Configuring an AWS Load Balancer with SSL in front of Aviatrix Controller

Overview

The Aviatrix Controller supports adding an SSL certificate directly. However, you may prefer to put an Application Load Balancer (ALB) in front of the Controller, for example to associate it with a WAF.

[Image: Architecture]

Step-by-Step Deployment Guide

Follow the steps below to put the Aviatrix Controller behind an AWS ALB:

  1. Log in to the AWS console

  2. Go to Load Balancers under the EC2 service, in the region where your Aviatrix Controller is running

  3. Create a new load balancer

    Note: See this guide for more information on AWS load balancing.

  4. Select Application Load Balancer and click Create

  5. Configure the load balancer. Be sure to select the internet-facing Scheme and HTTPS as the Load Balancer Protocol of the only listener.

    [Image: ConfigureStep1]

  6. Configure the Security Settings by selecting your SSL certificate and security policy.

    [Image: ConfigureStep2]

  7. Select the appropriate security group. This security group should allow traffic on port 443 from your desired source network(s).

  8. Configure the routing with a new target group. The target group should use the HTTPS protocol on port 443 with a Target type of instance. The health check should use the HTTPS protocol and a Path of /.

    [Image: ConfigureRouting]

    Note: You may increase the Interval beyond 30 seconds to lower the health-check load on your Controller.

  9. Find the Aviatrix Controller instance to register in the target group.

    [Image: ConfigureRegisterTarget1]

    After you click Add to registered, you will see this:

    [Image: ConfigureRegisterTarget2]

  10. Review and create the load balancer

    [Image: ConfigureReview]

  11. Collect the DNS name from the load balancer

    [Image: LBDNSName]

  12. Create a DNS CNAME record pointing your desired name to the load balancer’s DNS name

    Note: The name in the DNS CNAME record must match the name in the SSL certificate, or browsers will show a certificate warning.

    Tip: Here is an example of setting up the entry in Route53:

    [Image: Route53Example]

  13. The Controller's security group must have an inbound allow rule for port 443 from the VPC CIDR, so that the load balancer can reach the Controller

Note: If you have enabled Controller HA, you can point your Auto Scaling Group at the target group of your load balancer so that a new Controller is registered automatically after a failover. However, the Max value must always be 1. Running more than one active Controller for any given set of services is not supported, as documented here, when deployed behind a load balancer.
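The console procedure above, expressed as a Terraform configuration so it can be reviewed and repeated. This is an added example and not part of the Aviatrix documentation or the Aviatrix product; every `var.*` input (VPC and subnet IDs, the Controller instance and security group IDs, the ACM certificate ARN, the Route53 zone and hostname, and the list of client CIDRs allowed to reach the ALB) is an assumed placeholder you supply. It goes slightly beyond the guide in two places: the listener pins a TLS 1.2/1.3-only security policy, and the Controller's inbound rule is scoped to the ALB's security group rather than the whole VPC CIDR, which is a tighter equivalent of step 13.

```hcl
# Added example: ALB in front of the Aviatrix Controller (steps 5-13 of the guide).
# All variables below are assumed inputs, not values from the documentation.
variable "vpc_id"                        { type = string }
variable "vpc_cidr"                      { type = string }
variable "public_subnet_ids"             { type = list(string) } # two or more AZs
variable "controller_instance_id"        { type = string }
variable "controller_security_group_id"  { type = string }
variable "acm_certificate_arn"           { type = string }       # cert name must equal controller_fqdn
variable "route53_zone_id"               { type = string }
variable "controller_fqdn"               { type = string }       # e.g. "controller.example.invalid" (placeholder)
variable "allowed_client_cidrs"          { type = list(string) } # who may reach the ALB on 443

# Step 7: security group for the ALB. Inbound 443 only from chosen networks;
# outbound 443 only into the VPC, since the ALB only needs to reach the Controller.
resource "aws_security_group" "alb" {
  name        = "aviatrix-controller-alb"
  description = "HTTPS to Aviatrix Controller via ALB"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.allowed_client_cidrs
  }
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

# Step 5: internet-facing Application Load Balancer.
resource "aws_lb" "controller" {
  name                       = "aviatrix-controller-alb"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.alb.id]
  subnets                    = var.public_subnet_ids
  drop_invalid_header_fields = true # discard malformed headers before they reach the Controller
}

# Step 8: HTTPS target group, instance target type, HTTPS health check on "/".
resource "aws_lb_target_group" "controller" {
  name        = "aviatrix-controller-tg"
  port        = 443
  protocol    = "HTTPS"
  target_type = "instance"
  vpc_id      = var.vpc_id

  health_check {
    protocol = "HTTPS"
    path     = "/"
    interval = 60 # larger than the 30 s default, per the note in step 8
  }
}

# Step 6: the only listener, HTTPS with your ACM certificate and a TLS 1.2+/1.3 policy.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.controller.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.acm_certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.controller.arn
  }
}

# Step 9: register the Controller instance in the target group.
resource "aws_lb_target_group_attachment" "controller" {
  target_group_arn = aws_lb_target_group.controller.arn
  target_id        = var.controller_instance_id
  port             = 443
}

# Steps 11-12: CNAME from the chosen hostname to the ALB DNS name.
# The hostname must match the certificate's CN/SAN or browsers will warn.
resource "aws_route53_record" "controller" {
  zone_id = var.route53_zone_id
  name    = var.controller_fqdn
  type    = "CNAME"
  ttl     = 300
  records = [aws_lb.controller.dns_name]
}

# Step 13: let the ALB reach the Controller on 443. The guide allows the VPC CIDR;
# referencing the ALB's security group admits only the ALB itself.
resource "aws_security_group_rule" "controller_from_alb" {
  type                     = "ingress"
  security_group_id        = var.controller_security_group_id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
  description              = "HTTPS from Controller ALB"
}
```

After `terraform apply`, confirm the target shows healthy in the target group before switching users to the new hostname; a Controller that redirects `/` to a login page will fail the default 200-only health-check matcher, in which case widen the `matcher` in the `health_check` block to the status the Controller actually returns.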