Static IP for ALB - static-ip-address

I have an ALB with ports 3838 and 8787 running on it.
I have created 2 TGs, HTTP-3838 and HTTP-8787, to the instance. Later I created an NLB TG with port 80 forwarding to the ALB.
The ALB TGs are healthy, whereas the NLB TG is unhealthy.
Static IP for the ALB to map it to the domain registrar.

Related

How to use port 8443 with ECS Fargate and ALB?

Is it possible to run Spring Boot containerized apps on port 8443 going through a 443 ALB listener and deployed on ECS Fargate in AWS? The 443 listener would have an issued cert, not a self-signed cert. I would use an NLB but I need to set route paths, so that's a no go. Would using nginx as a proxy be used in a situation like this?
Is it possible to run Spring Boot containerized apps on port 8443 going through a 443 ALB listener and deployed on ECS Fargate in AWS?
Yes, it is absolutely possible; there should be no issue with this at all. What you are describing is actually just a very standard and basic ECS/Fargate setup.
Would using nginx as a proxy be used in a situation like this?
Only if you want to. You don't need Nginx just to make this work.
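The setup the answer calls standard, written out in Terraform as an added example (not code from the question or the answer): the ALB terminates TLS on 443 with the issued certificate, forwards to a target group on 8443 speaking HTTPS to the Fargate tasks, and routes by path. `aws_lb.app`, `var.vpc_id`, `var.certificate_arn` and the health-check path are assumptions.

```hcl
# Added example, not from the thread. Assumes aws_lb.app, var.vpc_id and
# var.certificate_arn exist; the health-check path is a placeholder.
resource "aws_lb_target_group" "spring_8443" {
  name        = "spring-8443"
  port        = 8443
  protocol    = "HTTPS"      # the ALB re-encrypts to the container on 8443
  target_type = "ip"         # Fargate tasks register by IP, not instance ID
  vpc_id      = var.vpc_id

  health_check {
    protocol = "HTTPS"
    port     = "traffic-port"
    path     = "/actuator/health" # placeholder: use the app's health endpoint
    matcher  = "200"
  }
}

# Public 443 listener presenting the ACM-issued certificate to clients.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.spring_8443.arn
  }
}

# Path-based routing, the requirement that rules out an NLB here.
resource "aws_lb_listener_rule" "api" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 10

  condition {
    path_pattern {
      values = ["/api/*"]
    }
  }

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.spring_8443.arn
  }
}
```

The task's security group still needs an ingress rule for 8443 whose source is the ALB's security group. Note that the ALB encrypts the hop to 8443 but does not validate the certificate the task presents, so that hop is confidentiality without target authentication.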

NET::ERR_CERT_COMMON_NAME_INVALID error occurring when an AWS ACM certificate is loaded on an HTTPS load balancer for a domain created in GoDaddy

I have a Node.js app deployed onto an EC2 instance running on port 300, and it is exposed to the Internet via ports 80 & 443 through HTTP load balancers.
My security group allows inbound rules on 80 & 443. I have created SSL certificates with ACM for a domain created on GoDaddy (domain name: www.abcd-example.com).
For the CNAME I added these values: Host (Name): _57xxxxxxxxxxxxxxx5d, Points to (Value): _68xxxxxxxxxxx67.bxxxxxxxxxxxj.acm-validations.aws.
My ACM certificate was issued and I loaded this certificate onto the load balancer. Now when I try to access the load balancer with https://, I am getting this error: NET::ERR_CERT_COMMON_NAME_INVALID.
I am not sure why this is happening, as I followed all the steps mentioned in the AWS docs to the dot. Can anyone help me out with this?

GCP Global load balancer health checks fail for k8s cluster autoscaling group

I've installed haproxy ingress in the GKE cluster since the default ingress (integration with global load balancer) was not satisfying my needs.
So port 80 is the target HTTP port for the load balancer backend on all cluster hosts.
I've simply configured a global HTTPS load balancer to terminate SSL and balance traffic between the k8s nodes auto-scaling group.
Everything seems correctly configured, but I can see backend health checks fail.
I've tried two methods: HTTP on /healthz and TCP on port 80.
Both checks fail, and the service is unavailable 99% of the time.
Can anybody help me with this situation?
The problem was the firewall rules.
Health checks were not allowed to access GCE nodes associated with the GKE cluster.
I've added a new rule to the VPC to allow the 35.191.0.0/16 and 130.211.0.0/22 source IP ranges on TCP port 10253, the haproxy ingress health port.
After adding the rule, health checks passed, and the load balancer started to work.
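The fix described in the answer, as a Terraform example added here (not the poster's own configuration): a firewall rule that admits only Google's health-check prober ranges to the haproxy ingress health port on the GKE nodes, plus a backend health check aimed at that same port. `var.network` and `var.gke_node_tag` are assumptions.

```hcl
# Added example, not from the thread. var.network and var.gke_node_tag are
# assumed inputs; the ranges and port are those given in the answer.
resource "google_compute_firewall" "allow_lb_health_checks" {
  name      = "allow-lb-health-checks"
  network   = var.network
  direction = "INGRESS"

  # Google's health-check prober ranges; limiting the source to them keeps
  # the health port closed to everything else.
  source_ranges = ["35.191.0.0/16", "130.211.0.0/22"]

  # Apply to the GKE nodes only, not to every instance in the VPC.
  target_tags = [var.gke_node_tag]

  allow {
    protocol = "tcp"
    ports    = ["10253"] # haproxy ingress health port
  }
}

# The backend health check must probe the same port the rule opens;
# a check aimed at port 80 would still fail after the firewall change.
resource "google_compute_health_check" "haproxy_ingress" {
  name = "haproxy-ingress-health"

  tcp_health_check {
    port = 10253
  }
}
```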

Terraform: Security group to connect an ASG to an ALB

My settings
I am building a pretty standard stack of an Auto Scaling group of EC2 instances, receiving traffic via an ALB.
The instances expose port 80 to the entire VPC, and the ALB exposes port 443 with a certificate externally to receive traffic from the Internet.
My problem
I would like to enable port 80 access from the ALB only, not from the entire VPC.
My question
How can I define a security group in Terraform, that exposes port 80 of the instances to the ALB only, but not to other parts of the VPC?
Maybe this is helpful:
resource "aws_security_group_rule" "opened_to_alb" {
  type                     = "ingress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  # the ALB's security group is the only permitted source
  source_security_group_id = "${var.alb_sg_id}"
  # the instances' security group that receives the rule
  security_group_id        = "${aws_security_group.your_sg.id}"
}
var.alb_sg_id can be replaced with your actual ALB security group id.
You can create a security group (aws_security_group) for your load balancer and give that access to port 80 using an aws_security_group_rule.
Then, in the security group of the servers, you want to allow access to them on port 80 only from the load balancer security group, like so: source_security_group_id = "${aws_security_group.mylb.id}"
Does this make sense? If not, I can elaborate further.
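As an added, complete example (not the answerers' own code), both security groups and the rules tying them together, assuming `var.vpc_id`: the ALB accepts 443 from the Internet, the instances accept 80 only from the ALB's group rather than the VPC CIDR, and the ALB's egress is likewise limited to the instances. Standalone aws_security_group_rule resources are used so the two groups can reference each other without a dependency cycle.

```hcl
# Added example, not from the thread. var.vpc_id is an assumed input. Terraform
# drops the allow-all egress AWS attaches by default, so egress is explicit.
resource "aws_security_group" "alb" {
  name        = "alb-sg"
  description = "Internet-facing ALB"
  vpc_id      = var.vpc_id
}

resource "aws_security_group" "web" {
  name        = "asg-web-sg"
  description = "ASG instances, reachable only from the ALB"
  vpc_id      = var.vpc_id
}

# Internet -> ALB on 443
resource "aws_security_group_rule" "alb_https_in" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.alb.id
}

# ALB -> instances on 80 only (for egress rules, source_security_group_id
# names the destination group)
resource "aws_security_group_rule" "alb_http_out" {
  type                     = "egress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.web.id
  security_group_id        = aws_security_group.alb.id
}

# Instances accept 80 only from the ALB's group, not from the VPC CIDR
resource "aws_security_group_rule" "web_http_from_alb" {
  type                     = "ingress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
  security_group_id        = aws_security_group.web.id
}
```

Because the web group has no egress rule here, add one for whatever the instances legitimately need (package mirrors, a database group) rather than reinstating allow-all.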

AWS - SSL/HTTPS on load balancer

I have a problem adding HTTPS to my EC2 instance, and maybe you guys have the answer to make it work.
I have a load balancer that is forwarding the connection to my EC2 instance. I've added the SSL certificate to the load balancer and everything went fine. I've added a listener on port 443 that will forward to port 443 of my instance, and I've configured Apache to listen on both ports 443 and 80. Now here is the screenshot of my load balancer:
The SSL certificate is valid and on port 80 (HTTP) everything is fine, but if I try with HTTPS the request does not go through.
Any idea?
Cheers
Elastic Load Balancer cannot forward your HTTPS requests to the server. This is why SSL is there: to prevent a man-in-the-middle attack (amongst others).
The way you can get this working is the following:
1. Configure your ELB to accept 443 TCP connections and install an SSL certificate through IAM (just like you did).
2. Relay traffic on TCP 80 to your fleet of web servers.
3. Configure your web servers to accept traffic on TCP 80 (having SSL between the load balancer and the web servers is also supported, but not required most of the time).
4. Configure your web servers' Security Group to only accept traffic from the load balancer.
5. (Optional) Be sure your web servers are running in a private subnet, i.e. with only private IP addresses and no route to the Internet Gateway.
If you really need to have an end-to-end SSL tunnel between your client and your backend servers (for example, to perform client-side SSL authentication), then you'll have to configure your load balancer in TCP mode, not in HTTP mode (see Support for two-way TLS/HTTPS with ELB for more details).
More details:
SSL Load Balancers: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/US_SettingUpLoadBalancerHTTPS.html
Load Balancers in VPC: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/UserScenariosForVPC.html
Do you have an HTTPS listener on your EC2 instance? If not, your instance port should be 80 for both load balancer listeners.
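The listener arrangement both answers point to, as an added Terraform example (not the poster's or the answerers' configuration): a Classic ELB terminating TLS on 443 with the certificate and relaying plain HTTP to instance port 80, health-checked on that same port. `var.public_subnet_ids`, `var.certificate_arn` and `aws_security_group.elb` are assumptions.

```hcl
# Added example, not from the thread. Subnets, certificate ARN and the ELB's
# security group are assumed to be defined elsewhere in the configuration.
resource "aws_elb" "web" {
  name            = "web-elb"
  subnets         = var.public_subnet_ids # the instances themselves stay private
  security_groups = [aws_security_group.elb.id]

  # Steps 1 and 2: terminate TLS on 443, relay plain HTTP to instance port 80,
  # so the instance needs no HTTPS listener of its own.
  listener {
    lb_port            = 443
    lb_protocol        = "https"
    instance_port      = 80
    instance_protocol  = "http"
    ssl_certificate_id = var.certificate_arn # ACM or IAM certificate
  }

  # Probe the same port and protocol the listener forwards to.
  health_check {
    target              = "HTTP:80/"
    interval            = 30
    timeout             = 5
    healthy_threshold   = 2
    unhealthy_threshold = 3
  }
}
```

Step 4, admitting port 80 to the web servers only from the ELB's security group, is the same aws_security_group_rule pattern shown in the Terraform answer earlier on this page.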