Configure Amazon Web Services load balancers
- Connect to the Amazon EC2 console
- Configure basic load balancer settings
- Configure security settings
- Configure security group
- Configure routing
- Register targets and create the load balancer
- Register load balancer with DNS service provider
- Enable sticky sessions
Before you begin
- You have a previously configured Access Gateway high availability cluster with at least one worker.
- You have the internal IP addresses of all Access Gateway cluster members, including the admin node.
- You know which VPC(s) and Availability Zones the Access Gateway nodes use.
- You have the external domain for the load balancer. For example oag-external.com.
- You have credentials for your DNS service provider to create the required DNS records (CNAME records for certificate validation and for the load balancer alias).
To configure an AWS EC2 Load Balancer
- Open a browser to the AWS EC2 console at https://console.aws.amazon.com/ec2/.
- Sign in to the AWS Console.
- In the left pane scroll to and expand Load Balancing.
- Click Load Balancers.
- Click Create Load Balancer.
- In Application Load Balancer, click Create.
- In Step 1: Configure Load Balancer, specify the following:
Name
An appropriate name, such as AccessGatewayLoadBalancer. The name can contain only letters, digits, and hyphens, with no spaces.
Scheme
Ensure that internet-facing is selected.
IP address type
Ensure that ipv4 is selected.
Load Balancer Protocol
Select HTTPS on port 443. Don't add a second listener; in particular, don't add an HTTP listener.
Availability Zones
Select the VPC that contains the Access Gateway nodes, then select the check box for each Availability Zone that contains a node. For example, if nodes are in both us-west-1a and us-west-1b, select both entries.
- Click Next: Configure Security Settings.
Configuring security settings includes requesting and configuring a certificate for the load balancer.
You can also reuse an existing certificate.
- On the Configure Security Settings page, click Request a new certificate from ACM. A new tab opens and the Request a Certificate wizard starts.
Keep the Configure Security Settings tab open. It's difficult to return to this screen, and if you close it you may need to create a new load balancer.
- In the Domain Name field, enter the name of the external domain. You can add more domain names to the same certificate if needed.
- Click Next.
- Select a validation method, typically DNS validation, and click Next.
- Add tags if required, otherwise click Review.
- Review the request, using Previous to correct any errors, and click Confirm and request. ACM then generates a CNAME name/value pair that you publish in DNS to prove control of the domain.
- Expand the domain name section for the given domain name and note the Name and Value fields.
- Connect to your DNS service provider and add a new CNAME record containing that name/value pair.
Note: The Name value provided by AWS includes the domain that the certificate was requested for as a trailing suffix. Most DNS providers append the zone name automatically, so the domain portion of a name such as _a15cab...8ba8.example.com is omitted when you define the CNAME record; check your provider's conventions if the record doesn't validate.
- Copy the name, without .example.com, into the host name field, and copy the Value field into the target field.
- Save the CNAME record. Leave this tab open for later use.
- Return to the AWS Console.
- In the Request a certificate tab, click Continue. ACM polls DNS for the record and validates the certificate.
- Once the certificate status shows Issued, you can close this tab.
Note: Depending on DNS propagation, it can take several minutes for the certificate to be validated.
- Return to the Configure Security Settings tab.
- Using the Refresh icon next to Certificate name drop down, refresh the known certificates list.
- Select the newly created certificate and click Next: Configure Security Groups.
The security group used by the Access Gateway cluster is more permissive than the load balancer requires. In this step you create a security group that allows only HTTPS.
- In the Assign a security group field, select Create a new security group.
- Specify an appropriate name, such as AccessGatewayLB-SecurityGroup.
- A single rule is added by default. Modify this rule to allow HTTPS (TCP port 443). Don't add a rule for HTTP on port 80.
Leave all other fields at their default values. The security group on the Access Gateway nodes must allow inbound TCP 443 from this new security group, otherwise the load balancer's health checks fail and the targets never become healthy.
- Click Next: Configure Routing.
Routing specifies the targets of the load balancer and health check settings.
- In the Target group section, specify:
Target group
New target group
Name
An appropriate name, such as AccessGatewayLB-TargetGroup
Protocol
HTTPS
Port
443
- Expand the Advanced health check settings section.
- Specify Success codes as 400.
You will need to return to the health check settings later to specify a more robust health check.
- Click Next: Register targets.
Targets represent the Access Gateway nodes that the load balancer interacts with.
- In the Instances pane, select each line representing a member of Access Gateway cluster. This can include the admin node and should include all worker nodes.
- Click Add to registered. All selected instances should now show registered.
- Click Review. Examine the settings and make any required changes.
- Click Create.
The load balancer is created. This can take a few minutes.
Steps to associate a load balancer with DNS vary depending on the DNS provider.
- In the AWS console, note the load balancer's DNS name, shown in the DNS name column of the load balancers list.
- Connect to your DNS service provider and add a CNAME record mapping your external host name to the AWS load balancer DNS name.
For example: CNAME host: www.[your external name], target: aws...com.
- Return to the AWS console.
The load balancer must use sticky sessions so that all requests in a user's session reach the same Access Gateway node. For an Application Load Balancer, stickiness is an attribute of the target group, not of the load balancer itself.
- If required, in the navigation pane, go to Load Balancing and click Target Groups. A list of all defined target groups displays.
- Select the target group you created for the load balancer, for example AccessGatewayLB-TargetGroup.
- On the Description tab, click Edit attributes. The attributes page displays.
- Under Stickiness, select Enable and choose the load balancer generated cookie type.
- In Stickiness duration, enter the duration in seconds. This value should match the session timeout configured for Access Gateway.
- Click Save.
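The procedure above as an added worked example, not taken from the Access Gateway documentation: an AWS CLI script that performs the same steps (HTTPS-only security group, internet-facing Application Load Balancer, HTTPS target group with the interim 400 success code, registration of the nodes, HTTPS listener with the ACM certificate, and load-balancer-cookie stickiness). The VPC, subnet, instance, security group and certificate identifiers are assumed placeholders, as is the TLS policy name; the script only makes changes when run with ALB_APPLY=1.

```bash
#!/usr/bin/env bash
# Added example, not part of the Access Gateway documentation: the AWS CLI
# equivalent of the console steps above, so the load balancer can be rebuilt
# reproducibly and reviewed as code. Every identifier below is an assumed
# placeholder; override it from the environment, then run with ALB_APPLY=1.
set -eu

AWS="${AWS:-aws}"                                   # CLI to call; tests can stub it
EXTERNAL_DOMAIN="${EXTERNAL_DOMAIN:-oag-external.com}"
LB_NAME="${LB_NAME:-AccessGatewayLoadBalancer}"     # letters, digits, hyphens only
TG_NAME="${TG_NAME:-AccessGatewayLB-TargetGroup}"
SG_NAME="${SG_NAME:-AccessGatewayLB-SecurityGroup}"
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"           # assumed: VPC holding the cluster
SUBNET_IDS="${SUBNET_IDS:-subnet-0aaaaaaaaaaaaaaa0 subnet-0bbbbbbbbbbbbbbb0}"  # assumed: one per AZ with a node
INSTANCE_IDS="${INSTANCE_IDS:-i-0aaaaaaaaaaaaaaa0 i-0bbbbbbbbbbbbbbb0}"        # assumed: Access Gateway nodes
NODE_SG_ID="${NODE_SG_ID:-sg-0cccccccccccccccc0}"   # assumed: security group on the nodes
CERT_ARN="${CERT_ARN:-arn:aws:acm:us-west-1:123456789012:certificate/00000000-0000-0000-0000-000000000000}"  # assumed: validated ACM cert
STICKY_SECONDS="${STICKY_SECONDS:-3600}"            # must equal the Access Gateway session timeout

# Many DNS providers append the zone to a record name themselves, so the ACM
# validation name "_a15cab....oag-external.com." is entered as "_a15cab....".
# Refuses a record name that is not inside the given zone.
relative_record_name() {
  name="${1%.}"; zone="${2%.}"
  case "$name" in
    *."$zone") printf '%s\n' "${name%."$zone"}" ;;
    *) echo "record $name is not inside zone $zone" >&2; return 1 ;;
  esac
}

# Load balancer security group: HTTPS from the internet only, no HTTP rule.
create_security_group() {
  sg=$($AWS ec2 create-security-group --group-name "$SG_NAME" \
        --description "Access Gateway ALB: HTTPS only" --vpc-id "$VPC_ID" \
        --query GroupId --output text)
  $AWS ec2 authorize-security-group-ingress --group-id "$sg" \
        --protocol tcp --port 443 --cidr 0.0.0.0/0 >/dev/null
  # The nodes must accept 443 from the load balancer, or health checks fail.
  $AWS ec2 authorize-security-group-ingress --group-id "$NODE_SG_ID" \
        --protocol tcp --port 443 --source-group "$sg" >/dev/null
  echo "$sg"
}

create_load_balancer() {            # $1 = security group id
  # SUBNET_IDS is deliberately unquoted: one argument per subnet
  $AWS elbv2 create-load-balancer --name "$LB_NAME" --type application \
        --scheme internet-facing --ip-address-type ipv4 \
        --subnets $SUBNET_IDS --security-groups "$1" \
        --query 'LoadBalancers[0].LoadBalancerArn' --output text
}

# HTTPS target group; 400 is the interim success code from the procedure above,
# to be replaced by a more specific health check later.
create_target_group() {
  tg=$($AWS elbv2 create-target-group --name "$TG_NAME" --protocol HTTPS --port 443 \
        --vpc-id "$VPC_ID" --target-type instance --health-check-protocol HTTPS \
        --matcher HttpCode=400 --query 'TargetGroups[0].TargetGroupArn' --output text)
  targets=""; for id in $INSTANCE_IDS; do targets="$targets Id=$id"; done
  $AWS elbv2 register-targets --target-group-arn "$tg" --targets $targets >/dev/null
  # Load-balancer-generated cookie stickiness, matching the session timeout.
  $AWS elbv2 modify-target-group-attributes --target-group-arn "$tg" --attributes \
        Key=stickiness.enabled,Value=true Key=stickiness.type,Value=lb_cookie \
        Key=stickiness.lb_cookie.duration_seconds,Value="$STICKY_SECONDS" >/dev/null
  echo "$tg"
}

create_https_listener() {           # $1 = load balancer arn, $2 = target group arn
  # Pin a TLS 1.2-or-newer policy instead of accepting whatever the default is.
  $AWS elbv2 create-listener --load-balancer-arn "$1" --protocol HTTPS --port 443 \
        --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
        --certificates CertificateArn="$CERT_ARN" \
        --default-actions Type=forward,TargetGroupArn="$2" >/dev/null
}

main() {
  sg=$(create_security_group)
  lb=$(create_load_balancer "$sg")
  tg=$(create_target_group)
  create_https_listener "$lb" "$tg"
  dns=$($AWS elbv2 describe-load-balancers --load-balancer-arns "$lb" \
        --query 'LoadBalancers[0].DNSName' --output text)
  echo "CNAME www.$EXTERNAL_DOMAIN -> $dns"   # the record to add at the DNS provider
}

if [ "${ALB_APPLY:-0}" = 1 ]; then main; fi
```

The relative_record_name helper covers the certificate validation step: given the ACM record name and your zone it returns the host part to enter at the DNS provider, and fails if the name is outside the zone. Export the real identifiers and run with ALB_APPLY=1; the final line prints the CNAME to add at the DNS provider once the load balancer exists.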
You can test load balancers using a header-based application.
Complete this section if an application doesn't already exist for www.[external domain].com.
- Return to or sign in to the Access Gateway Admin UI console.
- Select the Applications tab.
- Click Add.
- Select Sample Header.
- In the Essentials tab specify the following:
Name
An appropriate name for the application, such as Load Balancer Header Test.
Public Domain
www.[external domain]. For example, www.oag-external.com.
Groups
Everyone
- Click Next. The Attributes tab will open.
- Click Next. The Policies tab will open.
- Click Done.
- Open a new browser or a Chrome incognito window.
- Enter the URL of the application, https://www.[external domain].
- The Access Gateway sample header app page should display.