All posts by Larry Catt

AWS Auto Scaling Groups (ASG)

Auto Scaling Groups (ASG) allow you to run more EC2 Instances during times of high demand and fewer EC2 Instances (reduced cost) during times of low demand. An ASG scales out and in in real time as demand increases and decreases.

ASG Characteristics:

    1. Scale out (add EC2 instances) as the workload increases.

    2. Scale in (removes EC2 instances) as the workload decreases.

    3. Can define minimum and maximum number of EC2 instances.

    5. Automatically registers new instances with the load balancer.

    6. Starts a new EC2 instance if the original is unhealthy or terminated.

    7. ASGs are free, but you pay for the EC2 instances while they are running.

    8. An ASG can terminate EC2 instances if the ELB reports them as unhealthy.

Auto Scaling Group Attributes

    1. Launch Template (formerly Launch Configurations) gives the initial parameters of the ASG:

        a. AMI + Instance Type

        b. EC2 User Data

        c. EBS Volumes

        d. Security Groups

        e. SSH Key pair

        f. IAM Roles for EC2 Instances

        g. Network and subnet information

        h. Load Balancer Information

    2. Min Size, Max Size, and Initial Capacity

    3. Scaling Policies

    4. Scale ASG out/in based on CloudWatch alarms

========================================

1.  Logon to AWS as an IAM user at URL:  https://signin.aws.amazon.com/

2.  From the Home Console type EC2 in the search bar, select the star next to EC2, and select EC2

3.  On the left hand menu bar select Auto Scaling Groups.

4.  Click Create Auto Scaling group button.

5.  Enter a name for your ASG and click the Create a Launch template link

6.  Enter a template name and description.

7.  Under Application OS, select Quick Start, Amazon Linux.

8.  Under Instance type select t2.micro and under Key pair select any already existing pair for which you have the pem.

9.  Under Network settings select existing security group.

10.  Leave storage at 8GB, expand the advanced section, place your startup instructions in the user data field at the bottom, and click the Create launch template button.

11.  You will receive confirmation of success.

12.  Back at the ASG creation page, select the template you just built and press the Next button. Note: you may have to hit the reset button.

13.  On the next page enter 1 for the Maximum value and the AZ where you want the new instances, and press Next.

14.  At the Integrate with other services page, choose Attach to an existing load balancer, choose your load balancer, and click Next.

15.  At the next pages accept the defaults and press Next.

16.   At the next pages accept the defaults and press Next.

17.   At the next pages accept the defaults and press Next.

18.   Review the configuration and press Create Auto Scaling group.

AWS Connection Draining


Connection Draining (CLB) or Deregistration Delay (ALB and NLB) is the time allowed to complete "in-flight requests" while an instance is de-registering or unhealthy. The load balancer stops sending new requests to an EC2 instance in the de-registering state. During this time the EC2 Instance completes its current transactions while in the draining state, and is shut down once they are complete.

AWS SSL Certificates

SSL/TLS allows network traffic to be encrypted during transmission. SSL stands for Secure Sockets Layer; it encrypts all connections between client and server. TLS stands for Transport Layer Security; it performs the exact same task as SSL but is the newer version. Today TLS certificates are what is most commonly used, but most people still refer to them as SSL. Public SSL certificates are issued by a Certificate Authority and are used to encrypt traffic.

Working of SSL Certificate:

    1. Client — Load Balancer (validates certificate) — EC2 Instance

    2. Load Balancers use an X.509 certificate for SSL/TLS

    3. Management of certificates is handled by ACM (AWS Certificate Manager)

    4. You have the option of uploading your own certificate

    5. An HTTPS listener requires:

        a. Specification of a default certificate

        b. An optional list of certificates to support multiple domains.

        c. Clients can use SNI (Server Name Indication) to indicate which hostname they want.

SSL – Server Name Indication (SNI) explained.

    1. SNI solves the problem of hosting many certificates on a single web server.

    2. It's a newer protocol, so not all web servers use it.

    3. When using SNI, the client gives the hostname of the server in the initial SSL handshake.

    4. The Load Balancer finds the correct certificate based on that hostname.

    5. Only available on ALB, NLB, CloudFront.

Load Balancer support

    1. CLB

        a. Supports only SSL

        b. Supports only one certificate; you must have multiple CLBs to support multiple hostnames with different certificates.

    2. ALB and NLB

        a. Support multiple listeners with multiple certificates.

        b. Use Server Name Indication (SNI)

=================================================

1.  Logon to AWS as an IAM user at URL:  https://signin.aws.amazon.com/

2.  From the Home Console type EC2 in the search bar, select the star next to EC2, and select EC2

3.  On the left hand menu bar select Load Balancers.

4.  Select the load balancer you would like to add an SSL certificate to, scroll down, and select the Add listener button.

5.  Add the Protocol HTTPS, Port 443, select Forward to target group, and select your target group.

6.  Click on Request new ACM certificate.

7.  Click Request a certificate.

8.  Check Request a public certificate and click the Next button.

9.  Enter your domain name, select the certificate, and press the Add button back on the Add listener page.

AWS Cross Zone Load Balancing

Balancing the workload across multiple Availability Zones can be performed in two ways: with or without Cross-Zone load balancing. With Cross-Zone Load Balancing, traffic is divided evenly across all instance targets regardless of the zone they are located in. Without cross-zone load balancing, each zone receives the same amount of requests.

Cross-Zone load balancing characteristics:

        1.  Application Load Balancer

                a.  Enabled by default.

                b.  No charges for inter-AZ data transfer.

        2.  Network and Gateway Load Balancer

                a.  Disabled by default.

                b.  You are charged for inter-AZ data transfer.

        3.  Classic Load Balancer

                a.  Disabled by default.

                b.  No charges for inter AZ data transfer.
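As an added illustration (example code, not from the original post), the function below computes the share of requests each target receives with and without cross-zone load balancing, for any number of AZs and any target count, using the two rules described above; the AZ names and instance counts are a constructed sample.

```python
def per_target_share(instances_per_az, cross_zone):
    """Return the fraction of all requests each target receives, keyed by (az, index).

    cross_zone=True:  every registered target gets 1/N of the traffic regardless of its AZ.
    cross_zone=False: each AZ receives an equal share of the requests, which is then split
                      only among the targets in that AZ.
    """
    azs = [az for az, n in instances_per_az.items() if n > 0]
    total = sum(instances_per_az[az] for az in azs)
    shares = {}
    for az in azs:
        n = instances_per_az[az]
        per_target = 1 / total if cross_zone else (1 / len(azs)) / n
        for i in range(n):
            shares[(az, i)] = per_target
    return shares

def imbalance_ratio(shares):
    """Ratio of the busiest target's share to the least busy one's; 1.0 means perfectly even."""
    values = list(shares.values())
    return max(values) / min(values)

# Constructed sample: an uneven deployment with 2 targets in one AZ and 8 in another.
SAMPLE = {"us-east-1a": 2, "us-east-1b": 8}

if __name__ == "__main__":
    for mode in (False, True):
        shares = per_target_share(SAMPLE, cross_zone=mode)
        print(f"cross_zone={mode}: imbalance x{imbalance_ratio(shares):.2f}",
              {f"{az}#{i}": round(s, 4) for (az, i), s in shares.items()})
```

With cross-zone disabled the two targets in us-east-1a each carry four times the load of a target in us-east-1b, which is the overload scenario to watch for when AZ target counts drift apart.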

==========================================

1.  Logon to AWS as an IAM user at URL:  https://signin.aws.amazon.com/

2.  From the Home Console type EC2 in the search bar, select the star next to EC2, and select EC2

3.  On the left hand menu bar select Load Balancers.

4.  At the load balancer page, select your load balancer → Actions → Edit load balancer attributes.

5.  Under Availability Zone routing is the option to enable or disable cross-zone load balancing.

AWS Sticky Sessions (Session Affinity)

Sticky Sessions allow a user's session to always be sent to the same instance through a load balancer. This option is available on the Classic Load Balancer, Application Load Balancer, and Network Load Balancer. The functionality is implemented through a cookie with a customizable expiration date that is passed to the requesting client machine. Sticky Sessions are implemented to ensure the client does not lose session data. Enabling Sticky Sessions can introduce a load imbalance across the application instances.

Sticky Sessions Cookie Names and types:

1.  Application-based Cookies

        a.  Custom cookie

                i.    Generated by the target

                ii.   Can include custom attributes required by the application

                iii.  Names must be specified for each target group

                iv.   Cannot be named AWSALB, AWSALBAPP, or AWSALBTG; these names are reserved

        b.  Application cookie

                i.  Generated by the load balancer

                ii. Named AWSALBAPP

2.  Duration-based Cookies

        a.  Cookie generated by the load balancer

        b.  Cookie name is AWSALB for ALB and AWSELB for CLB

1.  Logon to AWS as an IAM user at URL:  https://signin.aws.amazon.com/

2.  From the Home Console type EC2 in the search bar, select the star next to EC2, and select EC2

3.  On the left hand menu bar select Target Groups

4.  At the target group page, select your target group.

5.  Select Actions → Edit target group attributes.

6.  Scroll down the page, place a check mark on Turn on stickiness, then choose either Load balancer generated cookie or Application-based cookie (under Application-based you have to name the cookie), and set the duration of the cookie. Finally select the Save changes button.

7.  Now, after your first connection, you will get the same application server for the duration of your cookie.
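Two checks a practitioner would want around the cookie rules above, as an added Python example that is not part of the original post: a validator for a target group's stickiness attributes (using the attribute keys of the ELBv2 API, with the reserved names from the list above plus CLB's AWSELB), and a classifier that tells load-balancer-generated stickiness cookies apart from an application's own cookie in a response. The attribute dictionaries and Set-Cookie values in the test are constructed samples.

```python
RESERVED_COOKIE_NAMES = {"AWSALB", "AWSALBAPP", "AWSALBTG", "AWSELB"}   # from the post, plus CLB's AWSELB

def validate_stickiness(attrs):
    """Validate a target group's stickiness attributes (keys as used by the ELBv2 API) and return
    a list of problems; an empty list means the configuration is acceptable."""
    problems = []
    if attrs.get("stickiness.enabled", "false") != "true":
        return problems                                   # stickiness off: nothing else to check
    stype = attrs.get("stickiness.type")
    if stype == "lb_cookie":
        duration = attrs.get("stickiness.lb_cookie.duration_seconds")
    elif stype == "app_cookie":
        duration = attrs.get("stickiness.app_cookie.duration_seconds")
        name = attrs.get("stickiness.app_cookie.cookie_name", "")
        if not name:
            problems.append("app_cookie stickiness requires a cookie name per target group")
        elif name.upper() in RESERVED_COOKIE_NAMES:
            problems.append(f"cookie name {name} is reserved by AWS")
    else:
        return [f"unknown stickiness type {stype!r}"]
    try:
        seconds = int(duration)
    except (TypeError, ValueError):
        problems.append("duration must be an integer number of seconds")
        return problems
    if not 1 <= seconds <= 604800:                        # ELBv2 allows 1 second to 7 days
        problems.append("duration must be between 1 and 604800 seconds (7 days)")
    return problems

def classify_cookies(set_cookie_headers, app_cookie_name=None):
    """Map each Set-Cookie name in a response to its stickiness role: AWSALB/AWSELB are the
    duration-based load-balancer cookies, names beginning with AWSALBAPP are the ALB's
    application-based cookie, the configured app_cookie_name is the target's custom cookie,
    and anything else is not a stickiness cookie."""
    roles = {}
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        upper = name.upper()
        if upper in ("AWSALB", "AWSELB"):
            roles[name] = "duration-based (load balancer generated)"
        elif upper.startswith("AWSALBAPP"):
            roles[name] = "application-based (load balancer generated)"
        elif app_cookie_name and name == app_cookie_name:
            roles[name] = "application-based (custom, generated by the target)"
        else:
            roles[name] = "not a stickiness cookie"
    return roles
```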

AWS Gateway Load Balancing (GLB)

AWS offers multiple load balancers to address the needs of a client AWS environment and provide the necessary resources to accomplish their IT solution with minimal latency. These include: Elastic, Application, Network, and Gateway load balancers. In this article we will address the use and application of Gateway Load Balancing in an AWS environment.

A load balancer's main purpose is to spread the workload of a given task among many different resources, thus avoiding queue waits for processing. In the IT realm, this is normally a server which forwards requests to other servers in an attempt to spread the work evenly among them.

Characteristics of Gateway Load Balancer:

         1. Used to deploy, scale, and manage a fleet of 3rd-party network virtual appliances.

         2. Examples of use: firewalls, intrusion detection/prevention, and deep packet inspection.

         3. Operates at Layer 3 (Network Layer), on IP packets.

         4. Operation is transparent to the application being accessed.

         5. Functions

             a. Transparent Network Gateway – single entry/exit point for all traffic.

             b. Load Balancer – spreads work across the virtual appliances.

         6. Uses the GENEVE protocol on port 6081.

         7. Target groups for GLB can be EC2 Instances or IP addresses (private IPs only).

Flow of Gateway Load Balancer Traffic

End User -->

Gateway Load Balancer -->

Target Groups for analysis of traffic (here the traffic is either dropped or forwarded back to the Gateway Load Balancer) -->

Gateway Load Balancer --> Application (destination)
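The following added Python example (not code from the original post or from AWS) decodes a GENEVE datagram the way an inspection appliance behind a Gateway Load Balancer would: it parses the RFC 8926 header, extracts the inner IPv4/TCP 5-tuple, and returns the drop-or-forward verdict that decides whether the packet goes back to the GWLB. The datagram is a constructed sample with no GENEVE options; it assumes the inner payload is a bare IPv4 packet (protocol type 0x0800), and the blocked-port rule is an arbitrary stand-in for real appliance logic.

```python
import struct

GENEVE_PORT = 6081          # UDP port the GWLB uses to encapsulate traffic toward the appliances

def parse_geneve(datagram):
    """Parse a GENEVE header (RFC 8926) and return (vni, protocol_type, options, inner_payload)."""
    first, proto, vni_field = struct.unpack("!HHI", datagram[:8])
    version = first >> 14
    opt_len = ((first >> 8) & 0x3F) * 4           # option length is counted in 4-byte words
    if version != 0:
        raise ValueError(f"unsupported GENEVE version {version}")
    vni = vni_field >> 8                           # upper 24 bits; the low 8 bits are reserved
    options = datagram[8:8 + opt_len]
    return vni, proto, options, datagram[8 + opt_len:]

def inner_five_tuple(ip_packet):
    """Return (src, dst, ip_proto, sport, dport) from an inner IPv4 packet (ports only for TCP/UDP)."""
    if ip_packet[0] >> 4 != 4:
        raise ValueError("only IPv4 is handled in this example")
    ihl = (ip_packet[0] & 0x0F) * 4
    ip_proto = ip_packet[9]
    src = ".".join(str(b) for b in ip_packet[12:16])
    dst = ".".join(str(b) for b in ip_packet[16:20])
    if ip_proto in (6, 17):                        # TCP or UDP: ports are the first 4 bytes of L4
        sport, dport = struct.unpack("!HH", ip_packet[ihl:ihl + 4])
    else:
        sport = dport = None
    return src, dst, ip_proto, sport, dport

def appliance_verdict(datagram, blocked_dst_ports):
    """Toy inspection appliance: 'forward' means hand the packet back to the GWLB, 'drop' means
    the GWLB (and the destination application) never sees it again."""
    _, proto, _, inner = parse_geneve(datagram)
    if proto != 0x0800:                            # assumption: inner payload is a bare IPv4 packet
        return "drop"
    _src, _dst, _ip_proto, _sport, dport = inner_five_tuple(inner)
    return "drop" if dport in blocked_dst_ports else "forward"

def build_sample_datagram(dst_port):
    """Constructed sample: a GENEVE header with no options wrapping an IPv4/TCP SYN to dst_port."""
    geneve = struct.pack("!HHI", 0x0000, 0x0800, 0x000001 << 8)   # ver 0, no options, VNI 1
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,   # 20-byte IPv4 header, proto TCP
                     bytes([10, 0, 1, 10]), bytes([10, 0, 2, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 65535, 0, 0)  # SYN, no options
    return geneve + ip + tcp
```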

AWS Network Load Balancing (NLB)

AWS offers multiple load balancers to address the needs of a client AWS environment and provide the necessary resources to accomplish their IT solution with minimal latency. These include: Elastic, Application, Network, and Gateway load balancers. In this article we will address the use and application of Network Load Balancing in an AWS environment.

A load balancer's main purpose is to spread the workload of a given task among many different resources, thus avoiding queue waits for processing. In the IT realm, this is normally a server which forwards requests to other servers in an attempt to spread the work evenly among them.

Characteristics of Network Load Balancer

         1. NLB is a Layer 4 load balancer.

         2. Forwards TCP and UDP traffic to instances.

         3. Very high performance and ultra-low latency; millions of requests per second.

         4. NLBs have one static IP per AZ and support Elastic IP assignment.

         5. NLB is not included in the AWS free tier offerings.

         6. NLB can forward to EC2 Instances or private IPs on AWS.

         7. NLB can forward to an ALB, giving you a fixed IP plus rules around access.

         8. NLB health checks support the TCP, HTTP and HTTPS protocols.

===================================================

1.  Logon to AWS as an IAM user at URL:  https://signin.aws.amazon.com/

2.  From the Home Console type EC2 in the search bar, select the star next to EC2, and select EC2

3.  On the left hand menu bar select Instances.

4.  On the Instances page you will see two instances; we will be using web1 and web2. Retrieve the public IP address of each and open two web browser tabs to verify that they resolve.

5.  Web1 display.

6.  Web2 display.

7.  Scroll down the left hand side menu bar and select Load Balancers.

8.  Select Create load balancer on the right hand side of the screen.

9.  Select the Create button at the bottom of Network Load Balancer.

10.  Name the load balancer, select Internet-facing, and IP address type IPv4.

11.  Under Network mapping, select all Availability Zones presented.

12.  Under the Security groups section, click create a new security group.

13.  Name the security group, add description and click the Add rules button under Inbound rules.

14.  Add a TCP inbound rule from any source and select the Create security group button.

15.  Back on the Load Balancer create screen, select your new load balancer security group.

16.  Under Listeners and routing, select Create target group.  NOTE:  You will choose TCP as the Listener not HTTP.

17.  Ensure Instances is selected under Basic configuration.

18.  Enter a name for your target group; ensure the protocol is HTTP, IPv4 is selected, the protocol version is HTTP1, and the health check is HTTP. Press the Next button at the bottom.

19.  Select the target for the load balancer.  Click the Include as pending below button. Click the Create target group button at the bottom.

20.  Back on the load balancer page, select the target group you just created.  You may have to refresh the list of target groups.

21.  Next click the Create load balancer button.

22.  Page will present with successful creation of your load balancer.

23.  Copy the DNS name given at the bottom of the load balancer page. Open a separate browser tab and enter the DNS name.

24.  Keep refreshing your webpage until it switches to Webserver One, and you can see the load balancer is working.

AWS Application Load Balancing (ALB)

AWS offers multiple load balancers to address the needs of a client AWS environment and provide the necessary resources to accomplish their IT solution with minimal latency. These include: Classic, Application, Network, and Gateway load balancers. In this article we will address the use and application of Application Load Balancing in an AWS environment.

A load balancer's main purpose is to spread the workload of a given task among many different resources, thus avoiding queue waits for processing. In the IT realm, this is normally a server which forwards requests to other servers in an attempt to spread the work evenly among them.

The Characteristics of AWS Application Load Balancer (ALB) are:

            1. Network Layer 7 (HTTP)

            2. Can use Target Groups (a set of instances) for multiple HTTP applications.

            3. Can use containers (a single instance) for multiple HTTP applications.

            4. Supports HTTP/2 and WebSocket.

            5. Supports redirects (HTTP to HTTPS)

            6. Routing rules can send traffic to different target groups:

                  a. Based on the URL path

                  b. Based on the hostname in the URL

                  c. Based on the query string or request headers.

            7. ALB load balancing is great for microservices and container-based applications.

            8. ALB can use port mapping to redirect to dynamic ports on ECS.

            9. ALB can replace multiple Classic Load Balancers per application.

=============================================

1.  Logon to AWS as an IAM user at URL:  https://signin.aws.amazon.com/

2.  From the Home Console type EC2 in the search bar, select the star next to EC2, and select EC2

3.  On the left hand menu bar select Instances.

4.  On the Instances page you will see two instances; we will be using web1 and web2. Retrieve the public IP address of each and open two web browser tabs to verify that they resolve.

5.  Web1 display.

6.  Web2 display.

7.  Scroll down the left hand side menu bar and select Load Balancers.

8.  Select Create load balancer on the right hand side of the screen.

9.  Select the Create button at the bottom of Application Load Balancer.

10.  Name the load balancer, select Internet-facing, and IP address type IPv4.

11.  Under Network mapping, select all Availability Zones presented.

12.  Under the Security groups section, click create a new security group.

13.  Name the security group, add description and click the Add rules button under Inbound rules.

14.  Add an HTTP inbound rule from any source and select the Create security group button.

15.  Back on the Load Balancer create screen, select your new load balancer security group.

16.  Under Listeners and routing, select Create target group.

17.  Ensure Instances is selected under Basic configuration.

18.  Enter a name for your target group; ensure the protocol is HTTP, IPv4 is selected, the protocol version is HTTP1, and the health check is HTTP. Press the Next button at the bottom.

19.  Select the target for the load balancer.  Click the Include as pending below button. Click the Create target group button at the bottom.

20.  Back on the load balancer page, select the target group you just created.  You may have to refresh the list of target groups.

21.  Next click the Create load balancer button.

22.  Page will present with successful creation of your load balancer.

23.  Copy the DNS name given at the bottom of the load balancer page. Open a separate browser tab and enter the DNS name.

24.  Keep refreshing your webpage until it switches to Webserver One, and you can see the load balancer is working.
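Step 14 of the NLB walkthrough opens all TCP ports to any source, while step 14 of the ALB walkthrough opens only HTTP; the added Python check below (not part of the original post) evaluates security group inbound rules in the IpPermissions shape returned by the EC2 DescribeSecurityGroups API and flags world-open rules that are wider than the load balancer's listener ports. The three rule sets are constructed samples modelled on those steps, not rules exported from the author's account.

```python
def overly_permissive_rules(ip_permissions, listener_ports):
    """Flag inbound rules that expose more than the load balancer's listener ports to the whole
    Internet. ip_permissions uses the IpPermissions shape returned by EC2 DescribeSecurityGroups."""
    findings = []
    for rule in ip_permissions:
        world_v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
        world_v6 = any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))
        if not (world_v4 or world_v6):
            continue                                     # scoped source: not the concern here
        proto = rule.get("IpProtocol")
        if proto == "-1":                                # "All traffic" rule: no ports at all
            findings.append("all protocols and all ports open to the world")
            continue
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        if lo is None or hi is None or (lo, hi) == (0, 65535):
            findings.append(f"{proto} all ports open to the world")
            continue
        extra = sorted(p for p in range(lo, hi + 1) if p not in listener_ports)
        if extra:
            findings.append(f"{proto} ports {lo}-{hi} open to the world; "
                            f"non-listener ports exposed: {extra[:5]}{'...' if len(extra) > 5 else ''}")
    return findings

# Constructed samples mirroring step 14 of the two walkthroughs, plus a hardened variant.
NLB_STEP14 = [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
ALB_STEP14 = [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
HTTPS_ONLY = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
              {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]

if __name__ == "__main__":
    for label, rules, ports in (("NLB step 14", NLB_STEP14, {80}), ("ALB step 14", ALB_STEP14, {80}),
                                ("HTTPS only", HTTPS_ONLY, {443})):
        print(label, overly_permissive_rules(rules, ports) or "ok")
```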

AWS Elastic Load Balancing (ELB)

A load balancer's main purpose is to spread the workload of a given task among many different resources, thus avoiding queue waits for processing. In the IT realm, this is normally a server which forwards requests to other servers in an attempt to spread the work evenly among them. An Elastic Load Balancer is an AWS service that provides a classic example of a load balancer. NOTE: It is not required to use any load balancing service from AWS; you can implement your own load balancing service.

Benefits of Load Balancing:

            1. Spreads work load across multiple downstream instances.

            2. Provides single point of access to server resources.

            3. Handles loss of downstream instances by not sending work to them.

            4. Performs regular health checks on downstream instances.

            5. Provides an SSL endpoint for webservers using HTTPS.

            6. Enforces stickiness using cookies.

            7. Provides high availability.

            8. Can separate public traffic from private traffic.

Characteristics of Elastic Load Balancer

            1. ELBs are load balancers managed by AWS, which guarantees they keep working, takes care of all upgrades, maintenance and high availability, and provides a few custom configuration options.

            2. It is cheaper to create your own load balancers, but it costs considerably more resources.

            3. ELB is integrated with EC2, Auto Scaling groups, ECS, ACM, CloudWatch, Route 53, WAF, and Global Accelerator.

            4. Four Types of Elastic Load Balancers:

                        1. Classic – CLB (deprecated) – Version 1, HTTP, HTTPS, TCP, SSL

                        2. Application – ALB – Version 2, HTTP, HTTPS, WebSocket

                        3. Network – NLB – Version 2, TCP, TLS, UDP

                        4. Gateway – GLB – Operates at Network Layer 3, IP protocol.

AWS EC2 Roles

IAM Roles are used to grant permissions to a user; EC2 Roles are used to grant permissions to an EC2 Instance.

1.  The following is required before you create an IAM user for your AWS Free Tier Account:

    –  An active AWS Account with admin-level permissions.

    –  An Instance which supports Instance Connect.

2.  Logon to AWS as an IAM user at URL:  https://signin.aws.amazon.com/

3.  From the Home Console type EC2 in the search bar, select the star next to EC2, and select EC2

4.  On the right hand menu bar select Instances.

5.  We currently have one EC2 Instance built out; select your instance with a check mark and press the Connect button.

6.  By default you are already in the EC2 Instance Connect tab, which uses the default ec2-user session. Select Connect.

7.  The Instance Connect terminal will start up.

8.  The first thing we will attempt is to list the IAM users with the command:    aws iam list-users

9.  NOTE: Currently we are connected inside the EC2 Instance, but we have no permissions to do anything. To resolve this we will attach a role to the EC2 instance directly.

10.  Open the IAM console and scroll down the left hand side menu bar to Roles. NOTE: We already have a role EC2_ReadOnly_IAM.

11.  Go back to your EC2 Instance and click on the Instance ID → Actions → Security → Modify IAM role.

12.  Select the EC2_ReadOnly_IAM role from the drop-down box and press Update IAM role.

13.  Now relaunch Instance Connect and attempt your command again. You now have the appropriate permissions to view IAM.
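Before attaching a role like EC2_ReadOnly_IAM to an instance, a practitioner would want to confirm it is both assumable only by EC2 and limited to read-only IAM actions; the added Python example below (not code from the original post, and not the actual policies of the author's role) checks a role's trust policy and permission policy documents for exactly those two properties. The policy dictionaries are constructed samples in the standard IAM JSON policy shape.

```python
def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def trust_policy_problems(trust_policy):
    """Flag Allow statements that let anything other than the EC2 service assume the role."""
    problems = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            problems.append("trust policy allows any principal to assume the role")
            continue
        if "*" in _as_list(principal.get("AWS", [])):
            problems.append("trust policy allows any AWS account to assume the role")
        for svc in _as_list(principal.get("Service", [])):
            if svc != "ec2.amazonaws.com":
                problems.append(f"unexpected service principal {svc}")
    return problems

def permission_policy_problems(policy, allowed_prefixes=("iam:Get", "iam:List")):
    """Flag Allow statements that grant anything beyond read-only IAM actions (wildcards included)."""
    problems = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not action.startswith(allowed_prefixes):
                problems.append(f"action {action} is not read-only")
    return problems

# Constructed samples for a role like the post's EC2_ReadOnly_IAM (not the actual role's policies).
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
SAMPLE_READONLY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}
SAMPLE_TOO_BROAD = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "iam:*", "Resource": "*"}]}

if __name__ == "__main__":
    print("trust:", trust_policy_problems(SAMPLE_TRUST) or "ok")
    print("read-only policy:", permission_policy_problems(SAMPLE_READONLY) or "ok")
    print("too-broad policy:", permission_policy_problems(SAMPLE_TOO_BROAD) or "ok")
```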