Posted under » AWS on 14 Aug 2023
Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple targets and virtual appliances.
In simple terms, if you have a server, e.g. an EC2 instance, you can load balance it so that it can take more hits. It is like a force multiplier.
Other than an EC2 instance, it also supports other 'targets' such as AWS Lambda, AWS Elastic Beanstalk, etc.
Instead of directing traffic to a single IP, the load balancer has several IPs to take your hits.
A load balancer endpoint looks like this: lmao-8060143.ap-southeast-2.elb.amazonaws.com. When you set up your DNS, you cannot create an A record for it, because the endpoint is not a single IP address; besides, the IP addresses are not static. You have to create a CNAME entry instead.
To find out which IPs the load balancer currently answers on, run:
$ dig A lmao-8060143.ap-southeast-2.elb.amazonaws.com
Normally you see more than one IP in the ANSWER section.
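As an added example (not part of the original post), the following Python script checks the two DNS points made above: the domain should resolve through a CNAME to an *.elb.amazonaws.com name rather than an A record, and that name should come back with more than one address. It parses the output of `dig +short A <name>`; the sample output embedded below is constructed, with TEST-NET addresses standing in for real load balancer IPs.

```python
"""Check that a domain fronted by an ELB is set up as described:
a CNAME (not an A record) pointing at an *.elb.amazonaws.com name,
which in turn resolves to more than one IP address.
"""
import ipaddress
import subprocess
from typing import List, Tuple

ELB_SUFFIX = ".elb.amazonaws.com"


def parse_dig_short(output: str) -> Tuple[List[str], List[str]]:
    """Split `dig +short` output into (CNAME targets, A-record IPs).

    dig prints CNAME targets as names with a trailing dot, followed by the
    addresses they finally resolve to, one per line.
    """
    names, ips = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        try:
            ips.append(str(ipaddress.ip_address(line)))
        except ValueError:
            names.append(line.rstrip("."))
    return names, ips


def check_elb_dns(output: str, min_ips: int = 2) -> List[str]:
    """Return a list of problems; an empty list means the record looks right."""
    names, ips = parse_dig_short(output)
    problems = []
    if not names:
        problems.append("no CNAME in the answer: the domain points at fixed IPs "
                        "(A record), but load balancer IPs are not static")
    elif not any(n.endswith(ELB_SUFFIX) for n in names):
        problems.append(f"CNAME target {names[-1]} is not an {ELB_SUFFIX} name")
    if len(ips) < min_ips:
        problems.append(f"only {len(ips)} IP(s) in the answer; expected at least {min_ips}")
    return problems


def dig_short(name: str) -> str:
    """Run `dig +short A <name>` (needs network access and the dig binary)."""
    return subprocess.run(["dig", "+short", "A", name],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample output (TEST-NET-3 addresses, not real ELB IPs) for offline use.
SAMPLE_GOOD = """lmao-8060143.ap-southeast-2.elb.amazonaws.com.
203.0.113.10
203.0.113.11
"""
# Constructed: a domain that was (wrongly) given an A record instead of a CNAME.
SAMPLE_A_RECORD = "203.0.113.10\n"


if __name__ == "__main__":
    import sys
    # Pass a hostname to check it live; with no argument the constructed sample is used.
    out = dig_short(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_GOOD
    for line in check_elb_dns(out) or ["OK"]:
        print(line)
```

Run it as `python check_elb_dns.py www.yourdomain.example` against a real domain; the checks are deliberately separated from the dig call so they can also be run on saved output.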
If you want to install AWS WAF (Web Application Firewall), you need to set up an ELB first. This makes sense because the client will no longer hit your server directly: it hits the load balancer, and WAF, first.
Another issue is the SSL cert. On a single-IP server you install Let's Encrypt through Apache. With the load balancer, you use the certificate AWS issues, which is free; and if you have a DigiCert SSL cert, the load balancer makes it easy to get that set up too. What the load balancer does is terminate SSL for you: it listens on port 443 with the certificate and forwards the traffic as plain HTTP to your server on port 80. So you just serve your website in Apache on port 80, and clients reach it over 443. You don't have to set up a rewrite from port 80 to 443 in Apache.
In DNS, instead of an A record, you create a CNAME record pointing to lmao-8060143.ap-southeast-2.elb.amazonaws.com, which resolves to several IPs.
You have to allow inbound ports 80 and 443 for the load balancer by creating a VPC security group.
For your EC2 instance, you don't need an external IP: you point the load balancer at the internal (private) IP,
because that IP doesn't change, so there is no need for an Elastic IP.
This is also the safer option, because nobody can get into the server unless they are inside the VPC or network.
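The security-group setup above (load balancer open on 80 and 443, EC2 instance reachable only from inside the VPC) is easy to get wrong by leaving the instance's group open to 0.0.0.0/0. The following Python script is an added example, not code from the original post: it audits both groups. The rule dictionaries follow the shape boto3 returns from `ec2.describe_security_groups()`, so the checks can be run on real output; the group IDs and rules embedded below are constructed samples.

```python
"""Audit the two security groups described in the post: the load balancer's
group should accept only tcp/80 and tcp/443 from the internet, and the EC2
instance's group should accept web traffic only from the load balancer's
group, never from 0.0.0.0/0.
"""
from typing import Dict, List, Tuple

ANYWHERE = {"0.0.0.0/0", "::/0"}
WEB_PORTS = (80, 443)


def _ports(rule: Dict) -> Tuple[int, int]:
    """Port range a rule covers; IpProtocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return (0, 65535)
    return (rule["FromPort"], rule["ToPort"])


def _label(rule: Dict) -> str:
    lo, hi = _ports(rule)
    proto = rule.get("IpProtocol")
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def _open_to_world(rule: Dict) -> bool:
    cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
    return bool(cidrs & ANYWHERE)


def audit_lb_sg(sg: Dict) -> List[str]:
    """Only single-port tcp/80 and tcp/443 rules are expected on the load balancer."""
    findings, seen = [], set()
    for rule in sg.get("IpPermissions", []):
        lo, hi = _ports(rule)
        if rule.get("IpProtocol") != "tcp" or lo != hi or lo not in WEB_PORTS:
            findings.append(f"{sg['GroupId']}: unexpected inbound rule {_label(rule)}")
        else:
            seen.add(lo)
    for port in sorted(set(WEB_PORTS) - seen):
        findings.append(f"{sg['GroupId']}: tcp/{port} not allowed inbound; that listener is unreachable")
    return findings


def audit_instance_sg(sg: Dict, lb_sg_id: str) -> List[str]:
    """Nothing on the instance may be open to the world, and web ports must
    come only from the load balancer's security group."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        lo, hi = _ports(rule)
        if _open_to_world(rule):
            findings.append(f"{sg['GroupId']}: {_label(rule)} open to the internet")
            continue
        if not any(lo <= p <= hi for p in WEB_PORTS):
            continue
        sources = {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}
        if rule.get("IpRanges") or rule.get("Ipv6Ranges") or sources - {lb_sg_id}:
            findings.append(f"{sg['GroupId']}: {_label(rule)} allowed from sources other than "
                            f"the load balancer group {lb_sg_id}")
    return findings


# Constructed sample groups (IDs are placeholders, not real AWS resources).
LB_SG = {"GroupId": "sg-lb-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]}
EC2_SG_GOOD = {"GroupId": "sg-web-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-lb-example"}]},
]}
EC2_SG_BAD = {"GroupId": "sg-web-bad", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Live mode: python audit_sg.py <lb-sg-id> <instance-sg-id> (needs boto3 and credentials).
        import boto3
        lb_id, ec2_id = sys.argv[1], sys.argv[2]
        groups = boto3.client("ec2").describe_security_groups(GroupIds=[lb_id, ec2_id])["SecurityGroups"]
        by_id = {g["GroupId"]: g for g in groups}
        findings = audit_lb_sg(by_id[lb_id]) + audit_instance_sg(by_id[ec2_id], lb_id)
    else:
        findings = audit_lb_sg(LB_SG) + audit_instance_sg(EC2_SG_BAD, "sg-lb-example")
    print("\n".join(findings) or "no findings")
```

With no arguments it audits the constructed samples and reports the two world-open rules on the bad instance group; given two real group IDs it fetches them with boto3 and applies the same checks.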