AWS Elastic Load Balancer (ELB) Tutorial How-To

Video Statistics and Information

Captions
Hi, I'm Adam Culp and you're at Beachcasts. Today we're gonna share an AWS load balancer tutorial with web ACL, so stick around and we'll get right on that. [Music]

Welcome back. If you want to grow as a developer and make better web applications, start now by subscribing to Beachcasts, and make sure to click the bell so you won't miss anything. And if you found this video helpful or have a question, please leave a comment about it, and please make sure to like the video by clicking the thumbs up button. Thank you. As with all the videos here on Beachcasts, I'll make sure to put an index down in the description so you can click to certain parts of the video.

All right, so let's go ahead and get started. Let me switch over here to my desktop view, and in here first we'll take a look at the routes. Now again, I've moved the domain name over to Route 53 on AWS because AWS supports aliasing, and our load balancer is... rather than using the IP address of the load balancer, we're gonna be putting in the alias of the load balancer. Not all DNS providers provide for aliasing, and AWS does. Regardless of the IP address of the load balancer, the name will resolve, so that's why we need to be able to do an alias. So right now we have this A record, which is pointing to an IP address. We're gonna come in in a little bit, once we get the load balancer configured, and we're gonna be updating it here at Route 53 in the DNS. Once it's updated in the DNS, then the load balancer will start getting all the traffic and not the server directly.

One of the first things we need to do is we need to set up a new security group to be used on our EC2 instance, so that's what I'm gonna do now. I'm gonna go ahead and create a security group, and we're gonna call this... I like starting out with SG, so that way when I see the beginning of my custom names I know exactly what it is. This one is obviously a security group, starting with SG. I'll call it Beachcasts and we'll put the LB on the end so I know
it's for the load balancer. Make that a lowercase b. And I'm gonna go ahead and put in the description of our Beachcasts load balancer. And now the last thing needed to do is I need to set up my inbound rules, and I'm gonna set up two rules for right now. I'm going to set up HTTP and also HTTPS. Now, I'm gonna leave them open at the moment. We're gonna come back here later, and in the source column we're gonna actually be putting in the alias of our load balancer, but for right now I'm gonna go ahead and just leave this. Actually, we're not going to be putting in the alias of the load balancer, we're going to be putting in the alias of another security group, but I'm going to leave them blank for right now. So we're just gonna create it. So now I've got the new rules here. I'm gonna go ahead and update this right here, so that way I've got a good name for it as well as a group thing. Okay, so now I've got that new security group that will be used by our EC2 instance.

The next thing I want to do then is we need to add certificates. Now, I've done this ahead of time. This web server is going to serve up web pages over SSL. It's going to use HTTPS, but not port 80, so in order to do that we need a certificate. So in the Amazon Certificate Manager we can add our custom certificates, or you can request certificates from Amazon, or you can buy certificates from Amazon. And of course, where you would find that: if you click on the services, go here to Security, Identity and Compliance, there is Certificate Manager right there, and that's what I click to get to this page. So now on this page, again, you would go through the wizard for requesting or importing a certificate. I imported. You can see here I've got the Beachcasts certificate here. It's issued, it's not currently in use, and it's ineligible for renewal. Now, I'm using Let's Encrypt for this certificate, so I have imported a Let's Encrypt cert so that way I can use it on my EC2 instance. At some point
I'd like to find a way to automate this. If you know a way to automate this, let me know, because automating... I did some quick searching to find a way to automate the import of certificates to AWS, and a lot of people say it's problematic. I didn't find anybody that got it working yet. I'm sure somebody has, but you know, we'll go with that for now. So for right now, every two to three, every three months, I need to import my Let's Encrypt cert to AWS.

Okay, so I've got my security there, my certificate. Now that I've got this certificate, I'm ready to add an application load balancer, so let's go ahead and click over to my main tab here and go to load balancers. Okay, so now we're here at our load balancer page, and again, these are all within the EC2 menu. So we've got instances, we've got security groups, and even further down we have load balancers and target groups as well, which we're going to be using. So I want to create a load balancer, so I'm going to go ahead and click on Create Load Balancer. I'm going to select the first one, Application Load Balancer, and now I want to give it a name. So I'm gonna give it the LB at the beginning to let me know that it's a load balancer whenever I see the name. And so this is a load balancer and we'll call it Beachcasts, so load balancer Beachcasts. This is internet-facing, because again, this load balancer is internet-facing. And then we want to, of course, add HTTP, an HTTP listener. We want to add an HTTP listener, well, and then down here for the networks we're gonna open it up to, we'll open it up to the US East 1b and 1d. You have to select two. Even if you have just one server all by itself, Amazon does require you to specify two availability zones. So it would be kind of nice if they only let you choose one for smaller instances, but that being said, they do require you to choose two. So I've selected two here. I'm going to go ahead and go to next, which is gonna allow me to create, there you go, my
security certificates. So what I want to do is I'm gonna choose a security certificate, and I can choose the Beachcasts one that I created earlier because it's already there. That's why I created the certificate first, because in this step you're gonna need it. And then I'm gonna just leave the default security policy, and then we want to select the security group. So I'm gonna go ahead and choose this one, which is Adam miscellaneous, and what that is, is it opens up port 80, port 443 and then a couple other ports that I use typically. Now, this doesn't have any permissions with it, it is just a security group, and again, this is what is going to give access for the public sites into the load balancer, and we want that to be open, right?

I'm gonna go ahead and click Next to configure routing. So for target groups, I don't have any target groups yet. We're gonna have to create those and then we'll come back and edit them. I probably could have created those ahead of time, but... So for the name of this we're gonna call it Beachcasts 80, and we're just gonna leave that as port 80. We're going to leave it as an instance, and I'm gonna put in for the path, this is for my health check, so I'm going to put /index.php. Now, the reason you want to put a specific script here is because you want to make sure it's hitting it. If you put slash and if there's redirection and things like that, it doesn't read correctly, it doesn't do the health check correctly all the time, so that's why I make sure to include some sort of file. You might want to create a dummy file instead of making it your index. Just create a dummy file for it, just to do these health checks with.

And then you want to register the targets. Now in this case, this kind of got me a couple times. So I need to first off select the server that I want it to be, and then I have to click this blue button for Add to registered, and I'm doing it under port 80. And so now I've got that registered and I'm ready
to go. So keep in mind this is just for the port 80 target. So I'm gonna go ahead and click Next to review, and we can review the information. Once that's done we can click Create, and now it's creating that, going through, and now the load balancer is configured.

Now, it's not completed yet, because if we look here in listeners we've got port 80 and 443, and right now they're both listening on Beachcasts 80. So we do have to make some changes, because of course 443 is not going to be a proper listener. So I know I need to go... now you need to also add in another target. So if I go to targets, and in targets we see there is Beachcasts 80, I need to create another one, another target, which is going to be Beachcasts 443, and we want to specify for HTTP. And we're gonna do the same thing with that one, we're gonna put index.php, click Create, and now it's created that target as well. So now we've got both of them.

Now if we go to here and look, what happens is under the target tab, when you select that, you can see that you've got your instance there, your registered target, and initially it's going to show "initial", right, because it hasn't completed yet. And if you refresh a couple times, eventually it will complete, but it's still checking on things. But while port 80 is trying to do that, port 443, I haven't specified my target yet. So I'm gonna go into the 443 group and I'm gonna specify the same target, but notice that it's put in 443 there as the port, and I click Add, Add to registered, and I'm gonna save. And now that one also has a target, and it's saying unused because I haven't actually assigned it yet.

Now if I go back to my load balancer and if I look in my listeners, we see that they're both listening here on Beachcasts 80. I need to edit that, so I'm gonna click on View/edit rules. What I want to do is I want to edit this one, so I click the pencil up here in the top and I'm clicking the pencil on the row as well, and then what I need to do is delete that
because I don't want to check Beachcasts 80. Instead I want to forward to, and I want to do the 443. And now once I've done that I apply it, and then I click Update, and now that rule is correctly saying what I wanted it to say. So now I've got the two of them checking 80 and 443.

We've got our certificate, we've added our load balancer, we've added the targets, and next we want to update the EC2 security group to only accept traffic from the load balancer. So let's go back to the security groups. We need to update the load balancer's security group to actually address the open one. We want it to carry this group ID. We're gonna add the group ID to our security group load balancer in the input, or inbound, area, and I'll click Edit, and instead of leaving this open to the internet we're gonna use a security group for that. Yeah, that's been done. So now the load balancer has, you know, coming in from outside just like that, and now we also want to update our security group for our EC2 instances, instance, to use that load balancer. So we need to go to our instances and then we need to update [Music], change the security group on that instance, and we want it to use the new Beachcasts load balancer.

Okay, so now that we've got all this stuff specified, the one thing that we have not done yet is update our DNS so that all the traffic will then be forwarded to the load balancer. Right now the traffic is still being directed directly to the EC2 instance, and of course we don't want that. Okay, so Route 53. Now we need to update our main record, the A record for beachcasts.com, because we don't want it to go to that IP address anymore. Instead we want to check the box and make it an alias, and then we want to tell it the target, and we're going to tell it the load balancer for Beachcasts in this case. I'm gonna click Save. So now it's updated the A record to be an alias to the new load balancer, and so now all traffic will be going to the load balancer, and then once it's
at the load balancer, then the load balancer redirects things to the web server, so the web server shouldn't get direct access on the IP address any longer.

Okay, so now that we've got the load balancer up and working, it's correctly redirecting. Anything that is port 443, or port 80, is also being redirected to 443 with a 301 redirect, and that's why the target group will not properly measure the health: because port 80 will not come back as a 200 OK, it's always gonna come back as a 301, and the target groups are expecting it to be a 200 OK in order for it to come back as a healthy check. But needless to say, we are going to go ahead and continue forwarding port 80 so that way the server can properly redirect people to 443. The health check just will always be unhealthy, but we know why.

So now that I've got that all configured, though, there are some other things that you may want to put in place. Now, AWS also provides denial of service attack protection. It also has firewall and some other things built in with its load balancers, so that is really a big help. However, there are some other things that you might need to mitigate. Maybe you want certain URLs to not be served up, so let's go ahead and take a look at doing some of that. I'm going to go ahead and click in services. If I go to the security, identity area and click on WAF and Shield, now we want to go ahead and select the AWS WAF, because we want to set up a web ACL to protect our assets a little bit more than just having a load balancer.

The first thing you'll notice is that there's web ACL, right, there's also rules, and then down below that you have some conditions. You can set up some conditions for cross-site scripting, for geo matching, for IP addresses, for size constraints. You can set up SQL injection protection. You can also set up string and regex. So I'm going to go ahead and click on string and regex, because I have a URL that I want to make sure
that people aren't able to hit. And once that comes up, we see we're presented with our areas, right, with our different regions. So I'm going to go ahead and select US East, and in US East you'll notice I have one rule already created, and that is, I named it XML RPC. A common attack vector for people trying to instrument denial of services and trying to hack into WordPress instances is to hit the xml dot... xmlrpc.php. So what I've done is I've set up this rule. If I click into that we can see the specifics of it. It's just looking to see if the URI contains xmlrpc.php, and that's all that rule does, or that the matching does. So the matching is just saying if that is matched then it's going to return true, right?

So now if we go to our rules, now that I've got that matching set up, then I also have to specify the rule, and I have created a rule here called XML RPC block. If I click into that, then I can see that it's saying that when anything is matched in this filter, and it gives the contents of it, that is going to promote or prompt something, right, so when something is matched.

Now that I've got the rule configured (now keep in mind you have to set the string matching first, then you have to create the rule), now I can create the web ACL to utilize that rule. So it's multiple steps here, and this kind of gets people sometimes. So I'm gonna create a new web ACL and I'm gonna call this web ACL... I'm gonna call it ACL Beachcasts. I'm gonna tell it I want to associate it with an application load balancer, and then I'm going to select the Beachcasts, right, load balancer for Beachcasts, and then I'm gonna click Next. So now this is where I can create additional rules and everything here if I wanted to. I could create new conditions. Now, there is already a condition here, XML RPC, but I'm gonna go ahead and just run with that. I'm not going to create anything new, just gonna
go ahead and click Next. So I'm gonna select this rule, XML RPC block. I'm gonna add that to my ACL, and you'll see that now it shows up in this section, and it says to block, right, so if that rule is triggered it's going to block anything that brings up that trigger. And in my default action, I'm going to set that to allow all requests that do not match any of the rules, right, and in this case XML RPC is my only rule. So I'm gonna review and create.

Now that I've got that, it brings up my confirmation screen that says, this is what you're doing: you're adding this XML RPC block, the default action is allow if it's not blocked by that rule, and it's put against the load balancer that we specified earlier. So I'm going to go ahead and confirm and create, and once that's created, then that rule is now applied to our load balancer. So now nobody typing in /xml dot, or /xmlrpc.php, will be allowed to get through the load balancer to the server, so no requests to that will be allowed to get through.

So now that our web ACL has successfully been created, it is now functional. So if I go into requests, if any requests are made to Beachcasts and they're blocked, they'll show up here in this chart. Right now there's nothing, because we just finished creating this, so there's no traffic here. But anyway, that is setting up a web ACL.

So I hope you've enjoyed this video. This was an AWS load balancer tutorial and also included using the web ACL to further protect an EC2 instance from the web and denial of service attacks. So if you find this helpful, please leave a comment. Let me know if you have requests for additional videos or other topics, please let me know that as well, leave a comment down there. Also remember to subscribe to the channel, and if you enjoyed this video, please like it and tell your friends. Thank you.
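Added example (not part of the video or its captions): a small Python check for the security group step described above, where the EC2 instance's group should accept ports 80 and 443 only from the load balancer's security group. The dictionaries follow the `IpPermissions` layout returned by `aws ec2 describe-security-groups`; the group IDs and both sample groups are constructed placeholders.

```python
WEB_PORTS = (80, 443)
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
LB_SG_ID = "sg-11111111"  # placeholder ID for the load balancer's security group


def covers(perm, port):
    """True if one IpPermissions entry applies to the given TCP port."""
    if perm.get("IpProtocol") == "-1":  # "-1" means every protocol and port
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_instance_group(instance_sg, lb_sg_id):
    """List web-port ingress that is not limited to the load balancer's group."""
    findings = []
    for port in WEB_PORTS:
        perms = [p for p in instance_sg.get("IpPermissions", []) if covers(p, port)]
        cidrs = [r["CidrIp"] for p in perms for r in p.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for p in perms for r in p.get("Ipv6Ranges", [])]
        groups = {g["GroupId"] for p in perms for g in p.get("UserIdGroupPairs", [])}
        for cidr in cidrs:
            scope = "open to the internet" if cidr in OPEN_CIDRS else "allowed by CIDR"
            findings.append(f"port {port}: {scope} ({cidr}), not limited to the LB group")
        for gid in sorted(groups - {lb_sg_id}):
            findings.append(f"port {port}: also allows group {gid}")
        if lb_sg_id not in groups:
            findings.append(f"port {port}: load balancer group {lb_sg_id} is not allowed")
    return findings


def rule(port, cidrs=(), groups=()):
    """Build one constructed IpPermissions entry for a single TCP port."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs], "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


# Constructed samples: the instance group while its rules are still open,
# and the same group once the source is the load balancer's group ID.
BEFORE = {"GroupId": "sg-22222222",
          "IpPermissions": [rule(80, cidrs=["0.0.0.0/0"]), rule(443, cidrs=["0.0.0.0/0"])]}
AFTER = {"GroupId": "sg-22222222",
         "IpPermissions": [rule(80, groups=[LB_SG_ID]), rule(443, groups=[LB_SG_ID])]}

if __name__ == "__main__":
    for name, sg in (("before", BEFORE), ("after", AFTER)):
        result = audit_instance_group(sg, LB_SG_ID)
        print(name, result or "OK: web ports reachable only from the LB group")
```

An empty list means direct requests to the instance's IP address on 80 or 443 are dropped by the security group, so the web ACL attached to the load balancer sits in front of all web traffic.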
Info
Channel: Beachcasts Programming Videos
Views: 36,091
Keywords: aws load balancer tutorial, aws elastic load balancer elb tutorial, aws load balancer, aws web acl, aws elb, web acl aws, aws load balancer target groups, aws tutorial for beginners, aws load balancer setup, aws best practices security, amazon web services load balancing, aws wordpress setup, web load balancer how it works, aws ddos mitigation, how to set up aws load balancer, elastic load balancing, aws devops tutorial for beginners, aws devops, beachcasts, adam culp, adamculp
Id: Sr2Mq9Gegew
Length: 21min 35sec (1295 seconds)
Published: Tue Aug 13 2019