ASG, ELB & HA Flashcards
Granular Mastery
Global Architecture components
- Global Service Location & Discovery
- Content Delivery (CDN) and optimization
- Global health checks & Failover
Regional Architecture Components
- Regional entry point
- Scaling & Resilience
- Application services and components
WEB Tier
WEB Tier - Entry point into an architecture. An abstraction of the underlying infrastructure to the customers. The underlying infrastructure can fail, change, or scale without impacting customers, e.g. API Gateway, ELB.
ELB Architecture
ELBs, when deployed, are by default configured to run in 2+ AZs. 1+ nodes are placed into a subnet in each AZ and scale with load.
Each ELB is configured with a single (A) record DNS name. This resolves to the IP addresses of the ELB AZ nodes.
Internet Facing vs Inward facing Load Balancer
Inward (internal) - ELB has only a private IP
Internet-facing - ELB has both a public and a private IP
It doesn't affect where the ELB is placed within the AZ
Cross Zone Load Balancing
Cross Zone Load Balancing is enabled by default on the Application Load Balancer
EC2/ELB integration
EC2 doesn't need to be public to work with an LB. This is because an internet-facing load balancer has both private and public IP addresses.
Classic Load Balancer issues
- CLBs don't scale
- Each HTTPS name requires its own CLB because SNI isn't supported
ALB
- ALB is a Layer 7 load balancer; it listens on HTTP and/or HTTPS
- ALB does not understand any other Layer 7 protocols, e.g. SMTP, SSH, gaming protocols
- Understands L7 content type, cookies, custom headers, user location and app behaviour
- It is able to inspect Layer 7 application protocol information and make decisions based on its components
SSL/TLS Termination
Security concerns ensure no end-to-end unbroken SSL connection is allowed.
HTTP and HTTPS (SSL/TLS) are always terminated on the ALB - no unbroken SSL is allowed to cross this point into our application. A new set of security credentials is issued as headers for internal app processing, then the certificate termination is reversed during the application response.
ELB Throughput
ALBs are slower than NLBs: there are more levels of the network stack to process.
The more levels of the networking stack, the more the complexity, the slower the processing.
ELB Health Checks
Only available on ALB
ALB Anatomy (Routing)
- Rules are processed, forwarding decisions and actions are applied.
- Rules direct connections which arrive at a listener
- Rules are processed in priority order
- Default rule = catch-all
Rule Conditions:
- Host-header
- Http-header
- Http-request-method
- Path-pattern
- Query-string &
- Source-ip
Actions:
- Forward,
- Redirect,
- Fixed-response,
- Authenticate-oidc (OpenID) &
- Authenticate-cognito
NLB and SSL
To use an end-to-end unbroken connection (pass the TCP/SSL encrypted connection down to the application stack), use NLB.
This forwards TCP to the application: unbroken encryption.
NLB
Layer 4 load balancer
Protocols:
TCP, TLS, UDP, TCP_UDP
- No visibility or understanding of HTTP or HTTPS
- No headers, no cookies, no session stickiness
Really Really Really Fast (millions of rps, 25% of ALB latency)
- They don't deal with the computationally heavy upper layers of the networking stack
NLB Use cases
SMTP, SSH, Game Servers, financial apps
NLB Health Checks
Health checks JUST check ICMP / TCP handshake.
NLB is not app-aware, so it cannot handle detailed health checks.
NLB Static IP
NLBs can have static IPs - useful for whitelisting
Use NLB or ALB?
- Unbroken encryption? … NLB
- Static IP for whitelisting? … NLB
- The fastest performance? … NLB (millions of rps)
- Protocols other than HTTP or HTTPS? … NLB
- PrivateLink? … NLB
- Otherwise … ALB
Launch Configuration / Launch Template
LC & LT
* Allow you to define the configuration of an EC2 instance in advance
* AMI, Instance Type, Storage & Key pair
* Networking and Security Groups
* Userdata & IAM Role
* Both are NOT editable - defined once. LT has versions.
