 

AWS Pass traffic from NLB to an ALB?

I am trying to pass incoming traffic from Amazon's Network Load Balancer to an Application Load Balancer. I am using the NLB since it has an Elastic IP attachment, and I want it to serve as a proxy for the ALB. Is that even possible?

Broshi asked Jun 22 '18 06:06



1 Answer

September 2021 Update: AWS has announced the native availability of ALB Target Groups for NLBs. This not only reduces the complexity of needing a Lambda-based workaround but also removes the limitation concerning client IP preservation. ALBs targeted in this fashion will provide the X-Forwarded-For header containing the external IP address originally invoking the NLB.


It is possible, but it's slightly messy.

The problem is that Application Load Balancers can scale up, out, in, and/or down, and in each case the internal IP addresses of the balancers can change... but NLB requires static addresses for its targets.

So, at a low level, this means the NLB target group must be modified every time the IPs of the ALB change.

AWS has published an official solution for accomplishing this, using a Lambda function on a schedule to capture the addresses of the ALB and update the NLB configuration whenever the results change.

https://aws.amazon.com/blogs/networking-and-content-delivery/using-static-ip-addresses-for-application-load-balancers/

One notable limitation here is that this solution does not allow you to identify the client IP address. It is lost when the traffic goes through the NLB, because NLBs only preserve the source IP when the target is an instance (not an IP address) or when the target understands the Proxy protocol on the client side and the feature is enabled on the NLB, but ALB doesn't support such a configuration. With the setup shown at the link above, the rightmost address in X-Forwarded-For will be set by the ALB to the internal address of the NLB.

Michael - sqlbot answered Oct 11 '22 23:10
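The pre-2021 workaround the answer describes (a scheduled Lambda that resolves the ALB's current addresses and rewrites the NLB's IP target group whenever they change) looks roughly like the following. This is an added example written for this page; it is not the answerer's code and not the Lambda from the linked AWS blog post. It assumes an NLB target group of target type `ip`, the ALB's DNS name, and an `elbv2` client with the boto3 method names (`describe_target_health`, `register_targets`, `deregister_targets`); the environment variable names in `lambda_handler` and the `FakeElbv2` stand-in used by `demo()` are constructed for the example so the sync logic can be exercised offline.

```python
"""Keep an NLB "ip"-type target group pointed at an ALB's current addresses.

Added example; not the Lambda from the AWS blog post linked in the answer.
The elbv2 client is passed in, so the same code runs against boto3 in Lambda
or against the constructed FakeElbv2 stand-in below.
"""
import socket
from typing import Callable, Set, Tuple


def resolve_ipv4(hostname: str) -> Set[str]:
    """Current IPv4 addresses behind a hostname (here, the ALB's DNS name)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return {sockaddr[0] for _f, _t, _p, _c, sockaddr in infos}


def registered_targets(elbv2, target_group_arn: str) -> Set[str]:
    """IP addresses currently registered in the NLB target group."""
    resp = elbv2.describe_target_health(TargetGroupArn=target_group_arn)
    return {d["Target"]["Id"] for d in resp["TargetHealthDescriptions"]}


def plan_changes(registered: Set[str], resolved: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (to_register, to_deregister) so the group matches DNS.

    An empty resolution (transient DNS failure) yields no changes: never empty
    the target group and take the NLB dark because one lookup failed.
    """
    if not resolved:
        return set(), set()
    return resolved - registered, registered - resolved


def sync_nlb_targets(elbv2, target_group_arn: str, alb_dns_name: str, port: int = 80,
                     resolve: Callable[[str], Set[str]] = resolve_ipv4) -> Tuple[Set[str], Set[str]]:
    """One scheduled run: resolve the ALB, diff against the target group, apply."""
    resolved = resolve(alb_dns_name)
    registered = registered_targets(elbv2, target_group_arn)
    to_register, to_deregister = plan_changes(registered, resolved)
    # Add new addresses before removing stale ones so at least one target
    # stays registered throughout the change.
    if to_register:
        elbv2.register_targets(TargetGroupArn=target_group_arn,
                               Targets=[{"Id": ip, "Port": port} for ip in sorted(to_register)])
    if to_deregister:
        elbv2.deregister_targets(TargetGroupArn=target_group_arn,
                                 Targets=[{"Id": ip, "Port": port} for ip in sorted(to_deregister)])
    return to_register, to_deregister


def lambda_handler(event, context):
    """Scheduled (EventBridge) entry point; the env var names are assumptions."""
    import os
    import boto3  # present in the Lambda Python runtime
    added, removed = sync_nlb_targets(boto3.client("elbv2"),
                                      os.environ["NLB_TARGET_GROUP_ARN"],
                                      os.environ["ALB_DNS_NAME"],
                                      int(os.environ.get("TARGET_PORT", "80")))
    return {"registered": sorted(added), "deregistered": sorted(removed)}


class FakeElbv2:
    """Constructed offline stand-in exposing the three elbv2 calls used above."""

    def __init__(self, ips):
        self.ips = set(ips)
        self.calls = []  # (action, [ips]) in the order issued

    def describe_target_health(self, TargetGroupArn):
        return {"TargetHealthDescriptions":
                [{"Target": {"Id": ip, "Port": 80}} for ip in sorted(self.ips)]}

    def register_targets(self, TargetGroupArn, Targets):
        ids = [t["Id"] for t in Targets]
        self.calls.append(("register", ids))
        self.ips |= set(ids)

    def deregister_targets(self, TargetGroupArn, Targets):
        ids = [t["Id"] for t in Targets]
        self.calls.append(("deregister", ids))
        self.ips -= set(ids)


def demo():
    """Simulate one ALB scaling event (constructed): 10.0.2.10 is replaced by 10.0.2.55."""
    fake = FakeElbv2({"10.0.1.10", "10.0.2.10"})
    added, removed = sync_nlb_targets(
        fake, "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/EXAMPLE",
        "internal-alb.example.invalid",
        resolve=lambda _host: {"10.0.1.10", "10.0.2.55"})
    return added, removed, fake
```

Running `demo()` registers `10.0.2.55` and then deregisters `10.0.2.10`, leaving the group at the two addresses DNS currently returns. The ordering (register first, deregister second) and the refusal to act on an empty resolution are the two details that keep a scheduled sync from briefly leaving the NLB with no healthy targets; note that, as the answer says, none of this restores the client IP, which is still lost at the NLB hop.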