Overview
- Layer 4 (TCP/SSL) + Layer 7 (HTTP/HTTPS simplified)
- Use cases
- Instances in EC2-Classic (other LBs can't do this)
Types
- Internet-facing
- Internal (VPC only)
- Routes to instances in private subnets
- DNS: internal-name-123456789.region.elb.amazonaws.com
- Resolves to private IPs of ELB nodes
Nodes
- Contains multiple nodes (in selected AZs)
- ELB DNS maps to IP addresses of the nodes
- IP addresses may change
- DNS TTL 60 seconds
- ELB node sends traffic to specific backend instances
Listeners
- HTTP
- HTTPS (secure HTTP)
- TCP
- SSL (secure TCP)
- session affinity not supported
- Not supported
- UDP (ELB wouldn't know if backend accepted a connection)
Routing Algorithm
- TCP Listeners - round robin
- HTTP(S) - least outstanding requests ("least busy")
Backend Types
- EC2 instances
- Autoscaling Groups
Sticky Sessions (session affinity)
- Allowed for HTTP/HTTPS listeners
- Application Cookie
- Follows duration of existing application session cookie
- Name must be provided
- If application cookie expires/gets removed the session stops being sticky
- ELB inserts new stickiness cookie when a new application cookie is created
- If the instance fails, the request is routed to a NEW instance
- Continues to route to the NEW instance even if the old one comes back after the failure
- ELB Cookie
- Cannot set "secure" or "HttpOnly" on this cookie
- Contains mapping to a specific instance
- Duration
- By default: browser session
- Can be specified
- Stickiness lost when switching to different listener (e.g. HTTP -> HTTPS)
- May cause scaling issue
- Clients stay on the instances
- Even though you may add a lot of backend instances they will not receive any traffic
Proxy Protocol
- Passes source/destination (IP, port) for TCP/SSL requests
- Human-readable header added to the request:
PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n
- Must be supported by backend instance
- Configured via Policy Type
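A parser for the PROXY protocol v1 line shown above, as an added example that is not part of the original notes or of any AWS code. It validates the header strictly and only honours it when the TCP peer is in an assumed allowlist of ELB-side networks (a constructed value here), because the header is plain text that any directly reachable client could forge if the security group does not restrict the backend to ELB traffic only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# PROXY protocol v1 limits the whole line, CRLF included, to 107 bytes.
MAX_HEADER_LEN = 107

@dataclass
class ProxyInfo:
    family: str        # "TCP4" or "TCP6"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

def parse_proxy_v1(data: bytes) -> tuple[Optional[ProxyInfo], bytes]:
    """Split a PROXY v1 header off the start of a TCP stream.

    Returns (info, remaining_bytes). Raises ValueError on a malformed
    header so the backend can drop the connection rather than trust it.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("missing PROXY header")
    end = data.find(b"\r\n", 0, MAX_HEADER_LEN)
    if end == -1:
        raise ValueError("PROXY header not CRLF-terminated within 107 bytes")
    line, rest = data[:end], data[end + 2:]
    fields = line.decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":          # spec: keep connection, ignore addresses
        return None, rest
    if len(fields) != 6:
        raise ValueError("wrong field count")
    _, family, src, dst, sport, dport = fields
    if family not in ("TCP4", "TCP6"):
        raise ValueError(f"unsupported family {family!r}")
    version = 4 if family == "TCP4" else 6
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != version or dst_ip.version != version:
        raise ValueError("address family does not match addresses")
    ports = []
    for p in (sport, dport):
        if not p.isdigit() or not 0 <= int(p) <= 65535:
            raise ValueError(f"bad port {p!r}")
        ports.append(int(p))
    return ProxyInfo(family, str(src_ip), str(dst_ip), ports[0], ports[1]), rest

def client_address(data: bytes, peer_ip: str, trusted_nets: list[str]) -> str:
    """Real client IP only if the TCP peer is a trusted ELB node (assumed
    allowlist); otherwise any PROXY line is ignored and the peer IP is used."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_nets):
        return peer_ip
    info, _ = parse_proxy_v1(data)
    return info.src_ip if info else peer_ip
```

ELB node IPs change (see the Nodes section), so in practice the allowlist should be the VPC/subnet ranges the ELB nodes live in, enforced together with the security group rule.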
Connection Draining
- Instance status: "InService: instance deregistration currently in progress"
- Default: 300s (5 minutes), Max 3600s (1h)
Dualstack
- EC2-Classic supported
- Communication to backend over IPv4
- DNS names
- name-123456789.region.elb.amazonaws.com
- ipv6.name-123456789.region.elb.amazonaws.com
- dualstack.name-123456789.region.elb.amazonaws.com - Returns both IPv4 and IPv6
Security
- Security Policy
- SSL Protocol: SSL 2.0, SSL 3.0, TLS 1.0 (=SSL 3.1), TLS 1.1, TLS 1.2
- SSL Ciphers
- ECDHE for Perfect Forward Secrecy (ephemeral keys are not stored)
- Server Order Preference
- Enabled: ELB selects first cipher from its list that is on client list (i.e. ELB has the final say)
- Disabled: client decides
- Types of policy
- Predefined (versioned)
- Customer Defined
- Security Group - allows backend server to restrict access (i.e. traffic via ELB only)
- Supports certificates from IAM and AWS Certificate Manager
Metrics
- SurgeQueueLength - how many requests queued up on ELB waiting to be serviced
- Queue length is 1024
- SpillOverCount - queue grew too much and requests were rejected by ELB
- BackendConnectionErrors - indicates how the backend servers are behaving
Prewarming
- ELB takes time to scale out, so it needs preparation when flash traffic is expected
- Possible to call support and ask for pre-warming
Backend Server Authentication Type
- Optional authentication when using HTTPS
- Process
- Add certificate name and "pem"-encoded certificate to ELB
- Enable
Misc
- Cross Zone Load Balancing
- evens out imbalance between AZs
- ensures there is no 503 when there are no backend instances in the zone
- ELB scaling typically takes 1-7 minutes
- ELB sends traffic to primary private IP address
- Sending traffic to instance in private subnet
- For each subnet EC2 instance gets a public IP
- hence: add public subnets to ELB only
- Single instance can be added to multiple ELBs
Subnets
- Public subnet for "public ELB" and private subnet for "internal ELB"
- Max 1 subnet per AZ
- ELB creates a load balancing node in each subnet
- Specify at least 2 subnets