I'm quite new to networking, but I have been working on this problem for quite some time with no success.

I have an AWS EC2 instance (Windows Server) hosting a video management web portal. The user should be able to access the web portal through their browser and view video footage (traffic is both HTTP and TCP). The issue is that I am trying to route DNS requests for the web portal through an Amazon application load balancer, forwarded to my EC2, so that I can make use of amazon's certificate manager, as I would like the webpage to be encrypted.

If I access the EC2 directly (with its IP or DNS), everything works correctly. However, when the traffic routes through the ALB, the video never loads, and I assume this is because the ALB does not pass the TCP traffic through, just the HTTP/HTTPS traffic. If I use a network load balancer to route the traffic then I am able to see the video just fine; the issue here is that there is no way to add my certificate to the NLB and encrypt the traffic. I'm stuck, but I know for someone with more experience than me, this is likely a very simple problem.

Any advice you have would be greatly appreciated. Thank you.

DForesi
  • Is your video streaming going over port 80/443? Or a different port? I assume if you have both HTTP and TCP traffic those are going over different ports aren't they? If so, create a TLS listener on port 443 of the network load balancer, and attach the ACM certificate to that, and a TCP listener for whatever port your TCP video traffic goes through. – Mark B Aug 27 '22 at 13:35
  • As far as I can tell all information is sent over 443. The web interface is sent over HTTP/HTTPS and when the video streams engage I begin to see TCP traffic on the same port. – DForesi Aug 28 '22 at 12:02

3 Answers

It's true that ALBs talk HTTP and HTTPS. If you need other protocols, NLB is your best bet.

I'm wondering why you say you can't use certificates on an NLB. As discussed in this blog, TLS termination is possible on NLB. It integrates with AWS Certificate Manager to encrypt your traffic, so you create a TLS listener and forward TCP to your instance.

LRutten
  • Thank you for the advice. I created NLB w/ TLS listener on 443, then created a TLS target to TCP 8081. The issue I am having now is that no matter what I do, I cannot seem to get the health check to pass. I have tried performing an HTTP health check on port 80 (windows IIS) and port 8081, my video server. Both fail, even though both are accessible. I have also tried performing TCP health checks on these ports, they also fail. I went into the windows firewall and made an inbound rule to accept all connections from TCP 8083 and tried to health check on that port. Failed as well. – DForesi Aug 28 '22 at 11:55
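As an added example (not code from the answer, the comment, or AWS), here is a Terraform definition of the setup the answer describes and the comment tried: an NLB TLS listener on 443 with an ACM certificate, forwarding plain TCP to a target group on 8081 with an HTTP health check. The subnet, VPC, instance IDs, CIDR and certificate ARN are placeholders; the security-group rule is included because NLB health checks arrive from the load balancer's own addresses inside the VPC, so the target (and the Windows firewall on it) must accept the health-check port from that range.

```hcl
# Placeholder IDs/ARN: replace with values from your account.
locals {
  vpc_id   = "vpc-PLACEHOLDER"
  vpc_cidr = "10.0.0.0/16"            # assumed VPC range for health checks
  cert_arn = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"
}

resource "aws_lb" "video" {
  name               = "video-nlb"
  load_balancer_type = "network"
  subnets            = ["subnet-PLACEHOLDER"]
}

# Backend stays plain TCP on 8081; TLS is terminated at the NLB.
resource "aws_lb_target_group" "video" {
  name        = "video-tcp-8081"
  port        = 8081
  protocol    = "TCP"
  vpc_id      = local.vpc_id
  target_type = "instance"

  health_check {
    protocol = "HTTP"   # use "TCP" if 8081 does not answer HTTP GET /
    port     = "8081"
    path     = "/"
    interval = 30
  }
}

resource "aws_lb_target_group_attachment" "video" {
  target_group_arn = aws_lb_target_group.video.arn
  target_id        = "i-PLACEHOLDER"
  port             = 8081
}

# Health checks originate inside the VPC: allow 8081 from the VPC range
# on the instance's security group (the host firewall must allow it too).
resource "aws_security_group_rule" "health_check" {
  type              = "ingress"
  security_group_id = "sg-PLACEHOLDER"
  from_port         = 8081
  to_port           = 8081
  protocol          = "tcp"
  cidr_blocks       = [local.vpc_cidr]
}

resource "aws_lb_listener" "tls" {
  load_balancer_arn = aws_lb.video.arn
  port              = 443
  protocol          = "TLS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = local.cert_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.video.arn
  }
}
```

If the health check still fails, test the exact check from inside the VPC (for example from another instance in the same subnet) rather than from your whitelisted client IP, since that is the path the NLB uses.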
Things to check:

  • Is the ALB security group allowing traffic on the ports being used (HTTP/HTTPS)?
  • Are the ALB targets healthy? If not, go to the targets and try accessing the health checks locally.

HTH

  • To answer both of your questions. Yes - All traffic of all protocols is currently being allowed in my test environment, and I simply white list my IP. Yes - The targets are healthy. I am able to access the web server and navigate the site. But the video does not load. – DForesi Sep 01 '22 at 17:23
Further development. It appears to be some issue with the encryption.

When I use a listener on port 80 with HTTP, there is no problem with the video. If I use an HTTPS listener on 443, the video does not come through.

I believe the video uses websockets. Is it possible this has something to do with the issue?

DForesi