Does the ELB also route outbound reply traffic in AWS Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern) Come Celebrate our 10 Year Anniversary!Advice regarding resilient internet access from within an Amazon VPCWhat's the difference between a private and public subnet?How does an AWS VPC instance route traffic internally and externally over 1 interface?AWS yum does not work from private subnet (does work from public)How can I place a Webserver in a private subnet in AWS and open it to the world on port 80Route public 3306 traffic to private VPC through NAT?AWS: NAT Gateway in public subnet. Why?AWS EC2 Security Group/ACL - Deny outbound to only one /24 subnetaws private instance cannot resolve hostname (VPC with NAT instance)AWS Security group for restricting inbound traffic from private subnet
Why is ArcGIS Pro not symbolizing my entire range of values?
Can I ask an author to send me his ebook?
Is there a way to convert Wolfram Language expression to string?
A German immigrant ancestor has a "Registration Affidavit of Alien Enemy" on file. What does that mean exactly?
Is Bran literally the world's memory?
How is an IPA symbol that lacks a name (e.g. ɲ) called?
“Since the train was delayed for more than an hour, passengers were given a full refund.” – Why is there no article before “passengers”?
Why do people think Winterfell crypts is the safest place for women, children & old people?
Network questions
IC on Digikey is 5x more expensive than board containing same IC on Alibaba: How?
What kind of capacitor is this in the image?
Does using the inspiration rules for character defects tend to encourage players to display MGS?
Are Flameskulls resistant to magical piercing damage?
Putting Ant-Man on house arrest
Compiling and throwing simple dynamic exceptions at runtime for JVM
Is there a verb for listening stealthily?
How to ask rejected full-time candidates to apply to teach individual courses?
How to break 信じようとしていただけかも知れない into separate parts?
Can gravitational waves pass through a black hole?
xkeyval -- read keys from file
Trying to enter the Fox's den
When speaking, how do you change your mind mid-sentence?
reduction from 3-SAT to Subset Sum problem
2 sample t test for sample sizes - 30,000 and 150,000
Does the ELB also route outbound reply traffic in AWS
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern)
Come Celebrate our 10 Year Anniversary!Advice regarding resilient internet access from within an Amazon VPCWhat's the difference between a private and public subnet?How does an AWS VPC instance route traffic internally and externally over 1 interface?AWS yum does not work from private subnet (does work from public)How can I place a Webserver in a private subnet in AWS and open it to the world on port 80Route public 3306 traffic to private VPC through NAT?AWS: NAT Gateway in public subnet. Why?AWS EC2 Security Group/ACL - Deny outbound to only one /24 subnetaws private instance cannot resolve hostname (VPC with NAT instance)AWS Security group for restricting inbound traffic from private subnet
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I have been trying to understand how routing works in an AWS VPC with public/private subnets.
I have a setup as recommended by amazon with an ELB and NAT in the public subnet and the webserver in the private subnet. I have security groups (SG) configured as per http://blogs.aws.amazon.com/security/blog/tag/NAT and it all works as expected. Great!
What I do not yet understand is how HTTP replies are returned from the webserver instance in the above architecture.
So a web request comes in from the public internet over HTTP,80 hits ELB and ELB takes it to the private IP of the webserver, cool. Now the webserver has to reply. From what I understand the reply will be over a different higher TCP port (1024-65535). The NAT SG only allows outbound traffic over ports 80 & 443. So how does this reply get out back to the public Internet. It cannot go through the NAT. Does this mean the reply goes back out through the ELB. The Amazon diagram does not indicate the ELB traffic direction arrow as bidirectional, nor does the ELB documentation state that the ELB behaves like a stateful NAT. Does it?
amazon-web-services nat amazon-vpc
asked Oct 5 '15 at 10:23
AliAli
19539
add a comment |
I have been trying to understand how routing works in an AWS VPC with public/private subnets.
I have a setup as recommended by amazon with an ELB and NAT in the public subnet and the webserver in the private subnet. I have security groups (SG) configured as per http://blogs.aws.amazon.com/security/blog/tag/NAT and it all works as expected. Great!
What I do not yet understand is how HTTP replies are returned from the webserver instance in the above architecture.
