共计 1932 个字符,预计需要花费 5 分钟才能阅读完成。
- EC2 Instances should only allow traffic coming directly from the load balancer.
- Therefore, the source of security group rule of your EC2 instances is not an IP range, it’s a security group.
- So we’re going to link the security group of the EC2 instances to the security group of the load balancer, which is an enhanced security mechanism.
1. Classic Load Balancer (CLB)
Step 1: Create an Instance
Add the script below into User Data:
#!/bin/bash
# Use this for your user data (script from top to bottom)
# install httpd (Linux 2 version)
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "<h1>Hello World from $(hostname -f)</h1>" > /var/www/html/index.html
Create / select an existing security group
Now we have lauched a new instance
Step 2: Create a Classic Load Balancer
Leave “Create an internal load balancer” unticked, because we want to access it from computer, so we don’t keep it private.
IPv6 is not supported by CLB
The path for health check is /index.html
First, we perform a health check at /
Copy the public IP in URL and get the response:
Which also works well at index.html:
So this is the configuration:
Add EC2 Instances:
Then a new CLB is created successfully
Open the URL of DNS name of our CLB, the response is the same as if we had used the public facing IP, which means the CLB is working:
Note that one of the reasons why the CLB is out of service is that the rules of security group are not correct, for example, there’s no port 80 available on the security group.
Change the inbound rule to tighten the security:
First, delete the existing HTTP rule;
Second, create a new rule with the source being the CLB security group.
In that way, we’re allowing any traffic from the security of CLB into the security group of EC2 instances. We want the ELB to access the instances, and we don’t want users to directly access the instances.
Now if we try to access the public IP of the instances, we get an endless running cycle, but accessing from DNS name of the ELB is still working well.
So now, we can access the EC2 instances only through the ELB. We have enhanced the security. That is a very common pattern in AWS.
Add two more instances:
Add the new created intances into it:
Refresh the page, get a new EC2 instance replying, which means the load balancer is indeed load balancing the requests.
