Integrate Cloudflare Load Balancer with AWS ALB endpoints for active-active deployment?

Question

Hi all,

I'm currently working on a multi-region active-active architecture for an application deployed on AWS. The domain is managed through Cloudflare DNS, and we plan to use Cloudflare Load Balancer to direct traffic based on latency/geolocation to two AWS regions.

Each region has:
* An Auto Scaling Group of EC2 instances (stateless),
* An AWS Application Load Balancer (ALB) that terminates TLS and distributes traffic to the EC2.

My goal is to use Cloudflare Load Balancer with two origin pools, each pointing to the ALB DNS names (e.g., abc.ap-southeast-3.elb.amazonaws.com, etc.), and let Cloudflare manage failover and load distribution.

My questions are:
1. Is it a supported or common practice to use AWS ALB DNS names as Cloudflare LB origins in a production environment?
2. Any considerations or any other solution of this case?

Thanks.

re:Post Agent · Answer

To implement your multi-region active-active architecture using Cloudflare Load Balancer with AWS ALB endpoints, here's what you should know:

1. Using AWS ALB DNS names as Cloudflare Load Balancer origins is a supported approach. The ALB provides a default DNS name (e.g., my-load-balancer-1234567890abcdef.elb.ap-southeast-1.amazonaws.com) that can be used as an origin in your Cloudflare configuration.

2. Key considerations for your implementation:

- DNS Resolution: When using Cloudflare Load Balancer, the DNS server will resolve your custom domain to the appropriate ALB DNS name based on your configured rules for latency/geolocation routing.

- IP Address Management: Each ALB has one IP address per enabled Availability Zone. These are the IP addresses that Cloudflare will ultimately route to. Be aware that these IP addresses can change over time, but the ALB DNS name remains stable.

- Host-based Routing: If you need to route traffic based on host headers (subdomains), the ALB can handle this through listener rules, allowing you to direct traffic to different target groups based on the incoming request.

- Alternative Approach: Instead of using Cloudflare Load Balancer directly with ALB DNS names, you could consider using AWS Global Accelerator as an entry point. Global Accelerator provides static IP addresses and improves availability by routing traffic to the nearest AWS edge location. You could then point Cloudflare to Global Accelerator's endpoints.

- TLS Termination: Since you mentioned TLS termination at the ALB level, ensure your certificates are properly configured in AWS Certificate Manager for your ALBs. If you're using Cloudflare's SSL/TLS features as well, you'll need to configure the appropriate encryption mode between Cloudflare and your ALBs.

- Health Checks: Configure proper health checks in both Cloudflare and AWS to ensure traffic is only routed to healthy endpoints.

This approach is commonly used for global applications requiring low latency and high availability across multiple regions.  
**Sources**  
[Load Balancer for multiple sub-domains | AWS re:Post](https://repost.aws/questions/QUjjqNkCCvRR6kTvI5ZOlm8g/load-balancer-for-multiple-sub-domains)  
[Load Balancer Migration to AWS: Recommended Strategies and Best Practices | Networking & Content Delivery](https://aws.amazon.com/blogs/networking-and-content-delivery/load-balancer-migration-to-aws-recommended-strategies-and-best-practices-2/)  
[Application Load Balancers - Elastic Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html)

Integrate Cloudflare Load Balancer with AWS ALB endpoints for active-active deployment?

Add your answer

Relevant content