ELB and Auto-scaling Groups Flashcards

1
Q

When we have an instance sitting behind an application load balancer, what does the instance see as the originating IP for each request?

A

Because load balancers intercept traffic between clients and servers, your server access logs contain only the IP address of the load balancer.
To see the IP address of the client, use the X-Forwarded-For request header. To see the protocol and port, use the X-Forwarded-Proto and X-Forwarded-Port headers.

2
Q

How would a distributed vs. a non-distributed system generally be scaled?

A

Distributed systems would generally be scaled horizontally. Non-distributed systems would tend to scale vertically.

3
Q

Which OSI layers do CLBs, ALBs and NLBs operate on?

A

CLB: 4 (Transport Layer, TCP), 7 (Application Layer)
NLB: 4
ALB: 7

4
Q

Why would you use cross zone load balancing?

A

Cross-zone load balancing reduces the need to maintain equivalent numbers of instances in each enabled Availability Zone, and improves your application’s ability to handle the loss of one or more instances. However, AWS still recommends that you maintain approximately equivalent numbers of instances in each enabled Availability Zone for higher fault tolerance.

5
Q

By default, how often does an ELB make a health check?

A

Every 5 seconds.

6
Q

Which 3 protocols can an ALB support?

A

HTTP, HTTPS, WebSockets

7
Q

Is there a cost for traffic across AZs when using cross-zone load balancing? Is this applicable to all load balancer types?

A

For ALB and CLB there is no charge.

For an NLB there is.

8
Q

For a public-facing application or classic load balancer serving traffic from the web, what would the security group look like for each of the following?
The ELB public interface
The EC2 instance behind the ELB

A

For ELB Security Group:
Inbound HTTP port 80 source: 0.0.0.0/0
Inbound HTTPS port 443 source: 0.0.0.0/0

For EC2 Security Group:
Inbound HTTP port 80 source: ELB’s Security Group ID

9
Q

There are 6 components of an HTTP request that can be used in an ALB for routing - what are they?

A
You can route on:
Host Header
HTTP Header
Path
Query String
Source IP 
Request Method (GET, POST, PUT etc)
10
Q

Which load balancers have cross-AZ balancing enabled or disabled by default? Are there any costs in cross-zone balancing?

A

NLBs and CLBs have cross-AZ load balancing DISABLED by default.

ALBs can ONLY have cross-AZ balancing enabled. There is no cost for cross-AZ balancing for ALBs and CLBs, but there is for an NLB.

11
Q

Generally, 50x and 40x errors refer to which side of an application stack?

A

50x - Application side

40x - Client Side

12
Q

If your ELB can’t connect to your application instances, what is the simplest likely explanation?

A

A misconfigured security group on the application side is the most likely cause, i.e. we have not allowed inbound HTTP traffic from the ELB’s security group.

13
Q

Where does SSL termination occur in the following chain:
Client -> ELB -> EC2 instance (web server)
For each of the legs, is traffic HTTP or HTTPS?

A

Termination occurs on the ELB. This means traffic between the client and the ELB is HTTPS, and traffic between the ELB and the web server is HTTP. The HTTP traffic is routed over the VPC, so it is private but not encrypted.

14
Q

How many SSL certificates can each load balancer type support? What is the format standard used to define the certificate?

A

ALB: Multiple - 25
NLB: Multiple - 25
CLB: One and only one per balancer
X.509

15
Q

What does SNI allow?

A

SNI allows multiple SSL certificates to be installed on a web server, which allows multiple websites to be hosted on the same server.

16
Q

Which ELBs support SNI? Are ELBs the only thing that can support SNI?

A

NLB and ALB support SNI, as does CloudFront.

17
Q

What is cross zone load balancing?

A

With cross-zone load balancing, each load balancer distributes requests evenly across instances in all enabled Availability Zones. If cross-zone load balancing is disabled, each load balancer distributes requests evenly across the registered instances in its Availability Zone ONLY.

18
Q

What 4 things can an application load balancer use as a target group?

