Configure Amazon Web Services load balancers

Before you begin

Ensure that:

  • You have a previously configured Access Gateway high availability cluster with at least one worker.
  • You have internal IP addresses for all Access Gateway cluster members including the admin node.
  • You know the VPCs that the Access Gateway cluster is using.
  • You have the external domain for the load balancer. For example, oag-external.com.
  • You have the necessary credentials with your DNS service provider to create the required records.

To configure an AWS EC2 Load Balancer

Connect to the Amazon EC2 console

  1. Open a browser to the AWS EC2 console (https://console.aws.amazon.com/ec2/).
  2. Sign in to the AWS Console.

Configure basic load balancer settings

  1. Click Load Balancers under Load Balancing.
  2. Click Create Load Balancer.
  3. Create an Application Load Balancer.
  4. In Step 1: Configure Load Balancer, specify the following:

    Field                  | Section             | Value
    Name                   | Basic Configuration | A meaningful name for the load balancer, such as AccessGatewayLoadBalancer. You can only use alphabetic characters in the name.
    Scheme                 | Basic Configuration | Select internet-facing.
    IP address type        | Basic Configuration | Select IPv4.
    Load Balancer Protocol | Listeners           | Select HTTPS. Don't add a second listener.
    Availability Zones     | Availability Zones  | For each VPC that contains Access Gateway nodes, select the checkboxes of all Availability Zones in use. For example, if you have nodes in us-west-1 and us-west-2, select the checkboxes for both zones.

  5. Click Next: Configure Security Settings.

Configure security settings

Configuring security settings includes requesting and configuring a certificate for the load balancer. Alternatively, you can reuse an existing certificate.
  1. On the Configure Security Settings page, click Request a new certificate from ACM. A new tab opens and the Request a Certificate wizard starts.

    It's useful to keep the Configure Security Settings tab open. You may need to create another load balancer and it can be difficult to return to this page.

  2. Enter the name of the external domain in the Domain Name field. You can add more domain names to the certificate.
  3. Click Next.
  4. Select an appropriate validation method, typically DNS validation, and click Next.
  5. Optional. Add any required tags.
  6. Click Review.
  7. Review the request, using Previous to correct any errors and click Confirm and request. Validation occurs and a CNAME name/value pair is generated.
  8. Expand the section for the given domain name and note the values of the Name and Value fields. Connect to your DNS service provider and add a CNAME record that contains the name and value pair. The name provided by AWS includes a trailing suffix representing the domain that the certificate was requested for. That domain portion (for example, the .example.com in _a15cab...8ba8.example.com) isn't used when defining the CNAME record.
  9. Copy the name, without .example.com, into the hostname field, and copy the value into the target field.
  10. Save the CNAME record. Leave this tab open for later use.
  11. Return to the AWS console.
  12. In the Request a certificate tab, click Continue. AWS confirms the certificate.
  13. It may take a few minutes for AWS to validate the certificate. After validation, you can close this tab.
  14. Return to the Configure Security Settings tab.
  15. Click the Refresh icon to refresh the known certificates list.
  16. Select your certificate and click Next: Configure Security Groups.
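Step 8 above is where most DNS-validation mistakes happen: the zone suffix must be removed from the Name field but the Value field must be copied unchanged, and the two must not be swapped. The following helper, added here as an example and not Okta's or AWS's code, turns the ACM-provided pair into the host/target pair a DNS provider's CNAME form expects and rejects the common mix-ups. The record names and values in it are constructed placeholders; the only real fact it relies on is that ACM validation targets live under acm-validations.aws.

```python
"""Convert an ACM DNS-validation record into the host/target pair a DNS
provider's CNAME form expects. Added example; not Okta's or AWS's code.

The record name ACM shows (constructed here as _a15cab.example.com) carries
the validated domain as a suffix. Most DNS providers want the hostname
relative to the zone, so that suffix is stripped from the name; the value
is copied as-is, because it is an absolute name in AWS's validation zone.
"""

from dataclasses import dataclass

ACM_VALIDATION_SUFFIX = ".acm-validations.aws"  # zone ACM uses for DNS-validation targets


@dataclass(frozen=True)
class CnameRecord:
    host: str    # what goes into the provider's hostname field
    target: str  # what goes into the provider's target field


def _normalize(name: str) -> str:
    """Lower-case a DNS name and drop a trailing dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()


def to_provider_record(acm_name: str, acm_value: str, zone: str) -> CnameRecord:
    """Strip the zone suffix from the ACM record name and keep the value intact."""
    name, zone_norm = _normalize(acm_name), _normalize(zone)
    suffix = "." + zone_norm
    if not name.endswith(suffix):
        raise ValueError(f"{acm_name!r} is not below the zone {zone!r}; "
                         "check which domain the certificate was requested for")
    host = name[: -len(suffix)]
    if not host.startswith("_"):
        raise ValueError(f"{acm_name!r} does not look like an ACM validation record "
                         "(no leading '_')")
    target = acm_value.strip()
    if not _normalize(target).endswith(ACM_VALIDATION_SUFFIX):
        raise ValueError(f"{acm_value!r} is not an ACM validation target; "
                         "did the Name and Value fields get swapped?")
    return CnameRecord(host=host, target=target)


def record_matches(published_cname: str, expected_target: str) -> bool:
    """Compare what DNS now returns with what ACM asked for, ignoring case and
    the trailing dot, so a correct record is not mistaken for a wrong one."""
    return _normalize(published_cname) == _normalize(expected_target)


if __name__ == "__main__":
    # Constructed sample: the pair as it would appear in the ACM console.
    rec = to_provider_record("_a15cab.example.com", "_8ba8.acm-validations.aws.", "example.com")
    print(f"hostname field: {rec.host}")   # _a15cab
    print(f"target field:   {rec.target}") # _8ba8.acm-validations.aws.
```

Note that only the zone is removed: for a certificate on www.oag-external.com in the oag-external.com zone, the hostname field becomes `_xxxx.www`, not `_xxxx`.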

Configure security group

The security group used with the Access Gateway cluster has more permissions than those required by the load balancer. The following steps demonstrate how to create a security group that only allows HTTPS:
  1. In the Assign a security group field, select Create a new security group.
  2. Enter a name for the group (for example, AccessGatewayLB-SecurityGroup).
  3. A single rule is added by default. Modify this rule to specify HTTPS over port 443. Leave all other fields set to their default values.
  4. Click Next: Configure Routing.

Configure routing

Routing specifies the targets of the load balancer and health check settings.
  1. In the target group, specify:

    Field        | Value
    Target Group | New target group
    Name         | Any appropriate name, such as AccessGatewayLB-TargetGroup
    Protocol     | HTTPS
    Port         | 443
  2. Expand the Advanced section.
  3. Specify Success Code as 400.

    You must return to the Health Check section to specify a more robust health check.

  4. Click Next: Register targets.

Register targets and create the load balancer

Targets represent the Access Gateway nodes that the load balancer interacts with.
  1. In the Instances pane, select each line representing a member of the Access Gateway cluster. This can include the admin node and should include all worker nodes.
  2. Click Add to registered. All selected instances should now show registered.
  3. Click Review. Examine the settings, making any required changes.
  4. Click Create to create the load balancer. This can take a few minutes to complete.

Register load balancer with DNS service provider

Steps to associate a load balancer with DNS vary depending on the DNS provider.

  1. In the AWS console, note the load balancer's external name, shown in the DNS name column of the load balancers list.
  2. Connect to your DNS service provider and add a CNAME record mapping the AWS load balancer name to the external name.

    For example: CNAME host: www.[your external name], target: aws...com.

  3. Return to the AWS console.

Enable sticky sessions

The load balancer must have sticky sessions enabled so that a user's requests keep reaching the same Access Gateway node.

  1. If required, in the navigation pane, go to Load Balancing and click Load Balancers. A list of all defined load balancers displays.
  2. Select the newly created load balancer.
  3. On the Description tab, click Edit stickiness. The Edit stickiness page displays.
  4. Select Enable load balancer generated cookie stickiness.
  5. In Expiration Period, enter the expiration period in seconds. This value should match the session timeout configured for Access Gateway.
  6. Click Save.
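The console steps from "Configure security group" through "Enable sticky sessions" reduce to a handful of API calls. The block below is an added example, not Okta's or AWS's code, that expresses the same settings with boto3: a security group that opens only TCP 443, an HTTPS target group on 443 whose health check accepts 400, a single HTTPS listener, and load-balancer-generated cookie stickiness whose expiry is tied to the Access Gateway session timeout. Every resource id, ARN, subnet id and the 3600-second timeout are constructed placeholders, and the boto3 method and parameter names are the standard elbv2/ec2 client API as the author knows it; boto3 itself is imported only inside create_access_gateway_alb so the parameter builders can be checked without AWS credentials.

```python
"""Console load balancer steps as boto3 calls. Added example; not Okta's
or AWS's code. Ids and ARNs passed in are constructed placeholders."""

from __future__ import annotations
from typing import Iterable

MAX_LB_COOKIE_SECONDS = 7 * 24 * 3600  # ALB upper limit for stickiness.lb_cookie.duration_seconds


def security_group_ingress(group_id: str) -> dict:
    """The single inbound rule the load balancer needs: TCP 443 only."""
    return {
        "GroupId": group_id,
        "IpPermissions": [{
            "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "HTTPS to Access Gateway"}],
        }],
    }


def load_balancer_params(name: str, subnet_ids: Iterable[str], security_group_id: str) -> dict:
    """Internet-facing IPv4 application load balancer, one subnet per Availability Zone in use."""
    if not name.isalpha():  # the page's rule: alphabetic characters only
        raise ValueError("load balancer name must contain only letters")
    subnets = list(subnet_ids)
    if len(subnets) < 2:
        raise ValueError("an application load balancer needs subnets in at least two Availability Zones")
    return {"Name": name, "Subnets": subnets, "SecurityGroups": [security_group_id],
            "Scheme": "internet-facing", "Type": "application", "IpAddressType": "ipv4"}


def target_group_params(name: str, vpc_id: str) -> dict:
    """HTTPS target group on 443. Access Gateway answers the default health check
    with 400, so that code counts as healthy until a stronger check is configured."""
    return {"Name": name, "Protocol": "HTTPS", "Port": 443, "VpcId": vpc_id,
            "TargetType": "instance", "HealthCheckProtocol": "HTTPS",
            "Matcher": {"HttpCode": "400"}}


def register_targets_params(tg_arn: str, instance_ids: Iterable[str]) -> dict:
    """Every worker node (and optionally the admin node) becomes a target on 443."""
    targets = [{"Id": i, "Port": 443} for i in instance_ids]
    if not targets:
        raise ValueError("at least one Access Gateway node must be registered")
    return {"TargetGroupArn": tg_arn, "Targets": targets}


def listener_params(lb_arn: str, tg_arn: str, certificate_arn: str) -> dict:
    """One HTTPS listener on 443 forwarding to the target group; no HTTP listener."""
    return {"LoadBalancerArn": lb_arn, "Protocol": "HTTPS", "Port": 443,
            "Certificates": [{"CertificateArn": certificate_arn}],
            "DefaultActions": [{"Type": "forward", "TargetGroupArn": tg_arn}]}


def stickiness_attributes(tg_arn: str, session_timeout_seconds: int) -> dict:
    """Load-balancer-generated cookie stickiness; duration equals the Access Gateway session timeout."""
    if not 1 <= session_timeout_seconds <= MAX_LB_COOKIE_SECONDS:
        raise ValueError("stickiness duration must be between 1 second and 7 days")
    return {"TargetGroupArn": tg_arn, "Attributes": [
        {"Key": "stickiness.enabled", "Value": "true"},
        {"Key": "stickiness.type", "Value": "lb_cookie"},
        {"Key": "stickiness.lb_cookie.duration_seconds", "Value": str(session_timeout_seconds)},
    ]}


def create_access_gateway_alb(name: str, vpc_id: str, subnet_ids: list[str],
                              instance_ids: list[str], certificate_arn: str,
                              session_timeout_seconds: int, region: str) -> str:
    """Run the calls in console order and return the load balancer's DNS name."""
    import boto3  # imported here so the builders above stay usable offline
    ec2 = boto3.client("ec2", region_name=region)
    elbv2 = boto3.client("elbv2", region_name=region)
    sg_id = ec2.create_security_group(GroupName=name + "SecurityGroup", VpcId=vpc_id,
                                      Description="HTTPS only, Access Gateway load balancer")["GroupId"]
    ec2.authorize_security_group_ingress(**security_group_ingress(sg_id))
    lb = elbv2.create_load_balancer(**load_balancer_params(name, subnet_ids, sg_id))
    lb_arn = lb["LoadBalancers"][0]["LoadBalancerArn"]
    tg = elbv2.create_target_group(**target_group_params(name + "TargetGroup", vpc_id))
    tg_arn = tg["TargetGroups"][0]["TargetGroupArn"]
    elbv2.register_targets(**register_targets_params(tg_arn, instance_ids))
    elbv2.create_listener(**listener_params(lb_arn, tg_arn, certificate_arn))
    elbv2.modify_target_group_attributes(**stickiness_attributes(tg_arn, session_timeout_seconds))
    return lb["LoadBalancers"][0]["DNSName"]  # the name to publish as a CNAME with the DNS provider


if __name__ == "__main__":
    # Constructed placeholders; replace with the real ids before running against AWS.
    dns_name = create_access_gateway_alb(
        "AccessGatewayLoadBalancer", "vpc-PLACEHOLDER", ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"],
        ["i-PLACEHOLDER-worker1", "i-PLACEHOLDER-worker2"], "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER",
        session_timeout_seconds=3600, region="us-west-1")
    print(dns_name)
```

The builders are kept separate from the API calls on purpose: they can be reviewed, diffed and unit-tested, and the 400 matcher and the stickiness duration are the two values most worth re-checking when the Access Gateway session timeout or health check changes.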

Test

You can test load balancers using a header-based application. Complete this section if an application doesn't already exist for www.[external domain].com.

  1. Return to or sign in to the Access Gateway Admin UI console.
  2. Select the Applications tab.
  3. Click Add.
  4. Select Sample Header.
  5. In the Essentials tab, specify the following:

    Field         | Value
    Name          | An appropriate name for the application, such as Load Balancer Header Test.
    Public Domain | www.[external domain]. For example, www.oag-external.com.
    Groups        | Everyone
  6. Click Next. The Attributes tab opens.
  7. Click Next. The Policies tab opens.
  8. Click Done.
  9. Open a new browser or a private browsing tab.
  10. Enter the URL associated with the application.
  11. The Access Gateway sample header app page should display.

Related resources

Load balancers

Amazon Web Services deployment tasks

Improve AWS load balancer health monitoring