Questions tagged with Elastic Load Balancing
I have an Elastic Beanstalk environment for test only, so I don't need an ELB on it. Is it still possible to use https?
Hello, my goal is to add HTTPS to my .NET 6 application.
I followed some tutorials but I have problems that exist only on my side.
The actual problem: I cannot add a Load Balancer to my Elastic Beanstalk Application.
Also, I don't have a custom domain and I am not able to create a certificate.
I'm implementing a model-based system
User -> AWS API Gateway -> AWS PrivateLink -> Network Load Balancer -> EC2 (Apache with PHP).
When I load test with the NLB endpoint directly there is absolutely no problem with high load.
But when testing with the API Gateway endpoint I get a lot of 500 error codes: "Execution failed due to a network error communicating with the endpoint: Connection is closed" and "Execution failed due to a timeout error" (although it's a timeout error, I get the error very quickly).
I'm wondering if there's something wrong with AWS PrivateLink?
Can someone help me? Thanks.
Hello,
I have a script that creates a cluster and a service which runs a docker image. I am able to create the cluster but the service fails when it tries to create an elastic load balancer. This used to work a year ago; our project was put on hold, so I'm trying to get it to run again. Can you please help with this error? Thank you.
Resource handler returned message: "Invalid request provided: CreateService error: The target group with targetGroupArn arn:aws:elasticloadbalancing:ca-central-1:xxxxxxxxxxxxx:targetgroup/grpc1/70c4efc846481f4b does not have an associated load balancer. (Service: AmazonECS; Status Code: 400; Error Code: InvalidParameterException; Request ID: fe4999db-66de-4940-842b-61a29b5e2c20; Proxy: null)" (RequestToken: b4fc4fad-a284-fb32-87a9-2abc841d069b, HandlerErrorCode: InvalidRequest)
Here is the part of the yaml for the elb:
```yaml
Service:
  Type: AWS::ECS::Service
  # Create the service only after the listener has attached the target group to
  # the load balancer. ECS checks that attachment at CreateService time, and
  # CloudFormation does not infer this ordering from the !Ref in LoadBalancers.
  DependsOn: PublicLoadBalancerListener
  Properties:
    ServiceName: !Ref 'ServiceName'
    Cluster:
      Fn::ImportValue:
        !Join [':', [!Ref 'StackName', 'ClusterName']]
    DeploymentConfiguration:
      MaximumPercent: 100
      MinimumHealthyPercent: 0
    DesiredCount: !Ref 'DesiredCount'
    TaskDefinition: !Ref 'TaskDefinition'
    NetworkConfiguration:
      AwsvpcConfiguration:
        Subnets:
          - Fn::ImportValue:
              !Join [':', [!Ref 'StackName', 'PrivateSubnetOne']]
          - Fn::ImportValue:
              !Join [':', [!Ref 'StackName', 'PrivateSubnetTwo']]
        SecurityGroups: [!Ref 'PublicLoadBalancerSG']
        AssignPublicIp: 'DISABLED'
    LoadBalancers:
      - ContainerName: !Ref 'ServiceName'
        ContainerPort: !Ref 'ContainerPort'
        TargetGroupArn: !Ref 'TargetGroup'

TargetGroup:
  Type: AWS::ElasticLoadBalancingV2::TargetGroup
  Properties:
    HealthCheckProtocol: TCP
    HealthCheckIntervalSeconds: 10
    HealthyThresholdCount: 2
    UnhealthyThresholdCount: 2
    Name: !Ref 'ServiceName'
    Port: !Ref 'ContainerPort'
    Protocol: TCP
    TargetType: ip
    VpcId:
      Fn::ImportValue:
        !Join [':', [!Ref 'StackName', 'VPCId']]

PublicLoadBalancerListener:
  Type: AWS::ElasticLoadBalancingV2::Listener
  Properties:
    DefaultActions:
      - TargetGroupArn: !Ref 'TargetGroup'
        Type: 'forward'
    LoadBalancerArn:
      Fn::ImportValue:
        !Join [':', [!Ref 'StackName', 'PublicLoadBalancer']]
    Port: !Ref ContainerPort
    Protocol: TCP
```
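The error quoted above is an ordering problem: ECS validates at CreateService time that the target group is already attached to a listener, and CloudFormation does not infer that the service must wait for the listener just because `LoadBalancers` references the target group with `!Ref`. The following is an added example (not from the post, and not AWS or CloudFormation tooling): a small lint that walks a parsed template, finds ECS services that forward through a listener they do not `DependsOn`, and adds the dependency. The template dict is the post's resources in the long-form `{"Ref": ...}` shape a CloudFormation loader produces, trimmed to the properties that matter for ordering, and is constructed for this example.

```python
import copy
from typing import Any, Dict, List, Set

# The post's resources as a CloudFormation YAML loader would produce them
# (constructed for this example; properties that do not affect ordering are left out).
TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "Service": {
            "Type": "AWS::ECS::Service",
            "Properties": {
                "ServiceName": {"Ref": "ServiceName"},
                "LoadBalancers": [{
                    "ContainerName": {"Ref": "ServiceName"},
                    "ContainerPort": {"Ref": "ContainerPort"},
                    "TargetGroupArn": {"Ref": "TargetGroup"},
                }],
            },
        },
        "TargetGroup": {
            "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
            "Properties": {"Protocol": "TCP", "TargetType": "ip"},
        },
        "PublicLoadBalancerListener": {
            "Type": "AWS::ElasticLoadBalancingV2::Listener",
            "Properties": {
                "DefaultActions": [{"TargetGroupArn": {"Ref": "TargetGroup"}, "Type": "forward"}],
                "Protocol": "TCP",
            },
        },
    }
}

LISTENER_TYPES = ("AWS::ElasticLoadBalancingV2::Listener",
                  "AWS::ElasticLoadBalancingV2::ListenerRule")
TARGET_GROUP_TYPE = "AWS::ElasticLoadBalancingV2::TargetGroup"


def refs(node: Any) -> Set[str]:
    """Every logical id referenced through {"Ref": ...} anywhere under node."""
    found: Set[str] = set()
    if isinstance(node, dict):
        if list(node) == ["Ref"] and isinstance(node["Ref"], str):
            found.add(node["Ref"])
        for value in node.values():
            found |= refs(value)
    elif isinstance(node, list):
        for value in node:
            found |= refs(value)
    return found


def listeners_forwarding_to(resources: Dict[str, Any], tg_id: str) -> List[str]:
    """Listeners and listener rules whose actions forward to target group tg_id."""
    hits = []
    for lid, res in resources.items():
        if res.get("Type") not in LISTENER_TYPES:
            continue
        props = res.get("Properties", {})
        actions = props.get("DefaultActions") or props.get("Actions") or []
        if tg_id in refs(actions):
            hits.append(lid)
    return sorted(hits)


def missing_dependencies(template: Dict[str, Any]) -> Dict[str, List[str]]:
    """For each ECS service: listeners it forwards through but does not DependsOn.

    A target group that no listener forwards to is reported as "NO_LISTENER:<id>",
    because no DependsOn can fix that case.
    """
    resources = template.get("Resources", {})
    problems: Dict[str, List[str]] = {}
    for sid, res in resources.items():
        if res.get("Type") != "AWS::ECS::Service":
            continue
        depends = res.get("DependsOn", [])
        depends = {depends} if isinstance(depends, str) else set(depends)
        missing: List[str] = []
        for tg_id in sorted(refs(res.get("Properties", {}).get("LoadBalancers", []))):
            if resources.get(tg_id, {}).get("Type") != TARGET_GROUP_TYPE:
                continue  # parameter, literal ARN or imported target group: nothing to order
            listeners = listeners_forwarding_to(resources, tg_id)
            if not listeners:
                missing.append(f"NO_LISTENER:{tg_id}")
            missing += [lid for lid in listeners if lid not in depends]
        if missing:
            problems[sid] = missing
    return problems


def add_dependencies(template: Dict[str, Any]) -> Dict[str, Any]:
    """Return a deep copy in which every flagged service DependsOn its listeners."""
    fixed = copy.deepcopy(template)
    for sid, listeners in missing_dependencies(fixed).items():
        needed = [lid for lid in listeners if not lid.startswith("NO_LISTENER:")]
        existing = fixed["Resources"][sid].get("DependsOn", [])
        existing = [existing] if isinstance(existing, str) else list(existing)
        fixed["Resources"][sid]["DependsOn"] = existing + [l for l in needed if l not in existing]
    return fixed


if __name__ == "__main__":
    print(missing_dependencies(TEMPLATE))                    # {'Service': ['PublicLoadBalancerListener']}
    print(missing_dependencies(add_dependencies(TEMPLATE)))  # {}
```

Against a real template, load it with a YAML loader that understands the short-form tags and pass the resulting dict to `missing_dependencies`; the `NO_LISTENER` marker is worth treating as a hard failure in CI, since a target group nothing forwards to can never satisfy ECS.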
I know that changing from HTTP/1 to HTTP/2 improves speed.
So I enabled HTTP/2 on the ALB and on CloudFront.
In the developer tools of the Chrome browser, I confirmed that the protocol was h2 and that HTTP/2 was applied.
However, after searching for "stalled", I found an opinion that changing the protocol of the AWS ELB target group to HTTP/2 would reduce stalling and improve speed.
So I changed the protocol to HTTP/2 with the same settings as for HTTP/1, but a 502 error occurred (when connecting to a random port, e.g. port 8080, with the load balancer DNS address). There was no error with the HTTP/1.1 setting.
The question is: if h2 is displayed when checking the protocol in the browser, is HTTP/2 applied, or should the target group protocol also be set to HTTP/2 internally?
If I need to set it up, how can I avoid getting a 502 error?
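The h2 shown in the browser only describes the client-facing leg (CloudFront, or the ALB listener). The target group protocol version governs a separate connection, ALB to target, and with HTTP2 the ALB opens HTTP/2 directly to the target (with an HTTP target protocol this is cleartext h2c with prior knowledge, not an Upgrade handshake), so a target that only understands HTTP/1.1 is the usual reason for a 502 after that change. The probe below is an added example, not part of the post or of any AWS tool: it sends the HTTP/2 connection preface plus an empty SETTINGS frame to a host and port and reports whether the first frame back is a SETTINGS frame, which RFC 7540 requires as a server's first frame. Two tiny fake backends (constructed for the example) let it run offline; against the real fleet, call `speaks_h2c` with a target IP and the container port.

```python
import socket
import socketserver
import struct
import threading
from typing import Dict, Optional, Tuple

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # client connection preface, RFC 7540 s3.5
FRAME_SETTINGS = 0x4


def frame(frame_type: int, flags: int = 0, stream_id: int = 0, payload: bytes = b"") -> bytes:
    """Encode one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    length = struct.pack("!I", len(payload))[1:]
    return length + bytes([frame_type, flags]) + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def parse_frame_header(data: bytes) -> Optional[Tuple[int, int, int, int]]:
    """(length, type, flags, stream_id) from the first 9 bytes, or None if too short."""
    if len(data) < 9:
        return None
    length = int.from_bytes(data[:3], "big")
    stream_id = struct.unpack("!I", data[5:9])[0] & 0x7FFFFFFF
    return length, data[3], data[4], stream_id


def speaks_h2c(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if host:port answers the h2c preface with a SETTINGS frame on stream 0."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(PREFACE + frame(FRAME_SETTINGS))
            buf = b""
            while len(buf) < 9:
                chunk = sock.recv(4096)
                if not chunk:          # peer closed before a full frame header arrived
                    return False
                buf += chunk
    except OSError:                    # refused, reset or timed out
        return False
    header = parse_frame_header(buf)
    return header is not None and header[1] == FRAME_SETTINGS and header[3] == 0


# --- constructed fake backends so the probe can be exercised offline ----------

class H2cBackend(socketserver.BaseRequestHandler):
    """Just enough h2c: read the preface, answer with an empty SETTINGS frame."""
    def handle(self) -> None:
        buf = b""
        while len(buf) < len(PREFACE):
            chunk = self.request.recv(len(PREFACE) - len(buf))
            if not chunk:
                return
            buf += chunk
        if buf == PREFACE:
            self.request.sendall(frame(FRAME_SETTINGS))


class Http11Backend(socketserver.BaseRequestHandler):
    """HTTP/1.1 only: the preface is not a request it understands, so it answers 400."""
    def handle(self) -> None:
        self.request.recv(4096)
        self.request.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")


def start_backend(handler) -> Tuple[socketserver.TCPServer, int]:
    """Start a fake backend on a free loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo() -> Dict[str, bool]:
    """Probe both fake backends; an ALB HTTP2 target group needs the 'h2c' answer."""
    results: Dict[str, bool] = {}
    for name, handler in (("h2c", H2cBackend), ("http1", Http11Backend)):
        server, port = start_backend(handler)
        try:
            results[name] = speaks_h2c("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    # Against a real target instead: speaks_h2c("10.0.1.23", 8080)
    print(demo())   # {'h2c': True, 'http1': False}
```

If the probe returns False for your containers, either keep the target group on HTTP1 or enable cleartext HTTP/2 in the application server before switching the target group; the browser-side h2 will stay as it is either way.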
Hi there,
I have a service *(a simple NextJS website)* deployed in ECS behind an ALB. The ALB routes both HTTP (port 80) and HTTPS (port 443) traffic to the tasks. This model works well when a single production listener is defined in the CodeDeploy Application Deployment Group definition, but I was wondering if there was a way of supporting more than one listener in the Application Deployment Group definition.
For now, I've set the second listener *(Port 80)* as the test listener port, and this works, but it does seem like a bit of a hack.
Appreciate any answers.
Kind regards
Erich
I need the following:
- Use AWS Network load balancer for high performance
- Sticky sessions for better user experience
- TLS encryption due to government regulation
How should I configure my NLB to have stickiness and end-to-end encryption? Thanks
Hi,
Is it possible to define a NLB as an HTTPS endpoint, terminating SSL and forwarding traffic to an EKS cluster? (Assuming I don't need URL routing)
I'm trying to figure out which option would be cheaper, ALB or NLB, assuming both are possible.
Thank you!
I have a cluster in EKS with an NLB (internet-facing) and then ingress-nginx. During a Qualys PCI scan I got a CVE-2004-0230 alert on ports 80 and 443 (Tested on port 80/443 with an injected SYN/RST offset by 16 bytes). How can I fix it? I can't find where this problem lies, on the load balancer or on the ingress side. Maybe anyone can help?
Thanks in advance!
We used a simulator to check whether a policy has the permission to perform specific actions on specific ELB resources. The simulator returned `implicitDeny` instead of `allowed`. This result is erroneous, because the actions and the resources in the policy document were the same as the parameters of the simulator. To test this, we attached the policy to a role and used this role to perform the actions on the resources in a live AWS environment, and we were successful.
We will now attempt to reproduce this error as minimally as possible.
Both the AWS SDK for Python (a.k.a. `boto3`)
```python
import boto3

# One Allow statement, passed as the raw policy document string the API expects.
policy_input_list = [
    """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["elasticloadbalancing:AddTags"],
                "Resource": ["arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"]
            }
        ]
    }"""
]
action_names = ["elasticloadbalancing:AddTags"]
resource_arns = ["arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"]

response = boto3.client("iam").simulate_custom_policy(
    PolicyInputList=policy_input_list,
    ActionNames=action_names,
    ResourceArns=resource_arns,
)
for result in response["EvaluationResults"]:
    print(result["EvalActionName"], result["EvalResourceName"], result["EvalDecision"])
```
and the AWS CLI
```bash
policy_input_list='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["elasticloadbalancing:AddTags"],"Resource":["arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"]}]}'
action_names='elasticloadbalancing:AddTags'
resource_arns='arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*'

# Quote the expansions: the ARN contains '*', which an unquoted shell variable
# would be subject to glob expansion on.
aws iam simulate-custom-policy \
  --policy-input-list "$policy_input_list" \
  --action-names "$action_names" \
  --resource-arns "$resource_arns" \
  --query 'EvaluationResults[].[EvalActionName,EvalResourceName,EvalDecision]' \
  --output table
```
*erroneously* evaluate this to `implicitDeny`.
Interestingly, the IAM Policy Simulator
[IAM Policy Simulator](/media/postImages/original/IMdG9fTE2ASeqa9lEG610T3A)
*correctly* evaluates this to `allowed`.
The problematic statement
```json
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:RemoveTags"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
]
}
```
originates from the policy document of the AWS Load Balancer Controller (https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json). Any combination of these actions and resources (and only them) will be evaluated correctly by the IAM Policy Simulator, but incorrectly by `boto3` and the AWS CLI.
Note that we are using the latest versions of `boto3` (`v1.27.72`) and the AWS CLI (`v1.27.72`).
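Whatever the API returns for the inputs above, the simulate calls are built to answer "may ACTION be performed on this specific RESOURCE", so the value passed in ResourceArns is normally a concrete ARN while the wildcards live in the policy. The following added example (not from the post, boto3, the AWS CLI or the load balancer controller project) evaluates the statement quoted above locally against concrete listener and listener-rule ARNs, implementing the matching rules the question turns on: IAM's `*` and `?` wildcards matching across `:` and `/`, case-insensitive action names, and an explicit Deny beating any Allow. The ARNs are constructed and the account id is a placeholder; Condition, NotAction and NotResource are deliberately rejected rather than mis-evaluated.

```python
import json
import re
from typing import Any, Dict, List

# The statement under discussion (from the load balancer controller policy
# quoted in the post), as the only statement of a test policy.
POLICY: Dict[str, Any] = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["elasticloadbalancing:AddTags", "elasticloadbalancing:RemoveTags"],
      "Resource": [
        "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
        "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
        "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
        "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
      ]
    }
  ]
}""")


def iam_pattern(pattern: str, flags: int = 0) -> "re.Pattern[str]":
    """Compile an IAM wildcard pattern: '*' matches any run of characters
    (including ':' and '/'), '?' exactly one; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(regex, flags)


def as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def matches(patterns: Any, value: str, flags: int = 0) -> bool:
    return any(iam_pattern(p, flags).fullmatch(value) for p in as_list(patterns))


def evaluate(policy: Dict[str, Any], action: str, resource_arn: str) -> str:
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one action on one ARN.

    Actions are matched case-insensitively and ARNs case-sensitively (assumption:
    IAM's general rule, with a few service-specific exceptions). Any matching
    Deny wins over every Allow.
    """
    verdict = "implicitDeny"
    for stmt in as_list(policy["Statement"]):
        unsupported = {"NotAction", "NotResource", "Condition", "Principal"} & set(stmt)
        if unsupported:
            raise NotImplementedError(f"statement element(s) not modelled: {sorted(unsupported)}")
        if not matches(stmt.get("Action", []), action, re.IGNORECASE):
            continue
        if not matches(stmt.get("Resource", []), resource_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"
        verdict = "allowed"
    return verdict


def simulate(policy: Dict[str, Any], actions: List[str], resource_arns: List[str]) -> List[Dict[str, str]]:
    """Cross product of actions x resources, in the shape of EvaluationResults."""
    return [
        {"EvalActionName": a, "EvalResourceName": r, "EvalDecision": evaluate(policy, a, r)}
        for a in actions
        for r in resource_arns
    ]


# Concrete ARNs to simulate against (constructed; the account id is a placeholder).
NLB_LISTENER = "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/my-nlb/50dc6c495c0c9188/f2f7dc8efc522ab2"
ALB_RULE = "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener-rule/app/my-alb/50dc6c495c0c9188/f2f7dc8efc522ab2/9683b2d02a6cabee"
LOAD_BALANCER = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/my-nlb/50dc6c495c0c9188"

if __name__ == "__main__":
    rows = simulate(POLICY,
                    ["elasticloadbalancing:AddTags", "elasticloadbalancing:DeleteListener"],
                    [NLB_LISTENER, ALB_RULE, LOAD_BALANCER])
    for row in rows:
        print(row["EvalDecision"].ljust(12), row["EvalActionName"], row["EvalResourceName"])
```

The same concrete ARNs are what to hand to `simulate_custom_policy` / `simulate-custom-policy` in `ResourceArns`: a listener ARN from `describe-listeners`, a rule ARN from `describe-rules`, and the load balancer ARN as a negative control that should come back `implicitDeny`.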
We recently migrated a project to a different domain and also changed most of the linked projects. Now there are still a few projects left which link to the old URL. Is there any way with ALB to get the Referer header into the access logs?
We use an SSO third-party tool and redirect to the ALB DNS name after successful login. This proxy server periodically pings the AWS ALB IPs to keep the connection active. When the ping doesn't receive any response after multiple attempts, the connection between the proxy and the ALB disconnects for good. Why is the ALB not reachable sometimes?