
I have a web service with a few EC2 servers behind an AWS ELB. As I understand it, there is no way an ELB endpoint can have a static IP, because it is a DNS-based load balancing solution, and that is a design decision made by the ELB team.

However, one of the 3rd party partners that we integrated with requires the IP of our servers due to their internal infrastructure limits (ya, I know).

After some research, I plan to prepare an SSL pass-through reverse proxy behind a static IP and pass requests to our ELB endpoint. This server will only be used by that client. I will probably use HAProxy because the proxy server needs to resolve the IP of the ELB dynamically.

Pros :

  • No changes to the infrastructure behind the AWS ELB.
  • No additional SSL certificate required.

Cons :

  • Introduces a single point of failure, but only affects that client.
  • The client needs to assign the IP for our domain name themselves, or we set up another domain name pointing to this server.
  • No previous experience setting up such a reverse proxy.

This is the only way I came up with without changing our infrastructure. I would like to hear your input: what would you do if you were in this situation?

Rangi Lin
  • Depending on load and balancing you could potentially give them the IP address of one of the EC2 servers and have them only talk to that server. It opens up your security a bit, and could cause problems for load balancing. Your proxy idea seems reasonable, just put it in an autoscaling group with min/max/desired capacity as one so if it fails it gets restarted. – Tim Oct 04 '16 at 06:20
  • I've run ec2 instances with static (elastic) IP addresses which were providing a service via an ELB. Are you quite sure this is not possible? – MadHatter Oct 04 '16 at 07:10
  • @MadHatter : What I need is a static IP for the ELB, not EC2, so Elastic IP does not help. – Rangi Lin Oct 04 '16 at 07:15
  • Ah, I think this may be an issue of nomenclature. You ask how an "*ELB endpoint can have a static IP*" - to me, the endpoint is where the client-server connection terminates, which is the backend instance(s). If what you want to know is how the ELB itself can have a static IP, you should ask that question. My ELBs, by the way, maintained a constant IP address for the year-plus they were running; IME, as long as you don't keep bringing the ELB up and down, it will keep the same address. – MadHatter Oct 04 '16 at 07:31
  • I am asking how I can get a static IP endpoint for my service which is behind AWS ELB. There is no way to set static IP for ELB because the nature of its design. – Rangi Lin Oct 04 '16 at 07:38
  • And I'm saying that in my experience you are wrong, and that ELB addresses do not change as long as the ELB is up and running. – MadHatter Oct 04 '16 at 07:40
  • @MadHatter your experience does not reflect the real behavior of ELB. ELB addresses *tend not to change*, but they can and will change with scaling events based on the traffic load you offer them, as well as due to failure of a node in the balancer, or what I assume to be maintenance work by AWS, during which they will bring up new nodes and eventually release the old ones. On a small balancer, you can easily have public addresses A and B for a long time, then ABCD for a while, then later you'll have C and D only. I have something like 50 ELBs and this is not an unfamiliar occurrence. – Michael - sqlbot Oct 04 '16 at 17:05
  • @Michael-sqlbot ok, fair enough - that is useful data, and thank you for it. Do you have any suggestions for the OP? – MadHatter Oct 04 '16 at 18:48
  • HAProxy on t2 instances with Elastic IPs and Route 53 failover, essentially as @gslin suggested, is how I do it. [EC2 instance recovery](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html) is another mechanism to bring additional resilience to the setup. – Michael - sqlbot Oct 04 '16 at 21:49

2 Answers

2

In the end, I went with the TCP SSL pass-through reverse proxy solution; here is my HAProxy config:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    option tcplog
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s/%si\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
    log global

# Runtime DNS resolution of the ELB name (its addresses change with scaling events).
# A nameserver entry needs an explicit port.
resolvers dns
    nameserver google 8.8.8.8:53
    hold valid 10s

# pass port 80 requests to the AWS ELB
listen http-proxy
    bind *:80
    mode tcp
    server elb my.elb.amazonaws.com:80 check resolvers dns resolve-prefer ipv4

# pass port 443 requests to the AWS ELB (TLS is not terminated here; bytes are relayed as-is)
listen https-proxy
    bind *:443
    mode tcp
    server elb my.elb.amazonaws.com:443 check resolvers dns resolve-prefer ipv4

Some explanation :

  • The proxy listens for connections on ports 80 and 443, then passes them to the ELB endpoint.
  • HAProxy resolves the IP dynamically with the DNS server I specify.
  • Using TCP mode means there is no need to create an extra SSL certificate for the proxy.

I did some tests and it works well.

However, I did notice a downside (or just didn't know how to solve it):

  • Unable to put the real client IP into an HTTP header because it is in TCP mode.

This may cause problems if you want to allow certain IPs to access certain services.

Rangi Lin
  • What happens when the HAProxy server goes down? Does that mean you would have downtime? – vonec Sep 27 '17 at 04:12
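The downside noted in the answer above (in TCP mode the backend only ever sees the proxy's own address) is what the PROXY protocol exists for: HAProxy can prepend a one-line header carrying the original client address to each forwarded connection (`send-proxy` on the `server` line), provided whatever reads the other end of that connection expects it. The following is an added example, not code from the answer or from HAProxy: a strict parser for PROXY protocol v1 that a backend (or a small helper in front of it) would run on a newly accepted connection, honouring the header only when the TCP peer is one of our own proxies, and then applying an IP allowlist to the recovered client address rather than to the proxy's. The proxy and partner addresses and the sample byte stream are constructed for the example.

```python
"""Recovering the real client IP behind a TCP-mode HAProxy via PROXY protocol v1."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample input (not captured from the page's setup): the first bytes a backend
# reads on a connection that HAProxy opened with `send-proxy`. The v1 header line comes
# first, followed by the client's untouched TLS bytes.
SAMPLE_STREAM = (
    b"PROXY TCP4 203.0.113.45 10.0.1.20 51234 443\r\n"
    b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"  # start of a TLS record (truncated)
)

# Assumed addresses for the example: the Elastic IP of the HAProxy box that is allowed to
# speak PROXY protocol to us, and the partner range we want to allowlist.
TRUSTED_PROXIES = {ipaddress.ip_address("198.51.100.10")}
PARTNER_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

MAX_V1_HEADER = 107  # spec: longest legal v1 line, CRLF included


class ProxyProtocolError(ValueError):
    """Raised for any header we refuse to trust; the connection should be dropped."""


@dataclass(frozen=True)
class ProxyHeader:
    family: str          # "TCP4" or "TCP6"
    src_ip: IPAddress    # the real client address, as seen by the proxy
    dst_ip: IPAddress    # the address the client connected to (the proxy's EIP)
    src_port: int
    dst_port: int


def _port(text: str) -> int:
    # The spec forbids leading zeros and anything but decimal digits.
    if not text.isdigit() or (len(text) > 1 and text[0] == "0"):
        raise ProxyProtocolError(f"bad port {text!r}")
    port = int(text)
    if not 0 <= port <= 65535:
        raise ProxyProtocolError(f"port out of range {port}")
    return port


def parse_proxy_v1(data: bytes) -> Tuple[ProxyHeader, bytes]:
    """Split a PROXY protocol v1 header off the front of `data`.

    Returns the parsed header and the remaining payload bytes. Every field is validated
    strictly: a line we cannot parse is an error, never a silent fallback to the TCP peer
    address (that would defeat the allowlist without anyone noticing).
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ProxyProtocolError("no CRLF within the first 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyProtocolError("non-ASCII byte in header") from exc
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ProxyProtocolError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        # Legal per spec (the proxy could not determine the client), but useless for
        # IP-based access control, so we reject rather than guess.
        raise ProxyProtocolError("proxy reported UNKNOWN client address")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyProtocolError("malformed header line")
    family = fields[1]
    try:
        src_ip = ipaddress.ip_address(fields[2])
        dst_ip = ipaddress.ip_address(fields[3])
    except ValueError as exc:
        raise ProxyProtocolError(f"bad address: {exc}") from exc
    expected_version = 4 if family == "TCP4" else 6
    if src_ip.version != expected_version or dst_ip.version != expected_version:
        raise ProxyProtocolError("address family does not match the TCP4/TCP6 tag")
    header = ProxyHeader(family, src_ip, dst_ip, _port(fields[4]), _port(fields[5]))
    return header, data[end + 2:]


def client_ip_from_stream(data: bytes, peer_ip: str,
                          trusted_proxies: Iterable[IPAddress] = TRUSTED_PROXIES
                          ) -> Tuple[IPAddress, bytes]:
    """Return (real client IP, remaining payload) for a freshly accepted connection.

    The header is only honoured when the TCP peer is one of our own proxies. Anyone else
    who can reach the backend could otherwise prepend a forged PROXY line and claim an
    allowlisted source address.
    """
    if ipaddress.ip_address(peer_ip) not in set(trusted_proxies):
        raise ProxyProtocolError(f"PROXY header from untrusted peer {peer_ip}")
    header, payload = parse_proxy_v1(data)
    return header.src_ip, payload


def is_allowed(client_ip: IPAddress, allowlist=PARTNER_ALLOWLIST) -> bool:
    """IP allowlist check against the recovered client address, not the proxy's."""
    return any(client_ip in net for net in allowlist)


if __name__ == "__main__":
    ip, payload = client_ip_from_stream(SAMPLE_STREAM, "198.51.100.10")
    print(f"client={ip} allowed={is_allowed(ip)} payload starts with {payload[:3]!r}")
```

The two checks that matter for security are the trusted-peer test (a PROXY line is just bytes on the wire, so it must only be believed from the proxy's known address, which is also the reason to restrict the backend's security group to that address) and the strict rejection of anything unparseable, including `PROXY UNKNOWN`, instead of falling back to the peer address.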
1

If cost is not an issue, Client Access Control (CAC) from Akamai offers a static IP address solution. It's expensive, but it should work well.

If you would like to build it yourself, you can build two instances with Elastic IPs (and give these two IP addresses to the 3rd-party partners), then use Route53 health checks to avoid a SPoF.

Gea-Suan Lin