Configuring an AWS Load Balancer with SSL in front of Aviatrix Controller
Overview
The Aviatrix Controller supports adding an SSL certificate directly. However, you may prefer to put an AWS Application Load Balancer (ALB) in front of the Controller instead. This gives you the ability to associate it with a WAF, for example.
Step-by-Step Deployment Guide
Follow the steps below to put the Aviatrix Controller behind an AWS ALB:

1. Log in to the AWS console.
2. Go to Load Balancers under the EC2 service in the region where your Aviatrix Controller is running.
3. Create a new load balancer.
   Note
   See this guide for more information on AWS load balancing.
4. Select Application Load Balancer and click Create.
5. Configure the load balancer. Be sure to select the internet-facing Scheme and HTTPS as the Load Balancer Protocol of the only listener.
6. Configure the Security Settings by selecting your SSL certificate and security policy.
7. Select the appropriate security group. This security group should allow traffic on port 443 from your desired source network(s).
8. Configure the routing with a new target group. The target group should be configured with the HTTPS protocol on port 443 and a Target type of instance. The Health check should use the HTTPS protocol and the / path.
   Note
   You may set the Interval to more than 30 seconds to lower the health-check load on your Controller.
9. Find the Aviatrix Controller instance and register it in the target group.
10. After Add to registered is clicked, the Controller instance appears in the list of registered targets.
11. Review and create the load balancer.
12. Collect the DNS name from the load balancer.
13. Create a DNS CNAME record pointing your desired name to the load balancer's DNS name.
    Note
    The name in the DNS CNAME record must match the name in the SSL certificate, or browsers will show a certificate warning.
14. The Controller's security group should have an inbound allow rule for port 443 from the VPC CIDR, so that the ALB can reach the Controller.
    Note
    If you have enabled Controller HA, you can point your Auto Scaling Group to the Target Group of your ALB so that a new Controller is registered automatically after a failover. However, the Max value of the Auto Scaling Group must always be 1: running more than one active Controller for any given set of services is not supported (as documented here), and that applies when it is deployed behind a load balancer as well.
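The same configuration expressed as Terraform, as an added example that is not part of the original guide or of Aviatrix's own tooling. It assumes the variables vpc_id, public_subnet_ids, alb_sg_id (the ALB security group, already allowing 443 from your source networks), controller_sg_id, controller_instance_id and certificate_arn are declared elsewhere, and the DNS CNAME is created in your DNS provider. One deliberate tightening: the Controller rule accepts 443 from the ALB's security group rather than from the whole VPC CIDR described above.

```hcl
# Controller security group: accept 443 only from the ALB's security group
# (tighter than allowing the whole VPC CIDR; the ALB is the only legitimate client)
resource "aws_security_group_rule" "controller_in" {
  type                     = "ingress"
  security_group_id        = var.controller_sg_id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = var.alb_sg_id
}

resource "aws_lb" "controller" {
  internal           = false # internet-facing scheme
  load_balancer_type = "application"
  security_groups    = [var.alb_sg_id]
  subnets            = var.public_subnet_ids
}

# HTTPS on 443 to the instance, HTTPS health check on "/"
resource "aws_lb_target_group" "controller" {
  port        = 443
  protocol    = "HTTPS"
  target_type = "instance"
  vpc_id      = var.vpc_id
  health_check {
    protocol = "HTTPS"
    path     = "/"
    interval = 60 # above the 30 s default to reduce load on the Controller
  }
}

# Register the Controller instance (with HA, attach the ASG instead; Max must stay 1)
resource "aws_lb_target_group_attachment" "controller" {
  target_group_arn = aws_lb_target_group.controller.arn
  target_id        = var.controller_instance_id
}

# The only listener: HTTPS with your ACM certificate and a TLS 1.2/1.3-only policy
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.controller.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.controller.arn
  }
}
```

After `terraform apply`, point your CNAME at `aws_lb.controller.dns_name`; the name you choose must match the certificate referenced by certificate_arn.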