[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) - AWS re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Elastic Load Balancing: Deep Dive
and Best Practices
Pratibha Suryadevara
General Manager
Elastic Load Balancing
N E T 4 0 4 R
Will Rose
Sr Security Engineer
Netflix

Elastic Load Balancing automatically
distributes incoming application traffic across
multiple targets, such as Amazon Elastic
Compute Cloud (Amazon EC2) instances,
containers, and IP addresses

SecureElastic Integrated Cost effective

EC2
Instance

Load balancer used to
route incoming requests
to multiple EC2
instances, containers,
or IP addresses in your
VPC.
ELB
EC2
instance
EC2
instance
EC2
instance

Layer 7 (application)Layer 4 (network)
Supports TCP
Incoming client connection bound to
server connection
No header modification
Source IP is preserved in the
header or Proxy Protocol prepends
source and destination IP and ports
to request
Supports HTTP and HTTPS
Connection terminated at the load
balancer and pooled to the server
Headers may be modified
X-Forwarded-For header contains
client IP address

The Elastic Load Balancing (ELB) family
Application Load Balancer Network Load Balancer Classic Load Balancer
TCP Workloads
(VPC)
Previous generation
for HTTP, HTTPS, TCP
(Classic network)
HTTP & HTTPS (VPC)

Application Load Balancer
Advanced request routing with support for
microservices and container-based applications

Feature rich, layer 7 load-balanced platform
Content-based routing allows requests to be
routed to different applications behind a single
load balancer
Path- and host-based routing
Support for microservices and container-based
applications, including deep integration with
Amazon Elastic Container Service (Amazon
ECS)

Support for WebSockets and HTTP/2
Improved health checks and additional
Amazon CloudWatch metrics
Load balancer API deletion protection
Improved performance for real-time and
streaming applications
Improved Elastic Load Balancing API

 API Model
 Routing
 Security
 Availability
 Scalability & Integration
 Monitoring : Metrics & Access Logs
 Pricing
 Migration

Load Balancer
Target Group #1
Health Check Health Check Health Check
EC2 EC2 EC2 IP IP IP ECS ECS ECS
Listener Listener
Target Group #2 Target Group #3
Rule (default) Rule (*/img/*) Rule (default)

IPasatarget
Use any IPv4 address from the load balancer’s
VPC CIDR for targets within load balancer’s
VPC
Use any IP address from the RFC 6598 range
(100.64.0.0/10) and in RFC 1918 ranges
(10.0.0.0/8, 172.16.0.0/12, and
192.168.0.0/16) for targets located outside the
load balancer’s VPC (this includes Peered
VPC, EC2-Classic, and on-premises targets
reachable over Direct Connect or VPN)

Content-based routing
Route based on path or host field in the
HTTP header
Support multiple domains using a single
load balancer
Route each path or host name to a
different target group

Amazon EC2 instances
registered behind a
Classic Load Balancer
ELB
EC2
instance
EC2
instance
EC2
instance

Running two separate
services with Classic
Load Balancer
ELB
EC2
instance
EC2
instance
EC2
instance
EC2
instance
EC2
instance
ELB
EC2
instance
orders.example.com
images.example.com

ELB
/orders
example.com
EC2
instance
EC2
instance
EC2
instance
EC2
instance
EC2
instance
EC2
instance
/images
Application Load
Balancer allows for
multiple services to be
hosted behind a single
load balancer

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
HTTP://example.com to HTTP://example.org:8080H T T P t o H T T P r e d i r e c t s
Redirects in ALB
H T T P t o H T T P S r e d i r e c t s HTTP://example.com to HTTPS://example.com
HTTP://example.com:443 to HTTPS://example.com:40443
H T T P S t o H T T P S r e d i r e c t s HTTPS://example.com:443 to HTTPS://example.com:40443
U s e c a s e s
1
2
3
E x a m p l e s

Fixed response
You can control which of the client requests should
be served by the application fleet
Load balancer can auto respond to HTTP requests
based on any criteria supported by content-based
routing rules
You can configure HTTP response codes and
custom error messages to be returned to the clients

Slowstart
Slow start allows adding new targets without
overwhelming them with a flood of requests
Load balancer linearly increases the number of requests
sent to a new target up to its fair share
Allows targets to warm up before receiving their fair
share of requests
Useful for applications that depend on cache warming
for optimal performance

