Mixing
Load Balancing multiple Containerized Applications on a Group of Instances
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
The hypothetical scenario is you have 3 containerized (docker) web applications using different ports -- 1234, 5678, 7890.
Is it possible to have an Application Load Balancer that forwards HTTP/HTTPS traffic from app1.example.com, app2.example.com, and app3.example.com to a specific port on an EC2 Target Group?
Example:
All traffic coming from app1.example.com should go to the port 1234 of the EC2 Target Group.
Also, what would be the SSL Certificate Setup for this since the ELB will be having multiple subdomains?
amazon-web-services docker containers amazon-elb amazon-alb
edited Jan 4 at 5:35
Vikrant
3,994153857
asked Jan 3 at 2:56
Anathema LafarelAnathema Lafarel
81
add a comment |
The hypothetical scenario is you have 3 containerized (docker) web applications using different ports -- 1234, 5678, 7890.
Is it possible to have an Application Load Balancer that forwards HTTP/HTTPS traffic from app1.example.com, app2.example.com, and app3.example.com to a specific port on an EC2 Target Group?
Example:
All traffic coming from app1.example.com should go to the port 1234 of the EC2 Target Group.
Also, what would be the SSL Certificate Setup for this since the ELB will be having multiple subdomains?
amazon-web-services docker containers amazon-elb amazon-alb
edited Jan 4 at 5:35
Vikrant
3,994153857
asked Jan 3 at 2:56
Anathema LafarelAnathema Lafarel
81
add a comment |
The hypothetical scenario is you have 3 containerized (docker) web applications using different ports -- 1234, 5678, 7890.
Is it possible to have an Application Load Balancer that forwards HTTP/HTTPS traffic from app1.example.com, app2.example.com, and app3.example.com to a specific port on an EC2 Target Group?
Example:
All traffic coming from app1.example.com should go to the port 1234 of the EC2 Target Group.
Also, what would be the SSL Certificate Setup for this since the ELB will be having multiple subdomains?
amazon-web-services docker containers amazon-elb amazon-alb
edited Jan 4 at 5:35
Vikrant
3,994153857
asked Jan 3 at 2:56
Anathema LafarelAnathema Lafarel
81
The hypothetical scenario is you have 3 containerized (docker) web applications using different ports -- 1234, 5678, 7890.
Is it possible to have an Application Load Balancer that forwards HTTP/HTTPS traffic from app1.example.com, app2.example.com, and app3.example.com to a specific port on an EC2 Target Group?
Example:
All traffic coming from app1.example.com should go to the port 1234 of the EC2 Target Group.
Also, what would be the SSL Certificate Setup for this since the ELB will be having multiple subdomains?
amazon-web-services docker containers amazon-elb amazon-alb
amazon-web-services docker containers amazon-elb amazon-alb
edited Jan 4 at 5:35
Vikrant
3,994153857
asked Jan 3 at 2:56
Anathema LafarelAnathema Lafarel
81
edited Jan 4 at 5:35
Vikrant
3,994153857
asked Jan 3 at 2:56
Anathema LafarelAnathema Lafarel
81
edited Jan 4 at 5:35
Vikrant
3,994153857
edited Jan 4 at 5:35
Vikrant
3,994153857
edited Jan 4 at 5:35
Vikrant
3,994153857
3,994153857
asked Jan 3 at 2:56
Anathema LafarelAnathema Lafarel
81
asked Jan 3 at 2:56
Anathema LafarelAnathema Lafarel
81
asked Jan 3 at 2:56
Anathema LafarelAnathema Lafarel
81
81
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
In order to do this, first you'll need to create 3 separate target groups, each containing the same EC2's you want to redirect to, differentiated by the target port for each application (1234, 5678, etc).
Once you do this, you can create a new ALB with 2 listeners, one for HTTP on port 80, and another for HTTPS on port 443. If you're creating this through the AWS Console, set the availability zones you want to use, choose a security policy and certificate for the HTTPS listener, and choose or create a security group. For the routing configuration, just create some new arbitrary target group. We're going to simply delete it later (the wizard won't let you select the appropriate options on creation).
Once the ALB is created, we need to edit the rules of the 2 listeners. So select the ALB, go to the listeners tab, and click on the 'View/edit rules' link next to one of the listeners (Note this is NOT selecting the listener and clicking 'Edit', which is something entirely different). Now on this new screen, click on the pencil to edit the current default rule, delete the current 'THEN' action, and replace it with 'Return fixed response...'. For the fields here, I would just set a Response code of 400, with the response body being something like 'invalid host header'. This will only be returned if a client tries to access this load balancer with a host other than the ones we'll explicitly set.
