Configure Amazon Web Services load balancers


Before you begin

Ensure that:

  • You have a previously configured Access Gateway high availability cluster with at least one worker.
  • You have the internal IP addresses of all Access Gateway cluster members, including the admin node.
  • You know the VPC(s) used by the Access Gateway cluster.
  • You have the external domain for the load balancer. For example
  • You have credentials for your DNS service provider so that you can create the required records.

To configure an AWS EC2 Load Balancer

Connect to the Amazon EC2 console

  1. Open a browser to the AWS EC2 console at
  2. Sign in to the AWS Console.

Configure basic load balancer settings

  1. In the left pane scroll to and expand Load Balancing.
  2. Click Load Balancers.
  3. Click Create Load Balancer.
  4. In Application Load Balancer, click Create.
  5. In Step 1: Configure Load Balancer, specify the following:

    Basic Configuration

    Name: An appropriate name, such as AccessGatewayLoadBalancer. Use letters only, with no spaces.

    Scheme: Ensure that internet-facing is selected.

    IP address type: Ensure that IPv4 is selected.

    Load Balancer Protocol

    Select HTTPS. Don't add a second listener.

    Availability Zones

    For each VPC containing Access Gateway nodes, select the check box for each Availability Zone in use. For example, if nodes were in both us-west-1 and us-west-2, select both entries.
  6. Click Next: Configure Security Settings.

Configure security settings

Configuring security settings includes requesting and configuring a certificate for the load balancer.
You can also reuse an existing certificate.
  1. On the Configure Security Settings page, click Request a new certificate from ACM. A new tab opens and the Request a Certificate wizard starts.

    Keep the Configure Security Settings tab open. It's difficult to return to this screen, and you may need to create a new load balancer if you close it.

  2. In the Domain Name field, enter the name of the external domain. You can also add additional names to the certificate.
  3. Click Next.
  4. Select an appropriate validation method, typically DNS validation, and click Next.
  5. Add tags if required, otherwise click Review.
  6. Review the request, using Previous to correct any errors and click Confirm and request. Validation occurs and a CNAME name/value pair is generated.
  7. Expand the domain name section for the given domain name and note the name and value field values.
  8. Connect to your DNS service provider and add a new CNAME record containing the name and value pair.
    Note: The name value provided by AWS includes a trailing suffix representing the domain that the certificate was generated against (for example, _a15cab. followed by the domain). That domain portion is not used when defining the CNAME record.
  9. Copy and paste the name, without the domain suffix, into the hostname field, and copy the value field into the target field.
  10. Save the CNAME record. Leave this tab open for later use.
  11. Return to the AWS Console.
  12. In the Request a certificate tab, click Continue. AWS will then confirm the certificate.
  13. Once the certificate completes validation you may close this tab.
    Note: Depending on various factors it can take a few minutes for the certificate to be confirmed within AWS.
  14. Return to the Configure Security Settings tab.
  15. Using the Refresh icon next to Certificate name drop down, refresh the known certificates list.
  16. Select the newly created certificate and click Next: Configure Security Groups.

Configure security group

The security group used with the Access Gateway cluster is more permissive than the load balancer requires. In this step we create a security group that allows only HTTPS.
  1. In the Assign a security group field, select Create a new security group.
  2. Specify an appropriate name, such as AccessGatewayLB-SecurityGroup.
  3. A single rule is added by default. Modify this rule to specify HTTPS over port 443.
    Leave all other fields as their default values.
  4. Click Next: Configure Routing.

Configure routing

Routing specifies the targets of the load balancer and health check settings.
  1. In the target group, specify:
    Target group: New target group
    Name: Any appropriate name, such as AccessGatewayLB-TargetGroup
  2. Expand the Advanced section.
  3. Specify Success Code as 400.

    We will need to return to the Health Check section to specify a more robust health check.

  4. Click Next: Register targets.

Register targets and create the load balancer

Targets represent the Access Gateway nodes that the load balancer interacts with.
  1. In the Instances pane, select each line representing a member of Access Gateway cluster. This can include the admin node and should include all worker nodes.
  2. Click Add to registered. All selected instances should now show registered.
  3. Click Review. Examine the settings, making any required changes.
  4. Click Create.
    The load balancer is created. This can take a few minutes.

Register load balancer with DNS service provider

Steps to associate a load balancer with DNS vary depending on the DNS provider.
  1. In the AWS console, note the load balancer's external name, shown in the DNS name column of the load balancers list.
  2. Connect to your DNS service provider and add a CNAME record mapping your external name to the AWS load balancer name.
    For example: CNAME host: www.[your external name], target:
  3. Return to the AWS console.

Enable sticky sessions

Load balancers must specify sticky sessions.

  1. If required, in the navigation pane, go to Load Balancing and click Load Balancers. A list of all defined load balancers displays.
  2. Select the newly created load balancer.
  3. On the Description tab, click Edit stickiness. The Edit stickiness page displays.
  4. Select Enable load balancer generated cookie stickiness.
  5. In Expiration Period, enter the expiration period in seconds. This field should match the session timeout field for Access Gateway.
  6. Click Save.
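The security group, routing and sticky session steps above each prescribe one setting (a single HTTPS listener, ingress on TCP 443 only, health check success code 400, load balancer generated cookie stickiness whose expiry matches the Access Gateway session timeout). The following added example, which is not part of this page or of Access Gateway, audits the JSON that the AWS CLI commands aws elbv2 describe-listeners, aws ec2 describe-security-groups, aws elbv2 describe-target-groups and aws elbv2 describe-target-group-attributes return against those settings; the session timeout value and the sample data are constructed assumptions.

```python
# Expected settings from this page for the Access Gateway load balancer.
EXPECTED_LISTENERS = [("HTTPS", 443)]   # one HTTPS listener, no second one
EXPECTED_SUCCESS_CODE = "400"           # health check Success Code
# Hypothetical Access Gateway session timeout, in seconds; use your own value.
SESSION_TIMEOUT = 3600


def audit(listeners, security_groups, target_groups, tg_attributes,
          session_timeout=SESSION_TIMEOUT):
    """Compare AWS CLI 'describe-*' output against the settings this page
    prescribes. Returns a list of findings; an empty list means it matches."""
    findings = []
    found = [(l["Protocol"], l["Port"]) for l in listeners["Listeners"]]
    if found != EXPECTED_LISTENERS:
        findings.append(f"listeners: expected one HTTPS:443 listener, found {found}")
    for perm in security_groups["SecurityGroups"][0]["IpPermissions"]:
        if (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")) != ("tcp", 443, 443):
            findings.append(f"security group: ingress other than TCP 443: {perm}")
    code = target_groups["TargetGroups"][0]["Matcher"]["HttpCode"]
    if code != EXPECTED_SUCCESS_CODE:
        findings.append(f"health check: success code {code}, expected 400")
    attrs = {a["Key"]: a["Value"] for a in tg_attributes["Attributes"]}
    if attrs.get("stickiness.enabled") != "true" or attrs.get("stickiness.type") != "lb_cookie":
        findings.append("stickiness: load balancer generated cookie stickiness is off")
    elif attrs.get("stickiness.lb_cookie.duration_seconds") != str(session_timeout):
        findings.append("stickiness: expiration period differs from Access Gateway session timeout")
    return findings


def sample_config(http_listener=False):
    """Constructed sample in the shape of the AWS CLI JSON output (not real data)."""
    proto, port = ("HTTP", 80) if http_listener else ("HTTPS", 443)
    return (
        {"Listeners": [{"Protocol": proto, "Port": port}]},
        {"SecurityGroups": [{"IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443}]}]},
        {"TargetGroups": [{"Matcher": {"HttpCode": "400"}}]},
        {"Attributes": [{"Key": "stickiness.enabled", "Value": "true"},
                        {"Key": "stickiness.type", "Value": "lb_cookie"},
                        {"Key": "stickiness.lb_cookie.duration_seconds", "Value": "3600"}]},
    )


if __name__ == "__main__":
    # Real use: pass json.load() of the four AWS CLI outputs instead of the sample.
    for finding in audit(*sample_config()) or ["load balancer matches this page"]:
        print(finding)
```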


You can test load balancers using a header-based application.
Complete this section if an application doesn't already exist for www.[external domain].com.

  1. Return to or sign in to the Access Gateway Admin UI console.
  2. Select the Applications tab.
  3. Click Add.
  4. Select Sample Header.
  5. In the Essentials tab specify the following:
    Name: An appropriate name for the application, such as Load Balancer Header Test.
    Public Domain: www.[external domain]. For example,
  6. Click Next. The Attributes tab will open.
  7. Click Next. The Policies tab will open.
  8. Click Done.
  9. Open a new browser or a Chrome incognito window.
  10. Enter the URL associated with the application.
  11. The Access Gateway sample header app page should display.

Related resources

About load balancers

Amazon Web Services deploy tasks

Improve AWS load balancer health monitoring