Configure Amazon Web Services load balancers
- Connect to the Amazon EC2 console
- Configure Basic Load Balancer Settings
- Configure Security Settings
- Configure Security Group
- Configure Routing
- Register Targets and create the load balancer
- Register load balancer with DNS service provider
- Enable Sticky Sessions
Before you begin
Have the following available before configuring an AWS load balancer for Access Gateway.
- A previously configured Access Gateway High Availability cluster with at least one worker.
- Internal IP addresses for all Access Gateway cluster members including admin node.
- VPC(s) being used by the Access Gateway cluster.
- The external domain for the load balancer. For example oag-external.com.
- Credentials for your DNS Service provider to create required A records.
To configure an AWS EC2 Load Balancer
- Open a browser to the AWS EC2 console at https://console.aws.amazon.com/ec2/.
- Sign in to the AWS Console.
- In the left pane, scroll to and expand Load Balancing.
- Click Load Balancers.
- Click Create Load Balancer.
- Under Application Load Balancer, click Create.
- In Step 1: Configure Load Balancer, specify the following:
Name: An appropriate name such as AccessGatewayLoadBalancer. Do not include spaces or special characters in the name.
Scheme: Confirm internet-facing is selected.
IP address type: Confirm IPv4 is selected.
Load Balancer Protocol: Select HTTPS. Do not add a second listener.
Availability Zones: For each VPC containing Access Gateway nodes, select the check box for each Availability Zone in use. For example, if nodes were in both us-west-1 and us-west-2, check both entries.
- Click Next: Configure Security Settings.
Configuring security settings includes requesting and configuring a certificate for the load balancer.
If an existing certificate exists it can be reused.
- In the Configure Security Settings page, click Request a new certificate from ACM. A new tab will open and the Request a Certificate wizard will start.
Do not close the Configure Security Settings tab. It is difficult to return to this screen, and you may need to create a new load balancer if you do.
- In the Domain Name field, enter the name of the external domain. You can also add additional DNS names to the certificate.
Click Next when complete.
- Select an appropriate validation method, typically DNS validation, and click Next.
- Add tags if required, otherwise click Review.
- Review the request, using Previous to correct any errors and click Confirm and request. Validation will occur and a CNAME name/value pair will be generated.
- Expand the domain name section for the given domain name and note the name and value field values.
- Connect to your DNS Service provider and add a new CNAME record containing the name and value pair.
Note that the name value provided by AWS includes a trailing suffix representing the domain that the certificate was generated against. That domain name portion is not used when defining the CNAME record. For example, for a name of _a15cab...8ba8.example.com, the .example.com portion is omitted.
- Copy and paste the name, without .example.com, into the hostname field, and copy the value field into the target field.
- Save the CNAME record. Leave this tab open for later use.
- Return to the AWS Console.
- In the Request a certificate tab, click Continue. AWS will then confirm the certificate.
- Once the certificate completes validation you may close this tab.
Note: Depending on various factors it can take a few minutes for the certificate to be confirmed within AWS.
- Return to the Configure Security Settings tab.
- Using the Refresh icon next to Certificate name drop down, refresh the known certificates list.
- Select the newly created certificate and click Next: Configure Security Groups.
The security group used with the Access Gateway cluster is more permissive than what the load balancer requires. In this step we create a security group that allows only HTTPS.
- In the Assign a security group field, select Create a new security group.
- Specify an appropriate name such as AccessGatewayLB-SecurityGroup.
- A single rule is added by default. Modify this rule to specify HTTPS over port 443.
Leave all other fields as their default values.
- Click Next: Configure Routing.
Routing specifies the targets of the load balancer and health check settings.
- In the Target group section, specify the following:
Target Group: New target group
Name: Any appropriate name such as AccessGatewayLB-TargetGroup
Protocol: HTTPS
Port: 443
- Expand the Advanced section
- Specify a Success Code of 400.
We will need to return to the Health Check section later to specify a more robust health check.
- Click Next: Register targets.
Targets represent the Access Gateway nodes the load balancer interacts with.
- In the Instances pane, select each line representing a member of Access Gateway cluster. This can include the admin node and should include all worker nodes.
- Click Add to registered. All selected instances should now show registered.
- Click Review. Examine the settings, making any required changes.
- Click Create.
The load balancer will be created. Note that this can take between one and five minutes.
Steps to associate a load balancer with DNS will vary by DNS provider.
- In the AWS console, note the load balancer's external name, shown in the DNS name column of the load balancers list.
- Connect to your DNS Service provider and add a CNAME record for the external name whose target is the AWS load balancer name.
For example: CNAME host: www.[your external name], target: aws...com.
- Return to the AWS console.
Load Balancers must specify sticky sessions.
- If required, in the navigation pane under Load Balancing, click Load Balancers. A list of all defined load balancers will display.
- Select the newly created load balancer.
- On the Description tab, click Edit stickiness. The Edit stickiness page will display.
- Select Enable load balancer generated cookie stickiness.
- In Expiration Period, enter the expiration period in seconds. Note that this field should match the session timeout field for Access Gateway.
- Choose Save.
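As an added example that is not part of the Okta page, the load balancer configured above expressed as Terraform for the AWS provider: a security group for the load balancer alone that allows only HTTPS, a target group with the 400 success code and load-balancer cookie stickiness, and a single HTTPS listener. The variable names (var.vpc_id, var.subnet_ids, var.certificate_arn for the validated ACM certificate, var.node_instance_ids, var.session_timeout_seconds) are assumptions.

```hcl
# Added example, not Okta's code. Assumed inputs: var.vpc_id, var.subnet_ids, var.certificate_arn, var.node_instance_ids, var.session_timeout_seconds.
resource "aws_security_group" "oag_lb" { # load balancer only; HTTPS in, HTTPS out to nodes
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_lb" "oag" {
  load_balancer_type = "application" # internet-facing (internal = false) and IPv4 by default
  security_groups    = [aws_security_group.oag_lb.id]
  subnets            = var.subnet_ids # one subnet per Availability Zone in use
}
resource "aws_lb_target_group" "oag" {
  protocol = "HTTPS"
  port     = 443
  vpc_id   = var.vpc_id
  health_check {
    matcher = "400" # the initial success code from the page; tighten it later
  }
  stickiness { # cookie lifetime must equal the Access Gateway session timeout
    type            = "lb_cookie"
    cookie_duration = var.session_timeout_seconds
  }
}
resource "aws_lb_target_group_attachment" "nodes" { # register every cluster member
  for_each         = toset(var.node_instance_ids)
  target_group_arn = aws_lb_target_group.oag.arn
  target_id        = each.value
  port             = 443
}
resource "aws_lb_listener" "https" { # the only listener; no HTTP listener is added
  load_balancer_arn = aws_lb.oag.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.oag.arn
  }
}
```

Terraform removes the default allow-all egress rule from a VPC security group, so the explicit egress block is what lets the load balancer reach the nodes on 443.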
Load balancers can be tested using a header-based application.
Complete this section if an application does not already exist for www.[external domain].com.
- Return to, or sign in to, the Access Gateway admin console.
- Select the Applications tab.
- Click Add.
- Select Sample Header.
- In the Essentials tab specify the following:
Name: An appropriate name for the application, such as Load Balancer Header Test
Public Domain: www.[external domain]. For example www.oag-external.com.
Groups: Everyone
- Click Next. The Attributes tab will open.
- Click Next. The Policies tab will open.
- Click Done.
- Open a new browser or a Chrome incognito window.
- Enter the URL associated with the application.
- The Access Gateway sample header app page should display.