| « PreviousNext » | |
   | Did this page help you? Yes | No | Tell us about it... |
Deploy Elastic Load Balancing in Amazon VPC
Topics
Amazon Virtual Private Cloud ( Amazon VPC) lets you define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud.
Within this virtual private cloud, you can launch Amazon EC2 instances that have private (RFC 1918) IP addresses in the classless inter-domain routing (CIDR) range of your choice (for example, 10.0.0.0/16). You can use a load balancer to monitor and route traffic to your EC2 instances launched within a VPC.
You can create a VPC that spans multiple Availability Zones then add one or more subnets in each Availability Zone. A subnet in Amazon VPC is a subdivision within an Availability Zone defined by a segment of the IP address range of the VPC. Using subnets you can group your instances based on your security and operational needs. A subnet resides entirely within the Availability Zone it was created in.
To enable communication between the Internet and the instances in your subnets, you must create and attach an Internet gateway (IGW) to your VPC. An IGW connects the instances within your subnets to the Internet. The subnets that interact directly with the Internet must contain public instances (instances with public IP addresses).
For more information on Amazon VPC, see What is Amazon VPC in the Amazon Virtual Private Cloud User Guide. For information on Amazon VPC subnets, see Your VPC and Subnets.
To load balance your EC2 instances in a VPC, when you register load balancers in multiple Availability Zones, specify one subnet in each Availability Zone to which you want to attach the load balancer. Because a subnet is created for an Availability Zone, specifying the subnet ensures that the load balancer is configured to listen to requests in the corresponding Availability Zone.
When you attach your load balancer to a subnet, this defines the subnet that traffic must enter to forward the request to registered instances. The registered instances do not need to be in the same subnet that you attach to the load balancer. To ensure that your load balancer can scale properly, specify that the CIDR block of the subnet to which you attach the load balancer has at least a /27 bitmask (e.g., 10.0.0.0/27 ). You should also have at least 20 free IP addresses in the subnet where you attach the load balancer.
Elastic Load Balancing on Amazon VPC works essentially the same way as it does on Amazon EC2 and supports the same set of features. There is, however, a significant difference between the way the security groups function on Amazon VPC and Amazon EC2. In Amazon EC2, Elastic Load Balancing provides a special Amazon EC2 source security group that you can use to ensure that a back-end Amazon EC2 instance receives traffic only from Elastic Load Balancing. You cannot modify the source security group. Within Amazon VPC, you have control over the security groups assigned to your load balancer. Having control over your load balancer's security groups allows you to choose the ports and protocols to accept. For example, in Amazon VPC you can open Internet Control Message Protocol (ICMP) connections for the load balancer to respond to ping requests. (However, ping requests will not be forwarded to any registered instances.)
Note
IPv6 support is not currently available for load balancers in Amazon VPC.
Dedicated tenancy VPCs are not currently supported by Elastic Load Balancing.
Default VPC
If your AWS account comes with a default virtual private cloud (default VPC), your instances are launched within the default VPC, by default, unless you specify a subnet from a nondefault VPC. For more information, see Detecting Your Supported Platforms and Whether You Have a Default VPC.
A default VPC combines the benefits of the advanced networking features provided by Amazon VPC platform (EC2-VPC) with the ease of use of the Amazon Elastic Compute Cloud platform (EC2-Classic).
Your default VPC automatically comes with a default subnet in each Availability Zone, an Internet Gateway connected to your default VPC, and a default security group associated with your default VPC, among other default configurations. For more information on default VPC and Subnets, see Your Default VPC and Subnets.
When you launch your EC2 instances within default VPC without specifying a subnet, it is automatically launched into a default subnet in your default VPC. By default, we select an Availability Zone for you and launch the instance into the corresponding subnet for that Availability Zone. Alternatively, you can select the Availability Zone for your instance by selecting its corresponding default subnet.
To load balance your EC2 instances launched in default VPC, you have to create your load balancers within your default VPC. When you create a load balancer within default VPC, Elastic Load Balancing automatically creates a security group by defining the ports specified for the load balancer to be opened.
If you are using the AWS Management Console to create your load balancer with default VPC, you can choose the default VPC security group associated with your default VPC, choose any other pre-existing security group associated with your AWS account, or modify the existing security group to create a new one. If you choose a non-default pre-existing security group, ensure that it allows ingress to the ports that you configured the load balancer to use. If you choose to create a security group, the console will define these ports to be open for you.
The security group you create using the AWS Management Console is associated with your load balancer. You cannot delete the security group as long as it is associated with a load balancer.
