Balance FTP passive-mode on NLB

0

Hi, we would like to balance an FTP server running in PASV (passive mode) on two EC2 instances, having only private IPs, by an Internet-facing NLB. What is the suggested setup? Do I need to create a listener on the NLB for EVERY port in the PASV range? If yes, is it advisable to limit the PASV range to a couple of ports, or could this limit the number of concurrent connections?

Thanks

6 answers
0

As far as I know, "pasv_address" is advertised by the FTP server (vsftpd) to the client during the first control connection (open), and thus the subsequent data connection (passive) will go directly to the EC2 instance; the NLB is no longer involved. Here is an example found on the Internet: https://resetenv.com/2018/03/01/nlb/

dom
answered 1 year ago
  • In that case, why use NLB at all? Each of the FTP instances will need an Elastic IP so use DNS load-balancing instead.

0

I don't think that this will work. See comment below - make sure you're using the same target group for all listeners.

NLB uses a hash algorithm to distribute traffic to the target instances. In the documentation it says that the target is chosen based on the protocol, source IP address, source port, destination IP address, destination port, and TCP sequence number. Edit: As zob says, sticky sessions change the way the hash algorithm works.

Edit: Therefore, if you do not use sticky sessions: based on this, it's likely that (at least some of the time) the FTP control connection from the client will go to one target and the data connection will go to another, resulting in the transfer failing. It may work some of the time and not at others, depending on whether the two connections are hashed to the same target.

AWS
Expert
answered 1 year ago
  • NLB supports sticky sessions which works by reducing the tuples used for flow hashing to just the client IP. This is applied at the target group level, so multiple listeners going to the same TG will flow hash to the same target when stickiness is enabled.
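The two answers above describe why FTP control and data connections can land on different targets when the NLB hashes on the full flow tuple, and why client-IP stickiness avoids that. The following is an added illustration (not from the thread, not AWS code): it uses a generic SHA-256 flow hash as a stand-in for the NLB's undocumented hash function, builds constructed FTP sessions (a control connection to port 21 plus a data connection to a PASV port, both from the same client IP), and measures how often the two connections of one session map to different targets with and without stickiness. The sample addresses are from the documentation ranges TEST-NET-2/3 and are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One TCP flow as seen by the load balancer (5-tuple)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def pick_target(flow: Flow, n_targets: int, sticky: bool) -> int:
    """Return the index of the target chosen for this flow.

    Illustrative stand-in for the NLB flow hash (assumption: the real
    algorithm is not public). With stickiness enabled, only the client IP
    feeds the hash; otherwise the whole 5-tuple does.
    """
    if sticky:
        key = flow.src_ip
    else:
        key = f"{flow.proto}|{flow.src_ip}|{flow.src_port}|{flow.dst_ip}|{flow.dst_port}"
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_targets


def ftp_session_flows(client_ip: str, client_port: int, nlb_ip: str, pasv_port: int):
    """Control connection (port 21) plus the passive data connection of one FTP session.

    The client typically opens the data connection from a fresh ephemeral
    port, modelled here as client_port + 1.
    """
    control = Flow("tcp", client_ip, client_port, nlb_ip, 21)
    data = Flow("tcp", client_ip, client_port + 1, nlb_ip, pasv_port)
    return control, data


def split_rate(n_sessions: int, n_targets: int, sticky: bool,
               pasv_range: tuple = (60001, 60002)) -> float:
    """Fraction of sessions whose control and data connections hit different targets."""
    nlb_ip = "198.51.100.10"  # constructed NLB address (TEST-NET-2)
    span = pasv_range[1] - pasv_range[0] + 1
    splits = 0
    for i in range(n_sessions):
        client_ip = f"203.0.113.{i % 250 + 1}"  # constructed client (TEST-NET-3)
        client_port = 40000 + 2 * i
        pasv_port = pasv_range[0] + i % span
        control, data = ftp_session_flows(client_ip, client_port, nlb_ip, pasv_port)
        if pick_target(control, n_targets, sticky) != pick_target(data, n_targets, sticky):
            splits += 1
    return splits / n_sessions


if __name__ == "__main__":
    print("5-tuple hash, 2 targets: split rate =", split_rate(200, 2, sticky=False))
    print("client-IP stickiness, 2 targets: split rate =", split_rate(200, 2, sticky=True))
```

With two targets and full-tuple hashing, roughly half of the sessions are split between instances, which is exactly the intermittent failure the answer describes; with client-IP stickiness both connections always share a target, which is the check worth making on the target group before trusting per-port listeners.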

0

Yes, when using NLB for FTP, it will be necessary to create a listener for each port number.
Therefore, in the following configuration, it is necessary to create three listeners, one for port 21, one for port 60001, and one for port 60002.
The number of listeners is also the number of simultaneous connections that can be made.

listen=YES
listen_ipv6=NO

ssl_enable=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES

pasv_enable=YES
# Port range for data transfer; its size is the number of simultaneous connections possible
pasv_min_port=60001
pasv_max_port=60002
pasv_addr_resolve=YES
pasv_address=NLB DNS NAME
tcp_wrappers=NO

Expert
answered 1 year ago
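The answer above states that one NLB listener is needed per port (21 plus every PASV port) and that the PASV range bounds the number of simultaneous data connections. As an added example (not from the thread or from vsftpd), the function below parses a vsftpd-style configuration, derives the full listener set the NLB would need, reports the concurrency bound implied by the range, and flags the two settings the thread turns on: a missing pasv_address and a range too small to be useful. The embedded configuration is constructed to mirror the one in the answer; the `min_useful_ports` threshold is an assumed operator policy, not a vsftpd setting.

```python
from typing import Dict, List


# Constructed sample mirroring the answer's configuration
SAMPLE_VSFTPD_CONF = """
listen=YES
pasv_enable=YES
# Port range for data transfer
pasv_min_port=60001
pasv_max_port=60002
pasv_addr_resolve=YES
pasv_address=NLB DNS NAME
"""


def parse_vsftpd(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' lines and blank lines are ignored (vsftpd convention)."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def required_nlb_listeners(conf: Dict[str, str], control_port: int = 21) -> List[int]:
    """Ports the NLB must listen on: the control port plus every port in the PASV range."""
    ports = [control_port]
    if conf.get("pasv_enable", "YES").upper() == "YES":
        lo = int(conf["pasv_min_port"])
        hi = int(conf["pasv_max_port"])
        if lo > hi:
            raise ValueError("pasv_min_port must not exceed pasv_max_port")
        ports.extend(range(lo, hi + 1))
    return ports


def max_concurrent_data_connections(conf: Dict[str, str]) -> int:
    """Each passive transfer occupies one PASV port, so the range size is the ceiling."""
    return len(required_nlb_listeners(conf)) - 1


def review(conf: Dict[str, str], min_useful_ports: int = 10) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag.

    min_useful_ports is an assumed operator threshold for this example.
    """
    findings: List[str] = []
    if conf.get("pasv_enable", "YES").upper() == "YES":
        if "pasv_address" not in conf:
            findings.append("pasv_address is unset: clients will be told the instance's private IP")
        n = max_concurrent_data_connections(conf)
        if n < min_useful_ports:
            findings.append(f"PASV range allows only {n} simultaneous data connection(s)")
    return findings


if __name__ == "__main__":
    c = parse_vsftpd(SAMPLE_VSFTPD_CONF)
    print("NLB listeners needed:", required_nlb_listeners(c))
    print("max concurrent data connections:", max_concurrent_data_connections(c))
    for f in review(c):
        print("finding:", f)
```

Run against the sample it reports three listeners (21, 60001, 60002) and a ceiling of two concurrent transfers, which is the trade-off the original question asks about: every extra PASV port costs one more NLB listener.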
0

A too small number of ports can limit the number of connections. Is there any other solution? Is assigning a public IP to the EC2 and configuring "pasv_address" to this IP a viable alternative?

dom
answered 1 year ago
0

What if we stop using FTP and use SFTP with port forwarding in Systems Manager?
This would eliminate the need to create an NLB.
https://aws.amazon.com/jp/blogs/mt/use-port-forwarding-in-aws-systems-manager-session-manager-to-connect-to-remote-hosts/

Expert
answered 1 year ago
0

No, we need FTP to support some legacy applications.

dom
answered 1 year ago