A

EC2
ECS
Lambda
Private IPs

19
Q

We have a load-balanced application talking to 3 instances. Currently we are using an ALB, so the inbound security group for each instance allows traffic into that instance based on the security group of the ALB (ALB_WEB_SG1) on port 80. Our application is meant to integrate with a client’s environment, so it’s been identified that we need a static IP to whitelist the application from the client’s network. What load balancer would we need to use and what other changes will we need to make?

A

We would need a Network Load Balancer, as this is the only one with a static IP (both ALB and CLB have a fixed host name). The issue is that our inbound security group for the instances limits traffic to the ALB_WEB_SG1 group. The NLB doesn’t have a security group AND, as far as the instances are concerned, they will see the ORIGIN IP. This means we need to change the instance security group to accept TCP inbound on port 80 from 0.0.0.0/0.

20
Q

When accessing your site via an ELB, you receive an HTTP 503. What is the potential issue (two)?

A

Either the ELB is at capacity, or there are no registered targets.

21
Q

Which 3 protocols can an NLB support?

A

TCP, TLS, UDP

22
Q

What is the sequence for an SNI call at a high level?

A

During the handshake between the client and the server, the client provides the hostname as part of the negotiation. The ALB or NLB takes the hostname and determines the correct certificate to use for encryption between it and the client (or returns the default).

23
Q

We’ve built a containerized application and we need to load balance across containers - what load balancer is the correct type?

A

Application load balancer via dynamic port mapping

24
Q

Which 3 protocols can a CLB support?

A

HTTP, HTTPS, TCP

25
Q

What is the role of a health check with respect to a Load balancer?

A

They ensure that the instance traffic is being routed to is healthy. HTTP requests return a 200 if healthy.

26
Q

When enabling sticky sessions via a cookie on a classic or an application load balancer, at which level would this be configured?

A

On a classic load balancer, stickiness is configured at the load balancer level. For an application load balancer, stickiness is configured at the target group level.

27
Q

Can you have a private load balancer?

A

Yes, each load balancer has 2 kinds of implementation. Private is an internal load balancer which cannot be accessed via the web. A public ELB can be accessed via the web (i.e. for websites).

28
Q

I have an application with 6 instances spread across 3 AZs. In ap-southeast-2a and ap-southeast-2b I have 2 EC2 instances. In ap-southeast-2c I have one instance. How do I ensure load is balanced evenly across all instances?

A

Cross Zone Load Balancing will ensure traffic is directed evenly across instances in all zones, even if the number of instances per zone differs.

29
Q

You have a host for which you need to support multiple SSL certificates. You only have CLBs available.

A

You would need to instantiate one CLB per SSL certificate.

30
Q

If an NLB is being used in an application architecture, what would an instance sitting behind that balancer see as the originating IP?

A

The origin of the request. NLBs preserve the originating IP, port and protocol. Be careful with this, as the AWS recommendation is that an instance security group needs to allow TCP traffic in from 0.0.0.0/0.

31
Q

If an instance in an ASG becomes unhealthy - by default does the ASG wait for the cooldown period to complete before replacing the unhealthy instance?

A

No

32
Q

An ALB can redirect to different targets based on which of the following (2):

Host Name
Request Path
Client IP

A

Host Name

Request Path

33
Q

You have an architecture consisting of an ASG and an ALB. Health checks are enabled on the ALB. If the ALB reports a failed health check, what action will the ASG take?

A

The ASG will terminate the instance and create a new one.

34
Q

With an ELB, can you load balance across AZs and across regions? If so, how is load distributed?

A

An ELB can balance load across AZs, not across regions. Load will be distributed evenly across AZs, so if you have fewer instances in 1 AZ they will service more load. If you need load distributed evenly across instances, use cross-zone balancing.

35
Q

Can an ASG contain instances from across AZs and/or regions?

A

An ASG can contain instances from multiple AZs but not regions. For an ASG to scale across zones, the zone must be added to your ELB.

36
Q

Can I assign a publicly routable IP address as a target in an ALB?

A

No. You can only route to IPs based on CIDR blocks - 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/10