AWS Pass traffic from NLB to an ALB?

amazon-web-services load-balancing nlb
15,786

Solution 1

As of 27th September 2021, AWS launched Application Load Balancer(ALB)-type target groups for Network Load Balancer (NLB). With this launch, you can register ALB as a target of NLB to forward traffic from NLB to ALB without needing to actively manage ALB IP address changes through Lambda.

Solution 2

September 2021 Update: AWS has announced the native availability of ALB Target Groups for NLBs. This not only reduces the complexity of needing a Lambda-based workaround but also removes the limitation concerning client IP preservation. ALBs targeted in this fashion will provide the X-Forwarded-For header containing the external IP address originally invoking the NLB.

It is possible, but it's slightly messy.

The problem is that Application Load Balancers can scale up, out, in, and/or down, and in each case the internal IP addresses of the balancers can change... but NLB requires static addresses for its targets.

So, at a low level, this means the NLB target group must be modified every time the IPs of the ALB change.

AWS has published an official solution for accomplishing this, using a Lambda function on a schedule to capture the addresses of the ALB and update the NLB configuration whenever the results change.

https://aws.amazon.com/blogs/networking-and-content-delivery/using-static-ip-addresses-for-application-load-balancers/

One notable limitation, here, is that this solution does not allow you to identify the client IP address. It is lost when the traffic goes through the NLB, because NLBs only preserve the source IP when the target is an instance (not an IP address) or when the target understands the Proxy protocol on the client side and the feature is enabled on the NLB, but ALB doesn't support such a configuration. With the setup shown at the link, above, the rightmost address in X-Forwarded-For will be set by the ALB to the internal address of the NLB.

Solution 3

This is correct. Your app server behind the ALB (or the ALB itself) will always see the source IP as that of the NLB.

As a workaround that works for some use cases you can enforce HTTPS and configure access logs on the NLB. Then the access logs will have the original source IP.

In case this was not clear, what I mean is:

  • make sure to enable access logs on your NLB
  • make sure to configure your NLB listener to use TLS

There are some additional complications if you want to accept plain HTTP and issue redirects to HTTPS. In that case you would have 2 listeners and 2 target groups, so you need to either spin up 2 copies of the Lambda to monitor (and eventually update) both target groups or you need to modify the Lambda code (which is what I did).

In addition IMO the code in that example is far from production ready (especially for scale - if you have many instances of this setup), so I had to practically rewrite it.

Relevant excerpts from CloudFormation template are below:

  NLB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      IpAddressType: ipv4
      Scheme: internet-facing
      Type: network
      LoadBalancerAttributes:
        - Key: load_balancing.cross_zone.enabled
          Value: 'true'
        - Key: access_logs.s3.enabled
          Value: 'true'
        # make sure the bucket policy grants access -  https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html
        - Key: access_logs.s3.bucket
          Value: !Ref S3BucketForNLBAccessLogs
        - Key: access_logs.s3.prefix
          Value: !Sub 'raw/${AppInstance}'

  nlbHTTPSListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Certificates:
        - CertificateArn: !Ref FrontEndSSLCertificateArn
      LoadBalancerArn: !Ref NLB
      Port: 443
      Protocol: TLS
      DefaultActions:
        - Type: 'forward'
          TargetGroupArn: !Ref nlbHTTPSTargetGroup
Share:
15,786
Broshi
Author by

Broshi

Updated on June 21, 2022

Comments

  • Broshi
    Broshi almost 2 years

    I am trying to pass incoming traffic from amazon's Network Load Balancer to Application Load Balancer, I am using NLB since it has an Elastic IP attachment and I want it to serve as a proxy for the ALB. is that even possible?

  • user1020455
    user1020455 over 4 years
    Makes sure to change target type of NLB target group as ip, default one is instance.
  • Jason Floyd
    Jason Floyd over 3 years
    Is there a solution that provides the static IPs of the NLB in the amazon solution, but still allows x-forwarded-for to contain the actual client IP?
  • Michael - sqlbot
    Michael - sqlbot over 3 years
    @JasonFloyd a much better way to get a static IP on an ALB is to use Global Accelerator. serverfault.com/a/947656/153161
  • Jason Floyd
    Jason Floyd over 3 years
    Thanks, that's exactly what AWS Support had me do.
  • TrieuNomad
    TrieuNomad over 2 years
    Can you show us how we can register an ALB-type target group for NLB? I tried creating a new ALB, but it's unclear how to forward the NLB to the ALB on the AWS console. The links provided don't show us how to do it either.
  • Xesina
    Xesina over 2 years

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

aws load balancer with no health check? or make it work with non-200 response?
AWS Elastic Load Balancer and target group health check fail for no apparent reason
RapidSSL: domain name does not match the certificate common name or SAN
Scaling Multiple SSL Domains on Multiple EC2 instances in AWS ELB
Is it possible to run HAProxy load balancer on Windows Server 2012 R2 Base for production?
EC2 Failing Load Balancer Health Check
NLB RPC server is unavailable on the specified computer
Reverse Proxy Server Cloud Architecture (AWS + nginx)
AWS ELB - select at least two Subnets in different Availability Zones - doesn't seem to be required
AWS ALB/NLB HTTPS Target with Self-Signed Cert