
Questions tagged with Network Load Balancer


Health check at NLB level for a Fargate Service

I have a service using ECS Fargate behind an NLB, which runs my application on port 8443. The NLB target group health check shows the following settings (the defaults for a TCP health check):

```
Protocol             TCP
Port                 Traffic port
Healthy threshold    3 consecutive health check successes
Unhealthy threshold  3 consecutive health check failures
Timeout              10 seconds
Interval             30 seconds
```

The NLB target group also has the default target deregistration time of 60 seconds.

With this, I wanted to understand the difference between the active health check and the passive health check done by the NLB for its targets. My understanding is that the above health check configuration is for the active health check. Would there also be a default passive health check in an NLB which responds to failed responses from the target?

Further, I can see that the moment I stop my Fargate task, even in the absence of any traffic, the target (ECS IP) begins deregistration. There seems to be no 30 second time gap (the active health check interval as above). The metric (healthy host as 1) stops getting published. Is the NLB thus somehow configured to get notified about terminating Fargate tasks?

Finally, I wanted to understand how good the NLB healthy task count metric is for monitoring my Fargate application. I was thinking that it is the best metric since it does a TCP ping at the port level (port 8443 in my case), thus ensuring that the monitoring is done at the port (application) level as well as the task level.
1 answer, 0 votes, 282 views, asked 4 months ago
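The active TCP health check described in the question, modelled locally as an added example (this is not code from the post or from AWS). The thresholds, timeout and interval default to the values quoted above; the transition rules (a target leaves `initial` for `healthy` after `healthy_threshold` consecutive successes and becomes `unhealthy` after `unhealthy_threshold` consecutive failures, with the opposite outcome resetting the counter) follow the documented target-group semantics. A local listening socket stands in for the Fargate task on its traffic port; the 30-second interval is not waited out in the demo.

```python
"""Local model of an NLB target group's active TCP health check (added example)."""
import socket
from dataclasses import dataclass, field
from typing import List


@dataclass
class HealthCheckConfig:
    port: int
    timeout_s: float = 10.0        # "Timeout 10 seconds"
    interval_s: float = 30.0       # "Interval 30 seconds"
    healthy_threshold: int = 3     # consecutive successes needed to become healthy
    unhealthy_threshold: int = 3   # consecutive failures needed to become unhealthy


def tcp_probe(host: str, port: int, timeout_s: float) -> bool:
    """One active check. A TCP health check only needs the three-way handshake
    to complete within the timeout; no application bytes are sent or read."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


@dataclass
class TargetHealth:
    """Consecutive-result counters behind a target's health state."""
    cfg: HealthCheckConfig
    state: str = "initial"
    consecutive_ok: int = 0
    consecutive_fail: int = 0
    history: List[str] = field(default_factory=list)

    def record(self, ok: bool) -> str:
        if ok:
            self.consecutive_ok += 1
            self.consecutive_fail = 0
            if self.state != "healthy" and self.consecutive_ok >= self.cfg.healthy_threshold:
                self.state = "healthy"
        else:
            self.consecutive_fail += 1
            self.consecutive_ok = 0
            if self.state != "unhealthy" and self.consecutive_fail >= self.cfg.unhealthy_threshold:
                self.state = "unhealthy"
        self.history.append(self.state)
        return self.state


def worst_case_detection_s(cfg: HealthCheckConfig) -> float:
    """Approximate upper bound on the time from a task dying to 'unhealthy',
    assuming (an assumption of this model) that a check starts every interval_s
    and the last failing one runs out the full timeout.
    With the question's defaults: 3 * 30 + 10 = 100 seconds."""
    return cfg.unhealthy_threshold * cfg.interval_s + cfg.timeout_s


def run_demo() -> List[str]:
    """Open a local listener, probe it until healthy, close it (the task stops),
    probe it until unhealthy. Returns the state recorded after each probe."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # ephemeral port plays the "traffic port"
    listener.listen(8)
    port = listener.getsockname()[1]
    cfg = HealthCheckConfig(port=port, timeout_s=1.0)
    target = TargetHealth(cfg)
    for _ in range(cfg.healthy_threshold):
        target.record(tcp_probe("127.0.0.1", port, cfg.timeout_s))
    listener.close()                  # nothing accepts handshakes any more
    for _ in range(cfg.unhealthy_threshold):
        target.record(tcp_probe("127.0.0.1", port, cfg.timeout_s))
    return target.history


if __name__ == "__main__":
    print(run_demo())
    print(worst_case_detection_s(HealthCheckConfig(port=8443)))
```

The point the model makes visible: a successful TCP handshake on 8443 says the process is accepting connections, not that it can serve a request, so a hung application that still completes handshakes stays healthy under this check; an HTTP or HTTPS health check against a path that exercises the application is the stricter option where the target speaks HTTP.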

Not able to get complete response of a web page when using api gateway

Hi All,

I have created an API Gateway with mTLS enabled and with integration type VPC link to an NLB. The resources and methods are as below:

```
/
  ANY
  GET
  OPTIONS
/{proxy+}
  ANY
  OPTIONS
```

In URL Path Parameters, URL Query String Parameters and HTTP Headers are empty. In Method Execution, Authorization and Request Validator are set to None, and API Key Required is false. In Method Response, HTTP Status is Proxy, HTTP Status is 200, Response Headers for 200 is Access-Control-Allow-Origin, and Response Body for 200 is No models.

A wildcard custom domain name is created and the cert is imported. The NLB is listening on TCP port 443 and forwarding traffic to EC2 on a particular port where a reverse proxy is running and forwarding traffic to backend servers based on host headers.

The flow is as follows. After entering the website URL in the browser (https://xxx.xx.abc.io), it goes to API Gateway (as a CNAME record is created with API Gateway's domain name). In API Gateway, I mentioned the same website URL (https://xxx.xx.abc.io) in Endpoint URL (to later match the host header in the reverse proxy so that it will forward the traffic to the server where the application is running), as the traffic goes to the NLB anyway (irrespective of what we mention in Endpoint URL), which should forward traffic to the reverse proxy.

Below are the API Gateway logs:

```
(3cad-6a6c-2ff1-4dda-12345) Starting execution for request: 3ba352b-....
(3cad-6a6c-2ff1-4dda-12345) HTTP Method: GET, Resource Path: /
(3cad-6a6c-2ff1-4dda-12345) Method request path: {}
(3cad-6a6c-2ff1-4dda-12345) Method request query string: {}
(3cad-6a6c-2ff1-4dda-12345) Method request headers: {sec-fetch-mode=navigate, sec-fetch-site=none, accept-language=en-GB,en;q=0.9, User-Agent=Mozilla/5.0 (X 10_15_7) WebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 S/537.36, Host=https://xxx.xx.abc.io, sec-fetch-user=?1, accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9, sec-ch-ua=" Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101", sec-ch-ua-mobile=?0, sec-ch-ua-platform="S", upgrade-insecure-requests=1, X-Forwarded-For=<my_ip>, accept-encoding=gzip, deflate, br, sec-fetch-dest=document}
(3cad-6a6c-2ff1-4dda-12345) Method request body before transformations:
(3cad-6a6c-2ff1-4dda-12345) Endpoint request URI: https://xxx.xx.abc.io
(3cad-6a6c-2ff1-4dda-12345) Endpoint request headers: {sec-fetch-mode=navigate, sec-fetch-site=none, x-amzn-apigateway-api-id=2c2zsc3, accept-language=en-GB,en;q=0.9, User-Agent=Mozilla/5.0 (X 10_15_7) WebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 S/537.36, Host=https://xxx.xx.abc.io, sec-fetch-user=?1, accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9, sec-ch-ua=" Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101", sec-ch-ua-mobile=?0, sec-ch-ua-platform="macOS", upgrade-insecure-requests=1, X-Forwarded-For=<my_ip>, accept-encoding=gzip, deflate, br, sec-fetch-dest=document}
(3cad-6a6c-2ff1-4dda-12345) Endpoint request body after transformations:
(3cad-6a6c-2ff1-4dda-12345) Sending request to https://xxx.xx.abc.io
(3cad-6a6c-2ff1-4dda-12345) Received response. Status: 200, Integration latency: 46 ms
(3cad-6a6c-2ff1-4dda-12345) Endpoint response headers: {access-control-allow-methods=GET,PUT,POST,DELETE, access-control-allow-headers=x-http-method-override,x-requested-with,content-type,accept, Content-Type=text/html; charset=utf-8, Content-Length=303389, ETag=W/"41d-TlJhUL/tuywaSgaxKgTtn8", Date=Wed, 01 Dec 2021 13:15:15 GMT, X-Content-Type-Options=nosniff, Strict-Transport-Security=max-age=300;includeSubDomains;preload;always;, X-Frame-Options=deny}
(3cad-6a6c-2ff1-4dda-12345) Endpoint response body before transformations: <!DOCTYPE html><html><head><meta charSet="utf-8"/><meta http-equiv="x-ua-compatible" content="ie=edge"/><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/><meta http-equiv="Content-Security-Policy" content="unsafe-inline"/><style> @keyframes spin{ 0%{transform:rotate(0)} 100%{transform:rotate(360deg)} } #___gatsby>div:empty{ position:fixed;
(3cad-6a6c-2ff1-4dda-12345) Method response body after transformations: <!DOCTYPE html><html><head><meta charSet="utf-8"/><meta http-equiv="x-ua-compatible" content="ie=edge"/><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/><meta http-equiv="Content-Security-Policy" content="unsafe-inline"/><style> @keyframes spin{ 0%{transform:rotate(0)} 100%{transform:rotate(360deg)} } #___gatsby>div:empty{
(3cad-6a6c-2ff1-4dda-12345) Method response headers: {access-control-allow-methods=GET,PUT,POST,DELETE, access-control-allow-headers=x-http-method-override,x-requested-with,content-type,accept, Content-Type=text/html; charset=utf-8, Content-Length=303389, ETag=W/"41d-TlJhUL/tuywaSgaxKgTtn8", Date=Wed, 01 Dec 2021 13:15:15 GMT, X-Content-Type-Options=nosniff, Strict-Transport-Security=max-age=300;includeSubDomains;preload;always;, X-Frame-Options=deny}
(3cad-6a6c-2ff1-4dda-12345) Successfully completed execution
(3cad-6a6c-2ff1-4dda-12345) Method completed with status: 200
```

The issue is that the website just tries to load but is totally blank (no images, nothing on the page). On `dev-tools`, console tab, it shows the below:

```
Refused to execute script from '<URL>' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. https://xxx.xx.abc.io/:1
Refused to execute script from 'https://xxx.xx.abc.io/component---src-pages-index-js-c14b2e4d69274.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.
Refused to execute script from 'https://xxx.xx.abc.io/3-c31d8ae5a9706.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.
```

If I directly hit NLB DNS:app_port, the page loads properly. Can anyone suggest where the problem is?

Thanks,
2 answers, 0 votes, 97 views, asked 4 months ago
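A check for the console errors quoted in the question, as an added example (not code from the post or from AWS). The logged response carries `X-Content-Type-Options: nosniff`, which is what "strict MIME type checking is enabled" refers to: the browser will not run a `<script src>` whose response `Content-Type` is not a JavaScript MIME type, so the question to answer is what each asset URL actually returns when fetched through the same origin. The script below parses the HTML the browser received, requests every script URL, and reports its media type. The sample page and the fake fetcher (which answers every path with `text/html`, reproducing the symptom) are constructed for the demo; `http_get` is the live fetcher, to be pointed at both the API Gateway hostname and `NLB DNS:app_port` so the two can be compared.

```python
"""Audit <script src> assets of a page for non-JavaScript Content-Type (added example)."""
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin

# Common JavaScript MIME types (subset of the WHATWG MIME Sniffing list).
JS_MIME_TYPES = {
    "application/javascript", "application/x-javascript", "application/ecmascript",
    "application/x-ecmascript", "text/javascript", "text/ecmascript",
    "text/x-javascript", "text/jscript",
}

# A fetcher returns (status, lower-cased headers, body bytes).
Fetcher = Callable[[str], Tuple[int, Dict[str, str], bytes]]


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def http_get(url: str) -> Tuple[int, Dict[str, str], bytes]:
    """Live fetcher: GET the URL, return status, headers and body (4xx/5xx included)."""
    req = urllib.request.Request(url, headers={"User-Agent": "mime-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


def media_type(content_type: str) -> str:
    """'text/html; charset=utf-8' -> 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def audit_scripts(page_url: str, html: str, fetch: Fetcher) -> List[Dict[str, object]]:
    """Fetch every script referenced by the page and record what came back."""
    parser = ScriptSrcParser()
    parser.feed(html)
    findings: List[Dict[str, object]] = []
    for src in parser.srcs:
        url = urljoin(page_url, src)
        status, headers, _body = fetch(url)
        ctype = media_type(headers.get("content-type", ""))
        findings.append({"url": url, "status": status, "content_type": ctype,
                         "executable": ctype in JS_MIME_TYPES})
    return findings


def bad_assets(findings: List[Dict[str, object]]) -> List[str]:
    """URLs the browser would refuse to execute under nosniff."""
    return [str(f["url"]) for f in findings if not f["executable"]]


# --- constructed demo input reproducing the symptom --------------------------
SAMPLE_PAGE_URL = "https://xxx.xx.abc.io/"
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<script src="/component---src-pages-index-js-c14b2e4d69274.js"></script>
<script src="/3-c31d8ae5a9706.js"></script>
</head><body><div id="___gatsby"></div></body></html>"""


def fake_fetch_everything_is_html(url: str) -> Tuple[int, Dict[str, str], bytes]:
    """Constructed origin that answers every path with the index page."""
    return 200, {"content-type": "text/html; charset=utf-8",
                 "x-content-type-options": "nosniff"}, b"<!DOCTYPE html>"


def run_demo() -> List[str]:
    return bad_assets(audit_scripts(SAMPLE_PAGE_URL, SAMPLE_HTML, fake_fetch_everything_is_html))


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # live: python mime_audit.py https://host/
        page = sys.argv[1]
        _status, _headers, body = http_get(page)
        for finding in audit_scripts(page, body.decode("utf-8", "replace"), http_get):
            print(finding)
    else:
        print(run_demo())
```

Running it once against the custom domain and once against `http://NLB-DNS:app_port/` separates the two cases the question describes: if the assets are JavaScript from the NLB but `text/html` through API Gateway, the asset requests are being rewritten or answered differently on the API Gateway path; the `Endpoint request URI` line in the execution log for one of the `.js` requests shows exactly which URL the integration sent upstream.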

Horizontal Scaling concerns, SSL issue with NLB

Note: I'm new to scaling and am firstly seeking advice on the best practices for horizontal scaling.

**I have the following setup:**

*EC2 Instances <-> ASG (created from Launch template) -> TG <-> ALB <-> TG <-> NLB*

Traffic flows through the NLB to the ALB and finally to the EC2 instances configured via the ASG.

Note: I'm assuming the above setup is the best one to go with for horizontal scaling; if not, please let me know.

The above setup works fine for HTTP, whereas when I try to configure HTTPS, I don't see options to do so.

Issue1: Target Group (TG) doesn't allow creating one with Load Balancer type with TLS port 443, but allows only TCP port 80.

**Question1:** how else should I redirect HTTPS traffic to the ALB? Note: I need the NLB because the ALB doesn't provide static IPs.

**Question2:** with regard to static IPs: the NLB doesn't allow <2 AZs, which means I need to have 2 static IPs linked to my domain?

Any inputs would be really helpful!

**Update1:** I've configured it like below:

In ALB listeners:
- HTTP(80) gets redirected to HTTPS
- HTTPS(443) gets forwarded to the ASG

In NLB listeners:
- HTTP(80) gets forwarded to the ALB

Note: the ALB's public URL is added to my domain (sample-alb.domain.com); the NLB's public URL is added to my domain (sample-nlb.domain.com).

SSL works fine if the user enters by hitting sample-alb.domain.com, whereas if the user enters by hitting sample-nlb.domain.com, it always fails with "ERR_CERT_INVALID". Any inputs on why this fails?

**Update2:** I've got the answer to my Issue1/Question1 on how to redirect HTTPS traffic to the ALB from here: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/application-load-balancer-target.html#configure-application-load-balancer-target

> **Listeners and routing**
> For Listeners, the default is a listener that accepts TCP traffic on port 80. Only TCP listeners can forward traffic to an Application Load Balancer target group. Keep the listener protocol set to TCP, but you can modify the port as required.
>
> This setup allows you to use HTTPS listeners on the Application Load Balancer to terminate the TLS protocol.

So, I created a TG with TCP port 80 and a listener on the NLB, which redirects to the ALB. (Say, for example, my NLB's public URL is 'nlb34323.amazonaws.com'.) Now, when I hit my NLB's public URL with 'http://nlb34323.amazonaws.com', it does get redirected to 'https://nlb34323.amazonaws.com', but eventually fails with a timeout error.

Note: whereas when I hit the ALB's public URL, it is working fine.

Does it have anything to do with TLS termination as mentioned in the above documentation?

> This setup allows you to use HTTPS listeners on the Application Load Balancer to terminate the TLS protocol.

What am I doing wrong here?
2 answers, 0 votes, 44 views, asked 5 months ago
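A check for the certificate side of the Update1 symptom, as an added example (not code from the post or from AWS). Because the NLB listener is plain TCP and, per the quoted documentation, TLS is terminated on the ALB, the certificate a browser sees on `sample-nlb.domain.com` is whatever certificate is attached to the ALB's HTTPS listener. A name that is not covered by that certificate's Subject Alternative Names is one reason a browser rejects it, so the check below asks exactly that: does the served certificate cover the hostname the user typed? The hostnames are the placeholders from the post; the two certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns (one issued for the ALB name only, one wildcard), and `fetch_peer_cert` is the live version.

```python
"""Does the certificate served on a hostname cover that hostname? (added example)"""
import socket
import ssl
from typing import Dict, List, Tuple


def fetch_peer_cert(hostname: str, port: int = 443, timeout_s: float = 10.0) -> dict:
    """Live: TLS-connect with SNI set to hostname and return the peer certificate.
    The chain is still verified against the system trust store; only the
    hostname match is deferred to cert_covers() so the mismatch can be reported."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout_s) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: exact, or a wildcard in the leftmost label only,
    which matches exactly one label (*.domain.com covers a.domain.com but not
    a.b.domain.com or domain.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    labels = hostname.split(".")
    return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == suffix


def certificate_names(cert: dict) -> List[str]:
    """DNS names from subjectAltName; fall back to CN only if there is no SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for kind, value in rdn:
                if kind == "commonName":
                    names.append(value)
    return names


def cert_covers(cert: dict, hostname: str) -> Tuple[bool, List[str]]:
    """(covered?, names the certificate is valid for)."""
    names = certificate_names(cert)
    return any(dns_name_matches(n, hostname) for n in names), names


def check_live(hostname: str) -> Tuple[bool, List[str]]:
    return cert_covers(fetch_peer_cert(hostname), hostname)


# Constructed: a certificate issued for the ALB's own name only.
ALB_ONLY_CERT = {
    "subject": ((("commonName", "sample-alb.domain.com"),),),
    "subjectAltName": (("DNS", "sample-alb.domain.com"),),
}
# Constructed: a wildcard certificate covering every single-label name under domain.com.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.domain.com"),),),
    "subjectAltName": (("DNS", "*.domain.com"), ("DNS", "domain.com")),
}


def run_demo() -> Dict[str, bool]:
    return {
        "alb_only_cert covers sample-nlb": cert_covers(ALB_ONLY_CERT, "sample-nlb.domain.com")[0],
        "wildcard_cert covers sample-nlb": cert_covers(WILDCARD_CERT, "sample-nlb.domain.com")[0],
    }


if __name__ == "__main__":
    print(run_demo())
    # Live use, e.g.: print(check_live("sample-nlb.domain.com"))
```

Two readings of a live run are worth separating. If `fetch_peer_cert` returns a certificate and `cert_covers` is False, the ALB listener's certificate needs the NLB hostname (or a wildcard that includes it) in its SANs. If instead the connection on 443 is refused or times out before any certificate is presented, TLS never started: nothing at the NLB is accepting that port, and the docs quote above only licenses a TCP listener there, so the NLB needs a TCP listener on 443 whose ALB target group points at the port the ALB's HTTPS listener uses before the certificate question even arises.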