Now click the 'Update' button to save the changes for this default rule, and then click the '+' button to add a new rule above the default rule. For this new rule, add the condition 'Host is...', and set it to one of the app domains (i.e. app1.example.com). Now add the condition for this rule to 'Forward to...', and select the target group for this app that you created earlier.
Now repeat step 4 for all apps you need to service for this load balancer
Now repeat steps 3-5 for the other listener on the ALB
You can now delete the extra target group you may have made earlier during the creation of the ALB via the wizard in the console. Other than that, you should be done.
Note: There is no way to have a single HTTPS listener use multiple different certificates, even though you can route based on the host header. In order for SSL to be valid across multiple different apps, you will be REQUIRED to use a wildcard certificate that is valid for all your apps at the same time. If you use ACM, you can generate free wildcard certificates and use them on the ALB.
answered Jan 3 at 8:18
cheeseandcerealcheeseandcereal
263
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54015754%2fload-balancing-multiple-containerized-applications-on-a-group-of-instances%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
In order to do this, first you'll need to create 3 separate target groups, each containing the same EC2's you want to redirect to, differentiated by the target port for each application (1234, 5678, etc).
Once you do this, you can create a new ALB with 2 listeners, one for HTTP on port 80, and another for HTTPS on port 443. If you're creating this through the AWS Console, set the availability zones you want to use, choose a security policy and certificate for the HTTPS listener, and choose or create a security group. For the routing configuration, just create some new arbitrary target group. We're going to simply delete it later (the wizard won't let you select the appropriate options on creation).
Once the ALB is created, we need to edit the rules of the 2 listeners. So select the ALB, go to the listeners tab, and click on the 'View/edit rules' link next to one of the listeners (Note this is NOT selecting the listener and clicking 'Edit', which is something entirely different). Now on this new screen, click on the pencil to edit the current default rule, delete the current 'THEN' action, and replace it with 'Return fixed response...'. For the fields here, I would just set a Response code of 400, with the response body being something like 'invalid host header'. This will only be returned if a client tries to access this load balancer with a host other than the ones we'll explicitly set.
Now click the 'Update' button to save the changes for this default rule, and then click the '+' button to add a new rule above the default rule. For this new rule, add the condition 'Host is...', and set it to one of the app domains (i.e. app1.example.com). Now add the condition for this rule to 'Forward to...', and select the target group for this app that you created earlier.
Now repeat step 4 for all apps you need to service for this load balancer
Now repeat steps 3-5 for the other listener on the ALB
You can now delete the extra target group you may have made earlier during the creation of the ALB via the wizard in the console. Other than that, you should be done.
Note: There is no way to have a single HTTPS listener use multiple different certificates, even though you can route based on the host header. In order for SSL to be valid across multiple different apps, you will be REQUIRED to use a wildcard certificate that is valid for all your apps at the same time. If you use ACM, you can generate free wildcard certificates and use them on the ALB.
answered Jan 3 at 8:18
cheeseandcerealcheeseandcereal
263
add a comment |
In order to do this, first you'll need to create 3 separate target groups, each containing the same EC2's you want to redirect to, differentiated by the target port for each application (1234, 5678, etc).
Once you do this, you can create a new ALB with 2 listeners, one for HTTP on port 80, and another for HTTPS on port 443. If you're creating this through the AWS Console, set the availability zones you want to use, choose a security policy and certificate for the HTTPS listener, and choose or create a security group. For the routing configuration, just create some new arbitrary target group. We're going to simply delete it later (the wizard won't let you select the appropriate options on creation).
Once the ALB is created, we need to edit the rules of the 2 listeners. So select the ALB, go to the listeners tab, and click on the 'View/edit rules' link next to one of the listeners (Note this is NOT selecting the listener and clicking 'Edit', which is something entirely different). Now on this new screen, click on the pencil to edit the current default rule, delete the current 'THEN' action, and replace it with 'Return fixed response...'. For the fields here, I would just set a Response code of 400, with the response body being something like 'invalid host header'. This will only be returned if a client tries to access this load balancer with a host other than the ones we'll explicitly set.
Now click the 'Update' button to save the changes for this default rule, and then click the '+' button to add a new rule above the default rule. For this new rule, add the condition 'Host is...', and set it to one of the app domains (i.e. app1.example.com). Now add the condition for this rule to 'Forward to...', and select the target group for this app that you created earlier.
Now repeat step 4 for all apps you need to service for this load balancer
Now repeat steps 3-5 for the other listener on the ALB
You can now delete the extra target group you may have made earlier during the creation of the ALB via the wizard in the console. Other than that, you should be done.
