Configuring Internet-Facing NLB to Route Traffic to Internal ALB with Context Path-Based Routing

I am running two distinct applications, each with context paths '/app1' and '/app2,' on Amazon EC2 instances that do not have public IP addresses. To manage incoming traffic, I have set up an internal Application Load Balancer (ALB) that performs context path-based routing across multiple target groups. Other than the above mentioned context path, I don't have any application running on root context path "/".

When I SSH into one of the EC2 instances and make a CURL request using the ALB's DNS name, everything works as expected. However, I am now seeking guidance on how to configure an Internet-facing Network Load Balancer (NLB) to effectively route traffic to this internal ALB.

My goal is to make these applications accessible via the internet by directing traffic through the NLB while preserving the context path-based routing performed by the internal ALB. Any assistance on the configuration steps and best practices for achieving this would be greatly appreciated.

Topics

Compute Networking & Content Delivery

Tags

Amazon EC2 Elastic Load Balancing Application Load Balancer Network Load Balancer

Language

English

Harsh

asked 7 months ago650 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Hello.

Since you can set ALB as the target of NLB, I think you should set NLB to public.
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type

Please refer to the following document for the setting method.
https://repost.aws/knowledge-center/alb-static-ip

EXPERT

Riku_Kobayashi

answered 7 months ago

Harsh
7 months ago
My NLB is internet facing so by default it will make it public. I have created target group named "alb-tg" with ALB as target type. Same target group I am passing as target for the NLB. But for the health configuration inside "alb-tg", I need to pass either "/app1" or "/app2" for health check path to route traffic from NLB to ALB. If I pass "/" under health check path then it's not working.
Riku_Kobayashi EXPERT
7 months ago
Yes, as you know, you cannot register multiple health check passes, so you need to register either "/app1" or "/app2". Another method is to create a health check path on the application side and make it pass the ELB health check. For example, if you create a path called "/health" on the application endpoint and a GET request is made to that path, requests will be sent to "/app1" and "/app2", and if there is a normal response, the status will be How about creating an application for the "/health" path to return code 200?
Harsh
7 months ago
Yes, as you know, you cannot register multiple health check passes, so you need to register either "/app1" or "/app2".

I agree but there should be alternative and a stable way to check all the microservices are healthy. Isn't it?

Another method is to create a health check path on the application side and make it pass the ELB health check. For example, if you create a path called "/health" on the application endpoint and a GET request is made to that path, requests will be sent to "/app1" and "/app2", and if there is a normal response, the status will be How about creating an application for the "/health" path to return code 200?

Sorry didn't understand fully. If we have HTTP GET "/health" endpoint set for all the applications still context path set for the app will be appended as prefix. Ex. "/app1/health", "/app2/health". As there are no app running with root context path "/" we can't set health-check path to "/health"
Riku_Kobayashi EXPERT
7 months ago
Rather than creating "/health" under "/app1" or "/app2", it feels like adding a new health check application as "/health". This means creating a health check application that can react to health checks from the load balancer, and adding an application that returns status code 200 if "/app1" and "/app2" are normal.
Harsh
7 months ago
Got your point. But is it viable to implement in this way. What if microservices grow in future? Do we have any official article from AWS on how to system design microservices architecture with the use of ALB and NLB?

Relevant content

Can ALB route traffic except path?
AWS-User-3427223
asked 2 years ago
Can ALB route traffic except path?
AWS-User-3427223
asked 2 years ago
Putting ALb-NLB-ALB route for requests is giving 502 for application
rePost-User-7130205
asked 2 years ago
How to direct traffic from Cloudfront via ALB to a specific context path on a EC2 port
rePost-User-2862453
asked a year ago
How do I achieve path-based routing on an Application Load Balancer?
AWS OFFICIALUpdated 2 years ago
How do I securely deploy my application and route traffic to my Elastic Beanstalk environment URL?
AWS OFFICIALUpdated 10 months ago
How do I avoid asymmetry in route-based VPN with static routing?
AWS OFFICIALUpdated a year ago
How do I add routes to the main route table in my VPC with CloudFormation?
AWS OFFICIALUpdated 2 years ago
External Traffic Fails to Reach EKS Pods with NLB Client IP Preservation
EXPERT
Shubham Sharan
published 7 months ago
Configuration of Dynamic Routing (BGP) - Based AWS Site-to-Site VPN with MikroTik Router for Secure Data Transmission
EXPERT
Vinay Gugueoth
published 9 months ago

Configuring Internet-Facing NLB to Route Traffic to Internal ALB with Context Path-Based Routing

Yes, as you know, you cannot register multiple health check passes, so you need to register either "/app1" or "/app2".

I agree but there should be alternative and a stable way to check all the microservices are healthy. Isn't it?

Sorry didn't understand fully. If we have HTTP GET "/health" endpoint set for all the applications still context path set for the app will be appended as prefix. Ex. "/app1/health", "/app2/health". As there are no app running with root context path "/" we can't set health-check path to "/health"

Relevant content