Configuring the Load Balancer in your Elastic Beanstalk Environment
If you've enabled load balancing, your environment is equipped with an Elastic Load Balancing load balancer to distribute traffic among the instances in your environment.
By default, your load balancer is configured to listen for HTTP traffic on port 80 and forward it to instances on the same port. To support secure connections, you can configure your load balancer with a listener on port 443 and a TLS certificate.
Elastic Load Balancing uses a health check to determine whether the EC2 instances running your application are healthy. The health check determines an instance's health status by making a request to a specified URL at a set interval; if the URL returns an error message, or fails to return within a specified timeout period, the health check fails.
If your application performs better by serving multiple requests from the same client on a single server, you can configure your load balancer to use sticky sessions. With sticky sessions, the load balancer adds a cookie to HTTP responses that identifies the EC2 instance that served the request. When a subsequent request is received from the same client, the load balancer uses the cookie to send the request to the same instance.
When an instance is removed from the load balancer because it has become unhealthy or the environment is scaling down, connection draining gives the instance time to complete requests prior to closing the connection between the instance and the load balancer. You can change the amount of time given to instances to send a response, or disable connection draining completely.
Connection draining is enabled by default when you create an environment with the console or EB CLI. For other clients, you must enable it with configuration options.
Advanced load balancer settings are available through configuration options that you can set with configuration files in your source code or directly on an environment by using the Elastic Beanstalk API. You can use these options to configure listeners on arbitrary ports, modify additional sticky session settings, and configure the load balancer to connect to EC2 instances securely. You can also configure a load balancer to upload access logs to Amazon S3.
Configuring Your Environment's Load Balancer in the AWS Management Console
Ports and Cross-Zone Load Balancing
The basic settings for your load balancer let you configure the standard listener on port 80, a secure listener on port 443 or port 8443, and cross-zone load balancing.
You can change the listener protocol from HTTP to TCP if you want the load balancer to forward requests as-is. This prevents the load balancer from rewriting headers (including X-Forwarded-For) and does not work with sticky sessions.
For HTTPS, you can add a secure listener with the secure listener port and protocol options. You must also select a certificate to use to decrypt the connections. You can also disable the standard listener if you only want to accept secure connections.
To turn on the secure listener port
Create and upload a certificate and key to AWS Identity and Access Management (IAM).
For more information about creating and uploading certificates, see the Managing Server Certificates section of Using AWS Identity and Access Management.
Open the Elastic Beanstalk console.
Navigate to the management page for your environment.
Specify the secure listener port by selecting a port from the Secure Listener Port list.
For SSL Certificate ID, choose the ARN of your SSL certificate. For example,
(Optional) Set Listener port to OFF to disable the standard listener.
For more detail on configuring HTTPS and working with certificates, see Configuring HTTPS for your Elastic Beanstalk Environment.
Use these settings to turn connection draining on or off and set the Draining timeout to anything up to
Use these settings to enable session sticking and configure the length of a session up to a maximum of
Specify an Application health check URL to configure the load balancer to make an HTTP GET request to a specific route. For example, type / to send requests to the application root, or /health to send requests to a resource at /health. If you don't configure a health check URL, the load balancer attempts to establish a TCP connection with the instance.
Configuring a health check URL does not affect the health check behavior of an environment's Auto Scaling group. Instances that fail an Elastic Load Balancing health check will not automatically be replaced by Auto Scaling unless you configure Auto Scaling to do so manually. See Auto Scaling Health Check Setting for details.
The remaining options let you customize the number of seconds between each health check (Health check interval), the number of seconds to wait for the health check to return (Health check timeout), and the number of health checks that must pass (Healthy check count threshold) or fail (Unhealthy check count threshold) before Elastic Load Balancing marks an instance as healthy or unhealthy.
For more information on health checks and how they influence your environment's overall health, see Basic Health Reporting.
Load Balancer Configuration Namespaces
Elastic Beanstalk provides additional configuration options in the following namespaces that allow you to further customize the load balancer in your environment:
aws:elb:healthcheck – Configure the thresholds, check interval and timeout for ELB health checks.
aws:elasticbeanstalk:application – Configure the health check URL.
aws:elb:loadbalancer – Enable cross-zone load balancing. Assign security groups to the load balancer and override the default security group that Elastic Beanstalk creates. This namespace also includes deprecated options for configuring the standard and secure listeners that have been replaced by options in the
aws:elb:listener – Configure the default listener on port 80, a secure listener on 443, or additional listeners for any protocol on any port.
aws:elb:policies – Configure additional settings for your load balancer. You can use options in this namespace to configure listeners on arbitrary ports, modify additional sticky session settings, and configure the load balancer to connect to EC2 instances securely.
You can use aws:elb:listener namespaces to configure additional listeners on your load balancer. If you specify aws:elb:listener as the namespace, settings apply to the default listener on port 80. If you specify a port (for aws:elb:listener:443), a listener is configured on that
The following example configuration file creates an HTTPS listener on port 443, assigns a certificate that the load balancer uses to terminate the secure connection, and disables the default listener on port 80. The load balancer forwards the decrypted requests to the EC2 instances in your environment on HTTP:80.
option_settings:
  aws:elb:listener:443:
    ListenerProtocol: HTTPS
    SSLCertificateId: arn:aws:iam::123456789012:server-certificate/elastic-beanstalk-x509
    InstancePort: 80
    InstanceProtocol: HTTP
  aws:elb:listener:80:
    ListenerEnabled: false
The EB CLI and Elastic Beanstalk console apply recommended values for the preceding options. You must remove these settings if you want to use configuration files to configure the same options. See Recommended Values for details.
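The following added example (not AWS code) audits a parsed option_settings mapping for the pitfalls described on this page: a secure listener without a certificate, the port 80 listener left enabled, a TCP listener combined with sticky sessions, connection draining not enabled through configuration options, and a missing health check URL. The function names and sample mappings are hypothetical; "Stickiness Policy" and "ConnectionDrainingEnabled" are aws:elb:policies option names that this page does not show.

```python
# Added example, not AWS code. "Stickiness Policy" and "ConnectionDrainingEnabled"
# are aws:elb:policies option names that this page does not show.
def listeners(settings):
    """Yield (port, options) for each aws:elb:listener[:port] namespace."""
    for ns, opts in settings.items():
        if ns == "aws:elb:listener":  # bare namespace = default listener on port 80
            yield 80, opts
        elif ns.startswith("aws:elb:listener:"):
            yield int(ns.rsplit(":", 1)[1]), opts

def is_true(value):  # option values may be YAML booleans or strings like "true"
    return str(value).strip().lower() == "true"

def audit(settings):
    """Return findings for the load balancer pitfalls described on this page."""
    findings = []
    by_port = dict(listeners(settings))
    policies = settings.get("aws:elb:policies", {})
    app = settings.get("aws:elasticbeanstalk:application", {})
    proto = {p: str(o.get("ListenerProtocol", "")).upper() for p, o in by_port.items()}
    secure = [p for p in by_port if proto[p] in ("HTTPS", "SSL")]
    findings += [f"listener {p}: secure protocol without SSLCertificateId"
                 for p in secure if not by_port[p].get("SSLCertificateId")]
    # The port 80 listener exists by default, so it stays on unless disabled.
    if secure and is_true(by_port.get(80, {}).get("ListenerEnabled", True)):
        findings.append("listener 80: unencrypted listener still enabled")
    if is_true(policies.get("Stickiness Policy", False)):
        findings += [f"listener {p}: TCP does not work with sticky sessions"
                     for p in by_port if proto[p] == "TCP"]
    if not is_true(policies.get("ConnectionDrainingEnabled", False)):
        findings.append("connection draining not enabled by configuration options")
    if not app.get("Application Healthcheck URL"):
        findings.append("no health check URL: only a TCP connection is tested")
    return findings

# Constructed sample: the page's HTTPS example as a parsed mapping.
PAGE_EXAMPLE = {
    "aws:elb:listener:443": {
        "ListenerProtocol": "HTTPS", "InstancePort": 80, "InstanceProtocol": "HTTP",
        "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/elastic-beanstalk-x509"},
    "aws:elb:listener:80": {"ListenerEnabled": False},
}
# Constructed sample: no certificate, port 80 left on as TCP, stickiness requested.
WEAK = {
    "aws:elb:listener:443": {"ListenerProtocol": "HTTPS"},
    "aws:elb:listener": {"ListenerProtocol": "TCP"},
    "aws:elb:policies": {"Stickiness Policy": "true"},
}
```

The draining finding matters for environments created with clients other than the console or EB CLI, where connection draining is not enabled by default.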
Configuring Access Logs
You can use configuration files to configure your environment's load balancer to upload access logs to an Amazon S3 bucket. See the following example configuration files on GitHub for instructions: