Moving from NLB to ALB w/o downtime


I'm very familiar with ALB but still trying to get my head around NLBs. I need to move some legacy routing from going through NLBs to ALBs and have some questions.

(1)

  • There is a Route53 Record for subdomain.domain.com CNAME to NLB url ending in elb.us-west-2.amazonaws.com.
  • There are three targets with the type of IP. These are network interfaces.
  • I can't work out how traffic gets routed from these network interfaces to the correct service / task running on ECS?!

(2) For Route53 there are public and private hosted zones for each domain name/subdomain name. We have records in the public hosted zone pointing to a private alb. Surely this makes no sense as it will just time out?

asked 2 months ago, 268 views
1 Answer

Answer (1):

In AWS ECS, traffic from network interfaces to ECS tasks is routed through a Network Load Balancer (NLB) and target groups. The NLB is configured with target groups that are associated with listeners. These target groups use IP addresses as the target type. The network interfaces attached to ECS container instances have private IP addresses and are associated with specific ECS tasks. When traffic hits the NLB, it is forwarded to the target group, which routes the traffic to the correct target (network interface) based on its IP address. ECS then uses the IP address to identify the corresponding ECS task and processes the traffic accordingly.

Answer (2):

Having records in a public Route53 hosted zone that point to a private Application Load Balancer (ALB) may seem counterintuitive, but it can be a valid configuration depending on your network setup. When a client outside your network queries the public DNS record, it resolves to the private IP address of the ALB. For this to work, the client needs to be on the same network as the ALB or have a network path that allows it to reach the ALB. This could be achieved through a VPN connection, Direct Connect, or some other networking setup. If the client cannot reach the private ALB, it will indeed time out.

EXPERT
answered 2 months ago
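A check for the routing described in Answer (1), added here as an example and not part of the original answer or of any AWS tooling: it joins an NLB target group's IP targets to the ECS tasks whose awsvpc network interfaces hold those addresses, and flags any registered IP that no task owns. The inputs are constructed to mirror the response shapes of `elbv2 describe-target-health` and `ecs describe-tasks`; the ARNs, ENI ids and addresses are invented, and no AWS API is called.

```python
# Constructed input shaped like elbv2.describe_target_health(); no AWS calls are made.
TARGET_HEALTH = {
    "TargetHealthDescriptions": [
        {"Target": {"Id": "10.0.1.23", "Port": 8080}, "TargetHealth": {"State": "healthy"}},
        {"Target": {"Id": "10.0.2.41", "Port": 8080}, "TargetHealth": {"State": "healthy"}},
        {"Target": {"Id": "10.0.3.9", "Port": 8080}, "TargetHealth": {"State": "unhealthy"}},
    ]
}
# Constructed input shaped like ecs.describe_tasks() for awsvpc tasks (one ENI each).
TASKS = {
    "tasks": [
        {"taskArn": "arn:aws:ecs:us-west-2:123456789012:task/legacy/aaa111",
         "group": "service:legacy-api",
         "attachments": [{"type": "ElasticNetworkInterface", "status": "ATTACHED",
                          "details": [{"name": "networkInterfaceId", "value": "eni-0aaa"},
                                      {"name": "privateIPv4Address", "value": "10.0.1.23"}]}]},
        {"taskArn": "arn:aws:ecs:us-west-2:123456789012:task/legacy/bbb222",
         "group": "service:legacy-api",
         "attachments": [{"type": "ElasticNetworkInterface", "status": "ATTACHED",
                          "details": [{"name": "networkInterfaceId", "value": "eni-0bbb"},
                                      {"name": "privateIPv4Address", "value": "10.0.2.41"}]}]},
    ]
}

def tasks_by_private_ip(tasks_response):
    """Index each task ENI's private IPv4 address -> (taskArn, group, eni id)."""
    index = {}
    for task in tasks_response["tasks"]:
        for att in task.get("attachments", []):
            if att.get("type") != "ElasticNetworkInterface":
                continue
            details = {d["name"]: d["value"] for d in att.get("details", [])}
            if "privateIPv4Address" in details:
                index[details["privateIPv4Address"]] = (
                    task["taskArn"], task.get("group", ""), details.get("networkInterfaceId"))
    return index

def map_targets_to_tasks(target_health, tasks_response):
    """One row per IP target: the task that owns the IP, or None if no task does."""
    index = tasks_by_private_ip(tasks_response)
    rows = []
    for desc in target_health["TargetHealthDescriptions"]:
        ip, port = desc["Target"]["Id"], desc["Target"]["Port"]
        arn, group, eni = index.get(ip, (None, None, None))
        rows.append({"target": f"{ip}:{port}", "state": desc["TargetHealth"]["State"],
                     "task": arn, "service": group, "eni": eni})
    return rows

def stale_targets(rows):
    """Registered IPs that no task owns; worth deregistering before the ALB cutover."""
    return [r["target"] for r in rows if r["task"] is None]
```

Run against real output by replacing the two constructed dicts with the JSON from the two CLI calls for the target group and the tasks of the service in question.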
  • Thank you very much for the detailed answer. It is extremely helpful.

    I just noticed that we are using NLB to ALB via https://aws.amazon.com/blogs/networking-and-content-delivery/using-aws-lambda-to-enable-static-ip-addresses-for-application-load-balancers/ not the new ALB target group.

    Is there any benefit to having a NLB in front of the ALB other than IP addresses not changing? I'm just curious as to best practices.

  • Well, using a Network Load Balancer (NLB) in front of an Application Load Balancer (ALB) can provide several benefits beyond the stability of IP addresses:

    • Firstly, placing an NLB in front of an ALB can add an additional layer of security.
    • Secondly, while ALBs support cross-zone load balancing, using an NLB in front can provide more granular control over traffic distribution across multiple Availability Zones.
    • Thirdly, where you have a mix of on-premises and cloud resources (in hybrid cloud environments), an NLB can serve as a single entry point for traffic coming from on-premises to the cloud.
    • Fourthly, if you need to route non-HTTP/HTTPS traffic to your ALB, using an NLB in front can provide this capability.
    • And lastly, by placing an NLB in front of an ALB, you can potentially increase the overall throughput of your application.
