Using AWS Application Load Balancer with Elastic VMware Service VMs

6 minute read
Content level: Advanced

The purpose of this article is to provide an example of how to set up an AWS Application Load Balancer with backend VMs running on Elastic VMware Service (EVS) and on EC2. Consider this for recently migrated environments that have existing DMZ workloads, or as a way to migrate workloads from VMs running in EVS to EC2 instances where it makes sense: with both behind the same target group, traffic can be shifted by registering and deregistering targets.

Setup Networking and Security

Let’s make sure the networking and security group are set up properly. The load balancer requires at least one subnet in each of a minimum of two availability zones. Currently EVS is deployed to a single AZ, so you will need to add a second EVS environment or a subnet for EC2 instances (we will use the EC2 subnet in this article).

Check Your Subnets

Let’s make sure the subnets are in different availability zones. I am using the public subnet created during the EVS deployment and a second subnet I created for EC2 instances:


Check the Route Tables

Next, let’s make sure the route table has an entry that sends traffic to the EVS environment. Your IP ranges may vary, but here 192.168.0.0/16 is routed through the ENI attached to the NsxPrivateUplink subnet that is created during deployment. This route should already exist once you have created the segment in NSX-T within the EVS environment. Without it, the load balancer nodes can reach the EC2 target but will time out on the EVS targets.


Create Your Security Group

Next, we create the security group for the load balancer, allowing HTTP (80) and HTTPS (443) inbound. Restrict the source to the clients that actually need access (for an internal load balancer, typically the VPC or corporate CIDRs) rather than 0.0.0.0/0:


You may also need to add an allow rule in the NSX-T distributed firewall if you have rules in the EVS network that block this traffic. Health checks and client traffic arrive from the load balancer nodes’ private IPs in the load balancer’s subnets, so allow that source on the target port.

Create Your Target Group

Our next step is to get the IP address(es) of the target virtual machines. For VMs in EVS, log into your vCenter console and select the VM; the Summary section shows its IP address. If the IP address is missing, you may need to install VMware Tools on the VM.


To get the private IP address of your EC2 instance, navigate to the instance in the EC2 console, check the box next to it and copy the private IPv4 address. The target group will use the IP target type (a target group has a single target type), so the EC2 instance is registered by its private IP rather than by instance ID.


You can also run the following AWS CLI command, replacing the instance ID with your instance ID:

aws ec2 describe-instances --instance-ids i-1234567890abcdef0 --query 'Reservations[0].Instances[0].PrivateIpAddress' --output text

Once we have this information, log into the AWS console and go to the EC2 service. On the left-hand side, scroll down to the Load Balancing section and click Target Groups, then click the Create target group button on the right.

Specify Target Group Details

Here you choose the IP addresses target type, give the group a name such as demo-evs-alb, choose the protocol and port to be used, the VPC where your load balancer will reside, the protocol version, the health check settings, and any tags you need. I’ll be using the VPC where EVS is deployed.


Register Targets

Here we choose Other private IP addresses, input the IP address of our EVS virtual machine(s) and click the Include as pending below button. IP targets outside the VPC CIDR, as the EVS VMs are, must fall in one of the private ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 or 100.64.0.0/10, and are registered with the availability zone set to all; the console does this for you when you pick Other private IP addresses.


Once you have added all of the IPs for the EVS virtual machines, add the IP address of your EC2 instance the same way, then click the Create target group button.


Target health checks only run once the target group is attached to a load balancer listener, so right after creation the targets show as unused. After the load balancer is created in the next step, come back here, select the checkbox next to the target group and confirm on the Targets tab that every target reports healthy. A target that stays unhealthy usually means the security group or NSX-T firewall is blocking the health check, or the application is not listening on the target port.

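To tie the target group steps together, here is an added Python example (not code from this article or from AWS) that builds the target list the register-targets API expects for the mixed EVS/EC2 case, rejecting addresses the ALB would refuse, and interprets describe-target-health output so that "unused" (not yet attached to a listener) is not mistaken for "unhealthy". The VPC CIDR 10.0.0.0/16, the addresses 192.168.10.11, 192.168.10.12 and 10.0.1.25, and the target-health JSON are all constructed for this example.

```python
"""Added example (not from the original article): plan and verify IP targets
for an ALB target group that mixes EVS virtual machines with EC2 instances.

Assumptions (not stated on the page): the VPC CIDR is 10.0.0.0/16, the EC2
instance is 10.0.1.25, and the EVS VMs live on the 192.168.0.0/16 NSX segment.
The target-health JSON below is constructed to look like the output of
`aws elbv2 describe-target-health`; it is not real output from an account.
"""
import ipaddress
import json

# Ranges an ALB accepts for IP targets that lie outside the target group's VPC
# CIDR (RFC 1918 plus the RFC 6598 carrier-grade NAT block). Anything else is
# rejected at registration time.
ALLOWED_OUTSIDE_VPC = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def plan_targets(vpc_cidr, target_ips, port):
    """Return the Targets list for `aws elbv2 register-targets`.

    IPs inside the VPC CIDR are registered as-is. IPs reached over the NSX
    uplink route (the EVS VMs) must carry AvailabilityZone="all" and must be
    in a private range, otherwise the API refuses them.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    targets = []
    for raw in target_ips:
        ip = ipaddress.ip_address(raw)
        if ip in vpc:
            targets.append({"Id": str(ip), "Port": port})
            continue
        if not any(ip in net for net in ALLOWED_OUTSIDE_VPC):
            raise ValueError(f"{ip} is outside the VPC and not in an allowed private range")
        targets.append({"Id": str(ip), "Port": port, "AvailabilityZone": "all"})
    return targets


def summarize_health(describe_target_health_json):
    """Group target IDs by state from describe-target-health output.

    'unused' means the target group is not attached to a listener yet, so no
    health check has run; 'unhealthy' means the check ran and failed (usually
    a security group or NSX-T firewall rule, or the app not listening).
    """
    doc = json.loads(describe_target_health_json)
    states = {}
    for entry in doc["TargetHealthDescriptions"]:
        state = entry["TargetHealth"]["State"]
        states.setdefault(state, []).append(entry["Target"]["Id"])
    return states


# Constructed sample: one EVS VM healthy, one EVS VM blocked by a firewall
# (health check timed out), and the EC2 target healthy.
SAMPLE_HEALTH = json.dumps({
    "TargetHealthDescriptions": [
        {"Target": {"Id": "192.168.10.11", "Port": 80, "AvailabilityZone": "all"},
         "HealthCheckPort": "80", "TargetHealth": {"State": "healthy"}},
        {"Target": {"Id": "192.168.10.12", "Port": 80, "AvailabilityZone": "all"},
         "HealthCheckPort": "80",
         "TargetHealth": {"State": "unhealthy", "Reason": "Target.Timeout",
                          "Description": "Request timed out"}},
        {"Target": {"Id": "10.0.1.25", "Port": 80},
         "HealthCheckPort": "80", "TargetHealth": {"State": "healthy"}},
    ]
})


if __name__ == "__main__":
    plan = plan_targets("10.0.0.0/16",
                        ["192.168.10.11", "192.168.10.12", "10.0.1.25"], 80)
    # Shorthand suitable for:
    #   aws elbv2 register-targets --target-group-arn <arn> --targets <this>
    print(" ".join(",".join(f"{k}={v}" for k, v in t.items()) for t in plan))
    print(summarize_health(SAMPLE_HEALTH))
```

The printed shorthand is what you pass to `--targets`; the EVS entries carry `AvailabilityZone=all` because they are outside the VPC CIDR, while the EC2 entry does not. A target reported as unhealthy with Target.Timeout is the signature of the security group or NSX-T rule problem mentioned above, whereas unused simply means the listener has not been created yet.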

Now that the target group is created, it’s time to create the load balancer. For my example I am using an Application Load Balancer, because the application runs over HTTP/HTTPS. If you need to load balance other TCP or UDP ports, use a Network Load Balancer, which supports protocols beyond the HTTP, HTTPS and gRPC that the ALB provides.

Creating the Load Balancer

To create your load balancer, click Load Balancers in the same section on the left, then click Create load balancer on the right. Next, click the Create button for the type of load balancer you want to create.

Basic Configuration

In the Basic configuration section, we provide a name for the load balancer, choose whether it will be internet-facing or internal (I chose internal for this demo), and choose IPv4 or Dualstack for the IP address type.


Network Mapping

In the Network mapping section, we choose the VPC and the subnets the load balancer will use. Make sure to choose the same VPC that you created the target group in and the same two subnets we checked earlier.


In the Security groups section, select the security group we created earlier. This group controls what can reach the load balancer from clients; the path from the load balancer to the targets is governed by the targets’ own security groups (for the EC2 instance) and NSX-T rules (for the EVS VMs), which must allow traffic from the load balancer’s subnets on the target port.


Listeners and routing

In this section, create a listener for the load balancer on the protocol and port you used for the target group created previously. For the default action, forward to that target group (demo-evs-alb in this example), or create one directly from the link.


Service Integrations

In the remaining section you can add service integrations that provide additional protection (for example AWS WAF for request filtering), availability, or performance enhancements.


Review

Make sure to review all of your settings before clicking Create load balancer.


Once your load balancer is created, click its name and copy the DNS name to test access to your site. Since this is an internal load balancer, test from a host inside the VPC (or from a network routed to it).


Add listener

You can also add an HTTPS listener that re-uses the existing target group by clicking the Add listener button in the Listeners and rules section of the load balancer details. In the Listener details, change the protocol drop-down to HTTPS (port 443) and select the target group you created previously. Note that with an HTTP target group, TLS terminates at the load balancer and traffic to the EVS VMs crosses the NSX uplink in plaintext; if the application requires end-to-end encryption, create an HTTPS target group instead.


In the Secure listener settings shown when you select HTTPS, you choose a security policy from the TLS, FIPS, or FS (forward secrecy) policy families; prefer a current TLS 1.3 or TLS 1.2 policy unless you have clients that need older protocols. You also choose the certificate: one from AWS Certificate Manager, one stored in IAM, or a certificate you import. Once the HTTPS listener works, consider changing the HTTP listener’s default action to redirect to HTTPS so clients do not keep using plaintext.
