The Application Load Balancer distributes incoming HTTP and HTTPS traffic across multiple targets such as Amazon EC2 instances, microservices, and containers, based on request attributes. When the load balancer receives a connection request, it evaluates the listener rules in priority order to determine which rule to apply, and if applicable, it selects a target from the target group for the rule action.
Inner working of ALB
AWS ALB (Application Load Balancer) is a layer 7 load balancer: it makes routing decisions on HTTP attributes such as host, path, method and headers, not only on IP address and port.
Clients make requests to your application.
The load balancer has one or more listeners: HTTP, HTTPS, or both.
The listeners in your load balancer receive requests matching the protocol and port that you configure.
Each listener has rules (at least one, the default rule, whose action applies when no other rule matches).
The receiving listener evaluates the incoming request against the rules you specify and, if a rule matches, routes the request to that rule's target group. You can use an HTTPS listener to offload TLS termination (encryption and decryption) to the load balancer, so the targets receive plain HTTP.
A target group (the destination) has exactly one target type: instances, IP addresses, or a Lambda function.
Let's jump into the creation of an ALB.
How to create an AWS Application Load Balancer
Click on Create target group; it opens in a new tab.
Creating a Target Group
Target type
The description is from the AWS console
Instances
Supports load balancing to instances within a specific VPC.
Facilitates the use of Amazon EC2 Auto Scaling to manage and scale your EC2 capacity.
IP addresses
Supports load balancing to VPC and on-premises resources.
Facilitates routing to multiple IP addresses and network interfaces on the same instance.
Offers flexibility with microservice-based architectures, simplifying inter-application communication.
Supports IPv6 targets, enabling end-to-end IPv6 communication, and IPv4-to-IPv6 NAT.
Lambda function
Facilitates routing to a single Lambda function.
Accessible to Application Load Balancers only.
Right now we don't have any instances running, so just create the target group; we will see how to register targets later.
Go back to the load balancer page, refresh, and select the target group you created.
Request to Response in ALB
When a client (e.g., a web browser) makes a request to your ALB, it first resolves the load balancer's DNS name, myfirstloadbalancer-4167611.us-east-1.elb.amazonaws.com, to the load balancer's public IP addresses. The client then connects to the load balancer, which forwards the request to a target in the target group (our EC2 instances). The addresses behind that name can change, so always reference the load balancer by its DNS name, never by an IP address.
When we create the ALB with the default security group, nothing allows HTTP or HTTPS traffic from outside into the ALB, so the browser simply times out.
Security Groups in AWS ALB
We need to create a security group that allows traffic from the internet and attach it to the ALB.
From the side panel of the EC2 dashboard, create a security group.
Give the security group a name.
Allow inbound HTTP (port 80) and HTTPS (port 443) from anywhere (0.0.0.0/0, and ::/0 if the load balancer is dual-stack). This load-balancer security group is the only one that should be open to the internet; the instances behind it should accept traffic only from this group, which we configure below.
Move back to the ALB page and, from the Security tab, attach this security group to the ALB.
Access the DNS name again. This time we get a response from the load balancer: 503 Service Temporarily Unavailable, because the target group has no registered targets, so the load balancer has nothing to forward the request to.
503 Service Temporarily Unavailable Error in AWS ALB
I have one EC2 instance running in the same VPC, with a simple Node.js application serving Hello World on port 3000.
Let's see how we can get a response from port 3000 on the EC2 instance through the load balancer.
Go to your load balancer, open its target group, and register the instance as a target on port 3000.
Now access your application through the load balancer. This time you get a different error, and that is the expected result.
502 Bad Gateway Error in AWS ALB
This time a service is running, but the load balancer cannot reach it: we need one more configuration step to allow the load balancer to talk to the EC2 instance on port 3000. Accordingly, the target still shows as unhealthy in the target group, because the health check uses the same path. Which 5xx you see depends on how the target fails: the ALB returns 502 when the target closes or resets the connection or sends a malformed response, and 504 when the connection attempt times out.
Health Status AWS Target Group
Go to the instance's security group and add an inbound rule for port 3000 whose source is the load balancer's security group, not 0.0.0.0/0.
Referencing the ALB security group means the application port is reachable only from the load balancer nodes; the instance never needs to be exposed to the internet directly.
Finally, we can see Hello World, and the target turns healthy.
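The three states we just walked through (no response, 5xx with an unhealthy target, Hello World) are entirely a function of two security groups. The following is an added example, not code from the original post or from AWS: a small model of security-group evaluation that traces the client-to-ALB and ALB-to-instance hops and shows why the instance rule should reference the ALB's security group rather than 0.0.0.0/0. Group ids (sg-alb, sg-app, sg-default), the ALB node's private address 10.0.1.25 and the client and admin addresses are constructed for the example.

```python
"""Model the two security-group hops behind the 503 / 5xx / Hello World sequence (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class InboundRule:
    protocol: str      # "tcp"
    from_port: int
    to_port: int
    source: str        # a CIDR such as "0.0.0.0/0", or a security-group id such as "sg-alb"


@dataclass
class SecurityGroup:
    group_id: str
    inbound: List[InboundRule] = field(default_factory=list)


def allows_inbound(sg: SecurityGroup, protocol: str, port: int,
                   src_ip: Optional[str] = None, src_groups: Sequence[str] = ()) -> bool:
    """True if any inbound rule admits the connection.

    A rule whose source is a security-group id matches on the sender's group
    membership (the group attached to the ALB node's network interface), not on
    the sender's IP address. Security groups are allow-lists: with no matching
    rule the packet is silently dropped.
    """
    for rule in sg.inbound:
        if rule.protocol != protocol or not rule.from_port <= port <= rule.to_port:
            continue
        if rule.source.startswith("sg-"):
            if rule.source in src_groups:
                return True
        elif src_ip is not None and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False):
            return True
    return False


def trace_request(client_ip: str, alb_sg: SecurityGroup, instance_sg: SecurityGroup,
                  listener_port: int = 80, app_port: int = 3000,
                  alb_node_ip: str = "10.0.1.25") -> str:
    """Walk the two hops of the tutorial and name where the request dies.

    alb_node_ip is an assumed private address of the load balancer node: the
    instance sees the ALB's private IP, never the browser's public IP.
    """
    if not allows_inbound(alb_sg, "tcp", listener_port, src_ip=client_ip):
        return "blocked-at-alb"          # browser hangs, no HTTP response at all
    if not allows_inbound(instance_sg, "tcp", app_port, src_ip=alb_node_ip, src_groups=(alb_sg.group_id,)):
        return "blocked-at-target"       # ALB answers with a 5xx, health check stays unhealthy
    return "ok"                          # Hello World, target healthy


def open_to_internet(sg: SecurityGroup, protocol: str, port: int) -> bool:
    """Would an arbitrary public address reach this port directly, bypassing the ALB?"""
    return allows_inbound(sg, protocol, port, src_ip="198.51.100.1")  # any public address


# Constructed groups mirroring the tutorial's steps (ids and addresses are made up).
ALB_SG = SecurityGroup("sg-alb", [InboundRule("tcp", 80, 80, "0.0.0.0/0"),
                                  InboundRule("tcp", 443, 443, "0.0.0.0/0")])
DEFAULT_SG = SecurityGroup("sg-default")        # simplified: nothing allowed from outside the VPC
APP_SG_BEFORE = SecurityGroup("sg-app", [InboundRule("tcp", 22, 22, "203.0.113.10/32")])
APP_SG_AFTER = SecurityGroup("sg-app", APP_SG_BEFORE.inbound + [InboundRule("tcp", 3000, 3000, "sg-alb")])
APP_SG_WIDE_OPEN = SecurityGroup("sg-app", APP_SG_BEFORE.inbound + [InboundRule("tcp", 3000, 3000, "0.0.0.0/0")])

if __name__ == "__main__":
    for label, alb, app in [("default SG on ALB", DEFAULT_SG, APP_SG_AFTER),
                            ("ALB open, instance closed", ALB_SG, APP_SG_BEFORE),
                            ("instance allows sg-alb", ALB_SG, APP_SG_AFTER)]:
        print(f"{label:28s} -> {trace_request('198.51.100.7', alb, app)}")
    print("3000 reachable from internet with sg-alb source:", open_to_internet(APP_SG_AFTER, "tcp", 3000))
    print("3000 reachable from internet with 0.0.0.0/0:    ", open_to_internet(APP_SG_WIDE_OPEN, "tcp", 3000))
```

The last two lines are the point: both APP_SG_AFTER and APP_SG_WIDE_OPEN make the tutorial "work", but only the group-referenced rule keeps port 3000 unreachable from the internet, so every request to the application has to pass through the listener rules first.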
Custom Domain to AWS Application Load Balancer
Navigate to your domain provider and add a DNS record pointing at the load balancer: a CNAME whose value is the ALB's DNS name (for the apex domain, which cannot carry a CNAME, use a Route 53 alias record or your provider's equivalent).
Adjust the record name and value according to whether you are adding your main domain or a subdomain.
We have now added a custom domain to the ALB, but we still have one problem: the site is served over plain HTTP rather than TLS.
SSL in AWS Application Load Balancer
Add an HTTPS listener
Add a certificate to AWS ALB
Search for AWS Certificate Manager (ACM) and request a public certificate for your domain.
Verifying the domain for AWS ACM
With DNS validation, ACM gives you a CNAME record to add at your domain provider; wait a few minutes for the status to change to Issued.
If you have difficulty validating the domain, edit the record with a lower TTL and check from https://dnschecker.org/ that the value has propagated through DNS.
Now go back to the Listeners tab, refresh, and select the certificate.
Now we have two listeners, HTTP and HTTPS. Plain HTTP still works at this point; if all traffic should be encrypted, change the HTTP listener's default action to redirect to HTTPS (301).
Rules Inside the Listener
Adding Rules
Rules are evaluated in priority order, from the lowest value to the highest value. The default rule is evaluated last. You can change the priority of a nondefault rule at any time. You cannot change the priority of the default rule.
Add a rule
Select the load balancer to view its details. On the Listeners and rules tab, select the listener, then on the Rules tab choose Add rule.
Some rule examples
Rule type | Use case | Example
Path-based routing | Route on the request path. | Forward all requests whose path matches the pattern "/different/*" to a specific target group.
Host-based routing | Route on the Host header. | Send requests for a particular host name (for example api.example.com) to its own target group.
HTTP request method-based routing | Route on the HTTP method. | Send GET requests to one target group and POST requests to another.
HTTP header-based routing | Route on an HTTP header value. | Route requests that carry a specific header value.
Query string-based routing | Route on the query string. | Route requests whose query string has key "test" and value "secure" to a target group.
Source IP-based routing | Route on the client's source IP address (CIDR). | Route traffic from a particular IP range to a specific target group.
All conditions of a rule must match (AND), while the values listed within one condition are alternatives (OR). Path, host, header and query-string values are all chosen by the client, so a rule on them is a routing decision, not an access control; only the source-ip condition reflects something the client cannot simply type, and it uses the connection's source address, not X-Forwarded-For.
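To make the priority ordering and the condition types concrete, here is an added example (not code from the original post or from AWS) that evaluates a listener's rules the way the text above describes: non-default rules in ascending priority, all conditions of a rule must match, the default rule last. The rule set is constructed from the table above; the host admin.example.com, the target-group names and the client addresses are assumptions. It also shows the point a practitioner trips over: a source-ip rule that forwards admin traffic does not deny anyone else, so a following fixed-response rule is needed to stop other clients from falling through to the default target group.

```python
"""Evaluate ALB listener rules in priority order (added example, not AWS code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    method: str
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    query: List[Tuple[str, str]] = field(default_factory=list)   # parsed key/value pairs
    source_ip: str = "0.0.0.0"                                   # connection source, not X-Forwarded-For


@dataclass
class Rule:
    priority: Optional[int]        # lower values are evaluated first; None marks the default rule
    conditions: Dict[str, object]  # condition type -> spec (see condition_matches)
    action: str                    # e.g. "forward:tg-web" or "fixed-response:403"


def wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """ALB pattern semantics: '*' matches any run of characters, '?' exactly one.
    Path patterns are case-sensitive; host-header patterns are not."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def condition_matches(kind: str, spec, req: Request) -> bool:
    """Values inside one condition are alternatives (OR)."""
    if kind == "path-pattern":
        return any(wildcard_match(p, req.path) for p in spec)
    if kind == "host-header":
        return any(wildcard_match(p, req.host, ignore_case=True) for p in spec)
    if kind == "http-request-method":
        return req.method.upper() in {m.upper() for m in spec}
    if kind == "http-header":                       # spec: ("X-Debug", ["1"])
        name, patterns = spec
        lower = {k.lower(): v for k, v in req.headers.items()}
        return name.lower() in lower and any(wildcard_match(p, lower[name.lower()]) for p in patterns)
    if kind == "query-string":                      # spec: [("test", "secure")]; key None = any key
        return any((k is None or wildcard_match(k, qk)) and wildcard_match(v, qv)
                   for k, v in spec for qk, qv in req.query)
    if kind == "source-ip":                         # spec: ["10.0.0.0/8"]
        ip = ipaddress.ip_address(req.source_ip)
        return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in spec)
    raise ValueError(f"unknown condition type: {kind}")


def evaluate(rules: List[Rule], req: Request) -> str:
    """First rule (ascending priority) whose conditions ALL match wins; the default rule is last."""
    default = next(r for r in rules if r.priority is None)
    for rule in sorted((r for r in rules if r.priority is not None), key=lambda r: r.priority):
        if all(condition_matches(kind, spec, req) for kind, spec in rule.conditions.items()):
            return rule.action
    return default.action


# Constructed rule set modelled on the table above (hypothetical host and target-group names).
LISTENER_RULES = [
    Rule(10, {"host-header": ["admin.example.com"], "source-ip": ["10.0.0.0/8"]}, "forward:tg-admin"),
    Rule(11, {"host-header": ["admin.example.com"]}, "fixed-response:403"),   # explicit deny for everyone else
    Rule(20, {"path-pattern": ["/different/*"], "http-request-method": ["POST"]}, "forward:tg-writes"),
    Rule(30, {"path-pattern": ["/different/*"]}, "forward:tg-different"),
    Rule(40, {"query-string": [("test", "secure")]}, "forward:tg-canary"),
    Rule(None, {}, "forward:tg-web"),
]

if __name__ == "__main__":
    for req in [Request("GET", "admin.example.com", "/", source_ip="10.1.2.3"),
                Request("GET", "admin.example.com", "/", source_ip="198.51.100.7"),
                Request("POST", "www.example.com", "/different/orders"),
                Request("GET", "www.example.com", "/DIFFERENT/orders"),
                Request("GET", "www.example.com", "/", query=[("test", "secure")])]:
        print(f"{req.method} {req.host}{req.path} from {req.source_ip} -> {evaluate(LISTENER_RULES, req)}")
```

Remove rule 11 and a request for admin.example.com from the internet silently lands on tg-web, which is why an allow-by-source rule should always be paired with a deny rule at the next priority. The case-sensitivity difference between path and host patterns is also visible: "/DIFFERENT/orders" does not match "/different/*" and falls through to the default.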