If you are using the Elastic Load Balancing command line interface (CLI) or the Query API
to create your load balancer within your default VPC, a default security group;
default_elb_special number will be created for
0.0.0.0/0 with the ports specified for the load balancer. Currently, Elastic Load
Balancing does not support the option to choose a security group to associate with
your load balancer when you use either the CLI or the Query API.
A security group created for your load balancer within default VPC using either the CLI or the Query API is associated with your AWS account. Only one security group will be created per AWS account. Subsequent calls to create new load balancers will re-use the same security group. If you add listeners to an existing load balancer, you will need to review the security groups that are applied to the load balancer; otherwise, traffic may not reach the load balancer. If you create a load balancer that uses this default security group and the new load balancer has a different listener configuration, you will need to review and update the security groups that are applied to the load balancer.
If you are using the CLI to create a load balancer for your EC2 instances in default VPC, you can see the security group associated with
your load balancer by using the -show-long option with elb-describe-lbs command. The load balancer security group
is listed as SOURCE_SECURITY_GROUP in the CLI output and the query response. This security group can be used to limit ingress to your instance from only
the selected security group.
Whether you are using the console, CLI, or the Query API, if you update the listeners of your load balancer within default VPC, the security groups associated with the load balancer will not change. If you delete your load balancer, the security group will not be deleted automatically.
For information on creating a basic load balancer for your EC2 instances within default VPC, see Create a Basic Load Balancer in Default VPC.
Internet-facing and Internal Load Balancers
You can make your load balancer internal (private) or Internet-facing (public) when creating it within a VPC. When you make your load balancer internal, a DNS name will be created, and it will contain the private IP address of the load balancer. Internal load balancer is not exposed to the internet. When you make your load balancer Internet-facing, a DNS name will be created with the public IP address. The DNS records are publicly resolvable in both cases.
By combining both internal and internet-facing load balancers, you can balance requests between multiple tiers of your application. For example, let us say you have web servers at your front-end that takes requests from the internet and passes it on to your back-end application instances. You can create an internal load balancer in your VPC and then place your back-end application instances behind the internal load balancer. You can create an internet-facing load balancer with the DNS name and public IP address and place it in front of your web server. Your web server will take requests coming from the internet-facing load balancer and will make requests to the internal load balancer, using private IP addresses that are resolved from the internal load balancer’s DNS name. The internal load balancer will route requests to the back-end application instances, which are also using private IP addresses and only accept requests from the internal load balancer. With this multi-tier architecture, all your infrastructure can use private IP addresses and security groups so that the only part of your architecture that has public IP address is the internet-facing load balancer.
For a load balancer to be Internet-facing, the load balancer must reside in a public subnet (with public IP addresses). The application instances behind the load balancer do not need to be in the public subnets.
The following diagram shows Elastic Load Balancing within Amazon VPC combining both Internet-facing and internal load balancers.
Create Amazon VPC for Elastic Load Balancing
To create and use Elastic Load Balancing load balancers within Amazon VPC, you have to first configure your VPC environment. This section provides you with steps you can use to configure your VPC. If you are using default VPC, your VPC environment is automatically configured for you. You can skip this step.
Create your Amazon VPC with an Internet gateway and create subnets in each Availability Zone in which you want to load balance your instances. For information on creating an Amazon VPC and subnets, see Get Started with Amazon VPC.
If you are creating an Internet-facing load balancer, be sure to create a VPC with public subnet. Your Internet-facing load balancer must be in a public subnet to establish connections with the Internet.
Launch the Amazon EC2 instances that you want to register with your load balancer in your Amazon VPC. For more information about launching Amazon EC2 instances within Amazon VPC, see Launch an Instance.
The examples in this guide assume that your Amazon VPCs are in the US East (Northern Virginia) Region. You can set up your VPCs in other AWS regions. For example, if you want to launch your instances in a VPC in a region in Europe, you can specify the
EU (Ireland)Region by using the--region eu-west-1parameter from the command line interface or by setting theAWS_ELB_URLenvironment variable.For more information on using the region parameter with your Elastic Load Balancing commands, go to the Elastic Load Balancing Quick Reference Card. For information on setting your environment variable, see Installing the Command Line Interface. For information about this product's regions and endpoints, go to Regions and Endpoints in the Amazon Web Services General Reference.
You've now completed creating your VPC environment for your load balancers. Next, click any one of the following sections to create and manage your load balancer within your Amazon VPC.
