Sunday, February 26, 2017

amazon elb - What's the options if you must provide a static IP endpoint for your service behind AWS ELB?



I have a web service with a few EC2 servers behind an AWS ELB. As I understand it, there is no way an ELB endpoint can have a static IP, because it is a DNS-based load balancing solution, and that is a design decision made by the ELB team.



However, one of the 3rd party partners that we integrated with requires the IP of our servers due to their internal infrastructure limits (ya, I know).



After some research, I plan to prepare an SSL pass-through reverse proxy behind a static IP and pass requests to our ELB endpoint. This server will only be used by that client. I will probably use HAProxy because the proxy server needs to resolve the IP of the ELB dynamically.



Pros:

  • No changes to the infrastructure behind the AWS ELB.
  • No additional SSL certificate required.



Cons:

  • Introduces a single point of failure, but it only affects that client.
  • The client needs to assign the IP to our domain name themselves, or we set up another domain name pointing to this server.
  • No previous experience setting up such a reverse proxy.



This is the only way I came up with without changing our infrastructure. I would like to hear your input: what would you do if you were in this situation?


Answer



In the end, I went with the TCP SSL pass-through reverse proxy solution. Here is my HAProxy config:



global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    option tcplog
    # per-connection log line: client, frontend, backend/server/server IP, timers, bytes, state
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s/%si\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
    log global

# resolver used to re-resolve the ELB hostname at runtime; the nameserver
# directive takes an address:port pair, so port 53 is given explicitly
resolvers dns
    nameserver google 8.8.8.8:53

# pass port 80 requests to the AWS ELB
listen http-proxy
    bind *:80
    mode tcp
    server elb my.elb.amazonaws.com:80 check resolvers dns

# pass port 443 requests to the AWS ELB (TCP mode: the TLS session is passed through untouched)
listen https-proxy
    bind *:443
    mode tcp
    server elb my.elb.amazonaws.com:443 check resolvers dns



Some explanation:

  • The proxy listens for connections on ports 80 and 443, then passes them to the ELB endpoint.
  • HAProxy will resolve the IP dynamically with the DNS server I specify.
  • Use TCP mode so there is no need to create an extra SSL certificate for the proxy.




I did some tests and it works well.



However, I did notice a downside (or I just didn't know how to solve it):

  • Unable to put the real client IP into an HTTP header because it is in TCP mode.



This may cause problems if you want to allow only certain IPs to access certain services.
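The downside noted in the answer, losing the real client address once the proxy runs in TCP mode, is what the PROXY protocol exists for: HAProxy can prepend a one-line header to each forwarded connection (the `send-proxy` keyword on the `server` line), the ELB's TCP listener forwards those bytes unchanged, and the backend strips the header before handing the rest to its TLS stack (nginx, for instance, accepts it via the `proxy_protocol` parameter on `listen`). The block below is an added example, not part of the original answer and not HAProxy's own code: it builds the header the proxy box would emit and shows the backend-side parsing plus the IP allow-list check the answer mentions, using a constructed client address from TEST-NET-3 (203.0.113.0/24). Before enabling this, check the rest of the ELB's traffic: the backend will then expect a header on every connection, and AWS documents that turning on the ELB's own ProxyProtocol policy behind a proxy that already sends one results in two headers.

```python
import ipaddress

# PROXY protocol v1 (the text form HAProxy's "send-proxy" emits):
#   "PROXY" SP <TCP4|TCP6|UNKNOWN> SP <src ip> SP <dst ip> SP <src port> SP <dst port> CRLF
# The spec limits the whole line, CRLF included, to 107 bytes, so a backend
# never has to read further than that to decide whether a header is present.
MAX_V1_LEN = 107


class ProxyHeaderError(ValueError):
    """Raised when the start of the stream is not a well-formed PROXY v1 header."""


def build_proxy_v1(src_ip, dst_ip, src_port, dst_port):
    """Build the header the proxy box would prepend to the TCP stream.

    This mirrors what HAProxy sends for a server line carrying 'send-proxy';
    it is reimplemented here only so the parser below can be exercised offline.
    """
    fam = "TCP6" if ipaddress.ip_address(src_ip).version == 6 else "TCP4"
    return f"PROXY {fam} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def parse_proxy_v1(data):
    """Split a PROXY v1 header off the front of the bytes received on a socket.

    Returns (client_ip, client_port, dst_ip, dst_port, payload). For the
    'UNKNOWN' family the address fields are None and the payload is still
    returned, as the spec requires. Anything malformed raises ProxyHeaderError
    so the connection can be dropped instead of trusted.
    """
    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("stream does not start with a PROXY v1 header")
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    payload = data[end + 2:]
    fields = data[:end].decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":
        # The proxy could not determine the original addresses; the spec says
        # to ignore the rest of the line and carry on with the payload.
        return None, None, None, None, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError(f"bad header line: {fields!r}")
    _, family, src, dst, sport, dport = fields
    try:
        src_addr, dst_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        src_port, dst_port = int(sport), int(dport)
    except ValueError as exc:
        raise ProxyHeaderError(f"unparseable address or port: {exc}") from exc
    want_version = 4 if family == "TCP4" else 6
    if src_addr.version != want_version or dst_addr.version != want_version:
        raise ProxyHeaderError("address family does not match the addresses")
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ProxyHeaderError(f"port out of range: {port}")
    return str(src_addr), src_port, str(dst_addr), dst_port, payload


def client_allowed(data, allowed_networks):
    """Allow-list check on the real client address recovered from the header.

    Returns False for UNKNOWN headers and for malformed ones: when the
    client address cannot be established, fail closed.
    """
    try:
        client_ip, _, _, _, _ = parse_proxy_v1(data)
    except ProxyHeaderError:
        return False
    if client_ip is None:
        return False
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in allowed_networks)


if __name__ == "__main__":
    # Constructed sample: the first bytes of a TLS ClientHello (record type 0x16,
    # version 3.1) arriving behind a header for client 203.0.113.7 (TEST-NET-3).
    sample = build_proxy_v1("203.0.113.7", "10.0.1.5", 56324, 443) + b"\x16\x03\x01\x00\x05hello"
    print(parse_proxy_v1(sample))
    print(client_allowed(sample, ["203.0.113.0/24"]))
```

The parser fails closed on purpose: a header that does not parse, or one whose proxy reports `UNKNOWN`, yields no trusted client address, so an allow-list built on it denies rather than falling back to the proxy's own IP. Whatever does the TLS termination must consume the header before the handshake, because in pass-through mode the bytes after the CRLF are the raw TLS record.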

