Enterprise network requirements with AWS ELB & ALB

Organizations that adopt the cloud are increasingly hosting their workloads behind load balancers for high availability, scalability and load sharing across resources. Enterprises whose applications must be accessed over the internet through a private, secure network use solutions such as NetFoundry AppWANs. This blog describes the configuration steps required to connect apps behind internal LBs in AWS via a NetFoundry network.

Types of LBs

Application load balancers and Network load balancers (AWS calls them Elastic load balancers) are the two broad types of load balancers widely used in the networking world.

Network Load Balancer — Distributes traffic based on network variables such as IP address and destination port. … Each target can be on a different port.

Application Load Balancer — Distributes requests based on multiple variables, from the network layer up to the application layer. AWS LBs scale both the resources and the LB itself according to the traffic.

IP addressing in load balancers & Role of DNS – Route 53

Application servers operated behind an AWS LB receive traffic from the LB IP through the target group configuration. The LB is assigned a DNS name which resolves to a dynamic public IP for external LBs and to a dynamic private IP (RFC 1918) for internal LBs. The IP address assigned at any point in time is returned by the AWS DNS. Enterprise users access the application via a URL or domain name. In the Route 53 configuration, the administrator points the A record of the domain to the DNS name of the LB. The enterprise may host its DNS entirely with AWS Route 53 or forward DNS queries from its private DNS server to Route 53.

Note – The LB here may be either an ELB or an ALB.

NetFoundry Components

  • NetFoundry Service (Console) – Web-based orchestrator of the enhanced private network. The administrator chooses how the network is segmented for access, and can perform all actions programmatically through the API and automate intelligence for calls to action.
  • NetFoundry Client [/Gateway] – Software on an endpoint Operating System (OS) that securely routes data through the NetFoundry Fabric.
  • NetFoundry Cloud Gateway – Software image available in the AWS Marketplace as an Amazon Machine Image (AMI) that routes data towards an application service in AWS.
  • NetFoundry Services – Services define resources at a DC, cloud or any other location network that you want to make available over your NetFoundry network to the endpoints (clients / gateways).
  • NetFoundry AppWAN – Logical groupings of services (application IP hosts or IP subnets) accessible in the Local Area Network (LAN) of one or more geographically separate NetFoundry Cloud Gateways. NetFoundry AppWANs are similar in function to the Network Access Control Lists (ACLs) found in firewalls, except that they are created in the NetFoundry Cloud and enforced at NetFoundry Clients and Gateways.

Steps to route traffic to apps behind AWS LBs & configure services in the console

The enterprise's NetFoundry administrator configures their Network and AppWAN in a few simple steps by logging into the console.

As part of this configuration, the information required to create the services in the NetFoundry console for routing traffic to apps behind LBs (Network or Application Load Balancer) is listed here:

  1. AWS LBs are assigned IPs from the VPC subnets. If it is an internal LB, the IP addresses are assigned from the VPC private subnets. The IP segment used by the LB is shown in the LB's configuration in the AWS console.
  2. Configure the entire subnet as an IP Network service in the NF console with the required ports allowed.
  3. If users are on an enterprise DNS that forwards to Route 53, ensure that the DNS server IPs are also configured as IP Network services in the NF console. If the enterprise uses primary and secondary DNS servers, configure both DNS server IPs as IP Network services in the console.
  4. Ensure that the endpoints and the IP Network services (for the LB as well as the DNS) are part of the same AppWAN.
  5. When enterprise users connected through NetFoundry clients or gateways access the app's URL, the URL / domain resolves to one of the IPs in the subnet used by the LB. The route for this IP was configured in step 2 via the NetFoundry service section.
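The following Python model walks through steps 1 to 5 as an added example (it is not NetFoundry's or AWS's code): the LB subnets, DNS forwarder IPs and application ports are constructed placeholders, and the functions model the AppWAN's IP Network services as plain local data rather than calling the NetFoundry API. It also covers the failure case the steps imply: an address returned for the LB's DNS name that falls outside the subnet configured in step 2 has no route and cannot be reached.

```python
import ipaddress

# Constructed placeholder values: the VPC subnets the internal LB is attached to
# (read from the LB's configuration in the AWS console), the enterprise DNS
# forwarders, and the ports the application exposes.
LB_SUBNETS = ["10.20.1.0/24", "10.20.2.0/24"]
DNS_SERVERS = ["10.0.0.53", "10.0.1.53"]
APP_PORTS = [443]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_appwan_services(lb_subnets, dns_servers, app_ports):
    """Local model of the IP Network services that steps 2-4 say must share one
    AppWAN (a plain data model, not the NetFoundry API)."""
    services = []
    for cidr in lb_subnets:
        net = ipaddress.ip_network(cidr)
        # An internal LB only ever gets RFC 1918 addresses; anything else means
        # the wrong subnet (or an external LB's range) was copied from the console.
        if not any(net.subnet_of(private) for private in RFC1918):
            raise ValueError(f"{cidr} is not an RFC 1918 range; expected an internal LB subnet")
        services.append({"name": f"lb-{net}", "network": net, "ports": list(app_ports)})
    for ip in dns_servers:
        # Step 3: the resolvers themselves must be reachable through the AppWAN,
        # otherwise the client can never learn the LB's current address.
        services.append({"name": f"dns-{ip}", "network": ipaddress.ip_network(f"{ip}/32"), "ports": [53]})
    return services


def is_covered(ip, port, services):
    """True if some service in the AppWAN routes this ip:port pair."""
    addr = ipaddress.ip_address(ip)
    return any(addr in svc["network"] and port in svc["ports"] for svc in services)


def check_resolution(resolved_ips, services, port):
    """Step 5: every address the LB's DNS name currently resolves to must fall in a
    configured service, or the client has no route for it. Returns the uncovered ones,
    which is what you see when the LB is re-homed into a subnet not covered by step 2."""
    return [ip for ip in resolved_ips if not is_covered(ip, port, services)]


if __name__ == "__main__":
    svcs = build_appwan_services(LB_SUBNETS, DNS_SERVERS, APP_PORTS)
    # Constructed DNS answers: the second set includes an IP from a subnet not in step 2.
    for answer in (["10.20.1.77", "10.20.2.14"], ["10.20.1.77", "10.30.0.5"]):
        missing = check_resolution(answer, svcs, 443)
        print(answer, "-> OK" if not missing else f"-> not routed: {missing}")
```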

The user is therefore able to access the application via the NetFoundry platform.