ASG, ELB & HA Flashcards
Granular Mastery
Global Architecture components
- Global Service Location & Discovery
- Content Delivery (CDN) and optimization
- Global health checks & Failover
Regional Architecture Components
- Regional entry point
- Scaling & Resilience
- Application services and components
WEB Tier
WEB Tier - Entry point into an Architecture. An abstraction of the underlying Infrastructure to the customers. Underlying Infrastructure can fail, change, or scale without impacting customers, e.g. API Gateway, ELB
ELB Architecture
ELBs, when deployed, are by default configured to run in 2+ AZs. 1+ Nodes are placed into a subnet in each AZ and scale with load.
Each ELB is configured with a single (A) record DNS name. This resolves to the IP Addresses of the ELB AZ Nodes
Internet Facing vs Inward facing Load Balancer
Inward-facing - ELB has only a private IP
Internet-facing - ELB has both a public and a private IP
The scheme doesn't affect where the ELB is placed within the AZ
Cross Zone Load Balancing
Cross Zone Load Balancing is enabled by default on the Application Load Balancer
EC2/ELB integration
EC2 doesn't need to be public to work with a LB. This is because an Internet-facing Load Balancer has both private and public IP addresses
Classic Load Balancer issues
- CLBs don't scale well
- Each HTTPS name requires its own individual CLB because SNI isn't supported
ALB
- ALB is a Layer 7 Load Balancer: listens on HTTP and/or HTTPS
- ALB does not understand any other Layer 7 protocols (e.g. SMTP, SSH, Gaming, ...)
- Understands L7 content type, cookies, custom headers, user location and app behaviour
- It is able to inspect Layer 7 Application protocol information and make decisions from its components
SSL/TLS Termination
Security concerns ensure no end-to-end unbroken SSL connection is allowed.
HTTP and HTTPS (SSL/TLS) are always terminated on the ALB - no unbroken SSL is allowed to cross this point into our Application. A new set of security credentials is issued as headers for internal App processing, then the Certificate termination is reversed during the Application response.
ELB Throughput
ALBs are slower than NLBs: there are more levels of the network stack to process.
The more levels of the networking stack involved, the more the complexity, the slower the processing
ELB Health Checks
Only available on ALB
ALB Anatomy (Routing)
- Rules direct connections which arrive at a listener
- Rules are processed, then forwarding decisions and actions are applied
- Rules are processed in priority order
- Default rule = catch-all
Rule Conditions:
- Host-header
- Http-header
- Http-request-method
- Path-pattern
- Query-string
- Source-ip
Actions:
- Forward
- Redirect
- Fixed-response
- Authenticate-oidc (OpenID Connect)
- Authenticate-cognito
NLB and SSL
To use an end-to-end unbroken connection (passing the TCP/SSL encrypted connection down to the Application Stack), use an NLB.
This forwards TCP to the Application with unbroken encryption
NLB
Layer 4 load balancer
Protocols:
TCP, TLS, UDP, TCP_UDP
- No visibility or understanding of HTTP or HTTPS
- No headers, no cookies, no session stickiness
Really Really Really Fast (millions of rps, 25% of ALB latency)
- They don't deal with the computationally heavy upper Layers of the Networking Stack
NLB Use cases
SMTP, SSH, Game Servers, financial apps
NLB Health Checks
Health checks JUST check ICMP / TCP Handshake.
NLB is not App aware, so it cannot handle detailed health checks
NLB Static IP
NLBs can have static IPs - useful for whitelisting
Use NLB or ALB ??
- Unbroken encryption? ... NLB
- Static IP for whitelisting? ... NLB
- The fastest performance? ... NLB (millions of rps)
- Protocols other than HTTP or HTTPS? ... NLB
- PrivateLink? ... NLB
- Otherwise ... ALB
Launch Configuration / Launch Template
LC & LT
* Allow you to define the configuration of an EC2 instance in advance
* AMI, Instance Type, Storage & Key pair
* Networking and Security Groups
* Userdata & IAM Role
* Both are NOT editable - defined once. LT has versions.
* LT provide newer features - including T2/T3 Unlimited, Placement Groups, Capacity Reservations, Elastic Graphics
Launch Configuration
Used for deploying an ASG.
- They are not editable and have no versioning capability.
- Launch Templates can have versions
Launch Template
- Launch templates can be used to save time when provisioning EC2 instances from the console UI/CLI.
- Can also be used to Launch an ASG
ASG Launch Template
Launch templates can be used to save time when provisioning EC2 instances from the console UI/CLI
ASG - Scaling Policies
- Manual Scaling - Manually adjust the desired capacity [Default]
- Scheduled Scaling - Time-based adjustment, e.g. Sales
- Dynamic Scaling
  - Simple - "CPU above 50%: +1", "CPU below 50%: -1"
  - Stepped Scaling - Bigger +/- based on the size of the difference
  - Target Tracking - Desired aggregate CPU = 40%, the ASG handles it