
I just started learning AWS a few days ago. I'm confused about the way ELB distributes traffic coming from the internet. For example, if I have four EC2 instances, two in the public subnet and the others in the private subnet, and I use classic load balancing to connect the public subnet to the external internet.

Question: how does the classic load balancer connect to the EC2 instances that I deployed in the private subnet? Should I set up an internal load balancer between the public and private subnets to achieve that?

Kitakado
  • Why do you have 2 instances in the public subnets and 2 in the private subnets? What do these instances do? As a general rule, all the instances connected to a balancer would be in the same type of subnet, typically private... so your scenario seems unclear. – Michael - sqlbot Sep 24 '19 at 02:57

1 Answer

If you want to load balance between your front web tier and a back end tier you would need a load balancer between the public and private subnets. The public ELB does not connect to the private subnet.

A feature of having a private subnet is that it isn't accessible from the internet, regardless of any load balancer. Note that, as per Michael's comment below, that isn't a precise definition; it's a simplification. Any pattern where you can access a private subnet from the internet via a load balancer means that subnet is open to the internet, and is essentially public. Someone with extensive IT knowledge and experience might choose to design a network that way in some special circumstances, but it's not standard.

If the desire is to limit the number of load balancers, then a load balancer in a public subnet targeting instances in a private subnet is a viable option. Those instances should not have public IP addresses. If the web servers pass traffic to other instances, such as application or database servers, those other instances should have a security group that only accepts traffic from the web server tier security groups.

There's a useful article on AWS VPCs and public / private subnets here.

Tim
  • But why can we sometimes send traffic from an internet-facing ELB to the private subnet through a blank public subnet? Like this one: http://thebluenode.com/exposing-private-ec2-instances-behind-public-elastic-load-balancer-elb-aws – Kitakado Sep 24 '19 at 00:50
  • Answer updated. You don't want to do what you suggested in your comment. I suggest you need to learn network design and then AWS if you're going to do anything that requires security. – Tim Sep 24 '19 at 01:29
  • That's very helpful, thank you very much. – Kitakado Sep 24 '19 at 02:05
  • @Tim I have to object to the assertion that *"The point of having a private subnet is that it isn't accessible from the internet, regardless of any load balancer."* It is in fact *best practice* to place the load balancer in public subnets and the web servers behind it in private subnets, with a NAT Gateway to allow the web servers to make external requests. A "private subnet" is simply a subnet that doesn't support assigning public/elastic IPs to the instances on the subnet (you can technically assign them, but they are unusable) because it lacks a route to the IGW. – Michael - sqlbot Sep 24 '19 at 02:10
  • Official docs: [How do I connect a public-facing load balancer to EC2 instances that have private IP addresses?](https://aws.amazon.com/premiumsupport/knowledge-center/public-load-balancer-private-ec2/) – Michael - sqlbot Sep 24 '19 at 02:11
  • Maybe my language wasn't sufficiently precise @Michael-sqlbot. I was going for simple, given the nature of the question. The general idea was that if you had public and private subnets, with web servers in the public and app / DB servers in the private, a load balancer in front of the public subnet, you wouldn't provide the facility for a load balancer to skip the web tier direct to the app / DB tier. – Tim Sep 24 '19 at 02:14
  • @Tim Sorry I have to ask you again. Just like Michael - sqlbot posted, if I place the load balancer in public subnets and the web servers behind it in private subnets, I only have to use one ELB to make my private subnets get connected. On the other hand, if I use a 2-tier architecture with web servers in the public and app / DB servers in the private, I have to make an internet-facing ELB and an internal ELB, right? – Kitakado Sep 24 '19 at 02:40
  • Yes, but it depends on the details. I've updated my answer with a bit more information. Just a note, I'm happy to help, but Server Fault helps with problems, it's not set up to teach people networking and there's a chance your question is closed because of that. – Tim Sep 24 '19 at 03:36
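The answer and Michael's comments boil down to three checkable properties: a subnet is private only because its route table has no route to an internet gateway, load-balancer targets in private subnets get no public IP, and back-end tiers accept traffic only from the web tier's security group. The following is an added example (not code from the thread or from AWS) that audits those properties over constructed data laid out like boto3's describe_route_tables / describe_instances / describe_security_groups output; all subnet, instance, gateway and security-group IDs are made up.

```python
# Added example, not from the Server Fault thread: audits a VPC layout against what the answer
# and Michael's comment describe. Dict shapes follow boto3 describe_route_tables /
# describe_instances / describe_security_groups output; all data is constructed, no AWS calls.
ROUTE_TABLES = [  # constructed: one public subnet (IGW route) and one private (NAT only)
    {"Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]
INSTANCES = [  # constructed; i-app1 carries a deliberate defect: a public IP in a private subnet
    {"InstanceId": "i-web1", "SubnetId": "subnet-private", "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-app1", "SubnetId": "subnet-private", "SecurityGroups": [{"GroupId": "sg-app"}],
     "PublicIpAddress": "203.0.113.10"},
]
SECURITY_GROUPS = [  # constructed; sg-app is deliberately open to 0.0.0.0/0 instead of sg-web
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                                             "UserIdGroupPairs": [{"GroupId": "sg-elb"}], "IpRanges": []}]},
    {"GroupId": "sg-app", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                                             "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

def classify_subnets(route_tables):
    """Map subnet id -> 'public'/'private'. Public means its route table has a route to an igw-*."""
    kinds = {}
    for rt in route_tables:
        has_igw = any(r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"])
        for sid in (a["SubnetId"] for a in rt["Associations"] if "SubnetId" in a):
            kinds[sid] = "public" if has_igw else "private"
    return kinds

def audit(route_tables, instances, security_groups, web_sg="sg-web"):
    """Return findings; an empty list means the layout matches the answer's recommendations."""
    findings, kinds = [], classify_subnets(route_tables)
    # Targets behind the public load balancer live in private subnets and get no public IP.
    for inst in instances:
        if kinds.get(inst["SubnetId"]) == "private" and inst.get("PublicIpAddress"):
            findings.append(f"{inst['InstanceId']}: public IP on a private-subnet instance")
    # Back-end tiers accept traffic only from the web tier's security group, never from CIDRs.
    for sg in security_groups:
        if sg["GroupId"] == web_sg:
            continue
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            src = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            if cidrs or any(s != web_sg for s in src):
                findings.append(f"{sg['GroupId']}: port {perm['FromPort']} open to {cidrs or src}, not just {web_sg}")
    return findings
```

Running `audit(ROUTE_TABLES, INSTANCES, SECURITY_GROUPS)` on the constructed data reports the two planted defects (i-app1's public IP and sg-app's 0.0.0.0/0 rule); swap in the dicts returned by the real boto3 calls to check an actual VPC.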