如何配置 AWS 网络负载均衡器以使用 Terraform 路由 HTTPS 流量?
How do I configure AWS network load balancers to route HTTPS traffic with Terraform?
我正在尝试使用 API 网关的 VPC 链接将流量路由到 HTTPS 上的内部 API。
但是,VPC 链接迫使我将 API 的负载均衡器从 "application" 更改为 "network"。
我了解网络负载平衡器位于第 4 层,因此不知道 HTTPS。
我习惯使用第 7 层应用程序负载均衡器。因此,我不确定我应该如何配置或使用 terraform 中的网络负载均衡器。
以下是我在 Terraform 中配置网络负载均衡器的尝试。
健康检查失败,我不确定我做错了什么。
resource "aws_ecs_service" “app” {
name = "${var.env}-${var.subenv}-${var.appname}"
cluster = "${aws_ecs_cluster.cluster.id}"
task_definition = "${aws_ecs_task_definition.app.arn}"
desired_count = "${var.desired_app_count}"
deployment_minimum_healthy_percent = 50
deployment_maximum_percent = 200
iam_role = "arn:aws:iam::${var.account}:role/ecsServiceRole"
load_balancer {
target_group_arn = "${aws_lb_target_group.app-lb-tg.arn}"
container_name = "${var.env}-${var.subenv}-${var.appname}"
container_port = 9000
}
depends_on = [
"aws_lb.app-lb"
]
}
resource "aws_lb" “app-lb" {
name = "${var.env}-${var.subenv}-${var.appname}"
internal = false
load_balancer_type = "network"
subnets = "${var.subnet_ids}"
idle_timeout = 600
tags {
Owner = ""
Env = "${var.env}"
}
}
resource "aws_lb_listener" “app-lb-listener" {
load_balancer_arn = "${aws_lb.app-lb.arn}"
port = 443
protocol = "TCP"
default_action {
type = "forward"
target_group_arn = "${aws_lb_target_group.app-lb-tg.arn}"
}
}
resource "aws_lb_target_group" “app-lb-tg" {
name = "${var.env}-${var.subenv}-${var.appname}"
port = 443
stickiness = []
health_check {
path = "/actuator/health"
}
protocol = "TCP"
vpc_id = "${var.vpc_id}"
}
作为参考,这是我之前在尝试切换到网络负载均衡器之前配置我的应用程序负载均衡器的方式:
resource "aws_ecs_service" "app" {
name = "${var.env}-${var.subenv}-${var.appname}"
cluster = "${aws_ecs_cluster.cluster.id}"
task_definition = "${aws_ecs_task_definition.app.arn}"
desired_count = "${var.desired_app_count}"
deployment_minimum_healthy_percent = 50
deployment_maximum_percent = 200
iam_role = "arn:aws:iam::${var.account}:role/ecsServiceRole"
load_balancer {
target_group_arn = "${aws_lb_target_group.app-alb-tg.arn}"
container_name = "${var.env}-${var.subenv}-${var.appname}"
container_port = 9000
}
depends_on = [
"aws_alb.app-alb"]
}
resource "aws_alb" "app-alb" {
name = "${var.env}-${var.subenv}-${var.appname}"
subnets = "${var.subnet_ids}"
security_groups = [
"${var.vpc_default_sg}",
"${aws_security_group.app_internal.id}"]
internal = false
idle_timeout = 600
tags {
Owner = ""
Env = "${var.env}"
}
}
resource "aws_lb_listener" "app-alb-listener" {
load_balancer_arn = "${aws_alb.app-alb.arn}"
port = "443"
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-2015-05"
certificate_arn = "${var.certificate_arn}"
default_action {
type = "forward"
target_group_arn = "${aws_lb_target_group.app-alb-tg.arn}"
}
}
resource "aws_lb_target_group" "app-alb-tg" {
name = "${var.env}-${var.subenv}-${var.appname}"
port = 80
health_check {
path = "/actuator/health"
}
protocol = "HTTP"
vpc_id = "${var.vpc_id}"
}
一个网络负载平衡器automatically performs passive health checks on non UDP traffic流经它,如果这足够了,那么您可以删除活动健康检查配置。
如果你想启用主动健康检查,那么你可以使用 TCP 健康检查(默认),它只会检查端口是否打开,或者你可以指定 HTTP/HTTPS 协议并指定路径。理想情况下,当您尝试为健康检查指定路径但未将协议设置为 HTTP 或 HTTPS 时,AWS API 会出错,但显然现在情况并非如此。
使用 Terraform 这看起来像这样:
resource "aws_lb_target_group" "app-alb-tg" {
name = "${var.env}-${var.subenv}-${var.appname}"
port = 443
protocol = "TCP"
vpc_id = "${var.vpc_id}"
health_check {
path = "/actuator/health"
protocol = "HTTPS"
}
}
