Does AWS Application Load Balancer scan listening ports on the EC2 web servers?

We plan to have an Application Load Balancer (ALB) and a number of EC2 web servers behind it. All web servers listen on port 443 for HTTPS. On top of this, each web server listens on a different port for HTTPS.

For example:

  • Instance 1 listens on 443 & 8001
  • Instance 2 listens on 443 & 8002
  • Instance 3 listens on 443 & 8003

The number of servers is decided by the auto scaling group, and the port (8001, 8002, 8003, 8004, etc.) each server gets is dynamically allocated after the server boots up, by consulting a third arbitrator.

The desired behaviour of the ALB is:

  • When a client requests "www.mysite.com", the ALB forwards this request to one of the instances randomly or round-robin or using any other standard load-balancing algorithm.
  • When a client requests "www.mysite.com:8001", the request is ALWAYS forwarded to instance 1.
  • When a client requests "www.mysite.com:8002", the request is ALWAYS forwarded to instance 2.
  • When a client requests "www.mysite.com:8003", the request is ALWAYS forwarded to instance 3.

MY QUESTION IS:

Is ALB currently doing this by default, or do we need some kind of special configuration, or do we need a different kind of ALB?

This system is currently hosted in Azure and Azure load balancer readily does that. Now I need to replicate it in AWS.
Solution 1:

You can have many different Target Groups attached to a single ALB.

For example:

  • Listener on ALB port 443 will route to TG443 that includes all the 3 instances and forwards to their port 443
  • Listener on ALB port 8001 will route to TG8001 that only includes instance 1 and will forward to its port 8001
  • ditto for 8002 and 8003

Hope that helps :)

Solution 2:

ALB won't do this by default the moment you create it. You can have a Target Group for all three instances set up for port 443/tcp initially, and then you can set up additional TGs for each individual instance and create forwarding rules for each specific port/instance (TG) pair.

You'll end up with the same ALB endpoint (URL) for all, and you'll get the exact response for the different ports.

Also, the target groups will do a health check on the selected port.
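The listener-to-target-group layout that Solutions 1 and 2 describe, written out as a Terraform configuration. This is an added example, not code from either answer or from AWS: it assumes placeholder variables (`vpc_id`, `subnet_ids`, an ACM `certificate_arn` for the HTTPS listeners, and a constructed `instances` map with placeholder instance IDs), and an assumed `/healthz` path for the health checks. It also adds the two security groups a practitioner would want: the ALB accepts 443 and 8001-8003 from clients, while the web servers accept those ports only from the ALB's security group, so the per-instance ports are never reachable except through the load balancer.

```hcl
# Added example: one ALB, a shared 443 listener, and one listener + target
# group per instance port. All variable values below are placeholders.
variable "vpc_id"          { type = string }
variable "subnet_ids"      { type = list(string) }
variable "certificate_arn" { type = string } # ACM cert used by every HTTPS listener

# Constructed sample: the three instances and the ports they were assigned.
variable "instances" {
  type = map(object({ id = string, port = number }))
  default = {
    instance1 = { id = "i-0placeholder1", port = 8001 }
    instance2 = { id = "i-0placeholder2", port = 8002 }
    instance3 = { id = "i-0placeholder3", port = 8003 }
  }
}

# ALB security group: only the ports clients are meant to reach.
resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = var.vpc_id
  ingress { from_port = 443,  to_port = 443,  protocol = "tcp", cidr_blocks = ["0.0.0.0/0"] }
  ingress { from_port = 8001, to_port = 8003, protocol = "tcp", cidr_blocks = ["0.0.0.0/0"] }
  egress  { from_port = 0,    to_port = 0,    protocol = "-1",  cidr_blocks = ["0.0.0.0/0"] }
}

# Web-server security group: accept 443 and the per-instance ports only from the ALB.
resource "aws_security_group" "web" {
  name   = "web-sg"
  vpc_id = var.vpc_id
  ingress { from_port = 443,  to_port = 443,  protocol = "tcp", security_groups = [aws_security_group.alb.id] }
  ingress { from_port = 8001, to_port = 8003, protocol = "tcp", security_groups = [aws_security_group.alb.id] }
}

resource "aws_lb" "this" {
  name               = "web-alb"
  load_balancer_type = "application"
  subnets            = var.subnet_ids
  security_groups    = [aws_security_group.alb.id]
}

# Shared target group: every instance on 443, health-checked on 443 (TG443).
resource "aws_lb_target_group" "tg443" {
  name     = "tg443"
  port     = 443
  protocol = "HTTPS"
  vpc_id   = var.vpc_id
  health_check { protocol = "HTTPS", path = "/healthz" } # assumed health endpoint
}

resource "aws_lb_target_group_attachment" "tg443" {
  for_each         = var.instances
  target_group_arn = aws_lb_target_group.tg443.arn
  target_id        = each.value.id
  port             = 443
}

# ALB port 443 -> TG443 (standard load balancing across all instances).
resource "aws_lb_listener" "https443" {
  load_balancer_arn = aws_lb.this.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.certificate_arn
  default_action { type = "forward", target_group_arn = aws_lb_target_group.tg443.arn }
}

# Per-instance target groups (TG8001, TG8002, TG8003), each containing exactly
# one instance and health-checked on that instance's own port.
resource "aws_lb_target_group" "per_instance" {
  for_each = var.instances
  name     = "tg${each.value.port}"
  port     = each.value.port
  protocol = "HTTPS"
  vpc_id   = var.vpc_id
  health_check { protocol = "HTTPS", path = "/healthz" }
}

resource "aws_lb_target_group_attachment" "per_instance" {
  for_each         = var.instances
  target_group_arn = aws_lb_target_group.per_instance[each.key].arn
  target_id        = each.value.id
  port             = each.value.port
}

# ALB port N -> TGN -> instance N port N, so :8001 always reaches instance 1.
resource "aws_lb_listener" "per_instance" {
  for_each          = var.instances
  load_balancer_arn = aws_lb.this.arn
  port              = each.value.port
  protocol          = "HTTPS"
  certificate_arn   = var.certificate_arn
  default_action { type = "forward", target_group_arn = aws_lb_target_group.per_instance[each.key].arn }
}
```

Two caveats worth checking before relying on this. First, the `instances` map is static here; because the question's ports are assigned after boot by an arbitrator inside an auto scaling group, the real deployment would have each instance register itself into its own target group after it learns its port (for example with `aws elbv2 register-targets` from user data), and the listener for that port must already exist on the ALB. Second, the ALB only listens on ports you configure; it does not probe the instances to discover them, so a port that has a listening process on an instance but no matching listener and security-group rule is simply unreachable from outside, which is the safe default. The health check on each single-instance target group means a misbehaving instance takes its own port out of service rather than the whole site.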