Menu
This topic is for HTTP Traffic (on Linux Platform). May be there is a good solution with ELB (with reasonable price for everyone) for the problem below. But so far i can not find any. That's why i need expert advices.
I've been using AWS Elastic Load Balancing (ELB) for years. And suddenly realized there is a huge (and critical to me) drawback of ELB .. which is to block the inbound connections by IP.
Because once you are behind ELB(s), your Server Internal Firewalls (like: iptables) are useless already because all the forwarded traffics from ELB are stamped as ELB IP (not the real Client IP). ELB only forwards the Real Client IP as in X-Forwarded-For http header, which is useless for iptables. (Unless you can suggest there is a Linux Firewall like iptables which can also handle HTTP Traffic with XFF (X-Forwarded-For) header inside.)
I understand this is the normal behaviours of such Reverse Proxies, but i need to put a Firewall! I know on AWS, it is suggested to use VPC and the Network ACL rules to BLOCK the inbound connections by IP. But NACLs have the rule limits! (AWS only allows total of maximum 40 rules in NACLs)
Imagine you are running a high traffic Public website, and then need to block a lot bad IPs detected everyday. How would this 40 rules help?
I'm start thinking of using Nginx as the Load-balancer (on a separate Instance). I've used Nginx before and it is a promising one. And of course, can replace ELB. And then:
iptables on that Nginx Instance! (So, that VM will become LB+Firewall)But before i make a move,
Thanks all for advices.
390
And it's true that in most cases, either ELB or NGINX will work. But there are important differences between them, and the decision you make for handling load balancing will set the tone for other infrastructure decisions going forward. It shapes the architecture of your apps and your deployment patterns.
But in general, the Classic Load Balancer is likely to be the best choice if your routing and load-balancing needs can all be handled based on IP addresses and TCP ports. In contrast, the Application Load Balancer can address more complex load-balancing needs by managing traffic at the application level.
High availability An Elastic Load Balancer is highly available. You can distribute incoming traffic across your Amazon EC2 instances in a single Availability Zone or multiple Availability Zones. An Elastic Load Balancer automatically scales its request handling capacity in response to incoming application traffic.
If you need to load balance HTTP requests, we recommend you use the Application Load Balancer (ALB). For network/transport protocols (layer4 – TCP, UDP) load balancing, and for extreme performance/low latency applications we recommend using Network Load Balancer.
Its been a while since this question was asked, but I thought it might be worth pointing out that both Classic and next generation Application Load Balancers now support Security Groups for limiting access to your load balancer - http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html
180
Using ELBs remains valuable because redundancy is part of the service.
Using Nginx as load-balancer would be a single point of failure unless you also set up a standby server and something like heartbeat to automatically fail over to your spare Nginx server.
Consider a layered approach of using both ELB and Nginx. The ELB can forward traffic to two or more web hosts in different Availability Zones, each running Nginx. With Nginx and fail2ban, you can still block hosts by IP address. The general approach works like this:
You could also exclude fail2ban and manually maintain a list of IPs to block as well.
A detailed explanation of the approach is available at "Nginx + Fail2ban Blocking IP behind AWS Load Balancer".
24
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