NativeIPv6support

ManagingTLS
Legacy Model
instances
Amazon
Route 53
users
HTTPS
Certificate
Authority
Admin
Cert Request
Signed Cert
Deploy
To Hosts

UsingApplication Load Balancer
instances
Amazon
Route 53
users
HTTPS
Certificate
Authority
Admin
Cert Request
Signed Cert
Deploy
To ALB
Application
Load Balancer
IAM
Upload to AWS
Identity and
Access
Management
(IAM)

Application Load Balancer &AWSCertificateManager
(ACM)
instances
Amazon
Route 53
users
Application
Load Balancer
AWS
Certificate
Manager
(ACM)
HTTPS
Admin
Cert Request

Predefined security policies
ELBSecurityPolicy-TLS-1-1-2017-01 – Supports TLS 1.1
and above
ELBSecurityPolicy-TLS-1-2-2017-01 – Strictly supports
TLS1.2
ELBSecurityPolicy-2016-08 – New default policy -Same
as Classic Load Balancer default policy
Windows XP Security Policy
ELBSecurityPolicy-FS-2018-06 – Supports ciphers that
ensure Forward secrecy
ELBSecurityPolicy-TLS-1-2-Ext-2018-06 –
Strictly supports TLS 1.2 protocol

Application Load Balancer withAWSWAF
Monitor web requests and protect web
applications from malicious requests at the load
balancer
Block or allow requests based on conditions such
as IP addresses
Preconfigured protection to block common attacks
like SQL injection or cross-site scripting
Set up web ACLs and rules from AWS WAF
console and apply them to the load balancer
X

ServerName Indication (SNI)
Host multiple TLS secured applications, each
with its own TLS certificate
Bind multiple certificates to the same secure
listener on your load balancer
ALB will automatically choose the optimal
TLS certificate for each client
Support for both the classic RSA algorithm
and the newer, faster Elliptic-curve based
ECDSA algorithm

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Authenticate users accessing
applications
Native integration with any OIDC
compliant IDPs
Authenticate with Social Identities
Integration with Amazon Cognito
Authenticate with Enterprise IDPs with
SAML
Authentication in ALB

whoami
Will Rose
Senior Security Engineer
Netflix Information Security

NetflixIdentityPlatform

Landscape
Hundreds of applications, growing daily
With Great Freedom comes
Great Variability
Languages and Frameworks galore

IdentityChallenges
Just use Client Libraries to Federate!
Always playing catch-up to new languages
and frameworks
Open source options of varying quality
and completeness
Developer friction around configuration

IdentityChallenges
Ok, then just use Authenticating Proxies!
Additional critical infrastructure to maintain
Potential bottlenecks and new failure modes
to address
Additional infrastructure cost to operate
Proxy Layer
Application Layer

Pleaseselectone
C. None of the above

CrazyTalk
Auth == Undifferentiated Heavy Lifting!
Why not Application Load Balancers!?
Let’s talk to Amazon!
Please
?

AlphabetSoup
Ingredients
1 x AWS
1 x ALB
1 x OIDC
Simmer for 6 months
Serves: everyone

Under theHood
Identity Headers
X-Amzn-OIDC-Identity: will.rose@domain.com
X-Amzn-OIDC-Access-Token: 1waGF…YW50
X-Amzn-OIDC-Data: eyJhbG...y4MbQQ

Adoption
Native Spinnaker integration
Fully self-service with only a few clicks
No new infrastructure required
Identical integration experience across all languages
Our recommended integration path for all applications

Thank
you!

Filtering by TAGs in console
Filter load balancers and target groups
by tags
Enables you to view only the resources
that you or your group is responsible
for
Reduces human errors of making
changes to a wrong load balancer or
target group

Resourcelevel and tag based permissions
Implement fine-grained access controls
on load balancer resources using IAM
policies
Create policies either based on resource
ARNs or specific tags on resources
Create access control policies for load
balancer, listener, rule, or target groups

Requests distributed evenly across multiple Availability Zones
Load balancer absorbs impact of DNS caching
Eliminates imbalances in backend instance utilization
No additional bandwidth charge for
cross-zone traffic
Enabled on all ALBs by default
Cross-zone load balancing

Healthchecks allow for traffic
to be shifted away from failed
instances

ELB
EC2
instance
EC2
instance
EC2
instance
Health checks ensure
that request traffic is
shifted away from a
failed instance
Health checks

Support for HTTP and HTTPS health checks
Customize the frequency and failure
thresholds
Consider the depth and accuracy of your
health checks
Customize list of successful response codes, for
example 200-300
Details of health check failures are now returned
by the API and Management Console
Health checks

