Select one of the TLS Certificates associated with this route.
The new route appears in the general list, where you can edit its settings or delete it using the side menu or the corresponding buttons in the
To view the details of the created route, simply click on it.
Users can add TLS certificates for edge and re-encrypt termination on the Certificates tab. Certificates must be in PEM format. Users can add, edit, view, and delete certificates.
Users can upload certificates by dragging, selecting, or pasting them from the clipboard.
- Add certificate on the
- Enter a Name for the certificates;
- Browse and add the needed certificates (or drag and drop them, or paste from the clipboard);
The certificate will appear on the list. Click its name to view the details.
There are two ways to edit and delete certificates: use the side menu (the three-dot icon) or press the corresponding button in the
Note: When using your own certificates, upload only one certificate for a given domain name; otherwise the route will not work correctly.
For example, if the uploaded certificate has expired, delete it and upload the current one.
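As an added example (not the ALB's own code), the following models the certificate selection described for edge and re-encrypt routes and the "one certificate per domain" rule above: an uploaded certificate is used when one of its names matches the route Hostname (exact or single-label wildcard), otherwise LetsEncrypt issuance is attempted, otherwise the default self-signed certificate is served; `precheck` lists the duplicate and expired uploads a user should remove before relying on the route. The certificate records are constructed sample data (names and expiry only), and the "conflict" result is this model's label for the unsupported multiple-upload case.

```python
from datetime import datetime, timezone
from typing import Dict, List


def name_matches(cert_name: str, hostname: str) -> bool:
    """Exact match, or a single-label wildcard such as *.example.com covering hostname."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == cert_name[2:]
    return cert_name == hostname


def certs_for_hostname(certs: List[Dict], hostname: str) -> List[Dict]:
    """Uploaded certificates whose names cover the route Hostname."""
    return [c for c in certs if any(name_matches(n, hostname) for n in c["names"])]


def select_certificate(certs: List[Dict], hostname: str, letsencrypt_ok: bool) -> str:
    """Source of the certificate the route serves: the single matching upload,
    else LetsEncrypt (when issuance succeeds), else the default self-signed one.
    More than one matching upload is the unsupported case flagged as 'conflict'."""
    matching = certs_for_hostname(certs, hostname)
    if len(matching) > 1:
        return "conflict:" + ",".join(c["name"] for c in matching)
    if matching:
        return "uploaded:" + matching[0]["name"]
    return "letsencrypt" if letsencrypt_ok else "self-signed"


def precheck(certs: List[Dict], hostname: str, now: datetime) -> List[str]:
    """Problems to fix before relying on the route: duplicate or expired certificates."""
    issues = []
    matching = certs_for_hostname(certs, hostname)
    if len(matching) > 1:
        issues.append(f"{len(matching)} certificates cover {hostname}; keep only one")
    for c in matching:
        if c["not_after"] < now:                       # expired upload must be replaced
            issues.append(f"{c['name']} expired {c['not_after']:%Y-%m-%d}; delete it and upload the current one")
    return issues
```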