AWS Multi ELB In One VPC

amazon-elastic-ipamazon-web-services

I am trying to figure out the best solution for my use case.

Say I have 10 websites to host in my VPC. Each of these websites need to be behind an Elastic Load Balancer. From my understanding, each ELB needs to be assigned an Elastic IP (EIP). I am also creating Multi-AZ NAT instances to allow communication from my instances to outside the VPC (These also need EIP's associated with them). In addition I also have a few small websites I need to create (blogs, internal tools, etc..) that I have already assigned some EIP's to.

Should I be assigning each of these an EIP like I want to (I will have to request more EIP's due to the Region EIP limitations) or should I setup these sites in a better way?

I could setup these using apache's name based virtual hosts and have one ELB routing traffic and selecting the correct doc root based on the domain name.

Is there any other type of solution I could consider? Like some kind of Route53 solution that sends the traffic to the correct load balancer based on the domain?

Best Answer

As mentioned in comments, ELBs do not use Elastic IP addresses (EIP). Further, the instances behind ELB do not typically need public IP addresses -- inbound, they're accessed through the ELB (which receives their reply traffic also, forwarding replies to the requester) and outbound -- for back-end service requests, the instances can use a NAT instance for their Internet access.

When you create an ELB, a hostname is assigned to the load balancer. This hostname is mapped (internally) to one or more IP addresses, dynamically assigned from a public pool, at least one IP address per availability zone where the ELB Is associated with a subnet. Since ELB automatically scales with load, and these addresses are dynamic, you can't point traffic to these IP addresses directly.

"An" elastic load balancer is actually a cluster of one or more load balancer instances, each with a public and private IP address, all having exactly the same provisioning and behavior. These instances are largely invisible to you, managed by AWS, and they are included in the ELB price, regardless of how many of them the infrastructure decides you need, in order to serve the load you offer to it. (Your charge only varies by bandwidth).

Because of the dynamic nature of ELB, you need to route traffic to the ELB endpoint via your DNS configuration, to hit the hostname that was assigned to the ELB (it's not configured in your web server, it's only used in DNS). If the web site is a hostname in your domain, like www in www.example.com, then you can use a CNAME in DNS, and DNS can be hosted anywhere... but if the web site is at a zone apex (the top level of your domain, like example.com) then you need to use Route 53 to host your DNS so that you can use an Alias A record to route traffic for the site to your ELB. (All hostnames can use Alias records, but they are only required at the zone apex, where CNAME records are not valid). With an Alias in place, route 53 will then return one valid IP for your ELB, with a short TTL, in response to each request.

EC2 instances can be associated with any number of ELBs, but one ELB can only send requests to one group of instances -- ELB does not select instances based on any criteria other than balancing the load among all the healthy instances associated with it.

If your sites are not using SSL, then you can host the sites with a single ELB on one or more instances, using virtual hosting configuration to serve the correct content... but all of the instances connected to a single ELB need to be prepared to serve the content of all the sites.

If your sites use SSL, then you need one ELB per SSL certificate. If the SSL certificate is a wildcard, or a multi-domain "UCC" certificate, then you may still only need the one ELB... but if you need multiple certs, then you need one ELB per cert, though the ELBs can still front-end for a common group of EC2 instances, so long as all of those instances are prepared to serve all the sites.

(There are alternative configurations involving ELB in transparent TCP mode and a web server that understands the PROXY protocol and SNI, but I would suggest that these are advanced topics outside the scope of the question).

You will, in any event, learn the most by doing. Set up an ELB and it should be more apparent, from observation, how it works.

Note also that, somewhat counter-intuitively, when provisioning ELB, it is often wrong to put the ELB on the same subnet as the instances. The ELB, for certain, needs to be on a "public" subnet, where the default route points to the igw-xxxxxxxx Internet Gateway object, in the VPC route table, but your instances, since they only need to be accessible from the ELB, not the Internet, can go on a "private" subnet. Unlike on a traditional network, where the router can be a choke point, the "router" in VPC is actually used for all traffic, even on the same subnet, so there is no performance penalty for devices to be on different subnets.

Related Solutions

Nginx AWS ELB – How to Set Real IP from AWS ELB Load Balancer Address

If you can guarantee that all requests will be coming from ELB (I'm not familiar with it), you could try:

real_ip_header X-Forwarded-For;
set_real_ip_from 0.0.0.0/0;

That should tell nginx to trust an X-Forwarded-For header from anyone. The downside is that if anyone directly accesses your server, they would be able to spoof an X-Forwarded-For header and nginx would use the wrong client ip address.

AWS Static IP – How to Assign a Static IP Address for Outgoing Traffic from AWS Autoscaling Group

You need a NAT. This configuration is commonly used to support private subnets in VPC, there's quite a detailed guide here. Once your VPC is configured to use the NAT instance all the outbound traffic will be attributed to the EIP of the NAT instance.

If so, does that instance need to be solely for this purpose or can it be one of the instances that's running my app?

Technically you probably could, but it's not a good idea:

It's good security to have roles isolated.
You want your application servers to have similar or identical load profiles. If one instance has an extra 10% load because of the NAT then you'll have to scale up prematurely when you hit the limits of that instance. This will get worse as the NAT gets busier as more instances get added to your cluster.
You want your application servers to be identical and ephemeral so you can tear them down and/or replace them whenever there's an issue or you need to scale. Having one application server which is different to the rest would be a major headache.

You might be able to get away with it if your instances are containerised but it's still probably not a great idea.

Also keep in mind that your NAT instance could be a single point of failure, so you may want to think about redundancy.

Best Answer

Related Solutions

Nginx AWS ELB – How to Set Real IP from AWS ELB Load Balancer Address

AWS Static IP – How to Assign a Static IP Address for Outgoing Traffic from AWS Autoscaling Group

Related Topic