Application Load Balancers are the best general-purpose service for distributing web traffic to many servers in multiple availability zones.
This section demonstrates the setup, management, and configuration you may run into on an engagement concerning Load Balancers. While this is not an exhaustive look at LBs, this will give you the fundamentals to know where to start.
This section will get you familiar with the basic setup of an Application Load Balancer (ALB) and practical configurations you're likely to encounter in enterprises.
In Topic 6, you created Auto Scaling Groups (ASGs) with a number of instances. In this lab, we'll take an ASG with instances that serve a specific web page on port 80 with HTTP and balance traffic across the many instances with an ALB.
- Working from the ASG Template, associate a target group with the autoscaling group, giving it a health check on `/index.html`.
  - Be sure to use the Amazon Linux AMI, and not the Amazon Linux 2 AMI. If you use the Amazon Linux 2 AMI (this is untested...), you'll have to use `amazon-linux-extras` instead of `yum` and install `nginx1.12` instead of `nginx`.
- Create an internet-facing ALB.
- Create an ALB Listener that references the previously created target group and ALB.
- Update the AutoScalingGroup to use 'ELB' for HealthCheckType and 30 for HealthCheckGracePeriod.
- Once created, go to the endpoint associated with the Load Balancer.
What is the benefit of breaking up the load balancer into specific listeners and target groups?
Now, let's update our health check to see what happens when things go haywire!
- Modify the target group:
  - Update the health check value to be `/BADindex.html`
  - Change the interval to be 20
  - Change the healthy threshold to 2
  - Change the unhealthy threshold to 3
  - Create a target group attribute with key `deregistration_delay.timeout_seconds`, value 20
- Wait about two minutes after the stack completes.
- Go to your load balancer endpoint.
What can be controlled with the interval/healthy threshold/unhealthy threshold settings?
What's happening to the instances in the ASG? How do you know?
Let's fix that bad health check endpoint and add an HTTPS listener.
- First, fix your health check and verify everything is working smoothly.
- Via the aws acm CLI or AWS Certificate Manager console, import your newly created certificate and make note of its ARN.
- Add a new listener to your previously created load balancer using HTTPS on port 443 and referencing your newly uploaded certificate.
- Let's be extra secure and specify a security policy on that listener which requires Forward Secrecy (has FS in its name).
- Visit your ALB endpoint, add the security exception and enjoy your encrypted session.
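One way to express the repaired target group and the HTTPS listener in CloudFormation, as an added example that is not the lab's own template. The parameter names and logical IDs are assumptions standing in for resources the lab stack already defines, and `ELBSecurityPolicy-FS-1-2-Res-2019-08` is one assumed choice among the predefined policies with FS in their name.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - target group health check plus HTTPS listener with an FS policy

Parameters:
  VpcId:                      # assumed parameter: VPC that holds the ASG instances
    Type: AWS::EC2::VPC::Id
  LoadBalancerArn:            # assumed parameter: ARN of the internet-facing ALB
    Type: String
  CertificateArn:             # assumed parameter: ARN noted after the ACM import
    Type: String

Resources:
  WebTargetGroup:             # assumed logical ID
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTP          # instances still serve plain HTTP on port 80
      Port: 80
      HealthCheckPath: /index.html    # the repaired path, not /BADindex.html
      HealthCheckIntervalSeconds: 20
      HealthyThresholdCount: 2
      UnhealthyThresholdCount: 3
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: '20'

  HttpsListener:              # assumed logical ID
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Protocol: HTTPS         # TLS terminates at the ALB
      Port: 443
      Certificates:
        - CertificateArn: !Ref CertificateArn
      SslPolicy: ELBSecurityPolicy-FS-1-2-Res-2019-08
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref WebTargetGroup
```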
What is the trade-off of going with a more secure SSL policy?
We imported a local certificate into ACM. What other options do you have? How do those processes work?
- Load balancers are expensive so delete your stack.
- Delete your imported self-signed cert.
Discuss with your mentor: What are some of the common cloud architectures where you would want to implement an ALB?