Drawback of using ELB. Is Nginx the best solution? (ELB vs Nginx)

Disclaimer:

This topic is for HTTP traffic (on the Linux platform). Maybe there is a good solution with ELB (at a reasonable price for everyone) for the problem below, but so far I cannot find any. That's why I need expert advice.

Problem:

I've been using AWS Elastic Load Balancing (ELB) for years, and suddenly realized there is a huge (and, to me, critical) drawback of ELB, which is blocking inbound connections by IP.

Because once you are behind ELB(s), your server-internal firewalls (like iptables) are already useless, because all the traffic forwarded from the ELB is stamped with the ELB IP (not the real client IP). ELB only forwards the real client IP in the X-Forwarded-For HTTP header, which is useless for iptables. (Unless you can suggest a Linux firewall like iptables which can also handle HTTP traffic with the XFF (X-Forwarded-For) header inside.)

I understand this is the normal behaviour of such reverse proxies, but I need to put a firewall in! I know that on AWS it is suggested to use VPC and the Network ACL rules to BLOCK inbound connections by IP. But NACLs have rule limits! (AWS only allows a total of a maximum of 40 rules in NACLs.)

Imagine you are running a high-traffic public website and then need to block a lot of bad IPs detected every day. How would these 40 rules help?

Need Advice:

I'm starting to think of using Nginx as the load balancer (on a separate instance). I've used Nginx before and it is a promising one, and of course it can replace ELB. And then:

  • use iptables on that Nginx instance! (So that VM will become LB + firewall.)

But before I make a move:

  • Is there any better, expert advice?
  • What will be the big difference (impact) of not using ELB here?

Thanks all for your advice.

Asked by 夏期劇場, Jan 20 '16 02:01



2 Answers

It's been a while since this question was asked, but I thought it might be worth pointing out that both Classic and next-generation Application Load Balancers now support Security Groups for limiting access to your load balancer: http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html

Answered by Jeff, Sep 19 '22 12:09

Using ELBs remains valuable because redundancy is part of the service.

Using Nginx as the load balancer would be a single point of failure unless you also set up a standby server and something like heartbeat to automatically fail over to your spare Nginx server.

Consider a layered approach of using both ELB and Nginx. The ELB can forward traffic to two or more web hosts in different Availability Zones, each running Nginx. With Nginx and fail2ban, you can still block hosts by IP address. The general approach works like this:

  • Configure Nginx to log the real IP in the log files, not the ELB IP.
  • Configure fail2ban to watch the Nginx access logs and look for IPs to block.
  • When fail2ban detects an IP that it should block, it updates an Nginx include file and reloads Nginx for the rule to take effect. fail2ban expires bans the same way.

You could also exclude fail2ban and manually maintain a list of IPs to block as well.

A detailed explanation of the approach is available at "Nginx + Fail2ban Blocking IP behind AWS Load Balancer".

Answered by Mark Stosberg, Sep 19 '22 12:09
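The following is an added example (not code from the question, the answers, Nginx or fail2ban) of the two pieces the layered approach above depends on: recovering the real client IP from X-Forwarded-For while trusting only the hops the load balancer itself appended, and turning repeat offenders in the access log into an Nginx `deny` include file of the kind fail2ban would write and reload. The trusted proxy range, the log lines and the `/login` 401 heuristic are all constructed for the example; in a real deployment the trusted range is your ELB subnet(s). The important security point it demonstrates is that the left-most XFF entry is attacker-controlled, so the chain must be walked from the right, skipping trusted proxies, exactly as Nginx's `real_ip_recursive on` does.

```python
"""Added example: client-IP recovery behind ELB and a deny-list generator.

The log format assumed here is Nginx's "combined" format with
"$http_x_forwarded_for" appended as one more quoted field.  All sample
data below is constructed; the proxy range is a placeholder.
"""
import ipaddress
import re
from collections import Counter

# Assumption (placeholder): the ELB nodes that reach Nginx live in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/16")]

# One regex for: remote_addr ident user [time] "request" status bytes "ref" "ua" "xff"
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[[^\]]*\] "[^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

# Constructed access-log lines.  Line 3 carries a spoofed left-most XFF entry
# (1.2.3.4) that the attacker sent; the ELB appended the true peer afterwards.
# Line 5 passes through a second trusted hop (10.0.1.9) before reaching us.
SAMPLE_LOG = """\
10.0.1.7 - - [20/Jan/2016:02:01:10 +0000] "GET /login HTTP/1.1" 401 12 "-" "curl/7.47" "203.0.113.9"
10.0.1.7 - - [20/Jan/2016:02:01:11 +0000] "GET /login HTTP/1.1" 401 12 "-" "curl/7.47" "203.0.113.9"
10.0.1.8 - - [20/Jan/2016:02:01:12 +0000] "GET /login HTTP/1.1" 401 12 "-" "curl/7.47" "1.2.3.4, 203.0.113.9"
10.0.1.8 - - [20/Jan/2016:02:01:13 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "198.51.100.4"
10.0.1.7 - - [20/Jan/2016:02:01:14 +0000] "GET /login HTTP/1.1" 401 12 "-" "curl/7.47" "198.51.100.4, 10.0.1.9"
"""


def _is_trusted(hop: str) -> bool:
    """True if the hop is a syntactically valid address inside a trusted range."""
    try:
        addr = ipaddress.ip_address(hop)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: str):
    """Return the real client address, or None if it cannot be determined.

    The chain is [xff entries..., remote_addr], oldest hop first.  Walking it
    from the right and skipping trusted proxies mirrors Nginx's
    real_ip_recursive behaviour; the first untrusted hop is the client.
    A malformed hop ends the walk, because nothing left of it can be trusted.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip() and h.strip() != "-"]
    chain = hops + [remote_addr]
    for hop in reversed(chain):
        if _is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None
        return hop
    # Every hop was a trusted proxy: the nearest peer is the best answer we have.
    return remote_addr


def offenders(log_text: str, threshold: int = 2, status: str = "401"):
    """Client IPs that produced at least `threshold` responses with `status`."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != status:
            continue
        ip = client_ip(m.group("remote"), m.group("xff"))
        if ip is not None:
            counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def render_deny_include(ips) -> str:
    """Body of an Nginx include file, one `deny` directive per address."""
    return "".join(f"deny {ip};\n" for ip in ips)


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG)
    print(render_deny_include(bad), end="")
```

On the Nginx side this pairs with `set_real_ip_from` for the ELB range, `real_ip_header X-Forwarded-For;` and `real_ip_recursive on;` so that `$remote_addr` in the access log is already the recovered client, and with an `include` of the generated deny file followed by `nginx -s reload`. Note that the spoofed `1.2.3.4` never makes it into the deny list, and that a naive "take the first XFF entry" rule would have let an attacker get arbitrary third-party addresses banned.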