So a web request comes in from the public internet over HTTP,80 hits ELB and ELB takes it to the private IP of the webserver, cool. Now the webserver has to reply. From what I understand the reply will be over a different higher TCP port (1024-65535). The NAT SG only allows outbound traffic over ports 80 & 443. So how does this reply get out back to the public Internet. It cannot go through the NAT. Does this mean the reply goes back out through the ELB. The Amazon diagram does not indicate the ELB traffic direction arrow as bidirectional, nor does the ELB documentation state that the ELB behaves like a stateful NAT. Does it?
amazon-web-services nat amazon-vpc
asked Oct 5 '15 at 10:23
AliAli
19539
add a comment |
I have been trying to understand how routing works in an AWS VPC with public/private subnets.
I have a setup as recommended by amazon with an ELB and NAT in the public subnet and the webserver in the private subnet. I have security groups (SG) configured as per http://blogs.aws.amazon.com/security/blog/tag/NAT and it all works as expected. Great!
What I do not yet understand is how HTTP replies are returned from the webserver instance in the above architecture.
So a web request comes in from the public internet over HTTP,80 hits ELB and ELB takes it to the private IP of the webserver, cool. Now the webserver has to reply. From what I understand the reply will be over a different higher TCP port (1024-65535). The NAT SG only allows outbound traffic over ports 80 & 443. So how does this reply get out back to the public Internet. It cannot go through the NAT. Does this mean the reply goes back out through the ELB. The Amazon diagram does not indicate the ELB traffic direction arrow as bidirectional, nor does the ELB documentation state that the ELB behaves like a stateful NAT. Does it?
amazon-web-services nat amazon-vpc
asked Oct 5 '15 at 10:23
AliAli
19539
I have been trying to understand how routing works in an AWS VPC with public/private subnets.
I have a setup as recommended by amazon with an ELB and NAT in the public subnet and the webserver in the private subnet. I have security groups (SG) configured as per http://blogs.aws.amazon.com/security/blog/tag/NAT and it all works as expected. Great!
What I do not yet understand is how HTTP replies are returned from the webserver instance in the above architecture.
So a web request comes in from the public internet over HTTP,80 hits ELB and ELB takes it to the private IP of the webserver, cool. Now the webserver has to reply. From what I understand the reply will be over a different higher TCP port (1024-65535). The NAT SG only allows outbound traffic over ports 80 & 443. So how does this reply get out back to the public Internet. It cannot go through the NAT. Does this mean the reply goes back out through the ELB. The Amazon diagram does not indicate the ELB traffic direction arrow as bidirectional, nor does the ELB documentation state that the ELB behaves like a stateful NAT. Does it?
amazon-web-services nat amazon-vpc
amazon-web-services nat amazon-vpc
asked Oct 5 '15 at 10:23
AliAli
19539
asked Oct 5 '15 at 10:23
AliAli
19539
edited Oct 5 '15 at 10:35
Ali
asked Oct 5 '15 at 10:23
AliAli
19539
asked Oct 5 '15 at 10:23
AliAli
19539
asked Oct 5 '15 at 10:23
AliAli
19539
19539
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
The arrows in the diagram only indicate the direction of connection establishment -- not traffic flow.
Yes, return traffic goes back through the ELB.
But, it isn't a stateful NAT -- it's a TCP connection proxy. The ELB machines accept TCP connections on the configured listening ports, terminating the SSL session if so configured, and establish a new TCP connection to the back-end server. If the listener is configured for HTTP, the ELB operates in a payload-aware mode parsing, logging, and forwarding HTTP requests to the back-end, otherwise it's payload-agnostic, establishing a new TCP connection 1:1 to the back-end for each incoming connection, and "tying the pipes together" (with no HTTP-level awareness or modification).
Either way, the source address of the incoming connection to your application is going to be that of the ELB node, not the original client. This is how the response traffic returns to the ELB for return to the client.
In http mode, the ELB adds (or appends to) the X-Forwarded-For header so your application can identify the original client IP, as well as X-Forwarded-Proto: [ http | https ] to indicate whether the client connection uses SSL and X-Forwarded-Port to indicate the front-end port.
Update: the above refers to a type of load balancer that is now known as "ELB Classic" or ELB/1.0 (found in the user agent string it sends with HTTP health checks).
The newer Layer 7 balancer, Application Load Balancer or ELB/2.0 operates similarly, with respect to traffic flow. The Layer 4 ("transparent" TCP) capability is removed from ALB and layer 7 features enhanced significantly.
The newest type of load balancer, the Network Load Balancer, is a Layer 3 balancer. Unlike the other two, it behaves very much like dynamic NAT, handling inbound (outside-originated) connections only, mapping source-addr+port through EIP-addr+port to instance-private-ip:adde+port -- with the EIP bound to the "balancer" -- and unlike the other two types of balancers, the instances need to be on public subnets, and use their own public IPs for this.