Note: There is no way to have a single HTTPS listener use multiple different certificates, even though you can route based on the host header. In order for SSL to be valid across multiple different apps, you will be REQUIRED to use a wildcard certificate that is valid for all your apps at the same time. If you use ACM, you can generate free wildcard certificates and use them on the ALB.
answered Jan 3 at 8:18
cheeseandcerealcheeseandcereal
263
add a comment |
In order to do this, first you'll need to create 3 separate target groups, each containing the same EC2's you want to redirect to, differentiated by the target port for each application (1234, 5678, etc).
Once you do this, you can create a new ALB with 2 listeners, one for HTTP on port 80, and another for HTTPS on port 443. If you're creating this through the AWS Console, set the availability zones you want to use, choose a security policy and certificate for the HTTPS listener, and choose or create a security group. For the routing configuration, just create some new arbitrary target group. We're going to simply delete it later (the wizard won't let you select the appropriate options on creation).
Once the ALB is created, we need to edit the rules of the 2 listeners. So select the ALB, go to the listeners tab, and click on the 'View/edit rules' link next to one of the listeners (Note this is NOT selecting the listener and clicking 'Edit', which is something entirely different). Now on this new screen, click on the pencil to edit the current default rule, delete the current 'THEN' action, and replace it with 'Return fixed response...'. For the fields here, I would just set a Response code of 400, with the response body being something like 'invalid host header'. This will only be returned if a client tries to access this load balancer with a host other than the ones we'll explicitly set.
Now click the 'Update' button to save the changes for this default rule, and then click the '+' button to add a new rule above the default rule. For this new rule, add the condition 'Host is...', and set it to one of the app domains (i.e. app1.example.com). Now add the condition for this rule to 'Forward to...', and select the target group for this app that you created earlier.
Now repeat step 4 for all apps you need to service for this load balancer
Now repeat steps 3-5 for the other listener on the ALB
You can now delete the extra target group you may have made earlier during the creation of the ALB via the wizard in the console. Other than that, you should be done.
Note: There is no way to have a single HTTPS listener use multiple different certificates, even though you can route based on the host header. In order for SSL to be valid across multiple different apps, you will be REQUIRED to use a wildcard certificate that is valid for all your apps at the same time. If you use ACM, you can generate free wildcard certificates and use them on the ALB.
answered Jan 3 at 8:18
cheeseandcerealcheeseandcereal
263
In order to do this, first you'll need to create 3 separate target groups, each containing the same EC2's you want to redirect to, differentiated by the target port for each application (1234, 5678, etc).
Once you do this, you can create a new ALB with 2 listeners, one for HTTP on port 80, and another for HTTPS on port 443. If you're creating this through the AWS Console, set the availability zones you want to use, choose a security policy and certificate for the HTTPS listener, and choose or create a security group. For the routing configuration, just create some new arbitrary target group. We're going to simply delete it later (the wizard won't let you select the appropriate options on creation).
Once the ALB is created, we need to edit the rules of the 2 listeners. So select the ALB, go to the listeners tab, and click on the 'View/edit rules' link next to one of the listeners (Note this is NOT selecting the listener and clicking 'Edit', which is something entirely different). Now on this new screen, click on the pencil to edit the current default rule, delete the current 'THEN' action, and replace it with 'Return fixed response...'. For the fields here, I would just set a Response code of 400, with the response body being something like 'invalid host header'. This will only be returned if a client tries to access this load balancer with a host other than the ones we'll explicitly set.
Now click the 'Update' button to save the changes for this default rule, and then click the '+' button to add a new rule above the default rule. For this new rule, add the condition 'Host is...', and set it to one of the app domains (i.e. app1.example.com). Now add the condition for this rule to 'Forward to...', and select the target group for this app that you created earlier.
Now repeat step 4 for all apps you need to service for this load balancer
Now repeat steps 3-5 for the other listener on the ALB
You can now delete the extra target group you may have made earlier during the creation of the ALB via the wizard in the console. Other than that, you should be done.
Note: There is no way to have a single HTTPS listener use multiple different certificates, even though you can route based on the host header. In order for SSL to be valid across multiple different apps, you will be REQUIRED to use a wildcard certificate that is valid for all your apps at the same time. If you use ACM, you can generate free wildcard certificates and use them on the ALB.
answered Jan 3 at 8:18
cheeseandcerealcheeseandcereal
263
edited Jan 3 at 8:25
answered Jan 3 at 8:18
cheeseandcerealcheeseandcereal
263
answered Jan 3 at 8:18
cheeseandcerealcheeseandcereal
263
answered Jan 3 at 8:18
cheeseandcerealcheeseandcereal
263
263
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54015754%2fload-balancing-multiple-containerized-applications-on-a-group-of-instances%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
