ASG, ELB & HA Flashcards
Granular Mastery
Global Architecture components
- Global Service Location & Discovery
- Content Delivery (CDN) and optimization
- Global health checks & Failover
Regional Architecture Components
- Regional entry point
- Scaling & Resilience
- Application services and components
WEB Tier
WEB Tier - the entry point into an architecture. It is an abstraction of the underlying infrastructure presented to the customers: the underlying infrastructure can fail, change, or scale without impacting customers, e.g. API Gateway, ELB.
ELB Architecture
ELBs, when deployed, are by default configured to run in 2+ AZs. 1+ nodes are placed into a subnet in each AZ and scale with load.
Each ELB is configured with a single (A) record DNS name. This resolves to the IP addresses of the ELB AZ nodes.
Internet Facing vs Inward facing Load Balancer
Inward-facing - ELB has only private IPs
Internet-facing - ELB has both public and private IPs
It doesn't affect where the ELB is placed within the AZ
Cross Zone Load Balancing
Cross Zone Load Balancing is enabled by default on the Application Load Balancer
EC2/ELB integration
EC2 instances don't need to be public to work with a LB. This is because an Internet-facing load balancer has both private and public IP addresses.
Classic Load Balancer issues
- CLBs don't scale
- Each HTTPS hostname requires an individual CLB because SNI isn't supported
ALB
- ALB is a Layer 7 load balancer; it listens on HTTP and/or HTTPS
- ALB does not understand any other Layer 7 protocols (e.g. SMTP, SSH, gaming protocols)
- Understands L7 content type, cookies, custom headers, user location and app behaviour
- It is able to inspect Layer 7 application protocol information and make routing decisions from its components
SSL/TLS Termination
Security concerns mean no end-to-end unbroken SSL connection is allowed.
HTTP and HTTPS (SSL/TLS) are always terminated on the ALB - no unbroken SSL is allowed to cross this point into our application. A new set of security credentials is issued as headers for internal app processing, then the termination is reversed (the response is re-encrypted by the ALB) on the application response.
ELB Throughput
ALBs are slower than NLBs because they have more levels of the network stack to process.
The more levels of the networking stack are involved, the greater the complexity and the slower the processing.
ELB Health Checks
Only available on ALB
ALB Anatomy (Routing)
- Rules direct connections which arrive at a listener
- Rules are processed, then forwarding decisions and actions are applied
- Rules are processed in priority order
- Default rule = catch-all
Rule Conditions:
- Host-header
- Http-header
- Http-request-method
- Path-pattern
- Query-string
- Source-ip
Actions:
- Forward
- Redirect
- Fixed-response
- Authenticate-oidc (OpenID Connect)
- Authenticate-cognito
NLB and SSL
To use an end-to-end unbroken connection (passing the TCP/SSL-encrypted connection down to the application stack), use an NLB.
This forwards TCP to the application with the encryption unbroken.
NLB
Layer 4 load balancer
Protocols:
TCP, TLS, UDP, TCP_UDP
- No visibility or understanding of HTTP or HTTPS
- No headers, no cookies, no session stickiness
Really, really, really fast (millions of rps, 25% of ALB latency)
- They don't deal with the computationally heavy upper layers of the networking stack