
In AWS, we deployed a backend service (an API) behind an internal ALB. The frontend (Web UI) calls the API and also needs to be accessible from the internal enterprise network. It should be bound to Route 53.

We are using a VPN in our enterprise, and Direct Connect to connect to the AWS VPC, so we can use private IPs to reach the internal ALB in AWS.

Now we want to bind the existing internal ALB's DNS name to a domain in Route 53. Is it possible to do this using the internal ALB only?

Perhaps the current internal ALB cannot serve this purpose. In that case we would add a second, internet-facing ALB and bind that one to Route 53.

If we set up both kinds of ALB and deploy with ECS, how do we do blue/green deployment with two different target security groups?

  • Your question is quite confusing. Can you please edit your question to include a diagram, and ideally edit your question to be a bit more precise? Can your enterprise network access the system using the public-facing ALB? Do you have VPN / DirectConnect in place? We will need more information to help you – Tim Feb 11 '22 at 07:25
  • @Tim Thank you. I added a diagram link to the question. My enterprise network can access the system behind the public ALB. We are using DirectConnect between on-premise and AWS. Also, we have a VPN, so we want to access the system over the VPN. The green items are what I want to add this time. Do I need them? That's why I asked about the best design. – freetimetime Feb 11 '22 at 11:49
  • You are stating what you think you need to do. A better way to write a question is to say the current state in words, with a diagram, and your target state. You haven't done that; you've given a design without clearly explaining current / target states. I think currently you have a system that you access over DirectConnect with a VPN, where you hit an ALB using private IPs. I think you want another set of servers behind another ALB that is public facing. Why would you want another target group? That would make this independent of the original solution. Please revise your question for clarity. – Tim Feb 11 '22 at 17:54
  • @Tim Thank you for your comment again. I edited the question above. In short: we are currently using an internal ALB and want to bind it to Route53. Do we need to create an internet-facing ALB to do that? If necessary, we will use both. It would be great if the two ALBs could use the same target groups. – freetimetime Feb 12 '22 at 01:12
  • The easiest option is probably a second ALB using the same target group. I suspect there's probably a way to use the same ALB for both public and private but I haven't tried to do that, maybe associating the ALB with both public and private subnets. I'd have to experiment a bit to work that out. How you do blue / green could be tricky with two ALBs. – Tim Feb 12 '22 at 03:48
  • @Tim Yes, I agree with you. That's why I want to confirm the solution for this purpose. If one ALB can be associated with both public and private subnets, that would be a great feature. But the blue/green deployment is indeed difficult. However, the goal of this question is, for the design, can I use a public ALB only? Then I can remove the current private one and create a new one. – freetimetime Feb 12 '22 at 04:11
  • I'm pretty sure you can create a new public facing ALB, route enterprise traffic over DirectConnect (double check that), and use standard processes. If you have DirectConnect you should have an AWS account manager / technical architect who can answer these questions for you, if not get yourself onto invoiced billing and get one allocated. – Tim Feb 12 '22 at 08:06
  • @Tim Okay. Thank you very much for your help and advice. – freetimetime Feb 12 '22 at 10:29

1 Answer


My initial suggestion is to:

  • Create a new public facing ALB
  • Route enterprise traffic over DirectConnect using a public VIF to the ALB
  • Use the existing target group
  • Use standard green / blue techniques

There may be better ways to do this, I'd have to give it a bit of thought. Others might have better ideas.

Tim
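
As an added example (not the asker's or Tim's configuration), here is the suggested layout expressed in Terraform: the existing internal ALB stays, an internet-facing ALB is added, and one ECS service registers its tasks behind both, with Route 53 aliases for each. Two AWS constraints that the answer glosses over are built in. First, an ALB target group can be attached to only one load balancer, so the second ALB gets its own target group instead of reusing the existing one; ECS can register a single service in several target groups, which achieves the "same targets" goal. Second, the internet-facing ALB's security group admits only the enterprise's public egress ranges, not 0.0.0.0/0, and the task security group admits port 8080 only from the two ALB security groups. Every name, ID, CIDR and zone ID is a placeholder, and the ECS cluster, task definition and task security group are assumed to be defined elsewhere.

```hcl
# Added example, not from the original question or answer. All IDs, names,
# CIDRs and zone IDs are placeholders; aws_ecs_cluster.main,
# aws_ecs_task_definition.api and aws_security_group.tasks are assumed to exist.
variable "vpc_id"             { type = string }
variable "private_subnet_ids" { type = list(string) }
variable "public_subnet_ids"  { type = list(string) }
variable "onprem_cidrs"       { type = list(string) } # on-prem ranges that reach the VPC over Direct Connect
variable "enterprise_egress"  { type = list(string) } # public IPs the enterprise presents to the Internet
variable "certificate_arn"    { type = string }
variable "public_zone_id"     { type = string }        # public hosted zone for the internet-facing alias
variable "private_zone_id"    { type = string }        # private hosted zone associated with the VPC

locals {
  albs = {
    internal = { internal = true,  subnets = var.private_subnet_ids, ingress = var.onprem_cidrs }
    public   = { internal = false, subnets = var.public_subnet_ids,  ingress = var.enterprise_egress }
  }
}

# One security group per ALB. The internet-facing one is NOT opened to 0.0.0.0/0.
resource "aws_security_group" "alb" {
  for_each = local.albs
  name     = "alb-${each.key}"
  vpc_id   = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = each.value.ingress
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Tasks accept 8080 only from the two ALB security groups, nothing else.
resource "aws_security_group_rule" "tasks_from_albs" {
  for_each                 = aws_security_group.alb
  type                     = "ingress"
  security_group_id        = aws_security_group.tasks.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = each.value.id
}

resource "aws_lb" "alb" {
  for_each           = local.albs
  name               = "api-${each.key}"
  internal           = each.value.internal
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb[each.key].id]
  subnets            = each.value.subnets
}

# A target group belongs to exactly one load balancer, so each ALB gets its own.
resource "aws_lb_target_group" "api" {
  for_each    = local.albs
  name        = "api-${each.key}"
  port        = 8080
  protocol    = "HTTP"
  target_type = "ip" # Fargate / awsvpc tasks
  vpc_id      = var.vpc_id
  health_check { path = "/healthz" }
}

resource "aws_lb_listener" "https" {
  for_each          = local.albs
  load_balancer_arn = aws_lb.alb[each.key].arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.api[each.key].arn
  }
}

# One ECS service registers its tasks in both target groups, so both ALBs
# front the same tasks and there is still a single service to deploy.
resource "aws_ecs_service" "api" {
  name            = "api"
  cluster         = aws_ecs_cluster.main.id
  task_definition = aws_ecs_task_definition.api.arn
  desired_count   = 2
  launch_type     = "FARGATE"
  network_configuration {
    subnets         = var.private_subnet_ids
    security_groups = [aws_security_group.tasks.id]
  }
  dynamic "load_balancer" {
    for_each = aws_lb_target_group.api
    content {
      target_group_arn = load_balancer.value.arn
      container_name   = "api"
      container_port   = 8080
    }
  }
}

# Route 53: the same name resolves to the internet-facing ALB from the public
# zone and to the internal ALB from the private zone attached to the VPC.
resource "aws_route53_record" "api" {
  for_each = { public = var.public_zone_id, internal = var.private_zone_id }
  zone_id  = each.value
  name     = "api.example.com"
  type     = "A"
  alias {
    name                   = aws_lb.alb[each.key].dns_name
    zone_id                = aws_lb.alb[each.key].zone_id
    evaluate_target_health = true
  }
}
```

Two caveats on this layout. The private-zone alias only helps clients whose DNS queries reach Route 53; on-prem resolvers over Direct Connect need a Route 53 Resolver inbound endpoint (not shown) to resolve it, otherwise on-prem users will only see the public record. On deployment, the example relies on ECS's own rolling update across both target groups; CodeDeploy's blue/green deployment type for ECS is driven by one production listener and one pair of target groups per deployment group, which is why blue/green across two ALBs is the awkward part Tim flags in the comments.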