Configure Amazon Web Services load balancers

Before you begin

Have the following available before configuring an AWS load balancer for Access Gateway.

  • A previously configured Access Gateway High Availability cluster with at least one worker.
  • Internal IP addresses for all Access Gateway cluster members, including the admin node.
  • The VPC(s) used by the Access Gateway cluster.
  • The external domain for the load balancer. For example, oag-external.com.
  • Credentials for your DNS Service provider, to create the required A records.

To configure an AWS EC2 Load Balancer

Connect to the Amazon EC2 console


  1. Open a browser to the AWS EC2 console at https://console.aws.amazon.com/ec2/.
  2. Sign in to the AWS Console.

Configure Basic Load Balancer Settings


  1. In the left pane scroll to and expand Load Balancing.
  2. Click Load Balancers.
  3. Click Create Load Balancer.
  4. Under Application Load Balancer, click Create.
  5. In Step 1: Configure Load Balancer, specify the following (field, section, value):
    Name (Basic Configuration): An appropriate name such as AccessGatewayLoadBalancer. Do not include spaces or special characters in the name.
    Scheme (Basic Configuration): Confirm internet-facing is selected.
    IP address type (Basic Configuration): Confirm IPv4 is selected.
    Load Balancer Protocol (Listeners): Select HTTPS. Do not add a second listener.
    Availability Zones (Availability Zones): For each VPC containing Access Gateway nodes, select the check box for each Availability Zone in use. For example, if nodes are in both us-west-1 and us-west-2, check both entries.
  6. Click Next: Configure Security Settings.

Configure Security Settings


Configuring security settings includes requesting and configuring a certificate for the load balancer. If a suitable certificate already exists, it can be reused.
  1. In the Configure Security Settings page, click Request a new certificate from ACM. A new tab will open and the Request a Certificate wizard will start.
    Caution

    Do not close the Configure Security Settings tab. It is difficult to return to this screen, and you may have to create a new load balancer.

  2. In the Domain Name field, enter the name of the external domain. You can also add additional DNS names to the certificate.
    Click Next when complete.
  3. Select an appropriate validation method, typically DNS validation, and click Next.
  4. Add tags if required, otherwise click Review.
  5. Review the request, using Previous to correct any errors and click Confirm and request. Validation will occur and a CNAME name/value pair will be generated.
  6. Expand the domain name section for the given domain name and note the name and value field values.
  7. Connect to your DNS Service provider and add a new CNAME record containing the name and value pair.
    Note that the name value provided by AWS includes a trailing suffix representing the domain that the certificate was generated against. That domain portion (the .example.com in
    _a15cab. . .8ba8.example.com, for example) is not used when defining the CNAME record.
  8. Copy and paste the name, without .example.com, into the hostname field, and copy the value field into the target field.
  9. Save the CNAME record. Leave this tab open for later use.
  10. Return to the AWS Console.
  11. In the Request a certificate tab, click Continue. AWS will then confirm the certificate.
  12. Once the certificate completes validation, you may close this tab.
    Note: Depending on various factors, it can take a few minutes for the certificate to be confirmed within AWS.
  13. Return to the Configure Security Settings tab.
  14. Using the Refresh icon next to the Certificate name drop-down, refresh the list of known certificates.
  15. Select the newly created certificate and click Next: Configure Security Groups.

Configure Security Group


The security group used with the Access Gateway cluster is more permissive than the load balancer requires. In this step we create a security group that allows only HTTPS.
  1. In the Assign a security group field, select Create a new security group.
  2. Specify an appropriate name such as AccessGatewayLB-SecurityGroup.
  3. A single rule is added by default. Modify this rule to specify HTTPS over port 443.
    Leave all other fields as their default values.
  4. Click Next: Configure Routing.
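The point of the dedicated security group is that the load balancer admits nothing but HTTPS on 443. The following is an added example (not Okta or AWS code) that audits a group's ingress rules for anything else; the rule dictionaries mirror the IpPermissions shape that `aws ec2 describe-security-groups` returns, and the sample rules and the sg- identifier are constructed for this example.

```python
"""Audit an ALB security group so that it only admits HTTPS (TCP 443).

Added example, not Okta or AWS code. The rule shape mirrors the
IpPermissions structure returned by `aws ec2 describe-security-groups`;
the sample rules below are constructed.
"""

HTTPS_PORT = 443


def describe_rule(rule):
    """Render one ingress rule as 'proto ports from sources' for a finding."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                       # "-1" is the API's value for "all protocols"
        ports = "all ports"
    else:
        ports = f"{rule.get('FromPort')}-{rule.get('ToPort')}"
    sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    sources += [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])]
    return f"{proto} {ports} from {', '.join(sources) or 'nowhere'}"


def is_https_only(rule):
    """True when the rule is exactly TCP 443 and nothing wider."""
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort") == HTTPS_PORT
            and rule.get("ToPort") == HTTPS_PORT)


def find_unexpected_ingress(ip_permissions):
    """Return a description of every ingress rule that is not TCP 443."""
    return [describe_rule(r) for r in ip_permissions if not is_https_only(r)]


# Constructed sample: the intended 443 rule plus two rules that should not be there.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},  # placeholder group id
]

if __name__ == "__main__":
    for finding in find_unexpected_ingress(SAMPLE_INGRESS):
        print("unexpected ingress:", finding)
```

Run it against the real group by feeding `find_unexpected_ingress` the `IpPermissions` list from the describe call; an empty result means the group matches what this step intends.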

Configure Routing


Routing specifies the targets of the load balancer and health check settings.
  1. In the Target group section, specify:
    Target Group: New target group
    Name: Any appropriate name such as AccessGatewayLB-TargetGroup
    Protocol: HTTPS
    Port: 443
  2. Expand the Advanced section.
  3. Specify a Success Code of 400.
    Note

    You will need to return to the Health Check section later to specify a more robust health check.

  4. Click Next: Register targets.
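The Success Code field is an ALB HttpCode matcher, and the matcher decides which nodes the load balancer will route to. As an added example (not Okta or AWS code), the parser below expands the matcher grammar the ALB accepts (single codes, comma-separated lists and inclusive ranges, all between 200 and 499) and applies it to a constructed set of per-target health-check responses, so you can see what "400" alone admits compared with a broader matcher. The instance ids are placeholders.

```python
"""Evaluate ALB target-group health-check matchers against sample responses.

Added example, not Okta or AWS code. Matcher grammar: "400", "200,400",
"200-299,400". Per-target status codes below are constructed.
"""

# Inclusive bounds the ALB HttpCode matcher accepts for HTTP/HTTPS target groups.
MATCHER_MIN, MATCHER_MAX = 200, 499


def parse_http_code_matcher(matcher):
    """Expand a matcher string into the set of status codes it accepts."""
    codes = set()
    for part in matcher.split(","):
        part = part.strip()
        if not part:
            raise ValueError(f"empty element in matcher {matcher!r}")
        if "-" in part:
            lo_text, hi_text = part.split("-", 1)
            lo, hi = int(lo_text), int(hi_text)
            if lo > hi:
                raise ValueError(f"descending range {part!r} in matcher")
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(part))
    out_of_range = sorted(c for c in codes if not MATCHER_MIN <= c <= MATCHER_MAX)
    if out_of_range:
        raise ValueError(f"codes {out_of_range} fall outside {MATCHER_MIN}-{MATCHER_MAX}")
    return codes


def is_healthy(status_code, matcher):
    """True when the health-check response code satisfies the matcher."""
    return status_code in parse_http_code_matcher(matcher)


def evaluate_targets(responses, matcher):
    """Map each target id to its health verdict under the given matcher."""
    return {target: is_healthy(code, matcher) for target, code in responses.items()}


# Constructed sample: the status code last seen from each target's health probe.
SAMPLE_RESPONSES = {
    "i-worker-1-PLACEHOLDER": 400,   # the code this page's Success Code setting accepts
    "i-worker-2-PLACEHOLDER": 200,   # a probe path that returns a normal page
    "i-admin-PLACEHOLDER": 503,      # a node whose service is down
}

if __name__ == "__main__":
    for matcher in ("400", "200,400"):
        print(matcher, evaluate_targets(SAMPLE_RESPONSES, matcher))
```

With the matcher "400" only the first worker is in service; with "200,400" both workers are, and the 503 node is kept out under either. That is the difference the later "more robust health check" step is about.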

Register Targets and create the load balancer


Targets represent the Access Gateway nodes the load balancer interacts with.
  1. In the Instances pane, select each line representing a member of the Access Gateway cluster. This can include the admin node and should include all worker nodes.
  2. Click Add to registered. All selected instances should now show as registered.
  3. Click Review. Examine the settings, making any required changes.
  4. Click Create.
    The load balancer will be created. Note that this can take between one and five minutes.

Register load balancer with DNS service provider


Steps to associate a load balancer with DNS will vary by DNS provider.
  1. In the AWS console, note the load balancer's external name, shown in the DNS name column of the load balancers list.
  2. Connect to your DNS Service provider and add a CNAME record mapping your external name to
    the AWS load balancer DNS name.
    For example: CNAME host: www.[your external name], target: aws...com.
  3. Return to the AWS console.
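This procedure creates two CNAME records at the DNS provider: the ACM validation record (steps 7 and 8 of Configure Security Settings, where the zone suffix must be dropped from the name AWS shows) and the record that points the external name at the load balancer (step 2 above). The following added example (not Okta or AWS code) computes the provider-relative host for both and refuses a name that does not sit inside the zone. Every name, token and load balancer hostname in it is a constructed placeholder, not a real ACM value.

```python
"""Plan the two CNAME records this procedure needs at the DNS provider.

Added example, not Okta or AWS code. All names and values below are
constructed placeholders, not real ACM tokens or ELB hostnames.
"""


def relative_name(fqdn, zone):
    """Strip the zone suffix so a fully qualified name becomes the host label a provider form expects."""
    fqdn = fqdn.rstrip(".")
    zone = zone.rstrip(".")
    if fqdn.lower() == zone.lower():
        return "@"                     # the zone apex itself
    suffix = "." + zone
    if not fqdn.lower().endswith(suffix.lower()):
        raise ValueError(f"{fqdn} is not inside zone {zone}; the record belongs in another zone")
    return fqdn[: -len(suffix)]        # keep the original casing of the label


def plan_dns_records(zone, validation_name, validation_value, external_host, lb_dns_name):
    """Return the CNAME records to create, with hosts relative to the zone."""
    return [
        {"type": "CNAME", "host": relative_name(validation_name, zone),
         "target": validation_value.rstrip(".")},
        {"type": "CNAME", "host": relative_name(external_host, zone),
         "target": lb_dns_name.rstrip(".")},
    ]


# Constructed inputs. ACM's validation name carries a leading underscore and the
# zone as a trailing suffix; that suffix is the part the provider form must not receive.
ZONE = "oag-external.com"
VALIDATION_NAME = "_a15cab-PLACEHOLDER-8ba8.oag-external.com."
VALIDATION_VALUE = "_PLACEHOLDER-token.acm-validations.aws."
EXTERNAL_HOST = "www.oag-external.com"
LB_DNS_NAME = "AccessGatewayLoadBalancer-PLACEHOLDER.us-west-1.elb.amazonaws.com"

if __name__ == "__main__":
    for record in plan_dns_records(ZONE, VALIDATION_NAME, VALIDATION_VALUE, EXTERNAL_HOST, LB_DNS_NAME):
        print(f"{record['type']:5} {record['host']:28} -> {record['target']}")
```

Providers such as Route 53 accept the fully qualified name as AWS displays it; for a provider that wants the host label only, the `host` values this returns are what goes in the form.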

Enable Sticky Sessions

Load Balancers must specify sticky sessions.


  1. If required, in the navigation pane, under Load Balancing, click Load Balancers. A list of all defined load balancers will display.
  2. Select the newly created load balancer.
  3. On the Description tab, click Edit stickiness. The Edit stickiness page will display.
  4. Select Enable load balancer generated cookie stickiness.
  5. In Expiration Period, enter the expiration period in seconds. This value should match the session timeout configured for Access Gateway.
  6. Choose Save.

Test

Load balancers can be tested using a header-based application.
Complete this section if an application does not already exist for www.[external domain].com.

  1. Return to, or sign in to, the Access Gateway admin console.
  2. Select the Applications tab.
  3. Click Add.
  4. Select Sample Header.
  5. In the Essentials tab, specify the following:
    Name: An appropriate name for the application, such as Load Balancer Header Test
    Public Domain: www.[external domain]. For example, www.oag-external.com.
    Groups: Everyone
  6. Click Next. The Attributes tab will open.
  7. Click Next. The Policies tab will open.
  8. Click Done.
  9. Open a new browser or a Chrome incognito window.
  10. Enter the URL associated with the application.
  11. The Access Gateway sample header app page should display.