* LT provide newer features - including T2/T3 Unlimited, Placement Groups, Capacity Reservations, Elastic Graphics
Launch Configuration
Used for deploying ASGs.
- They are not editable and have no versioning capability.
- Launch Templates can have versions
Launch Template
- Launch templates can be used to save time when provisioning EC2 instances from the console UI/CLI.
- Can also be used to Launch an ASG
ASG Launch Template
Launch templates can be used to save time when provisioning EC2 instances from the console UI/CLI
ASG - Scaling Policies
- Manual Scaling - manually adjust the desired capacity [Default]
- Scheduled Scaling - time-based adjustment, e.g. sales
- Dynamic Scaling
  - Simple - "CPU above 50%: +1", "CPU below 50%: -1"
  - Stepped Scaling - bigger +/- based on the size of the difference
  - Target Tracking - desired aggregate CPU = 40%, the ASG handles it
Simple Scaling Metrics Types
Simple scaling metrics are not limited to EC2 CPU; they include metrics from any possible AWS service, such as
* EC2 Disk usage
* Network
* SQS Queue length
* Disk I/O
* Application custom metrics eg, response time
This is made possible by installing the CloudWatch agent.
Target tracking Supported Metrics
Average CPU Utilization
Average Network In
Average Network Out
Request Count per target (Relevant to ALB)
Cool down Period
Used to minimize Auto Scaling actions due to rapid spikes in traffic. It helps to avoid the costs associated with constantly adding and removing instances (some instances have minimum charges).
AWS
*As a best practice, we recommend that you do not use simple scaling policies and scaling cooldowns.
In most cases, a target tracking scaling policy or a step scaling policy is better for scaling performance. For a scaling policy that changes the size of your Auto Scaling group proportionally as the value of the scaling metric decreases or increases, we recommend target tracking over either simple scaling or step scaling.*
ASG Self-Healing
Uses EC2 status checks to replace unhealthy instances (by termination and provisioning).
This helps in fixing most isolated issues on specific instances.
EC2 Instance Recovery Hack
AKA Single Instance HA
Steps
1. Deploy a single instance per subnet
2. Configure the ASG to 1:1:1 (min:desired:max)
3. The ASG will replace any failed instance, i.e. instance recovery
ASG Key Points
- Use more, smaller instances instead of fewer larger instances - granularity
- Auto Scaling Groups are free
- Only the resources created are billed
- Use cooldowns to avoid rapid scaling
- Use with ALBs for elasticity - abstraction
- ASG defines WHEN and WHERE, LT defines WHAT
ASG Life Cycle Hooks
Lifecycle hooks enable you to perform custom actions by pausing instances as an Auto Scaling group Launches or Terminates them.
When an instance is paused, it remains in a wait state either until you complete the lifecycle action using the complete-lifecycle-action command or the CompleteLifecycleAction operation, or until the timeout period ends (one hour by default).
- LCHs can be integrated with EventBridge or SNS notifications, allowing the system to perform event-driven processes based on the launch or termination of an EC2 instance within an ASG.
**Lifecycle Hook default time:**
State changes when the timeout (3600s default) expires or CompleteLifecycleAction is called.
ASG Health Check Types
- EC2 (Default)
- ELB (Can be enabled)
- Custom
EC2 Health checks:
* Stopping,
* Stopped,
* Terminated,
* Shutting Down or
* Impaired (not passing the 2/2 status) = UNHEALTHY
ELB Health checks
HEALTHY = running & passing the ELB health check
- Since ALB is application-aware, this can be configured flexibly for features such as
1. Text pattern matching,
2. Path based
Custom Health Check
Instances marked healthy & unhealthy by an external system/tool.
Health Check grace period
Without it, the ASG will consider a booting instance unhealthy and start deploying another in order to deliver its predefined desired state.
Configurable value which needs to expire before the health check action kicks in.
Delay before starting checks.
Useful for system launch, bootstrapping and application start.
Default 300s