Conceptually speaking, the Network Load Balancer seems to actually modify the behavior of the Internet Gateway -- which is, itself, a logical object that cannot be disabled, replaced, or experience a failure in any meaningful sense. This is in contrast to ELB and ALB, which actually operate on "hidden" EC2 instances. NLB operates on the network infrastructure, itself, by all appearances.
answered Oct 5 '15 at 14:02
Michael - sqlbotMichael - sqlbot
16.2k3462
Thanks. Could you elaborate on the payload-aware, payload-agnostic modes? Also can the webserver know if the original connection was over SSL?
– Ali
Oct 5 '15 at 16:18
I've added some additional info to the answer to address these points.
– Michael - sqlbot
Oct 5 '15 at 16:52
and unlike the other two types of balancers, the instances need to be on public subnets, and use their own public IPs for this.I'm very glad to read this. Can you provide a reference to this information?
– Felipe Alvarez
Mar 4 '18 at 9:33
1
@FelipeAlvarez as it turns out, the complete picture is substantially more complex. While this is the most intuitive configuration, Network Load Balancer is integrated with the actual network infrastructure in such a way that it captures the TCP streams (presumably via the network state tables) from the target instances and can rewrite them and work as expected even if the instances aren't configured this way. Target instances need a default route declared in VPC -- it is disregarded for the return packets, but must still be present. The absence of a default route creates a blackhole.
– Michael - sqlbot
Mar 4 '18 at 14:02
add a comment |
According to AWS documentation for NLB, it is layer 4 not layer 3. Also the backend or target servers are not required to be on a public subnet. As a matter of fact the IP address ranges of the target groups must be one of the following:
The following are the possible target types:
instance
The targets are specified by instance ID.
ip
The targets are specified by IP address.
When the target type is ip, you can specify IP addresses from one of the following CIDR blocks:
The subnets of the VPC for the target group
10.0.0.0/8 (RFC 1918)
100.64.0.0/10 (RFC 6598)
172.16.0.0/12 (RFC 1918)
192.168.0.0/16 (RFC 1918)
Important
You can't specify publicly routable IP addresses.
I hope this helps.
answered Apr 16 at 11:35
RBPRBP
111
New contributor
RBP is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f726752%2fdoes-the-elb-also-route-outbound-reply-traffic-in-aws%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
The arrows in the diagram only indicate the direction of connection establishment -- not traffic flow.
Yes, return traffic goes back through the ELB.
But, it isn't a stateful NAT -- it's a TCP connection proxy. The ELB machines accept TCP connections on the configured listening ports, terminating the SSL session if so configured, and establish a new TCP connection to the back-end server. If the listener is configured for HTTP, the ELB operates in a payload-aware mode parsing, logging, and forwarding HTTP requests to the back-end, otherwise it's payload-agnostic, establishing a new TCP connection 1:1 to the back-end for each incoming connection, and "tying the pipes together" (with no HTTP-level awareness or modification).
Either way, the source address of the incoming connection to your application is going to be that of the ELB node, not the original client. This is how the response traffic returns to the ELB for return to the client.
In http mode, the ELB adds (or appends to) the X-Forwarded-For header so your application can identify the original client IP, as well as X-Forwarded-Proto: [ http | https ] to indicate whether the client connection uses SSL and X-Forwarded-Port to indicate the front-end port.
Update: the above refers to a type of load balancer that is now known as "ELB Classic" or ELB/1.0 (found in the user agent string it sends with HTTP health checks).
The newer Layer 7 balancer, Application Load Balancer or ELB/2.0 operates similarly, with respect to traffic flow. The Layer 4 ("transparent" TCP) capability is removed from ALB and layer 7 features enhanced significantly.
The newest type of load balancer, the Network Load Balancer, is a Layer 3 balancer. Unlike the other two, it behaves very much like dynamic NAT, handling inbound (outside-originated) connections only, mapping source-addr+port through EIP-addr+port to instance-private-ip:adde+port -- with the EIP bound to the "balancer" -- and unlike the other two types of balancers, the instances need to be on public subnets, and use their own public IPs for this.