请记住,主动健康检查将从网络负载平衡器的角度(不仅仅是源流量)检查目标端口是否打开。这意味着您的目标将需要允许来自您的 NLB 所在的子网以及您的源流量源自的安全组或 CIDR 范围等的流量。
我正在尝试使用 API 网关的 VPC 链接将流量路由到 HTTPS 上的内部 API。 但是,VPC 链接迫使我将 API 的负载均衡器从 "application" 更改为 "network"。
我了解网络负载平衡器位于第 4 层,因此不知道 HTTPS。
我习惯使用第 7 层应用程序负载均衡器。因此,我不确定我应该如何配置或使用 terraform 中的网络负载均衡器。
以下是我在 Terraform 中配置网络负载均衡器的尝试。 健康检查失败,我不确定我做错了什么。
resource "aws_ecs_service" “app” {
name = "${var.env}-${var.subenv}-${var.appname}"
cluster = "${aws_ecs_cluster.cluster.id}"
task_definition = "${aws_ecs_task_definition.app.arn}"
desired_count = "${var.desired_app_count}"
deployment_minimum_healthy_percent = 50
deployment_maximum_percent = 200
iam_role = "arn:aws:iam::${var.account}:role/ecsServiceRole"
load_balancer {
target_group_arn = "${aws_lb_target_group.app-lb-tg.arn}"
container_name = "${var.env}-${var.subenv}-${var.appname}"
container_port = 9000
}
depends_on = [
"aws_lb.app-lb"
]
}
resource "aws_lb" “app-lb" {
name = "${var.env}-${var.subenv}-${var.appname}"
internal = false
load_balancer_type = "network"
subnets = "${var.subnet_ids}"
idle_timeout = 600
tags {
Owner = ""
Env = "${var.env}"
}
}
resource "aws_lb_listener" “app-lb-listener" {
load_balancer_arn = "${aws_lb.app-lb.arn}"
port = 443
protocol = "TCP"
default_action {
type = "forward"
target_group_arn = "${aws_lb_target_group.app-lb-tg.arn}"
}
}
resource "aws_lb_target_group" “app-lb-tg" {
name = "${var.env}-${var.subenv}-${var.appname}"
port = 443
stickiness = []
health_check {
path = "/actuator/health"
}
protocol = "TCP"
vpc_id = "${var.vpc_id}"
}
作为参考,这是我之前在尝试切换到网络负载均衡器之前配置我的应用程序负载均衡器的方式:
resource "aws_ecs_service" "app" {
name = "${var.env}-${var.subenv}-${var.appname}"
cluster = "${aws_ecs_cluster.cluster.id}"
task_definition = "${aws_ecs_task_definition.app.arn}"
desired_count = "${var.desired_app_count}"
deployment_minimum_healthy_percent = 50
deployment_maximum_percent = 200
iam_role = "arn:aws:iam::${var.account}:role/ecsServiceRole"
load_balancer {
target_group_arn = "${aws_lb_target_group.app-alb-tg.arn}"
container_name = "${var.env}-${var.subenv}-${var.appname}"
container_port = 9000
}
depends_on = [
"aws_alb.app-alb"]
}
resource "aws_alb" "app-alb" {
name = "${var.env}-${var.subenv}-${var.appname}"
subnets = "${var.subnet_ids}"
security_groups = [
"${var.vpc_default_sg}",
"${aws_security_group.app_internal.id}"]
internal = false
idle_timeout = 600
tags {
Owner = ""
Env = "${var.env}"
}
}
resource "aws_lb_listener" "app-alb-listener" {
load_balancer_arn = "${aws_alb.app-alb.arn}"
port = "443"
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-2015-05"
certificate_arn = "${var.certificate_arn}"
default_action {
type = "forward"
target_group_arn = "${aws_lb_target_group.app-alb-tg.arn}"
}
}
resource "aws_lb_target_group" "app-alb-tg" {
name = "${var.env}-${var.subenv}-${var.appname}"
port = 80
health_check {
path = "/actuator/health"
}
protocol = "HTTP"
vpc_id = "${var.vpc_id}"
}
一个网络负载平衡器automatically performs passive health checks on non UDP traffic流经它,如果这足够了,那么您可以删除活动健康检查配置。
如果你想启用主动健康检查,那么你可以使用 TCP 健康检查(默认),它只会检查端口是否打开,或者你可以指定 HTTP/HTTPS 协议并指定路径。理想情况下,当您尝试为健康检查指定路径但未将协议设置为 HTTP 或 HTTPS 时,AWS API 会出错,但显然现在情况并非如此。
使用 Terraform 这看起来像这样:
resource "aws_lb_target_group" "app-alb-tg" {
name = "${var.env}-${var.subenv}-${var.appname}"
port = 443
protocol = "TCP"
vpc_id = "${var.vpc_id}"
health_check {
path = "/actuator/health"
protocol = "HTTPS"
}
}
请记住,主动健康检查将从网络负载平衡器的角度(不仅仅是源流量)检查目标端口是否打开。这意味着您的目标将需要允许来自您的 NLB 所在的子网以及您的源流量源自的安全组或 CIDR 范围等的流量。