how to add google compute instances behind aws elb - amazon-ec2

I deployed web instances over Google Compute Engine. I am managing load balancing with an nginx load balancer now, but I want it to be handled with Amazon's ELB.
Can somebody tell me how we could do it?
Thanks

This is not possible.
AWS ELB only works for load-balancing traffic among ec2 instances.
Please refer to the following AWS documentation for more details:
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elastic-load-balancing.html
Also I am not clear why you would not use Google Cloud Load Balancing for your Google Compute Engine instances. You should avoid the additional hops between networks for routing traffic from one network to the other.
Please refer to the following docs for more information:
https://cloud.google.com/compute/docs/load-balancing-and-autoscaling#policies

Related

Facing issue while configuring EC2 WAF ACL

I have a free tier AWS account, and I am adding WAF to my LB (load balancer), which has one instance on EC2. Currently, the security group has only the HTTP 80 port.
My instance is located in the Asia Pacific (Mumbai) region, and when I am creating a Rule or Condition for the ACL, I am not getting this region there.
So I have tried to make the ACL in a different region and, without any rule, just configure it with the load balancer. After creating the ACL, when I go to associate the load balancer with the ACL, there is no load balancer shown in the drop down like below:
Please help me, where did I make a mistake?
AWS WAF is not supported yet in the Mumbai region, so if your instance and load balancer are in Mumbai you won't be able to use WAF directly:
https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/
You also can't put your WAF in a different region and connect it to your ALB; that won't work either, as you have seen.
The only other option is for you to make use of a CloudFront distribution in front of your load balancer, with your WAF then linked to your CloudFront distribution.

Does Mesos-dns provide load balancing?

I was looking at Mesos + Marathon to manage Docker containers.
What we're trying to achieve is a way of getting an external DNS entry (test.example.com) to point to a specific set of docker containers.
The DNS entry for test.example.com points to a load balancer which translates and sends the connection to one of our backend app servers.
To do this I looked into Mesos-dns. With Mesos-dns I can get a DNS name for each container and can resolve it to the container IP, but I couldn't find a way to load balance between a set of servers.
Can someone confirm if Mesos-dns provides load balancing? If yes, how can I achieve load balancing with it?
Do I need to use some other solutions like HAProxy or Bamboo to achieve this?
Thanks!!
Sumit
Yes, with Mesos-DNS you can do load balancing, see for example the respective HTTP API endpoints, but it's really not recommended in the context of DC/OS: see the internal (Minuteman) and external (Marathon-lb, HAProxy-based) load balancing and service discovery options in the docs.

Do I need to have HAProxy TCP/HTTP Load Balancer when I already have AWS ELB?

Let's say I have 20 servers at Amazon AWS and I also have AWS ELB set up for these servers. I heard that HAProxy is a reliable and fast TCP/HTTP load balancer, so the question is:
do I need to have HAProxy installed on each EC2 instance while I have AWS ELB?
What is the benefit of having both ELB and HAProxy at the same time?
Thanks
There are a few scenarios where people choose their own load balancing solution like HAProxy over ELB:
Financial transactions: ELB is an opaque service. Logs are not provided. So if you are missing transactions, you won't know if ELB dropped them or not.
Doesn't work well with traffic spikes: ELB's scaling takes at least 5 minutes. If your application traffic is doubling every 5-10 minutes, it will do well. But if it is at a constant rate and you get a spike all of a sudden, then you will have problems with ELB.
ELBs can be slower than running your own load balancing: In my environment, I got a 15% performance boost by using HAProxy/Nginx (for SSL termination) instead. It was roughly 30ms per call, but keep in mind I was using SSL so I used CPU power.
ELBs only do round-robin load balancing and HAProxy has a lot more.
HAProxy also has a ton more configuration options that ELB does not support. It depends if one needs them for their application.
In one suite of applications, I have both running: ELB -> HAProxy -> a suite of apps. In my case the following occurs:
ELB translates HTTPS to HTTP
HAProxy targets the app servers based on path
The app servers run in plain old HTTP
The upside to this is that I can move around the apps without changing their URLs
The downside is that ELB isn't a fixed IP address, so if you need to point to it from an IP address instead of a CNAME you can't do it.
Short answer: No you don't need HAProxy. Go with an ELB.
tl;dr:
Yes, HAProxy is powerful and tested.
First of all, you would need to have a separate EC2 HAProxy instance (as opposed to having HAProxy installed on every EC2 instance you need to balance). In essence an ELB is equivalent to an EC2 instance loaded with some kind of load balancing software.
Second, having both ELBs and HAProxy balancing instances in your environment is a rare use case. You might come to a point that you need more fine grained access and the ability to configure more on your load balancers. It purely depends on what you're doing and what problems an ELB might be giving you. Google to read through possible use cases.
I'm using an ELB with HAProxy behind it.
When a customer uses my web services from a unique IP, ELB redirects all his requests to the same host. It doesn't scale. (I suppose it's a hash from the src IP or something like that.)
The HAProxy has another balancer algorithm.
I keep the ELB for HA (1 HAProxy / availability zone), and each HAProxy instance redispatches to the region/zone backend servers.

Amazon Load balancer not working?

I have an AWS Elastic Load Balancer. Sometimes the Elastic Load Balancer works, sometimes not. Sometimes I am able to hit the app, sometimes it gives me a blank page.
Why is this happening?
You should check the ping path and ping port on the ELB, whether you get a response. It seems that the ELB brings the instances down due to a failed health check.
AWS Application Load Balancers are notoriously susceptible to DDoS attacks, a simple SYN flood will bring down a load balancer, and what's worse is that you won't know that it's down, because the AWS Dashboard doesn't expose anything about the load balancer other than some basic HTTP level metrics.

How can I defend against DoS attacks using Amazon EC2 Load Balancer?

We usually blacklist IP addresses with iptables. But in Amazon EC2, if a connection goes through the Elastic Load Balancer, the remote address will be replaced by the load balancer's address, rendering iptables useless. In the case of HTTP, apparently the only way to find out the real remote address is to look at the HTTP header HTTP_X_FORWARDED_FOR. To me, blocking IPs at the web application level is not an effective way.
What is the best practice to defend against DoS attack in this scenario?
In this article, someone suggested that we can replace Elastic Load Balancer with HAProxy. However, there are certain disadvantages in doing this, and I'm trying to see if there is any better alternative.
I think you have described all the current options. You may want to chime in on some of the AWS forum threads to vote for a solution - the Amazon engineers and management are open to suggestions for ELB improvements.
If you deploy your ELB and instances using VPC instead of EC2-classic, you can use Security Groups and Network ACLs to restrict access to the ELB.
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/USVPC_ApplySG.html
It's common to run an application server behind a reverse proxy. Your reverse proxy is a layer you can use to add DoS protection before traffic gets to your application server. For Nginx, you can look at the rate limiting module as something that could help.
You could set up an EC2 host and run HAProxy there yourself (that's what Amazon is using anyway!). Then you can apply your iptables filters on that system.
Here's a tool I made for those looking to use Fail2Ban on aws with apache, ELB, and ACL: https://github.com/anthonymartin/aws-acl-fail2ban
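The thread above leaves open how to read X-Forwarded-For without trusting the attacker-controlled part of it. This is an added example, not code from the thread or from the linked tool; it assumes a constructed trusted VPC range of 10.0.0.0/16 for the ELB nodes and uses only the Python standard library.

```python
# Added example, not from the original thread. Behind ELB the TCP peer is the
# load balancer, so the client address only survives in X-Forwarded-For. ELB
# appends the connecting address after whatever the client sent, so leftmost
# entries are attacker-controlled; key blocklists on the rightmost untrusted hop.
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample: the VPC range the ELB nodes live in, treated as trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/16")]


def parse_forwarded_for(header: str) -> List[str]:
    """Split X-Forwarded-For left to right, dropping empty or malformed entries."""
    hops = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            hops.append(str(ipaddress.ip_address(part)))
        except ValueError:
            continue  # garbage injected by the client; ignore it
    return hops


def is_trusted(addr: str, trusted: Iterable) -> bool:
    """True if addr falls inside one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def client_ip(peer_addr: str, xff_header: Optional[str],
              trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Return the address a blocklist should act on.

    If the TCP peer is not a trusted proxy, the request bypassed the ELB and the
    header is ignored outright. Otherwise walk the hops right to left, skipping
    trusted proxies; the first untrusted hop is the client.
    """
    if not is_trusted(peer_addr, trusted):
        return peer_addr
    for hop in reversed(parse_forwarded_for(xff_header or "")):
        if not is_trusted(hop, trusted):
            return hop
    return peer_addr  # header empty or every hop internal: fall back to the peer


def is_blocked(peer_addr: str, xff_header: Optional[str], blocklist: Iterable[str]) -> bool:
    """Blocklist check keyed on the recovered client address, not the peer."""
    return client_ip(peer_addr, xff_header) in set(blocklist)
```

The same right-to-left rule is what a rate limiter in front of the application should key on; counting by the leftmost entry lets a client evade it by rotating a forged value.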