Conceptually speaking, the Network Load Balancer seems to actually modify the behavior of the Internet Gateway -- which is, itself, a logical object that cannot be disabled, replaced, or experience a failure in any meaningful sense. This is in contrast to ELB and ALB, which actually operate on "hidden" EC2 instances. NLB operates on the network infrastructure, itself, by all appearances.
answered Oct 5 '15 at 14:02
Michael - sqlbotMichael - sqlbot
16.2k3462
Thanks. Could you elaborate on the payload-aware, payload-agnostic modes? Also can the webserver know if the original connection was over SSL?
– Ali
Oct 5 '15 at 16:18
I've added some additional info to the answer to address these points.
– Michael - sqlbot
Oct 5 '15 at 16:52
and unlike the other two types of balancers, the instances need to be on public subnets, and use their own public IPs for this.I'm very glad to read this. Can you provide a reference to this information?
– Felipe Alvarez
Mar 4 '18 at 9:33
1
@FelipeAlvarez as it turns out, the complete picture is substantially more complex. While this is the most intuitive configuration, Network Load Balancer is integrated with the actual network infrastructure in such a way that it captures the TCP streams (presumably via the network state tables) from the target instances and can rewrite them and work as expected even if the instances aren't configured this way. Target instances need a default route declared in VPC -- it is disregarded for the return packets, but must still be present. The absence of a default route creates a blackhole.
– Michael - sqlbot
Mar 4 '18 at 14:02
add a comment |
The arrows in the diagram only indicate the direction of connection establishment -- not traffic flow.
Yes, return traffic goes back through the ELB.
But, it isn't a stateful NAT -- it's a TCP connection proxy. The ELB machines accept TCP connections on the configured listening ports, terminating the SSL session if so configured, and establish a new TCP connection to the back-end server. If the listener is configured for HTTP, the ELB operates in a payload-aware mode parsing, logging, and forwarding HTTP requests to the back-end, otherwise it's payload-agnostic, establishing a new TCP connection 1:1 to the back-end for each incoming connection, and "tying the pipes together" (with no HTTP-level awareness or modification).
Either way, the source address of the incoming connection to your application is going to be that of the ELB node, not the original client. This is how the response traffic returns to the ELB for return to the client.
In http mode, the ELB adds (or appends to) the X-Forwarded-For header so your application can identify the original client IP, as well as X-Forwarded-Proto: [ http | https ] to indicate whether the client connection uses SSL and X-Forwarded-Port to indicate the front-end port.
Update: the above refers to a type of load balancer that is now known as "ELB Classic" or ELB/1.0 (found in the user agent string it sends with HTTP health checks).
The newer Layer 7 balancer, Application Load Balancer or ELB/2.0 operates similarly, with respect to traffic flow. The Layer 4 ("transparent" TCP) capability is removed from ALB and layer 7 features enhanced significantly.
The newest type of load balancer, the Network Load Balancer, is a Layer 3 balancer. Unlike the other two, it behaves very much like dynamic NAT, handling inbound (outside-originated) connections only, mapping source-addr+port through EIP-addr+port to instance-private-ip:adde+port -- with the EIP bound to the "balancer" -- and unlike the other two types of balancers, the instances need to be on public subnets, and use their own public IPs for this.
Conceptually speaking, the Network Load Balancer seems to actually modify the behavior of the Internet Gateway -- which is, itself, a logical object that cannot be disabled, replaced, or experience a failure in any meaningful sense. This is in contrast to ELB and ALB, which actually operate on "hidden" EC2 instances. NLB operates on the network infrastructure, itself, by all appearances.
answered Oct 5 '15 at 14:02
Michael - sqlbotMichael - sqlbot
16.2k3462
Thanks. Could you elaborate on the payload-aware, payload-agnostic modes? Also can the webserver know if the original connection was over SSL?
– Ali
Oct 5 '15 at 16:18
I've added some additional info to the answer to address these points.
– Michael - sqlbot
Oct 5 '15 at 16:52
and unlike the other two types of balancers, the instances need to be on public subnets, and use their own public IPs for this.I'm very glad to read this. Can you provide a reference to this information?
– Felipe Alvarez
Mar 4 '18 at 9:33
1
@FelipeAlvarez as it turns out, the complete picture is substantially more complex. While this is the most intuitive configuration, Network Load Balancer is integrated with the actual network infrastructure in such a way that it captures the TCP streams (presumably via the network state tables) from the target instances and can rewrite them and work as expected even if the instances aren't configured this way. Target instances need a default route declared in VPC -- it is disregarded for the return packets, but must still be present. The absence of a default route creates a blackhole.
– Michael - sqlbot
Mar 4 '18 at 14:02
add a comment |
The arrows in the diagram only indicate the direction of connection establishment -- not traffic flow.
