AWS LB

-
Comparing ELB and ALB



-Private LB API without public IP -> VPC Endpoint -> Private Link


2) Server Name Indication (SNI)
-extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) website (or any other services over TLS) to be served be the same.

targeting conteiners behing LP with IP address insted of instance ID.
Each conteiner can have its own security group

1. Atach SG (difrebt) to ENI (each)
2. Map conteiner to the IP address of ENO assosiacte with SG of container

LB using IP address allows multiple conteiner use the same port


3) ELB ensure that LB determinates which cipher is used for SSL connection :
Server Order Preference



I. Classic Load Balancer

1. Rola

-EC2 classic network

HTTP, HTTPS
SSL (ecure TCP)
TCP [Ec2-VPC] 1-65535;  1024-65535 [EC2-Classic] 25,80, 443, 465, 587

2.Websockets

-

3. request trancing

 4. migration

 5. layer

6. HTTPS termination

+ (must install SSL certificate)

7. backend server authentication

 8. Server Name Indication (SNI)

+

9. IPv6

+ (IPv4, IPv6, dualstack DNSname)
-VPC (IPv6 not supported in VPC)

10. IP address for addresses outside VPC

 11. EC2 Classic

 a) ID

 b) ClassicLink + private IP

 12. Cross-zone LB

13. Price

1) hour LB runtime
2) badwith

14. VPC Listeners

- (can use proxy to get source IP)
-
-
+ (SSL termination)

15. API

2012-06-01 API



 II. Application Load Balancer

1. Rola

-flexible app managment
-TLS termination

HTTP, HTTPS
HTTP/2 (over TLS)
TCP 1-65535

2.Websockets

+

3. request trancing

+ (default)

4. migration

ALB ≠> CLB
CLB => ALB

5. layer

6. HTTPS termination

+ (must install 1 SSL certification)

 7. backend server authentication

-(only encryption)

8. Server Name Indication (SNI)

+ (automaticaly when > 1 TLS certification z tym samym secure listener on LB)

9. IPv6

+

10. IP address for addresses outside VPC

RFC1918 ranges
*10.0.0.0/8
*172.16.0.0/12
*192.168.0.0/16

RFC 6598

* 100.64.0.0/10

11. EC2 Classic

 a) ID

-

 b) ClassicLink + private IP

+

12. Cross-zone LB

+(default)

13. Price

1) hour LB runtime
2) LCU
-new connection
-active connection
-bandwith
-rule evolution

14. VPC Listeners

 15. API

2015-12-01 API

III. Network Load Balancer

1. Rola

-extrame performance
-static IP
-provides stable IP support
-zonal isolation
-long-running connection (Web Socet app)

TCP

2.Websockets

+ (WebSockets it is layer 7, and NLB is 4 -> no special hendling exist)

3. request trancing

4. migration

CLB => NLB

5. layer

4

6. HTTPS termination

-

7. backend server authentication

 8. Server Name Indication (SNI)

-

9. IPv6

 10. IP address for addresses outside VPC

RFC1918 ranges
*10.0.0.0/8
*172.16.0.0/12
*192.168.0.0/16

RFC 6598

* 100.64.0.0/10


11. EC2 Classic

 a) ID

-

b) ClassicLink + private IP

+

12. Cross-zone LB

+ (enable by checkbox when weating)

13. Price

1) hour LB runtime
2) LCU

14. VPC Listeners

+ (preserve the source IP of client)
+ (automaticly providus a static IP per AZ)
+ (enable assing an Elastic IP to the LB per AZ)
-

 15. API

2015-12-01 API

Komentarze

Prześlij komentarz

Popularne posty z tego bloga

Kubernetes

-
Obraz
I. Introduction 1. Kubernetes Overview - Kubernetes = popular container orchestrator  * it lets you schedule containers on a cluster of machines  * you can run multiple containers on one machine  * you can run long running services (like web applications)  * Kubernetes will manage the state of those containers:    ** Can start the container on specific nodeskubectl create -f pod-demo.yml    ** Will restart a container when it gets killed    ** Can move containers from one dnode to another node - you can run Kubernetes anywhere:   *on-premise (own datacenter)   *public (Google cloud, AWS)   *hybrid: public & private -highly modular -open source -backed by google -Container Orchestration = Make many servers act like one -Released by Google in 2015, maintained by large community -Runs on top of Docker (usually) as a set of APIs in containers -Provides API/CLI to managed containers across server...
Czytaj więcej

Helm

-
 0. Overivew - Packet manager 1. Helm Provenance and Integrity - https://github.com/technosophos/k8s-helm/blob/master/docs/provenance.md - Helm has provenance tools which help chart users verify the integrity and origin of a package. Using industry-standard tools based on PKI, GnuPG, and well-respected package managers, Helm can generate and verify signature files. a) Overview   -  I ntegrity is established by comparing a chart to a provenance record. Provenance records are stored in   provenance files , which are stored alongside a packaged chart. For example, if a chart is named   myapp-1.2.3.tgz , its provenance file will be   myapp-1.2.3.tgz.prov .  -  Provenance files are generated at packaging time ( helm package --sign ... ), and can be checked by multiple commands, notable   helm install --verify . b) The workflow This section describes a potential workflow for using provenance data effectively. Prerequisites: A valid PGP keyp...
Czytaj więcej

Ansible Tower / AWX

-
- Ansible Tower provides a web server interface to ansible.  - System rewuierments are somewhat heavy.  - Tower is only free for minimal use. Working with more than a few system requires a paid lincense.  - The two keys benefots of Ansible Tower are user permissioning and the audit trail (only provided with license.  - Only touched on in EX4077  - How is ansible Tower installed on your system? Ansible Tower is provided in a tarball containing binaries, config files, and an installation script that must be ran.  - To populate an Ansible Tower project with source files can be used:        * file system of the Ansible Tower server        * git        * subversion  - features:        * an interface for running Ansible plays and playbooks against target hosts.       * Separate user accounts permissioned for selective access to Tower-managed ...
Czytaj więcej