Amazon EC2AutoScaling
instance
Amazon
Route 53
users
HTTPS
Auto Scaling group
instance
instance
Application
Load Balancer

instance
Amazon
Route 53
users
HTTPS
Auto Scaling group
instance
instance
instance
instance
instance
Launch
Configure
Serve
=
Minutes
Amazon EC2 Auto Scaling
Application
Load Balancer

instance
Amazon
Route 53
users
HTTPS
Elastic Container Service
instance
Amazon Elastic Container Service
Application
Load Balancer

Containers: ALB integration with Kubernetes / EKS
ALB Ingress Controller – Enabling host or path based routing to Kubernetes cluster.
• ALB fronts multiple services and act as a “smart router” or entry
point into the Kubernetes cluster
• Rich Layer 7 routing features of ALB
https://github.com/kubernetes-sigs/aws-alb-ingress-controller

ALB w/Amazon ECS||Amazon EKSScaling
instance
Amazon
Route 53
users
HTTPS
instance
Start
Run
=
Seconds
Application
Load Balancer
Elastic Container Service

CloudWatch metrics provided for each load
balancer
Provide detailed insight into the health of the load
balancer and application stack
CloudWatch alarms can be configured to notify or
take action should any metric go outside the
acceptable range
All metrics provided at the 1-minute granularity
AmazonCloudWatch metrics

Provide detailed information on each
request processed by the load balancer
Includes request time, client IP address,
latencies, request path, and server
responses
Delivered to an Amazon S3 bucket every
5 or 60 minutes
Access logs

Exampleloadbalancer.com
Amazon
Route
53
users
AWS
Certificate
Manager
HTTPS
AWS
WAF
permissions
Amazon
Cognito
ECS
container
VPC
peering
EU-WEST-2
Application
Load Balancer
ECS
container

Application Load Balancer pricing
With the Application Load Balancer, you only pay for what you use. You are
charged for each hour or partial hour your Application Load Balancer is running
and the number of Load Balancer Capacity Units (LCU) used per hour
• $0.0225 per Application Load Balancer-hour (or partial hour)
• $0.008 per LCU-hour (or partial hour)
Hourly charge is 10% less expensive than
Classic Load Balanacerthan Classic Load
Balancer; reducing the cost for the virtually all
of our customers

Load balancer capacity units
An LCU measures the dimensions on which the Application Load Balancer
processes your traffic (averaged over an hour). The four dimensions measured
are as follows:
• New connections: Up to 25 new connections per second
• Active connections: Up to 3,000 active connections
• Bandwidth: Up to 2.22 Mbps (1 GB per hour)
• 1000 Rules Evaluation
You are charged only on the dimension with the highest
usage over the hour

Migrating to Application Load Balancer
Publishing LCU Metrics for Classic Load Balancer which allows customers
to estimate pricing if they migrate from Classic to ALB
Migration is as simple as creating a new Application
Load Balancer, registering targets, and updating
DNS to point at the new CNAME
Classic Load Balancer or Application Load
Balancer migration utility
https://github.com/aws/elastic-load-balancing-tools

Network Load Balancer

New, layer 4 load-balancing platform
Connection-based load balancing
TCP protocol
High performance
Can handle millions of requests per sec
Static IP support
Ideal for applications with long running
connections
Network Load Balancer

Improved Elastic Load Balancing API
Listeners
Target groups
Targets
Resources same as ALB

 Static IP
 Preservation of Source IP
 Availability
 Monitoring : Metrics & Flow Logs
 Pricing
 Migration

Static IP
Automatically gets assigned a single IP per
Availability Zone
Assign an EIP per AZ to get Static IP
Helps with white-listing for firewalls and
zero dollar billing use cases

AssignElasticIP addresses
Network Load
Balancer
EC2 instance
EC2 instances
EC2 instance
EC2 instances
Assigning Elastic IP
provides a single IP
address per Availability
Zone per load balancer
that will not change.
1a
1b
TargetGroup 1
34.214.45.162
54.69.111.179

Preserve source IP
Preserves client IP to backends
Can be used for logging and other
applications
Removes need for Proxy Protocol
Support for Proxy Protocol V2 when load
balancing to IP addresses

