Assigning Static IP Address to AWS Load Balancer


Solution 1

AWS' Elastic Load Balancer is actually elastic on two levels as described here: http://shlomoswidler.com/2009/07/elastic-in-elastic-load-balancing-elb.html

The first level is the load balancer itself. In order to make sure that ELB can scale to whatever volume you have and burst to whatever volume you suddenly encounter, AWS assigns a 'static' DNS hostname (e.g. MyDomainELB-918273645.us-east-1.elb.amazonaws.com). That hostname points to multiple IP addresses. You can see that (from a command line) by running

$ host MyDomainELB-918273645.us-east-1.elb.amazonaws.com
MyDomainELB-918273645.us-east-1.elb.amazonaws.com has address 172.31.7.2
MyDomainELB-918273645.us-east-1.elb.amazonaws.com has address 172.31.11.33

The second form of elasticity within the ELB is then, obviously, the ELB directing the query to one of your EC2 instances in the pool.

So, you can see that trying to assign a static IP address to the load balancer would be self-defeating.

Using an EC2 instance as a reverse proxy would also seem self-defeating as you would then create a bottleneck before even getting to the ELB. Might as well just create your own load balancer.

The recommended solution (which you've pointed out) is to create a CNAME that points to the ELB hostname (which won't change).

i.e. my-app.mycompany.com -> MyDomainELB-918273645.us-east-1.elb.amazonaws.com

This would allow you to integrate your scalable application, behind the ELB within your domain.

I'm not sure I fully understand why you cannot create a CNAME in your DNS or what that has to do with directing email traffic, can you explain?
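The thread keeps circling the same DNS constraint: a CNAME cannot share a name with any other record, so it cannot sit at the zone apex next to the MX records that deliver mail, while a literal A record copied from a lookup of the ELB hostname goes stale as the ELB's addresses change. The following is an added example, not code from the answer above, that checks a proposed record set against those rules; the zone, the mail host and the record layouts are constructed, and Route 53 Alias records are modelled as type A with an alias flag.

```python
"""Check a DNS plan for fronting an AWS load balancer (added example, not from the thread).

It encodes the rules the discussion keeps tripping over:
  * a CNAME cannot coexist with any other record at the same name (RFC 1034 s3.6.2),
    so the zone apex, which also carries SOA, NS and the MX records for mail,
    can never be a CNAME;
  * ELB addresses change, so a literal A record copied from a lookup will go stale;
  * the apex can still reach the ELB through a Route 53 Alias A record.
All names, records and the mail host are constructed for the example.
"""
from collections import defaultdict

APEX = "example.com"
ELB = "MyDomainELB-918273645.us-east-1.elb.amazonaws.com"   # hostname used in the answer


def validate_zone(apex, records, elb_hostname, fronting_names):
    """Return a list of problems; an empty list means the plan is sound.

    records: dicts with keys name, type, value and an optional alias=True flag
    (Route 53 Alias records are modelled as type A with alias=True).
    fronting_names: the names that are supposed to deliver web traffic to the ELB.
    """
    problems = []
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["name"]].append(rec)

    for name, rrs in by_name.items():
        types = {r["type"] for r in rrs}
        if "CNAME" in types and len(rrs) > 1:
            problems.append(f"{name}: CNAME cannot coexist with {sorted(types - {'CNAME'})}")
        if name == apex and "CNAME" in types:
            problems.append(f"{name}: apex cannot be a CNAME; use an Alias A record instead")

    for name in fronting_names:
        reaches_elb = False
        for r in by_name.get(name, []):
            if r["type"] == "CNAME" and r["value"] == elb_hostname:
                reaches_elb = True
            elif r["type"] == "A" and r.get("alias") and r["value"] == elb_hostname:
                reaches_elb = True
            elif r["type"] == "A" and not r.get("alias"):
                problems.append(f"{name}: literal A {r['value']} will go stale; ELB addresses change")
        if not reaches_elb:
            problems.append(f"{name}: no CNAME or Alias A record pointing at {elb_hostname}")
    return problems


# The asker's first attempt: CNAME at the apex next to the mail records, plus an
# A record copied from 'host' output.
BAD_PLAN = [
    {"name": APEX, "type": "CNAME", "value": ELB},
    {"name": APEX, "type": "MX", "value": "10 mail.example.net"},
    {"name": "www.example.com", "type": "A", "value": "172.31.7.2"},
]

# The working layout: Alias A at the apex (coexists with MX), CNAME for www.
GOOD_PLAN = [
    {"name": APEX, "type": "A", "value": ELB, "alias": True},
    {"name": APEX, "type": "MX", "value": "10 mail.example.net"},
    {"name": "www.example.com", "type": "CNAME", "value": ELB},
]

if __name__ == "__main__":
    for label, plan in (("bad", BAD_PLAN), ("good", GOOD_PLAN)):
        print(label, validate_zone(APEX, plan, ELB, [APEX, "www.example.com"]) or "OK")
```

Run it on the two plans: the bad one reports the CNAME/MX clash at the apex and the stale literal address for www, the good one passes. Providers that do not offer Alias (or ALIAS/ANAME) records at the apex leave only the redirect trick mentioned in the comments, because an apex CNAME is not a valid zone whatever the control panel lets you type.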

Solution 2

A new feature in AWS (I believe it was announced at Re:Invent 2017) allows for static IPs with Network Load Balancers (NLB). NLB can only handle layer 4 (TCP) and not HTTP specifics (layer 7).

You can assign one Elastic IP address per availability zone.

For details see the AWS blog post or the NLB documentation.

The "Classic Load Balancer" and "Application Load Balancer" do not support static IPs. If you need a feature only provided by those, you have to fall back to the CNAME solution described above.

Solution 3

A blog post was recently published by AWS support on this topic, leveraging an NLB to provide static IPs for Classic and Application Load Balancers - https://aws.amazon.com/blogs/networking-and-content-delivery/using-static-ip-addresses-for-application-load-balancers/

Summary of the solution as described by the post:

We end up with a TCP listener on an NLB that accepts traffic and forwards it to an internal ALB. The ALB terminates TLS, examines HTTP headers, and routes requests based on your configured rules to target groups with your instances, servers, or containers. The AWS Lambda function keeps everything in sync by watching the ALB for IP address changes and updating the NLB target group. In the end we'll have a few static IP addresses that are easy for whitelisting, and we won't lose any of the benefits of ALB. Note that we will be sending all of the traffic through two load balancers.
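The moving part in that design is the Lambda function that keeps the NLB's IP target group equal to whatever addresses the internal ALB currently resolves to. Below is an added example of that sync step; it is not the code from the AWS blog post. The diff logic is pure and runs offline, the ELBv2 calls it makes (describe_target_health, register_targets, deregister_targets) are the real boto3 method names, and the environment variable names are assumptions.

```python
"""Sync step for the NLB -> ALB pattern: keep the NLB's IP target group equal to the
set of addresses the internal ALB currently resolves to.

Added example; it is not the Lambda code from the AWS blog post. The diff logic is
pure and runs offline; sync_target_group() uses the real ELBv2 API calls
(describe_target_health, register_targets, deregister_targets) through whatever
client object it is handed. The environment variable names are assumptions.
"""
import os
import socket


def resolve_ipv4(hostname, resolver=None):
    """Return the set of IPv4 addresses the hostname resolves to right now."""
    if resolver is None:
        def resolver(h):
            return [ai[4][0] for ai in socket.getaddrinfo(h, None, socket.AF_INET)]
    return set(resolver(hostname))


def plan_sync(current_targets, resolved_ips):
    """Return (to_register, to_deregister) so the target group matches DNS.

    An empty DNS answer is treated as a lookup failure: nothing is deregistered,
    so a resolver hiccup cannot empty the target group and black-hole traffic.
    """
    current, wanted = set(current_targets), set(resolved_ips)
    if not wanted:
        return set(), set()
    return wanted - current, current - wanted


def sync_target_group(elbv2, target_group_arn, alb_dns_name, port=443, resolver=None):
    """One invocation: diff DNS against registered targets and apply the change."""
    health = elbv2.describe_target_health(TargetGroupArn=target_group_arn)
    current = {d["Target"]["Id"] for d in health["TargetHealthDescriptions"]}
    add, remove = plan_sync(current, resolve_ipv4(alb_dns_name, resolver))
    if add:  # register first so capacity never drops during the swap
        elbv2.register_targets(TargetGroupArn=target_group_arn,
                               Targets=[{"Id": ip, "Port": port} for ip in sorted(add)])
    if remove:
        elbv2.deregister_targets(TargetGroupArn=target_group_arn,
                                 Targets=[{"Id": ip, "Port": port} for ip in sorted(remove)])
    return add, remove


def handler(event, context):
    """Lambda entry point (run on a schedule). boto3 is imported here so the
    module stays importable and testable without the AWS SDK."""
    import boto3  # available in the Lambda runtime
    add, remove = sync_target_group(
        boto3.client("elbv2"),
        os.environ["TARGET_GROUP_ARN"],   # assumed env var: NLB IP-type target group
        os.environ["ALB_DNS_NAME"],       # assumed env var: internal ALB hostname
    )
    return {"registered": sorted(add), "deregistered": sorted(remove)}
```

Two things to check before deploying something like this: the NLB target group must be of target type ip (the ALB's private addresses are what get registered), and the function's IAM role should be allowed only those three elasticloadbalancing actions, scoped to that one target group ARN, so a compromised function cannot repoint any other load balancer in the account.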

Solution 4

I found setting up AWS Global Accelerator very straightforward and simple. It created 2 static IP addresses and a static DNS name pointing to my Application Load Balancer.

Configuring Global Accelerator

  1. Set listeners to TCP ports 80 and 443

  2. Select your load balancer endpoint (AWS Global Accelerator Configuration)

  3. Add a CNAME record for your DNS pointing to the static DNS name it created (mywebsite.com > globalacceleratorDNS.com). If any client needs to whitelist, give them the 2 static IPs it created

Pricing is $18 per month + a few pennies per GB of data transfer. I'm pretty sure it's cheaper than the NLB, NAT Gateway, Elastic IP setup.

https://docs.aws.amazon.com/global-accelerator/latest/dg/about-accelerators.html
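Whether the accelerator (or an NLB) is actually in the path is something you can verify from the outside: the name you hand customers should only ever resolve to the static addresses you told them to allowlist, and a CNAME that points at the ALB directly instead yields the drifting address set Solution 1 shows. This added example, not code from the answer, resolves a name repeatedly and reports anything outside the allowlist; the resolver is injectable so it runs offline, and the addresses are constructed from the TEST-NET ranges.

```python
"""Audit what a client will actually be handed for a hostname against the IP
allowlist you gave them (added example, not from the answer).

Resolves the name several times and reports any address outside the allowlist.
A name that CNAMEs to a Global Accelerator should only ever yield its two static
addresses; one that CNAMEs straight to the ALB yields a changing set. The
resolver can be injected so the check runs offline; the addresses below are
constructed (TEST-NET ranges).
"""
import ipaddress
import socket


def resolve_ipv4(hostname, resolver=None):
    """Return the IPv4 answers for hostname, de-duplicated and sorted."""
    if resolver is None:
        def resolver(h):
            return sorted({ai[4][0] for ai in socket.getaddrinfo(h, None, socket.AF_INET)})
    return resolver(hostname)


def audit_allowlist(hostname, allowlist, resolver=None, rounds=5):
    """Resolve `hostname` `rounds` times; return seen addresses and any not allowed.

    allowlist entries may be single addresses or CIDR blocks.
    """
    allowed = [ipaddress.ip_network(entry) for entry in allowlist]
    seen, unexpected = set(), set()
    for _ in range(rounds):
        for ip in resolve_ipv4(hostname, resolver):
            seen.add(ip)
            if not any(ipaddress.ip_address(ip) in net for net in allowed):
                unexpected.add(ip)
    return {"seen": seen, "unexpected": unexpected, "ok": not unexpected}


def rotating_resolver(answer_sets):
    """Constructed stand-in for a name whose answers differ between lookups,
    the behaviour Solution 1 shows for a raw ELB hostname."""
    state = {"i": 0}

    def resolve(_hostname):
        answers = answer_sets[state["i"] % len(answer_sets)]
        state["i"] += 1
        return answers
    return resolve


# Constructed scenario 1: the accelerator's two static IPs, which the customer allowlisted.
ACCELERATOR_IPS = ["198.51.100.10", "198.51.100.20"]
VIA_ACCELERATOR = rotating_resolver([ACCELERATOR_IPS])

# Constructed scenario 2: the CNAME points at the ALB directly. The allowlist was
# copied from a single lookup, and the next lookup already disagrees with it.
ALB_SNAPSHOT = ["203.0.113.5", "203.0.113.6"]
DIRECT_TO_ALB = rotating_resolver([ALB_SNAPSHOT, ["203.0.113.7", "203.0.113.6"]])

if __name__ == "__main__":
    print(audit_allowlist("www.example.com", ACCELERATOR_IPS, VIA_ACCELERATOR))
    print(audit_allowlist("www.example.com", ALB_SNAPSHOT, DIRECT_TO_ALB))
```

Run against the real name from a few networks (and over a few minutes) before sending a customer the allowlist; the second scenario is exactly what the comment exchange at the end of the page describes, where a CNAME aimed at the ALB bypasses the accelerator and the "static" IP is no longer static.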

Solution 5

For low traffic, it might be a solution to set up an EC2 instance running Nginx as a forwarding proxy.

So you can use the EC2 instance's static IP address to forward your traffic, resolving the ALB's DNS name.

However, it's kind of a hack; but using a Global Accelerator or an NLB also seems like a hack to me :-)
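The Nginx variant has a pitfall that one of the comments below touches on: a hostname written literally in proxy_pass is resolved once, when the configuration is loaded, so the proxy keeps sending to whatever addresses the ALB had at startup and breaks silently when they rotate. Putting the upstream in a variable and declaring a resolver makes Nginx re-resolve it at run time. The following is an added example, not from the answer: a small linter over two constructed Nginx configs, the weak one and the corrected one. The ALB hostname is made up, and 169.254.169.253 is the Amazon-provided VPC resolver.

```python
"""Lint an nginx reverse-proxy config for the stale-upstream pitfall.

Added example (not from the answer). nginx resolves a hostname written literally
in proxy_pass once, at configuration load, so a proxy in front of an ALB keeps
sending to the addresses the ALB had at startup. With the hostname in a variable
and a 'resolver' directive present, nginx re-resolves it at run time (honouring
the TTL, or the 'valid=' override). The configs and ALB hostname are constructed.
"""
import re

PROXY_PASS_RE = re.compile(r"^\s*proxy_pass\s+(\S+?);", re.M)
RESOLVER_RE = re.compile(r"^\s*resolver\s+[^;]+;", re.M)
SET_RE = re.compile(r"^\s*set\s+(\$\w+)\s+\"?([^\";]+)\"?;", re.M)


def lint_upstreams(config):
    """Return a list of problems with the proxy_pass targets in `config`."""
    problems = []
    has_resolver = bool(RESOLVER_RE.search(config))
    variables = dict(SET_RE.findall(config))
    for target in PROXY_PASS_RE.findall(config):
        match = re.match(r"(?:https?://)?(\$?[\w.-]+)", target)  # drop scheme and port
        host = match.group(1) if match else target
        if host.startswith("$"):
            if host not in variables:
                problems.append(f"{target}: variable is never set")
            if not has_resolver:
                problems.append(f"{target}: variable upstream but no 'resolver' directive")
        elif re.search(r"[A-Za-z]", host):  # a hostname, not an IP literal
            problems.append(f"{target}: literal hostname is resolved once at startup")
    return problems


# Weak: the ALB hostname is baked in and resolved only when nginx starts.
WEAK_CONF = """
server {
    listen 443 ssl;
    location / {
        proxy_pass https://my-alb-1234567890.us-east-1.elb.amazonaws.com;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
"""

# Fixed: variable upstream plus the VPC resolver, re-resolved every 30 seconds.
FIXED_CONF = """
server {
    listen 443 ssl;
    resolver 169.254.169.253 valid=30s;
    set $alb "https://my-alb-1234567890.us-east-1.elb.amazonaws.com";
    location / {
        proxy_pass $alb;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
"""

if __name__ == "__main__":
    print("weak:", lint_upstreams(WEAK_CONF))
    print("fixed:", lint_upstreams(FIXED_CONF) or "OK")
```

Beyond staleness, remember that this single instance is now both the bottleneck Solution 1 warns about and the only thing the client sees, so the ALB only learns the client address if the proxy sets X-Forwarded-For as above and the application trusts that header only from the proxy's address.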

Author: Narayan Prusty

I am a software developer mainly focusing on JavaScript, Blockchain, DevOps and Serverless. Currently working on making everything decentralized.

Updated on July 09, 2022

Comments

  • Narayan Prusty
    Narayan Prusty almost 2 years

    How can I assign a static IP address to an ELB? Seems like I cannot.

    Some articles online ask to create a Route 53 record, but this requires changing the CNAME of the domain, which also redirects email traffic. I just want to change the A record, not the CNAME.

    Some articles also mention that I can use an EC2 instance as a reverse proxy. But will a single proxy be able to handle a lot of traffic?

    Any solution for this?

    • Patrick
      Patrick over 6 years
      AWS has announced a Network Load Balancer that supports assigning static IPs (EIPs). It operates at the TCP level, so you won't be able to use layer 7 features like ELB stickiness or SSL termination
    • eco
      eco over 5 years
      Please see the response below. The problem is you need to change paradigms. AWS is not a data center and it shouldn't be treated like one; you have to change the way you look at it in order to know its limitations and WHY they're there. They usually bend to customers' will, and have with the NLB, but the idea of the cloud is to be as flexible and decoupled as you can.
  • Narayan Prusty
    Narayan Prusty over 8 years
    If I change the CNAME then my email traffic also directs to AWS. I don't want that. My domain name is registered at 1and1. If I change the CNAME then my 1and1 mail is not working. Please help
  • Brooks
    Brooks over 8 years
    You can't simply ADD a CNAME? You only get 1 CNAME? That's not why it's called 1and1, is it?
  • Narayan Prusty
    Narayan Prusty over 8 years
    CNAME is only for subdomains. What about the main domain? How can I point example.com to a load balancer?
  • Brooks
    Brooks over 8 years
    Well, I am not a DNS guru, but if I am not mistaken, the 'www' from www.example.com is a CNAME, so you could simply point 'www' to the ELB. If 1and1 allows a small webhosting package, you could then write a simple html page to forward visitors to from example.com to example.com, thus sending them to your ELB.
  • Brooks
    Brooks over 8 years
    Also, if I'm not mistaken, MX records are for email routing. Can't you use your MX records to direct email completely independent of where your domain points? For example, I have my domain parked, so the root domain doesn't actually bring you anywhere, but I have multiple CNAME's and my MX records which then point to a completely separate, 3rd party email hosting provider (Zoho). Again, I'm not a DNS expert, but I feel like this is an easily solved problem...
  • sigi
    sigi over 6 years
    Just to be clear: It does make sense to have elastic IP addresses on a load balancer. It also can make sense to only have one static IP address on a load balancer. AWS doesn't support it, but they could, in theory, add a feature where you would add a group of IP addresses to your load balancer.
  • Brooks
    Brooks over 6 years
    Perhaps, but for what purpose? What value (other than converting a static host name into a static ip) would it serve to point an EIP to an ELB?
  • nelsonenzo
    nelsonenzo about 6 years
    You can also use an A record with type "Alias" to point to an ELB. This works for example.com and subdomain.example.com. For those curious, a static IP on an NLB is possible. It's useful for services which do not do a DNS lookup on each query, but only do the DNS lookup once at startup or first usage, or for something like an nginx proxy, which, once a connection is lost, never re-examines the IP.
  • eco
    eco over 5 years
    This is what happens when people think the Cloud is nothing but an externally managed data center with direct-to-metal hardware... Using the right tool for the right job is where it's at.
  • squiddle
    squiddle over 5 years
    The downside of this solution is that you lose direct access to the client IP address
  • Franck
    Franck about 5 years
    @squiddle: NLB can be configured to use Proxy Protocol, which sends the client IP address to the target ([doc](docs.aws.amazon.com/elasticloadbalancing/latest/network/…)). But the destination needs to be able to read it, like Apache mod_remoteip. Not sure that AWS ALB can read it. Other news is that NLB can now do TLS termination but let the destination receive the client IP ([blog](aws.amazon.com/blogs/aws/…)).
  • dz902
    dz902 about 5 years
    NLB does allow static IP address, so static IP is not connected to ELB elasticity (i.e. "first level"). Right?
  • Hieu Le
    Hieu Le over 3 years
    @Brooks I have a question here. Whenever we stop/start a load balancer, it will create a new hostname, so if we point the CNAME to the load balancer's hostname, do we have to keep updating it all the time?
  • Brooks
    Brooks over 3 years
    @HieuLe Its been a while since I’ve worked with ELB, so I can’t say for sure but I doubt it. You point the CNAME to the load balancer itself, not the host and.
  • Tarun Gupta
    Tarun Gupta over 3 years
    Does it carry the client IP to the application ?
  • C Rudolph
    C Rudolph over 3 years
    I honestly do not know my apologies, we do not use IP data in our application
  • CᴴᴀZ
    CᴴᴀZ over 3 years
    @CRudolph In step #3, you are adding CNAME record to point to GlobalAccelerator's DNS. Why not point CNAME record directly to ELB DNS?
  • C Rudolph
    C Rudolph over 3 years
    Chaz, if you do that any requests to mywebsite.com will bypass global accelerator. That means that the IP for mywebsite.com would not be the static IP