Yes, return traffic goes back through the ELB.
But, it isn't a stateful NAT -- it's a TCP connection proxy. The ELB machines accept TCP connections on the configured listening ports, terminating the SSL session if so configured, and establish a new TCP connection to the back-end server. If the listener is configured for HTTP, the ELB operates in a payload-aware mode parsing, logging, and forwarding HTTP requests to the back-end, otherwise it's payload-agnostic, establishing a new TCP connection 1:1 to the back-end for each incoming connection, and "tying the pipes together" (with no HTTP-level awareness or modification).
Either way, the source address of the incoming connection to your application is going to be that of the ELB node, not the original client. This is how the response traffic returns to the ELB for return to the client.
In http mode, the ELB adds (or appends to) the X-Forwarded-For header so your application can identify the original client IP, as well as X-Forwarded-Proto: [ http | https ] to indicate whether the client connection uses SSL and X-Forwarded-Port to indicate the front-end port.
Update: the above refers to a type of load balancer that is now known as "ELB Classic" or ELB/1.0 (found in the user agent string it sends with HTTP health checks).
The newer Layer 7 balancer, Application Load Balancer or ELB/2.0 operates similarly, with respect to traffic flow. The Layer 4 ("transparent" TCP) capability is removed from ALB and layer 7 features enhanced significantly.
The newest type of load balancer, the Network Load Balancer, is a Layer 3 balancer. Unlike the other two, it behaves very much like dynamic NAT, handling inbound (outside-originated) connections only, mapping source-addr+port through EIP-addr+port to instance-private-ip:adde+port -- with the EIP bound to the "balancer" -- and unlike the other two types of balancers, the instances need to be on public subnets, and use their own public IPs for this.
Conceptually speaking, the Network Load Balancer seems to actually modify the behavior of the Internet Gateway -- which is, itself, a logical object that cannot be disabled, replaced, or experience a failure in any meaningful sense. This is in contrast to ELB and ALB, which actually operate on "hidden" EC2 instances. NLB operates on the network infrastructure, itself, by all appearances.
answered Oct 5 '15 at 14:02
Michael - sqlbotMichael - sqlbot
16.2k3462
The arrows in the diagram only indicate the direction of connection establishment -- not traffic flow.
Yes, return traffic goes back through the ELB.
But, it isn't a stateful NAT -- it's a TCP connection proxy. The ELB machines accept TCP connections on the configured listening ports, terminating the SSL session if so configured, and establish a new TCP connection to the back-end server. If the listener is configured for HTTP, the ELB operates in a payload-aware mode parsing, logging, and forwarding HTTP requests to the back-end, otherwise it's payload-agnostic, establishing a new TCP connection 1:1 to the back-end for each incoming connection, and "tying the pipes together" (with no HTTP-level awareness or modification).
Either way, the source address of the incoming connection to your application is going to be that of the ELB node, not the original client. This is how the response traffic returns to the ELB for return to the client.
In http mode, the ELB adds (or appends to) the X-Forwarded-For header so your application can identify the original client IP, as well as X-Forwarded-Proto: [ http | https ] to indicate whether the client connection uses SSL and X-Forwarded-Port to indicate the front-end port.
Update: the above refers to a type of load balancer that is now known as "ELB Classic" or ELB/1.0 (found in the user agent string it sends with HTTP health checks).
The newer Layer 7 balancer, Application Load Balancer or ELB/2.0 operates similarly, with respect to traffic flow. The Layer 4 ("transparent" TCP) capability is removed from ALB and layer 7 features enhanced significantly.
The newest type of load balancer, the Network Load Balancer, is a Layer 3 balancer. Unlike the other two, it behaves very much like dynamic NAT, handling inbound (outside-originated) connections only, mapping source-addr+port through EIP-addr+port to instance-private-ip:adde+port -- with the EIP bound to the "balancer" -- and unlike the other two types of balancers, the instances need to be on public subnets, and use their own public IPs for this.
Conceptually speaking, the Network Load Balancer seems to actually modify the behavior of the Internet Gateway -- which is, itself, a logical object that cannot be disabled, replaced, or experience a failure in any meaningful sense. This is in contrast to ELB and ALB, which actually operate on "hidden" EC2 instances. NLB operates on the network infrastructure, itself, by all appearances.
answered Oct 5 '15 at 14:02
Michael - sqlbotMichael - sqlbot
16.2k3462
edited Oct 20 '17 at 2:00
answered Oct 5 '15 at 14:02
Michael - sqlbotMichael - sqlbot
16.2k3462
answered Oct 5 '15 at 14:02
Michael - sqlbotMichael - sqlbot
16.2k3462
answered Oct 5 '15 at 14:02
Michael - sqlbotMichael - sqlbot
16.2k3462
16.2k3462
Thanks. Could you elaborate on the payload-aware, payload-agnostic modes? Also can the webserver know if the original connection was over SSL?
