image.png

  • EC2 instances should only accept traffic that comes directly from the load balancer.
  • Therefore, the source of the inbound rule on the EC2 instances' security group is not an IP range but a security group.
  • So we link the security group of the EC2 instances to the security group of the load balancer, which is the stronger security mechanism: whatever public IP a client uses, the instance only answers packets whose source belongs to the load balancer's group.

1. Classic Load Balancer (CLB)

Step 1: Create an Instance

Add the script below into User Data:

#!/bin/bash
# User data script: runs as root once, at first boot, top to bottom
# install the Apache web server (httpd) on Amazon Linux 2
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
# serve a page naming this instance, so replies from different instances can be told apart behind the load balancer
echo "<h1>Hello World from $(hostname -f)</h1>" > /var/www/html/index.html

image.png


Create / select an existing security group

image.png


Now we have launched a new instance:

image.png


Step 2: Create a Classic Load Balancer

image.png


image.png


Leave "Create an internal load balancer" unticked: we want to reach the load balancer from our own computer over the internet, so it must be internet-facing rather than private.

image.png


Classic Load Balancers do not support IPv6 addressing.

image.png


image.png


The health check path will be /index.html, the page written by the user data script.

Before relying on the health check, we confirm by hand that the instance answers. First at /:

image.png


Open the instance's public IP in the browser and check the response:

image.png


which also works at /index.html:

image.png


So this is the configuration:

image.png


Add EC2 Instances:

image.png


The new CLB is created successfully:

image.png


Opening the DNS name of the CLB in the browser gives the same response as the public-facing IP, which means the CLB is forwarding requests to the instance:

image.png


Note that if an instance shows as OutOfService, one of the common causes is an incorrect security group rule, for example no inbound rule allowing port 80, so the CLB's health check cannot reach the instance.

Step 3: Change the Inbound Rule to Tighten Security

First, delete the existing HTTP rule whose source is 0.0.0.0/0;
Second, create a new HTTP rule with the source being the CLB security group.

In that way, we allow traffic on port 80 into the EC2 instances' security group only when its source is the CLB's security group. We want the ELB to reach the instances, and we don't want users to reach the instances directly.

image.png


Now if we try to access the public IP of an instance, the browser just spins until it times out (a security group silently drops non-matching traffic rather than rejecting it), but accessing the ELB's DNS name still works.

So now we can reach the EC2 instances only through the ELB. We have tightened security without touching the instances themselves. This is a very common pattern in AWS.
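The check behind the introductory bullets and behind Step 3, as an added example in Python (not code from the original page or from AWS). It works on a dict in the shape of one `SecurityGroups` entry returned by `aws ec2 describe-security-groups`; the two group IDs, the sample rules and the admin CIDR are constructed. No AWS call is made: the revoke/authorize parameters are only built, in the shape boto3 expects, and applied to a local copy so the weak group can be compared with the hardened one.

```python
import copy
import json

# Constructed sample data: dict shape follows the `SecurityGroups` entries
# returned by `aws ec2 describe-security-groups`, trimmed to the fields used
# here. Both group IDs and the admin CIDR are made up.
LB_SG_ID = "sg-0123456789abcdef0"        # attached to the load balancer
INSTANCE_SG_ID = "sg-0fedcba9876543210"  # attached to the EC2 instances

# "Before": HTTP is open to the whole internet, so users can bypass the ELB.
WEAK_SG = json.loads("""
{
  "GroupId": "sg-0fedcba9876543210",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}
  ]
}
""")


def _covers(perm, port):
    """True if one IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "All traffic": every protocol and port
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def sources_for_port(sg, port=80):
    """Return (cidrs, group_ids) allowed to reach `port` on this group."""
    cidrs, groups = set(), set()
    for perm in sg["IpPermissions"]:
        if not _covers(perm, port):
            continue
        cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
        cidrs.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
        groups.update(g["GroupId"] for g in perm.get("UserIdGroupPairs", []))
    return cidrs, groups


def open_to_internet(sg, port=80):
    """The weak setting: anyone can reach the instance directly on `port`."""
    cidrs, _ = sources_for_port(sg, port)
    return bool(cidrs & {"0.0.0.0/0", "::/0"})


def only_from_lb(sg, lb_sg_id, port=80):
    """The pattern from the page: no CIDR sources, only the ELB's own group."""
    cidrs, groups = sources_for_port(sg, port)
    return not cidrs and groups == {lb_sg_id}


def hardening_calls(sg, lb_sg_id, port=80):
    """Build the parameters of the two calls that implement Step 3:
    revoke_security_group_ingress for every CIDR-based rule exposing `port`
    (an "All traffic" rule from a CIDR is revoked whole), then
    authorize_security_group_ingress for one rule whose source is the load
    balancer's security group. Nothing is sent to AWS here."""
    exposing = [p for p in sg["IpPermissions"]
                if _covers(p, port) and (p.get("IpRanges") or p.get("Ipv6Ranges"))]
    revoke = {"GroupId": sg["GroupId"], "IpPermissions": exposing}
    authorize = {"GroupId": sg["GroupId"], "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": lb_sg_id}]}]}
    return revoke, authorize


def apply_locally(sg, revoke, authorize):
    """Apply the two calls to a local copy so before/after can be compared."""
    hardened = copy.deepcopy(sg)
    hardened["IpPermissions"] = [p for p in hardened["IpPermissions"]
                                 if p not in revoke["IpPermissions"]]
    hardened["IpPermissions"].extend(authorize["IpPermissions"])
    return hardened


if __name__ == "__main__":
    revoke, authorize = hardening_calls(WEAK_SG, LB_SG_ID)
    hardened = apply_locally(WEAK_SG, revoke, authorize)
    print("before: open to internet =", open_to_internet(WEAK_SG))
    print("after:  only from LB     =", only_from_lb(hardened, LB_SG_ID))
    # With boto3 the same dicts are passed as keyword arguments:
    #   ec2.revoke_security_group_ingress(**revoke)
    #   ec2.authorize_security_group_ingress(**authorize)
```

Note that the SSH rule on port 22 is left alone: the check is per port, so tightening HTTP does not silently remove the admin's own access. Running `only_from_lb` against every instance group behind a load balancer is a cheap way to catch the "0.0.0.0/0 on port 80" regression later.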

image.png


Add two more instances, with the same user data and the same security group (otherwise the CLB's health check cannot reach them and they stay OutOfService):

image.png


Register the newly created instances with the CLB:

image.png


Refresh the page: a different instance replies (the hostname in the page changes), which shows that the load balancer is indeed distributing the requests across the instances.

image.png
image.png
image.png

2. Application Load Balancer (ALB)

Step 1: Create an ALB

The Internal option is for private traffic only, but we want to reach the application publicly, so we choose the internet-facing scheme.

image.png


image.png


Select all 3 Availability Zones; the right subnet in each zone is assigned to the load balancer automatically:

image.png


image.png


Assign a security group to the load balancer:

image.png


Specify listeners and routing. This says: if a request reaches the load balancer over HTTP on port 80, forward it to the target group.

image.png


Step 2: Create a Target Group

image.png


image.png


Register 2 of the 3 instances we have. Make sure to include only 2, then click "Include as pending below".

image.png


image.png


Back on the load balancer page, refresh and select "my-first-target-group":

image.png


image.png


Once DemoALB is active, open its DNS name in the browser:

image.png


The DemoALB is working as expected:

image.png
image.png


Because this is an ALB, we get some added benefits compared with the CLB, in particular routing rules on the listener.

Step 3: Create Another Target Group

The configuration of the 2nd target group is exactly the same as the 1st one, but when registering targets we add only 1 instance this time:

image.png


Now we have a 2nd target group:

image.png


If we go back into the ALB, right now the listener on port 80 forwards everything to my-first-target-group. Click "View/edit rules" to start using the other target group, in other words, to have the one listener route to multiple target groups depending on the request:

image.png


Click "Insert Rule"

image.png


Check it out:
  • If we request /constant, we get the fixed response configured on the rule, sent directly by the load balancer without involving any instance.
  • If we request /test, we get a Not Found, because the EC2 instance only serves /index.html and is not configured to answer this path; the 404 comes from the instance, which shows the request was indeed forwarded to my-second-target-group:

image.png
image.png
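How the listener picks a rule for a request, as an added example in Python (not code from the original page or from AWS). The rule list is constructed in the shape of the `Rules` returned by `aws elbv2 describe-rules`, trimmed; the 503 status, the message body and the `/test/*` pattern are assumptions, since the page does not show the rule details, and the target group names are used in place of ARNs. The backend model serves only / and /index.html, as the user data script does, which is why /test is forwarded and still comes back as 404.

```python
import re

# Target group names are the page's; a real ALB carries their ARNs instead.
FIRST_TG = "my-first-target-group"
SECOND_TG = "my-second-target-group"

# Constructed rule list in the shape of `aws elbv2 describe-rules` output
# (trimmed). The 503 fixed response and the "/test/*" pattern are assumptions:
# the page only shows that /constant is answered by the ALB itself and that
# /test is forwarded to the second target group.
RULES = [
    {"Priority": "1", "IsDefault": False,
     "Conditions": [{"Field": "path-pattern", "Values": ["/constant"]}],
     "Actions": [{"Type": "fixed-response", "FixedResponseConfig": {
         "StatusCode": "503", "ContentType": "text/plain",
         "MessageBody": "answered by the load balancer, no target involved"}}]},
    {"Priority": "2", "IsDefault": False,
     "Conditions": [{"Field": "path-pattern", "Values": ["/test", "/test/*"]}],
     "Actions": [{"Type": "forward", "TargetGroupArn": SECOND_TG}]},
    {"Priority": "default", "IsDefault": True, "Conditions": [],
     "Actions": [{"Type": "forward", "TargetGroupArn": FIRST_TG}]},
]

# What the instances actually serve: the user data script only writes index.html.
BACKEND_PATHS = {"/", "/index.html"}


def path_matches(pattern, path):
    """ALB path-pattern semantics: case-sensitive, '*' matches any run of
    characters (including none), '?' matches exactly one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, path) is not None


def _condition_matches(cond, path):
    # Only path-pattern is modelled here; real rules may also match on host
    # header, HTTP method, HTTP header, query string or source IP.
    if cond["Field"] != "path-pattern":
        return False
    return any(path_matches(v, path) for v in cond["Values"])


def route(rules, path):
    """Pick the action the listener takes: non-default rules are evaluated in
    ascending priority order, every condition of a rule must hold, and the
    default rule catches whatever is left."""
    ordered = sorted((r for r in rules if not r["IsDefault"]),
                     key=lambda r: int(r["Priority"]))
    for rule in ordered:
        conds = rule["Conditions"]
        if conds and all(_condition_matches(c, path) for c in conds):
            return rule["Actions"][0]
    return next(r for r in rules if r["IsDefault"])["Actions"][0]


def simulate_request(path, rules=RULES):
    """Return (status, who_answered) for a GET on `path` through the ALB."""
    action = route(rules, path)
    if action["Type"] == "fixed-response":
        return int(action["FixedResponseConfig"]["StatusCode"]), "load-balancer"
    target_group = action["TargetGroupArn"]
    # The target received the request; httpd answers 404 for paths it lacks.
    return (200 if path in BACKEND_PATHS else 404), target_group


if __name__ == "__main__":
    for p in ["/", "/index.html", "/constant", "/test", "/test/anything", "/constant/x"]:
        print(p, "->", simulate_request(p))
```

The distinction the simulation makes explicit is who produced the status: a 503 from `/constant` never left the load balancer, while the 404 from `/test` proves the request reached an instance in the second target group. Because rules are matched by priority, a broad pattern such as `/*` placed at priority 1 would shadow every rule after it, so keep specific patterns at lower priority numbers.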