Configure Zone Apex and Webserver Redirect
Overview
This blog post contains the lab steps for the companion blog post, Zone Apex and Webserver Redirect.
We list the steps to configure resources across multiple AWS accounts, including AWS Global Accelerator, an AWS ALB used for redirection, an AWS NLB, and a website hosted on EC2.
At the end, we cover the Azure configuration.
Create ALB and Global Accelerator
We create an AWS Global Accelerator that points to an Application Load Balancer. The ALB can be internal or internet-facing, but the VPC the ALB is associated with needs an internet gateway (IGW).
So we create an internal ALB in two subnets whose route tables have IGW routes.
We also enable the Global Accelerator integration on the internal ALB.
An ENI is created in each subnet for both the ALB and the Global Accelerator, four ENIs altogether.
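The IGW-route prerequisite above is easy to miss when the ALB is internal, because an internal ALB works fine without it until the accelerator endpoint is added. The following is an added example (not code from the original post) that checks each ALB subnet's route table for an active 0.0.0.0/0 route to an internet gateway. The route-table data is constructed in the shape of the EC2 DescribeRouteTables response; all subnet, route-table and gateway IDs are hypothetical.

```python
"""Added example: verify that every subnet chosen for an internal ALB that will
become a Global Accelerator endpoint has a route to an internet gateway.
Data below is constructed (DescribeRouteTables shape); IDs are hypothetical."""

# Constructed sample resembling DescribeRouteTables output for one VPC.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-aaaa1111",
        "Associations": [{"SubnetId": "subnet-alb-a"}, {"SubnetId": "subnet-alb-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123abcd", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-bbbb2222",
        "Associations": [{"SubnetId": "subnet-private-c"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            # NAT gives outbound internet only; it is not an IGW route.
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0fedcba9", "State": "active"},
        ],
    },
    {
        # Main route table: applies to subnets with no explicit association.
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
]


def route_table_for_subnet(route_tables, subnet_id):
    """Return the route table explicitly associated with subnet_id, else the main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_igw_default_route(route_table):
    """True if the table has an active 0.0.0.0/0 route whose target is an internet
    gateway (igw-...). A NAT gateway route is deliberately not accepted, because it
    does not satisfy the IGW requirement described in the post."""
    if route_table is None:
        return False
    for route in route_table.get("Routes", []):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("State") == "active"
                and str(route.get("GatewayId", "")).startswith("igw-")):
            return True
    return False


def check_alb_subnets(route_tables, subnet_ids):
    """Map each ALB subnet to whether it has an IGW route; every value must be True
    before the accelerator endpoint is created."""
    return {sid: has_igw_default_route(route_table_for_subnet(route_tables, sid))
            for sid in subnet_ids}


if __name__ == "__main__":
    print(check_alb_subnets(ROUTE_TABLES, ["subnet-alb-a", "subnet-alb-b"]))
    print(check_alb_subnets(ROUTE_TABLES, ["subnet-alb-a", "subnet-private-c"]))
```

Feeding the real DescribeRouteTables output (for example from `aws ec2 describe-route-tables`) into `check_alb_subnets` gives a quick go/no-go before the accelerator is wired up.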
EC2 for a Website
I use a free-tier t2.micro with the Amazon Linux 2 AMI. A public IP (PIP) is not required to run the website behind the internet-facing NLB, but the EC2 instance needs at least outbound internet connectivity so that the web server and other software can be installed.
Create NLB
Use the legacy AWS EC2 console to create the target group together with the NLB. (09/06/2021 note: the new EC2 console experience has an issue listing target groups on the NLB creation page.)
An NLB ENI does not have a security group associated with it, so in the security group of the target-group instances make sure to allow inbound traffic from both the NLB's IPs (allow the health-check port from the NLB private IPs) and your end users' IPs.
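Because the NLB itself carries no security group, the instance security group is the only place this filtering happens, and a missing NLB private IP shows up as a failed health check rather than an obvious error. The following is an added example (not code from the original post) that checks the target group's security group for the two rules the paragraph calls for: the health-check port from every NLB private IP, and the application port from the end-user range. The rules are constructed in the shape of the EC2 DescribeSecurityGroups IpPermissions field; all addresses and ports are hypothetical.

```python
"""Added example: verify the target instances' security group allows the NLB
health check from each NLB private IP and the app port from end users.
Rules and addresses below are constructed (IpPermissions shape); hypothetical."""
import ipaddress

# Constructed: private IPs of the NLB ENIs, one per selected subnet (hypothetical).
NLB_PRIVATE_IPS = ["10.0.1.25", "10.0.2.40"]
# Constructed: source range of the website's end users (documentation range).
END_USER_CIDR = "203.0.113.0/24"
HEALTH_CHECK_PORT = 80
APP_PORT = 80

# Constructed inbound rules; note the second NLB subnet (10.0.2.0/24) is missing.
SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}, {"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "198.51.100.10/32"}]},
]


def _rule_allows(rule, source, port):
    """True if one IpPermissions entry covers TCP `port` from `source` (IP or CIDR)."""
    proto = rule.get("IpProtocol")
    if proto not in ("tcp", "-1"):          # "-1" means all protocols
        return False
    if proto == "tcp" and not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)):
        return False
    src = ipaddress.ip_network(source, strict=False)
    for r in rule.get("IpRanges", []):
        if src.subnet_of(ipaddress.ip_network(r["CidrIp"])):
            return True
    return False


def allows(ingress, source, port):
    """True if any inbound rule in the group permits `port` from `source`."""
    return any(_rule_allows(rule, source, port) for rule in ingress)


def check_nlb_target_sg(ingress, nlb_private_ips, end_user_cidr, hc_port, app_port):
    """Return a list of findings; an empty list means the group satisfies both rules."""
    findings = []
    for ip in nlb_private_ips:
        if not allows(ingress, ip, hc_port):
            findings.append(f"health check port {hc_port} not allowed from NLB private IP {ip}")
    if not allows(ingress, end_user_cidr, app_port):
        findings.append(f"app port {app_port} not allowed from end users {end_user_cidr}")
    return findings


if __name__ == "__main__":
    for finding in check_nlb_target_sg(SG_INGRESS, NLB_PRIVATE_IPS, END_USER_CIDR,
                                       HEALTH_CHECK_PORT, APP_PORT):
        print("FINDING:", finding)
```

The check is deliberately narrow: it reports what is missing for the NLB path and does not suggest opening the group more widely than the NLB subnets and the end-user range need.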
Resiliency for Internet Facing NLB
AWS creates an ENI in each subnet you selected for the NLB; both a private IP and a public IP are assigned to each ENI. The NLB DNS name resolves to the list of public IPs (PIPs).
C:\Users\rquan>nslookup nlb2-b80ff39f4fe70726.elb.us-east-2.amazonaws.com
Non-authoritative answer:
Name: nlb2-b80ff39f4fe70726.elb.us-east-2.amazonaws.com
Addresses: 18.188.x.x
3.138.x.x
When the target instance in one subnet is unavailable, the corresponding NLB public IP is no longer in the list.
C:\Users\rquan>nslookup nlb2-b80ff39f4fe70726.elb.us-east-2.amazonaws.com
Non-authoritative answer:
Name: nlb2-b80ff39f4fe70726.elb.us-east-2.amazonaws.com
Address: 3.138.x.x
When none of the target instances are healthy, nslookup returns all of the NLB public IPs (the NLB fails open).
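The two nslookup runs above show the behaviour a monitor should expect: an AZ's public IP is withdrawn from the answer while that AZ has no healthy target, and when no AZ has a healthy target every IP comes back, so the DNS answer alone cannot distinguish "all healthy" from "all unhealthy". The following is an added example (not code from the original post) that models that rule and diffs two successive answers so a withdrawn IP can be flagged. The per-AZ IPs and health counts are constructed and hypothetical; `resolve_nlb` is a helper for a live lookup and needs network access.

```python
"""Added example: model the NLB DNS answer described in the post and diff two
answers to detect an AZ dropping out. IPs and health counts are constructed."""
import socket

# Constructed: the public IP of the NLB ENI in each enabled subnet (hypothetical).
NLB_PUBLIC_IPS = {"us-east-2a": "18.188.0.10", "us-east-2b": "3.138.0.20"}


def expected_dns_answer(nlb_ips_by_az, healthy_targets_by_az):
    """IPs the NLB name should resolve to, following the post's observations:
    an AZ's IP is withdrawn while it has no healthy target; if no AZ has a
    healthy target the NLB fails open and every IP is returned."""
    serving = {az: ip for az, ip in nlb_ips_by_az.items()
               if healthy_targets_by_az.get(az, 0) > 0}
    if not serving:
        return sorted(nlb_ips_by_az.values())
    return sorted(serving.values())


def diff_answers(previous, current):
    """Report IPs that disappeared from or appeared in the DNS answer between two polls."""
    return {"withdrawn": sorted(set(previous) - set(current)),
            "added": sorted(set(current) - set(previous))}


def resolve_nlb(name):
    """Live A-record lookup of an NLB DNS name (requires network; not used by tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})


if __name__ == "__main__":
    before = expected_dns_answer(NLB_PUBLIC_IPS, {"us-east-2a": 1, "us-east-2b": 1})
    after = expected_dns_answer(NLB_PUBLIC_IPS, {"us-east-2a": 0, "us-east-2b": 1})
    print(before, after, diff_answers(before, after))
    print(expected_dns_answer(NLB_PUBLIC_IPS, {"us-east-2a": 0, "us-east-2b": 0}))
```

Because of the fail-open case, a "withdrawn" entry from `diff_answers` is a reliable signal of a lost AZ, but an unchanged full answer is not proof of health; pair the DNS poll with the target group's own health status.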
Cheat Sheet
1. Windows flush DNS cache:
ipconfig /flushdns
2. nslookup show current type:
C:\Users\rquan>nslookup
> set all
Set options:
nodebug
defname
search
recurse
nod2
novc
noignoretc
port=53
type=A+AAAA
class=IN
timeout=2
retry=1
root=A.ROOT-SERVERS.NET.
domain=attlocal.net
MSxfr
IXFRversion=1
3. nslookup set query type:
set type=A,AAAA,A+AAAA,ANY,CNAME,MX,NS,PTR,SOA,SRV
4. nslookup set default server:
> server 8.8.8.8
Default Server: dns.google
Address: 8.8.8.8
Azure Configuration
Azure Front Door
Azure Front Door has both a rules engine configuration and routing rules. The rules engine configuration is evaluated first; if it matches, the request does not proceed to the routing rule.
You may add an IF condition to the rules engine rule as well.
Alternatively, use the Front Door routing rule itself to perform the redirect.
Azure Application Gateway
Azure Application Gateway routing rules support redirects as well, but Application Gateway is scoped to a single region; it is not a cross-region load balancer.