Configure Amazon Web Services load balancers
- Connect to the Amazon EC2 console
- Configure basic load balancer settings
- Configure security settings
- Configure security group
- Configure routing
- Register targets and create the load balancer
- Register load balancer with DNS service provider
- Enable sticky sessions
Before you begin
- You have a previously configured Access Gateway high availability cluster with at least one worker.
- You have internal IP addresses for all Access Gateway cluster members including admin node.
- You know which VPC(s) the Access Gateway cluster uses.
- You have the external domain for the load balancer, for example oag-external.com.
- You have credentials for your DNS Service provider to create required A records.
To configure an AWS EC2 Load Balancer
- Open a browser to the AWS EC2 console (https://console.aws.amazon.com/ec2/).
- Sign in to the AWS Console.
- Click Load Balancers under Load Balancing.
- Click Create Load Balancer.
- Create an Application Load Balancer.
- In Step 1: Configure Load Balancer, specify the following:

| Field | Section | Value |
|---|---|---|
| Name | Basic Configuration | A meaningful name for the load balancer, such as AccessGatewayLoadBalancer. You can only use alphabetic characters in the name. |
| Scheme | Basic Configuration | |
| IP address type | Basic Configuration | Select IPV4. |
| Load Balancer Protocol | Listeners | Select HTTPS. Don't add a second listener. |
| Availability Zones | Availability Zones | For each VPC that contains Access Gateway nodes, select the checkboxes of all Availability Zones in use. For example, if you have nodes in us-west-1 and us-west-2, select the checkboxes for both zones. |
- Click Next: Configure Security Settings.
Configuring security settings includes requesting and configuring a certificate for the load balancer. Alternatively, you can reuse an existing certificate.
- On the Configure Security Settings page, click Request a new certificate from ACM. A new tab opens and the Request a Certificate wizard starts.
Keep the Configure Security Settings tab open. If you close it, you may need to create the load balancer again, because it can be difficult to return to this page.
- Enter the name of the external domain in the Domain Name field. You can add additional names and DNS names to the certificate.
- Click Next.
- Select an appropriate DNS validation method, typically DNS Validation and click Next.
- Optional. Add any required tags.
- Click Review.
- Review the request, using Previous to correct any errors and click Confirm and request. Validation occurs and a CNAME name/value pair is generated.
- Expand the domain name section for the given domain name and note the values of the Name and Value fields. Connect to your DNS service provider and add a CNAME record that contains the name and value pair. The name provided by AWS includes a trailing suffix representing the domain that the certificate was generated against. That domain name portion (for example, the `.example.com` part of `_a15cab...8ba8.example.com`) isn't used when defining the CNAME record.
- Copy and paste the name, without .example.com, into the hostname field, and copy the Value field into the target field.
- Save the CNAME record. Leave this tab open for later use.
- Return to the AWS console.
- In the Request a certificate tab, click Continue. AWS will then confirm the certificate.
- It may take a few minutes for AWS to validate the certificate, after which you can close this tab.
- Return to the Configure Security Settings tab.
- Click the Refresh icon to refresh the known certificates list.
- Select your certificate and click Next: Configure Security Groups.
The security group used with the Access Gateway cluster has more permissions than those required by the load balancer. The following steps demonstrate how to create a security group that only allows HTTPS:
- In the Assign a security group field, select Create a new security group.
- Enter a name for the group (for example, AccessGatewayLB-SecurityGroup).
- A single rule is added by default. Modify this rule to allow HTTPS on TCP port 443.
Leave all other fields as their default values.
- Click Next: Configure Routing.
Routing specifies the targets of the load balancer and health check settings.
- In the target group, specify:
| Field | Value |
|---|---|
| Target Group | New target group |
| Name | Any appropriate name, such as AccessGatewayLB-TargetGroup |
| Protocol | HTTPS |
| Port | 443 |
- Expand the Advanced section.
- Specify 400 as the Success Code.
You'll need to return to the Health Check section later to specify a more robust health check.
- Click Next: Register targets.
Targets represent the Access Gateway nodes that the load balancer interacts with.
- In the Instances pane, select each line representing a member of Access Gateway cluster. This can include the admin node and should include all worker nodes.
- Click Add to registered. All selected instances should now show registered.
- Click Review. Examine the settings and make any required changes.
- Click Create to create the load balancer. This can take a few minutes to complete.
Steps to associate a load balancer with DNS vary depending on the DNS provider.
- In the AWS console, note the load balancer's external name, shown in the DNS name column of the load balancers list.
- Connect to your DNS service provider and add a CNAME record mapping the AWS load balancer name to the external name.
For example: CNAME host: www.[your external name], target: aws...com.
- Return to the AWS console.
Load balancers used with Access Gateway must have sticky sessions enabled.
- If required, in the navigation pane, go to Load Balancing and click Load Balancers. A list of all defined load balancers displays.
- Select the newly created load balancer.
- On the Description tab, click Edit stickiness. The Edit stickiness page displays.
- Select Enable load balancer generated cookie stickiness.
- In Expiration Period, enter the expiration period in seconds. This field should match the session timeout field for Access Gateway.
- Click Save.
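The settings chosen in the console steps above (an HTTPS-only security group, an HTTPS listener with the ACM certificate, a target group with the interim 400 health-check code, and load-balancer cookie stickiness matched to the Access Gateway session timeout) can also be expressed as an AWS CloudFormation template. The template below is an added example, not part of the original page and not Okta's own code. The parameters VpcId, SubnetIds, CertificateArn, WorkerNode1InstanceId and SessionTimeoutSeconds are assumptions, as are the internet-facing scheme (the page leaves Scheme blank) and the listener's SslPolicy; the page specifies neither.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: HTTPS-only Application Load Balancer in front of an Access Gateway cluster (added example)

Parameters:
  VpcId:                   # assumption: the VPC that holds the Access Gateway nodes
    Type: AWS::EC2::VPC::Id
  SubnetIds:               # assumption: one subnet per Availability Zone in use
    Type: List<AWS::EC2::Subnet::Id>
  CertificateArn:          # ARN of the ACM certificate requested for the external domain
    Type: String
  WorkerNode1InstanceId:   # assumption: instance ID of an Access Gateway worker node
    Type: AWS::EC2::Instance::Id
  SessionTimeoutSeconds:   # must match the Access Gateway session timeout
    Type: Number
    Default: 3600

Resources:
  # Security group for the load balancer: only HTTPS (TCP 443) is allowed in,
  # narrower than the security group used by the cluster nodes themselves.
  AccessGatewayLBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Access Gateway load balancer - HTTPS only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  AccessGatewayLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: AccessGatewayLoadBalancer
      Type: application
      Scheme: internet-facing     # assumption: the external domain implies a public load balancer
      IpAddressType: ipv4
      Subnets: !Ref SubnetIds
      SecurityGroups:
        - !Ref AccessGatewayLBSecurityGroup

  # Target group: HTTPS to the nodes on 443; the health check accepts a 400
  # response as the page's interim setting; stickiness uses a load-balancer
  # generated cookie whose lifetime equals the Access Gateway session timeout.
  AccessGatewayLBTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: AccessGatewayLB-TargetGroup
      VpcId: !Ref VpcId
      TargetType: instance
      Protocol: HTTPS
      Port: 443
      HealthCheckProtocol: HTTPS
      HealthCheckPath: /
      Matcher:
        HttpCode: '400'           # interim value; replace with a more robust health check later
      TargetGroupAttributes:
        - Key: stickiness.enabled
          Value: 'true'
        - Key: stickiness.type
          Value: lb_cookie
        - Key: stickiness.lb_cookie.duration_seconds
          Value: !Ref SessionTimeoutSeconds
      Targets:                    # add one entry per cluster member (all workers, optionally admin)
        - Id: !Ref WorkerNode1InstanceId
          Port: 443

  # Single HTTPS listener carrying the ACM certificate; no HTTP listener is created.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref AccessGatewayLoadBalancer
      Protocol: HTTPS
      Port: 443
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06   # assumption: not specified on the page
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref AccessGatewayLBTargetGroup

Outputs:
  LoadBalancerDnsName:
    Description: Use this as the CNAME target for www.[external domain] at your DNS provider
    Value: !GetAtt AccessGatewayLoadBalancer.DNSName
```

The security group, listener and target group map one-to-one to the console pages above; the Outputs section exposes the DNS name you would otherwise read from the DNS name column when creating the CNAME record at your DNS provider.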
You can test the load balancer using a header-based sample application. Complete this section if an application doesn't already exist for www.[external domain].com.
- Return to or sign in to the Access Gateway Admin UI console.
- Select the Applications tab.
- Click Add.
- Select Sample Header.
- In the Essentials tab specify the following:
| Field | Value |
|---|---|
| Name | An appropriate name for the application, such as Load Balancer Header Test. |
| Public Domain | www.[external domain]. For example, www.oag-external.com. |
| Groups | Everyone |
- Click Next. The Attributes tab opens.
- Click Next. The Policies tab opens.
- Click Done.
- Open a new browser or a private browsing tab.
- Enter the URL associated with the application.
- The Access Gateway sample header app page should display.