
I have a web application with two different sites. Each can be accessed via HTTP. When you access Site #1, it will serve that site directly. When you access site #2, it will actually connect to site #1 behind the scenes via REST API calls. This architecture is shown in the diagram below.

[Architecture diagram]

All instances shown (in blue) have ONLY private IP addresses. Both Load Balancers are internet-facing because people from outside the VPC need to access the application. Each autoscale group has an associated security group which is applied to each of its instances.

How can I configure LoadBalancer #1 to accept HTTP calls from Auto-Scale Group #2 given that those instances don't have public IP addresses? Do I need to have one private-facing Load Balancer and one internet-facing load balancer?

I want all this configuration to be done automatically in my Cloudformation file.

Saqib Ali
  • "How can I configure LoadBalancer #1 to accept HTTP calls from Auto-Scale Group #2 given that those instances don't have private IP addresses?"... Do you mean "don't have PUBLIC IP addresses"? – John Rotenstein Jun 11 '15 at 23:29
  • Are instances in ASG #2 currently unable to reach Load Balancer #1? Do you have a NAT configured to allow instances to reach the Internet? – John Rotenstein Jun 11 '15 at 23:48
  • 1) Yes they are unable. 2) No I don't have a NAT configured. 3) Can I do this without the use of a NAT by instead making another internal-only LB also pointing to the instances of ASG #1? – Saqib Ali Jun 12 '15 at 15:25

1 Answer


The AWS Elastic Load Balancing service provides a DNS Name for the load balancer. This name should be used when accessing the load balancer.

The DNS name resolves to one of several public IP addresses. Therefore, instances in Auto Scaling Group #2 require access to the Internet.

If all instances are in a Public subnet, then they should be able to access the Internet and, therefore, Load Balancer #1.

If the instances are in a Private subnet, they will require some means of accessing the Internet. This is typically done by launching a NAT instance in a Public subnet and configuring Route Tables on the Private subnet to route Internet traffic to the NAT server.

The traffic won't actually traverse the Internet. Rather, it will traverse AWS's edge of the Internet by popping out of the VPC and then back in again.

There is no configuration required on Load Balancer #1, since it is already accepting incoming traffic.

John Rotenstein
  • Remembering, of course, that traffic from ec2 to ec2, including ELB, is not free, whenever you use a public or elastic IP... so using an external load balancer for internal traffic will incur an additional $0.01 to $0.02/gb data transfer charge because the traffic is traversing the edge. – Michael - sqlbot Jun 12 '15 at 02:42
  • Ok. Instead of setting up a NAT for the instances in AutoScale Group #2, can I instead create another internal-facing load balancer that also points to AutoScale Group #1, and have the instances from AutoScale Group #2 talk to that one? – Saqib Ali Jun 12 '15 at 03:36
  • Oh, that's an interesting concept! Yes, you can configure Auto Scaling to use multiple Load Balancers. That way, the traffic would route internally, within your VPC. Please note that you will be charged for an additional load balancer (~2.5c/hr + traffic). https://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-internal-load-balancers.html – John Rotenstein Jun 13 '15 at 04:58
  • @JohnRotenstein what if Load Balancer #1 accepts traffic from some white listed IPs? Which IP(s) should be specified to allow access of **Load Balancer #1** from instances of **Auto Scale Group #2**? – Nirav Radia Feb 13 '17 at 13:34
  • @NiravRadia This is an old Question. Please create a new Question if you would like an Answer. – John Rotenstein Feb 14 '17 at 00:28
  • @JohnRotenstein I realized that later. I have asked a new question and linked [it](http://stackoverflow.com/questions/42206565/aws-security-group-to-allow-access-internet-facing-load-balancer-to-be-accessed?noredirect=1&lq=1). Thanks – Nirav Radia Feb 14 '17 at 06:18
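The internal-load-balancer approach discussed in the comments, written out as an added CloudFormation example (not code from the answer, the asker, or AWS documentation): a second, internal Classic ELB registered with Auto Scaling Group #1 whose security group admits only instances carrying ASG #2's security group. Resource and parameter names are placeholders; VpcId, PrivateSubnetIds, LaunchConfig1, PublicLoadBalancer1, PublicLb1SecurityGroup and Asg2InstanceSecurityGroup are assumed to be defined elsewhere in the template.

```yaml
# Added example, not from the original thread. Placeholder names; VpcId,
# PrivateSubnetIds, LaunchConfig1 and the Public*/Asg2* resources are assumed.
Resources:
  InternalLb1SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internal LB for Site 1, reachable only from ASG 2 instances
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp            # no CIDR whitelist: reference ASG 2's SG instead
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref Asg2InstanceSecurityGroup
  Asg1InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Site 1 instances, accept HTTP from both of Site 1's LBs only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp            # existing internet-facing LB #1
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref PublicLb1SecurityGroup
        - IpProtocol: tcp            # new internal LB #1
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref InternalLb1SecurityGroup
  InternalLoadBalancer1:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Scheme: internal               # DNS name resolves to private IPs, traffic stays in the VPC
      Subnets: !Ref PrivateSubnetIds
      SecurityGroups:
        - !Ref InternalLb1SecurityGroup
      Listeners:
        - LoadBalancerPort: '80'
          InstancePort: '80'
          Protocol: HTTP
  AutoScalingGroup1:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier: !Ref PrivateSubnetIds
      LaunchConfigurationName: !Ref LaunchConfig1
      MinSize: '2'
      MaxSize: '4'
      LoadBalancerNames:             # one ASG registered with both load balancers
        - !Ref PublicLoadBalancer1
        - !Ref InternalLoadBalancer1
```

Site #2's instances should call the internal balancer's DNS name (available as `!GetAtt InternalLoadBalancer1.DNSName`), so no NAT and no IP-based whitelisting is needed for the Site #2 to Site #1 path.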