NET404R

Elastic Load Balancing: Deep Dive and Best Practices

Pratibha Suryadevara, General Manager, Elastic Load Balancing
Will Rose, Sr Security Engineer, Netflix

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, and IP addresses.
Elastic, secure, integrated, cost effective
[Diagram: an ELB in front of three EC2 instances]

A load balancer is used to route incoming requests to multiple EC2 instances, containers, or IP addresses in your VPC.
Layer 4 (network)
• Supports TCP
• Incoming client connection bound to server connection
• No header modification
• Source IP is preserved in the header, or Proxy Protocol prepends source and destination IP and ports to the request

Layer 7 (application)
• Supports HTTP and HTTPS
• Connection terminated at the load balancer and pooled to the server
• Headers may be modified
• X-Forwarded-For header contains the client IP address
The Elastic Load Balancing (ELB) family

• Application Load Balancer: HTTP & HTTPS (VPC)
• Network Load Balancer: TCP workloads (VPC)
• Classic Load Balancer: previous generation for HTTP, HTTPS, TCP (Classic network)
Application Load Balancer
Advanced request routing with support for microservices and container-based applications
Application Load Balancer
Feature rich, layer 7 load-balanced platform

• Content-based routing allows requests to be routed to different applications behind a single load balancer
• Path- and host-based routing
• Support for microservices and container-based applications, including deep integration with Amazon Elastic Container Service (Amazon ECS)
Application Load Balancer

• Support for WebSockets and HTTP/2
• Improved health checks and additional Amazon CloudWatch metrics
• Load balancer API deletion protection
• Improved performance for real-time and streaming applications
• Improved Elastic Load Balancing API
• API Model
• Routing
• Security
• Availability
• Scalability & Integration
• Monitoring: Metrics & Access Logs
• Pricing
• Migration
[Diagram: API model. A load balancer has listeners; each listener has rules (a default rule, and for example a rule matching */img/*); each rule forwards to a target group (#1: EC2 instances, #2: IP addresses, #3: ECS tasks), and each target group has its own health check]
IP as a target
• Use any IPv4 address from the load balancer's VPC CIDR for targets within the load balancer's VPC
• Use any IP address from the RFC 6598 range (100.64.0.0/10) and the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) for targets located outside the load balancer's VPC (this includes peered VPCs, EC2-Classic, and on-premises targets reachable over Direct Connect or VPN)
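The address rules above encoded as a pre-registration check, as an added example (not AWS code); the VPC CIDR and target addresses it is run against are constructed.

```python
"""Check candidate IP targets against the address rules above: any IPv4 address in
the load balancer's VPC CIDR, or RFC 1918 / RFC 6598 space for targets outside it.
Added example (not AWS code); the VPC CIDR and target addresses are constructed."""
import ipaddress

# Ranges allowed for targets outside the load balancer's VPC
# (peered VPC, EC2-Classic, on-premises over Direct Connect or VPN)
OUTSIDE_VPC_RANGES = [ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def classify_ip_target(target, vpc_cidrs):
    """Return (allowed, reason) for one target address string."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False, "not an IP address"
    if ip.version != 4:
        return False, "IP targets must be IPv4"
    if any(ip in ipaddress.ip_network(c) for c in vpc_cidrs):
        return True, "inside the load balancer's VPC CIDR"
    if any(ip in r for r in OUTSIDE_VPC_RANGES):
        return True, "RFC 1918 / RFC 6598 address outside the VPC"
    return False, "public address outside the VPC is not a valid IP target"

def validate_targets(targets, vpc_cidrs):
    """Verdict per target; run this before RegisterTargets to catch bad entries early."""
    return {t: classify_ip_target(t, vpc_cidrs) for t in targets}
```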
Content-based routing
• Route based on the path or host field in the HTTP header
• Support multiple domains using a single load balancer
• Route each path or host name to a different target group
[Diagram: Amazon EC2 instances registered behind a Classic Load Balancer]

[Diagram: running two separate services (orders.example.com and images.example.com) with Classic Load Balancer requires a separate load balancer and set of EC2 instances per service]

[Diagram: Application Load Balancer allows multiple services to be hosted behind a single load balancer; example.com/orders and example.com/images are routed to different groups of EC2 instances]
Redirects in ALB

Use cases and examples:
1. HTTP to HTTP redirects: HTTP://example.com to HTTP://example.org:8080
2. HTTP to HTTPS redirects: HTTP://example.com to HTTPS://example.com; HTTP://example.com:443 to HTTPS://example.com:40443
3. HTTPS to HTTPS redirects: HTTPS://example.com:443 to HTTPS://example.com:40443
Fixed response
• You can control which of the client requests should be served by the application fleet
• The load balancer can auto-respond to HTTP requests based on any criteria supported by content-based routing rules
• You can configure HTTP response codes and custom error messages to be returned to the clients
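The three routing slides above (content-based routing, redirects, fixed response) share one rule model, shown here as an added example that is not AWS code: listener rules evaluated in priority order, host/path conditions, and forward, redirect and fixed-response actions. The listeners, rules and target group names are constructed; the `#{...}` redirect placeholders follow the ALB convention.

```python
"""Model of ALB listener rule evaluation: priority-ordered rules with host/path
conditions and forward, redirect or fixed-response actions.
Added example (not AWS code); listeners, rules and target group names are constructed,
and '#{...}' redirect placeholders follow the ALB convention."""
import fnmatch
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    scheme: str            # "http" or "https"
    host: str
    port: int
    path: str
    query: str = ""

@dataclass(frozen=True)
class Rule:
    priority: int          # lower numbers are evaluated first
    conditions: dict       # {"host-header": [...], "path-pattern": [...]}: AND across kinds, OR within one
    action: dict           # {"type": "forward" | "redirect" | "fixed-response", ...}

def _matches(rule, req):
    for kind, patterns in rule.conditions.items():
        if kind == "host-header":      # host names are compared case-insensitively
            ok = any(fnmatch.fnmatchcase(req.host.lower(), p.lower()) for p in patterns)
        elif kind == "path-pattern":   # paths are case-sensitive; '*' and '?' are wildcards
            ok = any(fnmatch.fnmatchcase(req.path, p) for p in patterns)
        else:
            raise ValueError(f"unsupported condition: {kind}")
        if not ok:
            return False
    return True

def _redirect(cfg, req):
    # Components left unspecified keep the original request's value
    scheme = cfg.get("protocol", "#{protocol}").replace("#{protocol}", req.scheme).lower()
    host = cfg.get("host", "#{host}").replace("#{host}", req.host)
    port = cfg.get("port", "#{port}").replace("#{port}", str(req.port))
    path = cfg.get("path", "#{path}").replace("#{path}", req.path)
    query = cfg.get("query", "#{query}").replace("#{query}", req.query)
    location = f"{scheme}://{host}:{port}{path}" + (f"?{query}" if query else "")
    return {"status": 301 if cfg.get("status_code", "HTTP_301") == "HTTP_301" else 302,
            "location": location}

def _apply(action, req):
    kind = action["type"]
    if kind == "forward":
        return {"forward": action["target_group"]}
    if kind == "redirect":
        return _redirect(action, req)
    if kind == "fixed-response":       # answered by the load balancer; never reaches the fleet
        return {"status": int(action["status_code"]), "body": action.get("message_body", "")}
    raise ValueError(f"unsupported action: {kind}")

def evaluate(rules, default_action, req):
    """First matching rule in priority order wins; otherwise the listener default applies."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, req):
            return _apply(rule.action, req)
    return _apply(default_action, req)

# Constructed listeners: port 80 only redirects to HTTPS, port 443 routes by host and path
HTTP_DEFAULT = {"type": "redirect", "protocol": "HTTPS", "port": "443", "status_code": "HTTP_301"}
HTTPS_RULES = [
    Rule(10, {"path-pattern": ["/img/*"]}, {"type": "forward", "target_group": "tg-images"}),
    Rule(20, {"host-header": ["orders.example.com"]}, {"type": "forward", "target_group": "tg-orders"}),
    Rule(30, {"path-pattern": ["/admin/*"]}, {"type": "fixed-response", "status_code": "403", "message_body": "Forbidden"}),
]
HTTPS_DEFAULT = {"type": "forward", "target_group": "tg-web"}

def route(req):
    # Pick the listener by scheme, then evaluate its rules
    if req.scheme == "http":
        return evaluate([], HTTP_DEFAULT, req)
    return evaluate(HTTPS_RULES, HTTPS_DEFAULT, req)
```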
Slow start
• Slow start allows adding new targets without overwhelming them with a flood of requests
• The load balancer linearly increases the number of requests sent to a new target up to its fair share
• Allows targets to warm up before receiving their fair share of requests
• Useful for applications that depend on cache warming for optimal performance
Native IPv6 support
Managing TLS

[Diagram: legacy model. The admin sends a cert request to a certificate authority, receives the signed cert, and deploys it to each host; users reach the instances over HTTPS via Amazon Route 53]

[Diagram: using Application Load Balancer. The admin requests the cert from the certificate authority, uploads the signed cert to AWS Identity and Access Management (IAM), and deploys it to the ALB; users reach the ALB over HTTPS via Amazon Route 53 and the ALB fronts the instances]

[Diagram: Application Load Balancer & AWS Certificate Manager (ACM). The admin requests the cert from ACM and binds it to the ALB directly; users reach the ALB over HTTPS via Amazon Route 53]
Predefined security policies
• ELBSecurityPolicy-TLS-1-1-2017-01 – Supports TLS 1.1 and above
• ELBSecurityPolicy-TLS-1-2-2017-01 – Strictly supports TLS 1.2
• ELBSecurityPolicy-2016-08 – New default policy, same as the Classic Load Balancer default policy
• Windows XP security policy
• ELBSecurityPolicy-FS-2018-06 – Supports ciphers that ensure forward secrecy
• ELBSecurityPolicy-TLS-1-2-Ext-2018-06 – Strictly supports the TLS 1.2 protocol
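A listener audit against the policies just listed, as an added example (not AWS code): it walks a DescribeListeners-shaped response and flags HTTPS listeners whose policy is not one of the two TLS 1.2-only policies, plus plaintext HTTP listeners that forward rather than redirect. The SAMPLE response and its REGION/ACCOUNT/ID values are constructed placeholders, and the accepted-policy set is this audit's choice, not an AWS default.

```python
"""Audit ALB listeners, as returned by DescribeListeners, against the predefined
security policies listed above.
Added example (not AWS code). SAMPLE is a constructed DescribeListeners-shaped
response with placeholder REGION/ACCOUNT/ID values; the accepted-policy set is a
choice made here, not an AWS default."""
# Only the policies that strictly support TLS 1.2 pass this audit
ACCEPTED_POLICIES = {"ELBSecurityPolicy-TLS-1-2-2017-01", "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"}

def audit_listener(listener):
    """Return a list of findings for one listener (empty when it passes)."""
    findings = []
    protocol = listener.get("Protocol")
    if protocol == "HTTP":
        # A plaintext listener is acceptable only as a redirect to the HTTPS listener
        redirects = [a for a in listener.get("DefaultActions", [])
                     if a.get("Type") == "redirect"
                     and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"]
        if not redirects:
            findings.append("plaintext HTTP listener does not redirect to HTTPS")
    elif protocol == "HTTPS":
        policy = listener.get("SslPolicy") or "(none)"
        if policy not in ACCEPTED_POLICIES:
            findings.append(f"security policy {policy} does not enforce TLS 1.2 only")
        if not listener.get("Certificates"):
            findings.append("HTTPS listener has no certificate bound")
    return findings

def audit_listeners(describe_output):
    """Map ListenerArn -> findings for every listener that has at least one."""
    report = {}
    for listener in describe_output.get("Listeners", []):
        findings = audit_listener(listener)
        if findings:
            report[listener["ListenerArn"]] = findings
    return report

# Constructed sample: L1 and L4 pass, L2 uses the 2016-08 default policy, L3 forwards plaintext
ARN_PREFIX = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/web/LBID/"
CERTS = [{"CertificateArn": "arn:aws:acm:REGION:ACCOUNT:certificate/CERTID"}]
FORWARD = [{"Type": "forward", "TargetGroupArn": "TARGET_GROUP_ARN_PLACEHOLDER"}]
SAMPLE = {"Listeners": [
    {"ListenerArn": ARN_PREFIX + "L1", "Protocol": "HTTPS", "Port": 443,
     "SslPolicy": "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", "Certificates": CERTS, "DefaultActions": FORWARD},
    {"ListenerArn": ARN_PREFIX + "L2", "Protocol": "HTTPS", "Port": 8443,
     "SslPolicy": "ELBSecurityPolicy-2016-08", "Certificates": CERTS, "DefaultActions": FORWARD},
    {"ListenerArn": ARN_PREFIX + "L3", "Protocol": "HTTP", "Port": 80, "DefaultActions": FORWARD},
    {"ListenerArn": ARN_PREFIX + "L4", "Protocol": "HTTP", "Port": 8080,
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
]}
```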
Application Load Balancer with AWS WAF
• Monitor web requests and protect web applications from malicious requests at the load balancer
• Block or allow requests based on conditions such as IP addresses
• Preconfigured protection to block common attacks like SQL injection or cross-site scripting
• Set up web ACLs and rules from the AWS WAF console and apply them to the load balancer
Server Name Indication (SNI)
• Host multiple TLS-secured applications, each with its own TLS certificate
• Bind multiple certificates to the same secure listener on your load balancer
• ALB will automatically choose the optimal TLS certificate for each client
• Support for both the classic RSA algorithm and the newer, faster elliptic-curve-based ECDSA algorithm
Authentication in ALB
• Authenticate users accessing applications
• Native integration with any OIDC-compliant IdP
• Authenticate with social identities
• Integration with Amazon Cognito
• Authenticate with enterprise IdPs with SAML
whoami

Will Rose
Senior Security Engineer
Netflix Information Security
Netflix Identity Platform
Landscape
• Hundreds of applications, growing daily
• Languages and frameworks galore
• With great freedom comes great variability
Identity Challenges

Just use client libraries to federate!
• Always playing catch-up to new languages and frameworks
• Open source options of varying quality and completeness
• Developer friction around configuration
Identity Challenges

Ok, then just use authenticating proxies!
• Additional critical infrastructure to maintain
• Additional infrastructure cost to operate
• Potential bottlenecks and new failure modes to address

[Diagram: a proxy layer placed in front of the application layer]
Please select one

C. None of the above
Crazy Talk

Why not Application Load Balancers!?
Auth == undifferentiated heavy lifting!
Let's talk to Amazon!
Please?
Alphabet Soup

Ingredients:
1 x AWS
1 x ALB
1 x OIDC
Simmer for 6 months
Serves: everyone
Under the Hood

Identity headers:
X-Amzn-OIDC-Identity: will.rose@domain.com
X-Amzn-OIDC-Access-Token: 1waGF…YW50
X-Amzn-OIDC-Data: eyJhbG...y4MbQQ
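What the application behind the load balancer has to do with the X-Amzn-OIDC-Data header before it can rely on the identity, as an added example that is neither Netflix's nor AWS's code: the header is an ES256-signed JWT, so the backend must fetch the public key named by the token's `kid`, check the signature and the expiry, and only then read the claims. This uses the `cryptography` package; the key pair, `kid`, signer ARN and claims are constructed, and the `key_store` dict stands in for the real key lookup at https://public-keys.auth.elb.<region>.amazonaws.com/<kid>.

```python
"""Verify the X-Amzn-OIDC-Data JWT an ALB adds once it has authenticated the user.
Added example, not Netflix or AWS code; uses the `cryptography` package. The key pair,
kid and claims are constructed; in production the public key for the token's kid is
fetched from https://public-keys.auth.elb.<region>.amazonaws.com/<kid>, and the
key_store dict stands in for that lookup here."""
import base64
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, utils

KID = "kid-constructed-1"   # placeholder key id

def _b64url_decode(segment):
    # ALB segments may arrive with or without '=' padding; re-pad before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(private_key, kid, claims):
    """Stand-in for the ALB signer, used only to produce test input (placeholder ARN)."""
    header = {"alg": "ES256", "kid": kid,
              "signer": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/NAME/ID"}
    signing_input = ".".join(_b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    r, s = utils.decode_dss_signature(
        private_key.sign(signing_input.encode(), ec.ECDSA(hashes.SHA256())))
    return signing_input + "." + _b64url_encode(r.to_bytes(32, "big") + s.to_bytes(32, "big"))

def verify_token(token, key_store, now):
    """Return the claims only if signature and expiry check out; otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "ES256":                 # ALB signs with ES256 only
        raise ValueError("unexpected alg")
    public_key = key_store.get(header.get("kid"))    # key comes from the store, never from the token
    if public_key is None:
        raise ValueError("unknown kid")
    sig = _b64url_decode(sig_b64)
    if len(sig) != 64:                               # JWS ES256 signature is raw r || s
        raise ValueError("bad signature length")
    der = utils.encode_dss_signature(int.from_bytes(sig[:32], "big"),
                                     int.from_bytes(sig[32:], "big"))
    try:
        public_key.verify(der, f"{head_b64}.{body_b64}".encode(), ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        raise ValueError("signature invalid") from None
    claims = json.loads(_b64url_decode(body_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

def demo(now=1543320000):
    """Round trip with a fresh key: a valid token, a tampered payload, an expired token."""
    private_key = ec.generate_private_key(ec.SECP256R1())
    key_store = {KID: private_key.public_key()}
    good = make_token(private_key, KID, {"sub": "abc123", "email": "will.rose@domain.com", "exp": now + 120})
    head, _body, sig = good.split(".")
    forged_body = _b64url_encode(b'{"sub": "abc123", "email": "someone-else@domain.com", "exp": 9999999999}')
    tampered = f"{head}.{forged_body}.{sig}"        # payload edited, signature left unchanged
    expired = make_token(private_key, KID, {"sub": "abc123", "exp": now - 1})
    results = {"claims": verify_token(good, key_store, now)}
    for name, tok in (("tampered", tampered), ("expired", expired)):
        try:
            verify_token(tok, key_store, now)
            results[name] = None
        except ValueError as exc:
            results[name] = str(exc)
    return results
```

The check only means something if the target's security group accepts traffic solely from the load balancer, since a request that reaches the instance directly can carry any headers it likes.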
Adoption
• Native Spinnaker integration
• Fully self-service with only a few clicks
• Identical integration experience across all languages
• No new infrastructure required
• Our recommended integration path for all applications

Thank you!
Filtering by tags in console
• Filter load balancers and target groups by tags
• Enables you to view only the resources that you or your group is responsible for
• Reduces human errors of making changes to the wrong load balancer or target group
Resource-level and tag-based permissions
• Implement fine-grained access controls on load balancer resources using IAM policies
• Create policies based either on resource ARNs or on specific tags on resources
• Create access control policies for load balancer, listener, rule, or target group resources
Cross-zone load balancing
• Requests distributed evenly across multiple Availability Zones
• Load balancer absorbs the impact of DNS caching
• Eliminates imbalances in backend instance utilization
• No additional bandwidth charge for cross-zone traffic
• Enabled on all ALBs by default
Health checks allow for traffic to be shifted away from failed instances
Health checks

[Diagram: an ELB in front of three EC2 instances, one of which has failed. Health checks ensure that request traffic is shifted away from a failed instance]
Health checks
• Support for HTTP and HTTPS health checks
• Customize the frequency and failure thresholds
• Consider the depth and accuracy of your health checks
• Customize the list of successful response codes, for example 200-300
• Details of health check failures are now returned by the API and Management Console
Amazon EC2 Auto Scaling

[Diagram: users reach the Application Load Balancer over HTTPS via Amazon Route 53; the load balancer fronts the instances of an Auto Scaling group]

[Diagram: scaling out with EC2 instances: Launch + Configure + Serve = minutes]
Amazon Elastic Container Service

[Diagram: users reach the Application Load Balancer over HTTPS via Amazon Route 53; the load balancer fronts containers running on instances in Elastic Container Service]
Containers: ALB integration with Kubernetes / EKS
ALB Ingress Controller – Enabling host- or path-based routing to a Kubernetes cluster.
• ALB fronts multiple services and acts as a "smart router" or entry point into the Kubernetes cluster
• Rich layer 7 routing features of ALB

https://github.com/kubernetes-sigs/aws-alb-ingress-controller
ALB with Amazon ECS or Amazon EKS scaling

[Diagram: scaling out with containers behind the Application Load Balancer: Start + Run = seconds]
Amazon CloudWatch metrics
• CloudWatch metrics provided for each load balancer
• Provide detailed insight into the health of the load balancer and application stack
• CloudWatch alarms can be configured to notify or take action should any metric go outside the acceptable range
• All metrics provided at 1-minute granularity
Access logs
• Provide detailed information on each request processed by the load balancer
• Includes request time, client IP address, latencies, request path, and server responses
• Delivered to an Amazon S3 bucket every 5 or 60 minutes
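Reading the fields just listed out of real access log lines, as an added example (not AWS code): a parser for the space-separated, partly quoted ALB log layout and a few first-pass checks a responder runs over it (load balancer-generated 5xx with no target response, slow targets, legacy TLS clients, clients generating many 4xx responses). The six log lines are constructed samples with placeholder REGION/ACCOUNT/ID values, and the thresholds are assumptions.

```python
"""Parse ALB access log lines and run a few first-pass defender checks over them.
Added example (not AWS code). The log lines are constructed samples in the ALB access
log layout with placeholder REGION/ACCOUNT/ID values; thresholds are assumptions."""
import shlex
from collections import Counter

FIELDS = ("type", "time", "elb", "client_port", "target_port",
          "request_processing_time", "target_processing_time", "response_processing_time",
          "elb_status_code", "target_status_code", "received_bytes", "sent_bytes",
          "request", "user_agent", "ssl_cipher", "ssl_protocol", "target_group_arn",
          "trace_id", "domain_name", "chosen_cert_arn", "matched_rule_priority",
          "request_creation_time", "actions_executed", "redirect_url", "error_reason")

def parse_line(line):
    """Split one line; quoted fields (request, user agent, trace id, ...) may contain spaces."""
    rec = dict(zip(FIELDS, shlex.split(line)))
    rec["client_ip"] = rec["client_port"].rsplit(":", 1)[0]
    for key in ("elb_status_code", "target_status_code"):
        rec[key] = int(rec[key]) if rec[key].isdigit() else None   # "-" when there was no response
    for key in ("request_processing_time", "target_processing_time", "response_processing_time"):
        rec[key] = float(rec[key])                                  # -1 when no target took the request
    return rec

def analyze(lines, slow_seconds=1.0, max_4xx_per_client=2):
    """Summarise what a responder looks at first: LB-generated 5xx, slow targets,
    legacy TLS clients and clients producing many 4xx responses."""
    recs = [parse_line(l) for l in lines if l.strip()]
    per_client_4xx = Counter(r["client_ip"] for r in recs
                             if r["elb_status_code"] and 400 <= r["elb_status_code"] < 500)
    return {
        "count": len(recs),
        "no_target_response": [r["trace_id"] for r in recs
                               if r["target_status_code"] is None and (r["elb_status_code"] or 0) >= 500],
        "slow": [r["trace_id"] for r in recs if r["target_processing_time"] > slow_seconds],
        "legacy_tls": sorted({r["ssl_protocol"] for r in recs
                              if r["ssl_protocol"] not in ("-", "TLSv1.2", "TLSv1.3")}),
        "noisy_clients": [ip for ip, n in per_client_4xx.items() if n > max_4xx_per_client],
    }

# Constructed sample: one healthy request, one slow TLSv1 request, three 404s from one client,
# and one request the load balancer answered with 503 because no target took it
SAMPLE_LOG = """\
https 2018-11-27T10:15:32.123456Z app/web/LBID 203.0.113.10:34567 10.0.1.25:80 0.000 0.005 0.000 200 200 34 366 "GET https://www.example.com:443/ HTTP/1.1" "curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web/TGID "Root=1-5bfd2b84-0001" "www.example.com" "arn:aws:acm:REGION:ACCOUNT:certificate/CERTID" 0 2018-11-27T10:15:32.120000Z "forward" "-" "-"
https 2018-11-27T10:15:33.000000Z app/web/LBID 198.51.100.7:50001 10.0.1.26:80 0.001 2.731 0.000 200 200 120 9001 "GET https://www.example.com:443/report HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-SHA TLSv1 arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web/TGID "Root=1-5bfd2b85-0002" "www.example.com" "arn:aws:acm:REGION:ACCOUNT:certificate/CERTID" 0 2018-11-27T10:15:32.990000Z "forward" "-" "-"
https 2018-11-27T10:15:34.000000Z app/web/LBID 198.51.100.7:50002 10.0.1.25:80 0.000 0.002 0.000 404 404 90 210 "GET https://www.example.com:443/missing/1 HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web/TGID "Root=1-5bfd2b86-0003" "www.example.com" "arn:aws:acm:REGION:ACCOUNT:certificate/CERTID" 0 2018-11-27T10:15:33.990000Z "forward" "-" "-"
https 2018-11-27T10:15:35.000000Z app/web/LBID 198.51.100.7:50003 10.0.1.25:80 0.000 0.002 0.000 404 404 90 210 "GET https://www.example.com:443/missing/2 HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web/TGID "Root=1-5bfd2b87-0004" "www.example.com" "arn:aws:acm:REGION:ACCOUNT:certificate/CERTID" 0 2018-11-27T10:15:34.990000Z "forward" "-" "-"
https 2018-11-27T10:15:36.000000Z app/web/LBID 198.51.100.7:50004 10.0.1.26:80 0.000 0.002 0.000 404 404 90 210 "GET https://www.example.com:443/missing/3 HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web/TGID "Root=1-5bfd2b88-0005" "www.example.com" "arn:aws:acm:REGION:ACCOUNT:certificate/CERTID" 0 2018-11-27T10:15:35.990000Z "forward" "-" "-"
https 2018-11-27T10:15:40.000000Z app/web/LBID 203.0.113.10:34570 - -1 -1 -1 503 - 34 0 "GET https://www.example.com:443/ HTTP/1.1" "curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web/TGID "Root=1-5bfd2b8c-0006" "www.example.com" "arn:aws:acm:REGION:ACCOUNT:certificate/CERTID" 0 2018-11-27T10:15:39.990000Z "forward" "-" "-"
"""
```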
[Diagram: exampleloadbalancer.com reference architecture. Users reach an Application Load Balancer over HTTPS via Amazon Route 53; the certificate comes from AWS Certificate Manager, AWS WAF and Amazon Cognito are attached to the load balancer, and IAM permissions govern it. The ALB forwards to ECS containers, one of them in EU-WEST-2 reached over VPC peering]
Application Load Balancer pricing

With the Application Load Balancer, you only pay for what you use. You are charged for each hour or partial hour your Application Load Balancer is running and for the number of Load Balancer Capacity Units (LCU) used per hour.

• $0.0225 per Application Load Balancer-hour (or partial hour)
• $0.008 per LCU-hour (or partial hour)

The hourly charge is 10% less expensive than the Classic Load Balancer, reducing the cost for virtually all of our customers.
Load balancer capacity units

An LCU measures the dimensions on which the Application Load Balancer processes your traffic (averaged over an hour). The four dimensions measured are as follows:

• New connections: up to 25 new connections per second
• Active connections: up to 3,000 active connections
• Bandwidth: up to 2.22 Mbps (1 GB per hour)
• Rule evaluations: 1,000 rule evaluations

You are charged only on the dimension with the highest usage over the hour.
Migrating to Application Load Balancer

• Publishing LCU metrics for Classic Load Balancer, which allows customers to estimate pricing if they migrate from Classic to ALB
• Migration is as simple as creating a new Application Load Balancer, registering targets, and updating DNS to point at the new CNAME
• Classic Load Balancer to Application Load Balancer migration utility: https://github.com/aws/elastic-load-balancing-tools
Network Load Balancer
Network Load Balancer
New, layer 4 load-balancing platform
• Connection-based load balancing
• TCP protocol
• High performance: can handle millions of requests per second
• Static IP support
• Ideal for applications with long-running connections
Resources same as ALB
Improved Elastic Load Balancing API
• Listeners
• Target groups
• Targets
• Static IP
• Preservation of Source IP
• Availability
• Monitoring: Metrics & Flow Logs
• Pricing
• Migration
Static IP
• Automatically gets assigned a single IP per Availability Zone
• Assign an EIP per AZ to get a static IP
• Helps with white-listing for firewalls and zero-dollar billing use cases
Assign Elastic IP addresses

[Diagram: a Network Load Balancer with Target Group 1 spanning zone 1a (34.214.45.162) and zone 1b (54.69.111.179), each zone fronting its own EC2 instances. Assigning an Elastic IP provides a single IP address per Availability Zone per load balancer that will not change.]
Preserve source IP
• Preserves client IP to backends
• Can be used for logging and other applications
• Removes need for Proxy Protocol
• Support for Proxy Protocol v2 when load balancing to IP addresses
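When the targets are IP addresses the client address arrives in a Proxy Protocol v2 header rather than in the packet itself, so the backend needs a parser before it can log or filter on it. The following is an added example (not AWS code) that implements the v2 header layout from the PROXY protocol specification, including the AWS vendor TLV (type 0xEA, subtype 0x01) that carries a VPC endpoint ID; the addresses and the vpce- identifier it is tested with are constructed, and `build_proxy_v2` is only a stand-in for the NLB side.

```python
"""Parse the Proxy Protocol v2 header an NLB prepends when it load balances to IP
targets, so the backend can recover the real client address for logs and ACLs.
Added example (not AWS code). Layout follows the PROXY protocol v2 spec; the
0xEA/0x01 TLV is the AWS vendor TLV carrying a VPC endpoint ID. Sample values
(addresses, the vpce- ID) are constructed."""
import socket
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte v2 magic
ADDR_LEN = {1: 12, 2: 36}              # AF_INET: 4+4+2+2 bytes, AF_INET6: 16+16+2+2 bytes

def parse_proxy_v2(buf):
    """Return (info, remaining_bytes) or raise ValueError if the header is not valid."""
    if len(buf) < 16 or buf[:12] != SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", buf[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("not version 2")
    if len(buf) < 16 + length:
        raise ValueError("truncated header")
    body, rest = buf[16:16 + length], buf[16 + length:]
    info = {"command": "LOCAL" if ver_cmd & 0x0F == 0 else "PROXY", "tlv": {}}
    if info["command"] == "LOCAL":       # e.g. health checks: no client address to trust
        return info, rest
    family, transport = fam_proto >> 4, fam_proto & 0x0F
    if transport != 1 or family not in ADDR_LEN:
        raise ValueError("expected TCP over IPv4 or IPv6")
    alen = ADDR_LEN[family]
    if len(body) < alen:
        raise ValueError("truncated address block")
    af = socket.AF_INET if family == 1 else socket.AF_INET6
    fmt = "!4s4sHH" if family == 1 else "!16s16sHH"
    src, dst, sport, dport = struct.unpack(fmt, body[:alen])
    info.update(src=socket.inet_ntop(af, src), src_port=sport,
                dst=socket.inet_ntop(af, dst), dst_port=dport)
    tlv = body[alen:]
    while tlv:                           # each TLV: type (1 byte) + length (2 bytes) + value
        if len(tlv) < 3:
            raise ValueError("truncated TLV")
        kind, vlen = tlv[0], struct.unpack("!H", tlv[1:3])[0]
        value, tlv = tlv[3:3 + vlen], tlv[3 + vlen:]
        if len(value) != vlen:
            raise ValueError("truncated TLV value")
        if kind == 0xEA and value[:1] == b"\x01":   # PP2_TYPE_AWS, subtype 1: VPC endpoint ID
            info["tlv"]["vpce_id"] = value[1:].decode()
        else:
            info["tlv"][kind] = value
    return info, rest

def build_proxy_v2(src, sport, dst, dport, vpce_id=None):
    """Constructed stand-in for the NLB side (IPv4/TCP), used only to produce test input."""
    addr = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HH", sport, dport)
    tlv = b""
    if vpce_id:
        payload = b"\x01" + vpce_id.encode()
        tlv = struct.pack("!BH", 0xEA, len(payload)) + payload
    return SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(addr) + len(tlv)) + addr + tlv
```

Enable Proxy Protocol only on a listener whose traffic can come solely from the load balancer; a port that clients can reach directly would let them supply the header themselves.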
Firewall example with NLB

[Diagram: Internet → external-facing Network Load Balancer (outside.domain.com) → Auto Scaling group of firewalls (FW) → internal Network Load Balancer (inside.domain.com) → Auto Scaling group of web servers]

• External-facing NLB uses fewer addresses
• Used for firewalls, proxies, or third-party load balancers
• Preserves source IP, helping firewalls with features like Geo-IP blocking
• Internal NLB doesn't change IPs
• Allows firewalls, WAFs, and proxies to maintain a single address for NAT
Health checks
Supports both network and application target health checks

Network health checks
• Based on the overall response of your target to normal traffic
• Will fail unresponsive targets in milliseconds

Application-level health checks
• HTTP, HTTPS and TCP health checks
• Customize frequency and failure thresholds
Availability Zone fail-over

[Diagram: Amazon Route 53 resolves the NLB to 34.214.45.162 (us-west-1a) and 54.69.111.179 (us-west-1b); each zone's NLB node health-checks the EC2 instances of Target Group 1 in the customer VPC]

[Diagram: the same setup after the us-west-1b targets fail their health check; traffic fails over to the 34.214.45.162 node in us-west-1a]
Amazon CloudWatch metrics
• CloudWatch metrics provided for each load balancer
• Provide detailed insight into traffic and capacity, errors and backend health for the Network Load Balancer
• CloudWatch alarms can be configured to notify or take action should any metric go outside the acceptable range
• All metrics provided at 1-minute granularity
Traffic and capacity metrics
• ActiveFlowCount – Total number of concurrent TCP flows (or connections) from clients to targets
• NewFlowCount – Total number of new TCP flows (or connections) established from clients to targets
• ProcessedBytes – Total number of bytes processed by the load balancer
Reset counts
• TCPClientResetCount – Number of reset (RST) packets sent from a client to a target
• TCPELBResetCount – Number of reset (RST) packets generated by the load balancer
• TCPTargetResetCount – Number of reset (RST) packets sent from a target to a client
Backend health
• HealthyHostCount – Number of targets that are considered healthy
• UnHealthyHostCount – Number of targets that are considered unhealthy
Flow logs
Captures the network flow for a specific quintuple, for a specific capture window:
• Packets
• Bytes
• Capture window start and end
• Action – Accepted or Rejected status
• Log status
Network Load Balancer pricing

With the Network Load Balancer, you only pay for what you use. You are charged for each hour or partial hour your Network Load Balancer is running and for the number of Load Balancer Capacity Units (LCU) used per hour.

• $0.0225 per Network Load Balancer-hour (or partial hour)
• $0.006 per LCU-hour (or partial hour)

The hourly charge is 10% cheaper than the Classic Load Balancer, and the data processing charge is 25% cheaper than the Classic and Application Load Balancers, reducing the cost for virtually all of our customers.
Load balancer capacity units - TCP

An LCU measures the dimensions on which the Network Load Balancer processes your traffic (averaged over an hour). The three dimensions measured are as follows:

• New connections: up to 800 new connections per second
• Active connections: up to 100,000 active connections
• Bandwidth: up to 2.22 Mbps (1 GB per hour)

You are charged only on the dimension with the highest usage over the hour.
Migrating to Network Load Balancer

• Migration is as simple as creating a new Network Load Balancer, registering targets, and updating DNS to point at the new CNAME
• Classic Load Balancer to Network Load Balancer migration utility: https://github.com/aws/elastic-load-balancing-tools
Which load balancer should I pick?
Feature                                          | Application Load Balancer | Network Load Balancer | Classic Load Balancer
-------------------------------------------------|---------------------------|-----------------------|----------------------
Protocol                                         | HTTP, HTTPS, HTTP/2       | TCP                   | TCP, SSL, HTTP, HTTPS
SSL offloading and encryption to backend server  | ✓                         |                       | ✓
IP address as a target                           | ✓                         | ✓                     |
Path-based routing, host-based routing           | ✓                         |                       |
Static IP and Elastic IP                         |                           | ✓                     |
WebSockets                                       | ✓                         | ✓                     |
Preserve client IP                               |                           | ✓                     |
Container support                                | ✓                         | ✓                     |
User authentication                              | ✓                         |                       |
• For TCP in VPC, use Network Load Balancer
• For all other use cases in VPC, use Application Load Balancer
• For Classic networking, use Classic Load Balancer
Thank you!
Pratibha Suryadevara: suryadp@amazon.com
Will Rose: wrose@netflix.com