Websocket - TLS termination - Global Accelerator

0

Hello,

I have a service using websocket on an ec2 instance which needs to be fronted by supposedly a load balancer to do TLS termination (the server side service does not support TLS but the calling api uses TLS) and I want it all to be behind a global accelerator.

The ec2 and the load balancer are all on a private subnet without access to an internet gateway. Within the vpc, there is another subnet that has an internet gateway.

I have tried a single stack (ipv4) internet facing network load balancer with tls protocol and forwarding to a tcp target (target type is instance ec2 with ip preservation) but somehow the packets never reach the target. Cross zone traffic is disabled. The application load balancer only supports http and https so I don't think it could work for websockets.

I notice that the network load balancer prints a warning when created on the private subnet because the subnet does not have an internet gateway. But I understand from the global accelerator doc that:

Is there something I forgot to do or that I am missing? How can I have a websocket fronted by tls termination behind a global accelerator?

  • As a side note, if I add an internet gateway to the subnet, then it all works fine.

1 Answer
0

Here are the things which you need to do -

  1. As you have already found out, have an internet facing NLB for the Global Accelerator endpoint. So, configure an internet gateway in the vpc.
  2. However, you need to ensure that the NLB doesn't receive any traffic directly from the internet. This can be done by not allocating any public IP address for the NLB or the EC2 instances, and by not having a route for the internet gateway in the subnet route table.

To learn more, refer https://docs.aws.amazon.com/global-accelerator/latest/dg/secure-vpc-connections.html

answered a year ago
  • Hello and thank you for taking the time to answer my question. As I already wrote "Within the vpc, there is another subnet that has an internet gateway." So item 1 is already done. For item 2, I had not paid attention to the issue of public ip addresses for the instance and nlb. I managed to do it for the subnet, then recreated the ec2 without public ip and recreated the nlb. But I think that internet-facing NLBs always have a public IP. As for the route, this is the issue: if I don't add it, I can't connect to the service. But if I add it then the NLB could receive internet traffic which I don't want.

  • Hi there! Okay. Can you please confirm if you have the following setup currently.

    1. NLB is in a public subnet.
    2. EC2 instances(targets) are in a private subnet.

    NLBs don't have client IP preservation, so the target instances see the Global Accelerator IP addresses in the packets. To ensure that all traffic comes from the GA, we can update the security group of the target EC2 instances with the list of GA IP addresses. Refer to this link for the configuration - https://repost.aws/knowledge-center/globalaccelerator-limit-endpoint-access-by-securitygroup. Alternatively (easier approach), use the GA security group as the source in the EC2 security group. Please note that GA creates a specific security group for each VPC.

  • I have all that except for the NLB which is on a private subnet (meaning a subnet without an internet gateway). Because if there is an internet gateway (meaning a route in the subnet route table that routes traffic to and from the internet gateway) in the NLB subnet, how do I ensure that the NLB only gets traffic from the global accelerator?

  • I tried adding a route to the private subnet: 0.0.0.0/0 to the network interface of the global accelerator but that does not solve the problem.
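The answer's second comment suggests limiting the target EC2 security group to Global Accelerator source addresses (or to the GA-created security group). The script below is an added example, not code from the thread or from AWS: it builds the IpPermissions structure that boto3's authorize_security_group_ingress takes, and it audits an existing rule set for any source (such as 0.0.0.0/0) that would let non-GA traffic reach the backend port. The CIDRs are constructed TEST-NET placeholders standing in for the real GA ranges, the backend port 8080 and the security group IDs are assumptions, and the live boto3 call at the bottom only runs if you pass real IDs.

```python
"""Build and audit EC2 security-group ingress rules that admit only Global
Accelerator sources. Added example; all IDs, ports and CIDRs are placeholders."""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample ranges (TEST-NET, not real GA addresses). The real list
# comes from the GLOBALACCELERATOR entries of AWS ip-ranges.json.
SAMPLE_GA_CIDRS = ["198.51.100.0/24", "203.0.113.0/25"]
WEBSOCKET_PORT = 8080          # assumed plain-TCP websocket port on the EC2 target
GA_SECURITY_GROUP = "sg-0000ga"  # placeholder for the GA-created group in the VPC


def build_ingress_permissions(ga_cidrs: Iterable[str], port: int) -> List[Dict]:
    """Return an IpPermissions list (boto3 shape) allowing `port`/tcp only
    from the given CIDRs. Invalid or host-bit CIDRs raise ValueError."""
    ranges = []
    for cidr in ga_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        ranges.append({"CidrIp": str(net), "Description": "Global Accelerator only"})
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": ranges}]


def _covers_port(perm: Dict, port: int) -> bool:
    """True if the permission applies to tcp `port` (protocol -1 means all)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_ingress(permissions: List[Dict], allowed_cidrs: Iterable[str],
                  allowed_group_ids: Iterable[str], port: int) -> List[str]:
    """Return findings for every source that can reach `port` but is neither
    inside an allowed CIDR nor an allowed security group. Empty list = clean."""
    allowed_nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    allowed_groups = set(allowed_group_ids)
    findings = []
    for perm in permissions:
        if not _covers_port(perm, port):
            continue
        # IPv4 and IPv6 ranges live in separate keys in the EC2 API shape.
        for key, field in (("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6")):
            for entry in perm.get(key, []):
                src = ipaddress.ip_network(entry[field])
                ok = any(src.version == a.version and src.subnet_of(a) for a in allowed_nets)
                if not ok:
                    findings.append(f"{src} can reach tcp/{port} but is not a GA range")
        for pair in perm.get("UserIdGroupPairs", []):
            gid = pair.get("GroupId")
            if gid not in allowed_groups:
                findings.append(f"security group {gid} can reach tcp/{port} but is not the GA group")
    return findings


def apply_rules(target_sg_id: str, ga_cidrs: Iterable[str], port: int) -> None:
    """Push the rule set to a real security group. Requires boto3 and AWS
    credentials; left out of the offline run on purpose."""
    import boto3  # imported here so the audit logic works without boto3 installed
    ec2 = boto3.client("ec2")
    ec2.authorize_security_group_ingress(
        GroupId=target_sg_id,
        IpPermissions=build_ingress_permissions(ga_cidrs, port),
    )


if __name__ == "__main__":
    perms = build_ingress_permissions(SAMPLE_GA_CIDRS, WEBSOCKET_PORT)
    print("clean rule set findings:", audit_ingress(perms, SAMPLE_GA_CIDRS, [GA_SECURITY_GROUP], WEBSOCKET_PORT))
    # Constructed "before" state: the rule the question's route-table change would
    # effectively expose if the group were left wide open.
    wide_open = [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                  "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
    print("open rule set findings:", audit_ingress(wide_open, SAMPLE_GA_CIDRS, [GA_SECURITY_GROUP], WEBSOCKET_PORT))
```

Running the audit against the group's current rules (for example the IpPermissions returned by describe_security_groups) tells you whether a non-GA source could still reach the NLB target, which is the check the thread is asking for; the route-table change alone does not answer it.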