Firewall example with NLB
External facing NLB uses fewer addresses
Used for firewalls, proxies, or third-
party load balancers
Preserves source IP helping firewalls with
features like Geo-IP blocking
Internal NLB doesn’t change IPs
Allows firewalls, WAFs, and proxies
to maintain a single addresses for NAT
FW FWFW FW
External facing
Network Load
Balancer (NLB)
Internal Network Load
Balancer (NLB)
Auto Scaling
Auto Scaling
Web Servers
inside.domain.com
outside.domain.com
Internet

Supports both network and application target
health checks
Network health checks
Based on overall response of yourtarget to
normal traffic
Will fail unresponsive targets in millisecond
Application level health checks
HTTP, HTTPS and TCP HC
Customize frequency, failure thresholds
Health checks

Availability Zone fail-over
Customer VPC
EC2
InstancesNLB
NLB
EC2
Instances
us-west-1aus-west-1b
Amazon
Route 53
TargetGroup 1
Health Check
Health Check
34.214.45.162
54.69.111.179
34.214.45.162
54.69.111.179

Availability Zone fail-over
Customer VPC
EC2
InstancesNLB
NLB
us-west-1aus-west-1b
Amazon
Route 53
TargetGroup 1
Health Check
Health Check
54.69.111.179
34.214.45.162
34.214.45.162
54.69.111.179

CloudWatch metrics provided for each load
balancer.
Provide detailed insight into traffic and capacity,
errors and backend health for the Network Load
Balancer
CloudWatch alarms can be configured to notify or
take action should any metric go outside the
acceptable range
All metrics provided at the 1-minute granularity
AmazonCloudWatch metrics

Traffic and capacity metrics
ActiveFlowCount - Total number of
concurrent TCP flows (or connections)
from clients to targets
NewFlowCount - Total number of new
TCP flows (or connections) established
from clients to targets
ProcessedBytes - Total number of bytes
processed by the load balancer

ResetCounts
TCPClientResetCount – Number of reset
(RST) packets sent from a client to a target
TCPELBResetCount – Number of reset
(RST) packets generated by the load
balancer
TCPTargetResetCount – Number of reset
(RST) packets sent from a target to a client

Backend health
HealthyHostCount – Number of targets
that are considered healthy
UnHealthyHostCount – Number of
targets that are considered unhealthy

Captures the network flow for a
specific quintuple, for a specific
capture window
Packets
Bytes
Capture window start and end
Action - Accepted or Rejected
status
Log status
Flow logs

Network Load Balancer pricing
With the Network Load Balancer, you only pay for what you use. You are
charged for each hour or partial hour your Network Load Balancer is running
and the number of Load Balancer Capacity Units (LCU) used per hour
• $0.0225 per Network Load Balancer-hour (or partial hour)
• $0.006 per LCU-hour (or partial hour)
Hourly charge is 10% cheaper than Classic Load
Balancer; Data Processing charge is 25%
cheaper than Classic and Application Load Balancer;
reducing the cost for virtually all of our customers

Load balancer capacity units - TCP
An LCU measures the dimensions on which the Network Load Balancer
processes your traffic (averaged over an hour). The three dimensions measured
are as follows
• New connections: Up to 800 new connections per second
• Active connections: Up to 100,000 active connections
• Bandwidth: Up to 2.22 Mbps (1 GB per hour)
You are charged only on the dimension with the highest
usage over the hour

Migrating to Network Load Balancer
Migration is as simple as creating a new Network
Load Balancer, registering targets, and updating
DNS to point at the new CNAME
Classic Load Balancer to Network Load Balancer
migration utility
https://github.com/aws/elastic-load-balancing-tools

Which load balancer should I pick?

Application Load Balancer Network Load Balancer Classic Load Balancer
Protocol HTTP, HTTPS,HTTP/2 TCP TCP, SSL, HTTP, HTTPS
SSL offloading and
Encryption to Backend-
server
✓ ✓
IP address as a target
✓ ✓
Path-based routing, Host-
based routing
✓
Static IP and Elastic IP
✓
WebSockets
✓ ✓
Preserve client IP
✓
Container support
✓ ✓
User Authentication
✓

For TCP in VPC, use Network Load
Balancer
For all other use cases in VPC , use
For Classic networking, use Classic Load
Balancer

Thank you!
Pratibha Suryadevara
suryadp@amazon.com
Will Rose
wrose@netflix.com

[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) - AWS re:Invent 2018

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie [REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) - AWS re:Invent 2018

Ähnlich wie [REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) - AWS re:Invent 2018 (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) - AWS re:Invent 2018