– Ali
Oct 5 '15 at 16:18
I've added some additional info to the answer to address these points.
– Michael - sqlbot
Oct 5 '15 at 16:52
and unlike the other two types of balancers, the instances need to be on public subnets, and use their own public IPs for this.I'm very glad to read this. Can you provide a reference to this information?
– Felipe Alvarez
Mar 4 '18 at 9:33
1
@FelipeAlvarez as it turns out, the complete picture is substantially more complex. While this is the most intuitive configuration, Network Load Balancer is integrated with the actual network infrastructure in such a way that it captures the TCP streams (presumably via the network state tables) from the target instances and can rewrite them and work as expected even if the instances aren't configured this way. Target instances need a default route declared in VPC -- it is disregarded for the return packets, but must still be present. The absence of a default route creates a blackhole.
– Michael - sqlbot
Mar 4 '18 at 14:02
add a comment |
Thanks. Could you elaborate on the payload-aware, payload-agnostic modes? Also can the webserver know if the original connection was over SSL?
– Ali
Oct 5 '15 at 16:18
I've added some additional info to the answer to address these points.
– Michael - sqlbot
Oct 5 '15 at 16:52
and unlike the other two types of balancers, the instances need to be on public subnets, and use their own public IPs for this.I'm very glad to read this. Can you provide a reference to this information?
– Felipe Alvarez
Mar 4 '18 at 9:33
1
@FelipeAlvarez as it turns out, the complete picture is substantially more complex. While this is the most intuitive configuration, Network Load Balancer is integrated with the actual network infrastructure in such a way that it captures the TCP streams (presumably via the network state tables) from the target instances and can rewrite them and work as expected even if the instances aren't configured this way. Target instances need a default route declared in VPC -- it is disregarded for the return packets, but must still be present. The absence of a default route creates a blackhole.
– Michael - sqlbot
Mar 4 '18 at 14:02
Thanks. Could you elaborate on the payload-aware, payload-agnostic modes? Also can the webserver know if the original connection was over SSL?
– Ali
Oct 5 '15 at 16:18
Thanks. Could you elaborate on the payload-aware, payload-agnostic modes? Also can the webserver know if the original connection was over SSL?
– Ali
Oct 5 '15 at 16:18
I've added some additional info to the answer to address these points.
– Michael - sqlbot
Oct 5 '15 at 16:52
I've added some additional info to the answer to address these points.
– Michael - sqlbot
Oct 5 '15 at 16:52
and unlike the other two types of balancers, the instances need to be on public subnets, and use their own public IPs for this. I'm very glad to read this. Can you provide a reference to this information?– Felipe Alvarez
Mar 4 '18 at 9:33
and unlike the other two types of balancers, the instances need to be on public subnets, and use their own public IPs for this. I'm very glad to read this. Can you provide a reference to this information?– Felipe Alvarez
Mar 4 '18 at 9:33
1
1
@FelipeAlvarez as it turns out, the complete picture is substantially more complex. While this is the most intuitive configuration, Network Load Balancer is integrated with the actual network infrastructure in such a way that it captures the TCP streams (presumably via the network state tables) from the target instances and can rewrite them and work as expected even if the instances aren't configured this way. Target instances need a default route declared in VPC -- it is disregarded for the return packets, but must still be present. The absence of a default route creates a blackhole.
– Michael - sqlbot
Mar 4 '18 at 14:02
@FelipeAlvarez as it turns out, the complete picture is substantially more complex. While this is the most intuitive configuration, Network Load Balancer is integrated with the actual network infrastructure in such a way that it captures the TCP streams (presumably via the network state tables) from the target instances and can rewrite them and work as expected even if the instances aren't configured this way. Target instances need a default route declared in VPC -- it is disregarded for the return packets, but must still be present. The absence of a default route creates a blackhole.
– Michael - sqlbot
Mar 4 '18 at 14:02
add a comment |
According to AWS documentation for NLB, it is layer 4 not layer 3. Also the backend or target servers are not required to be on a public subnet. As a matter of fact the IP address ranges of the target groups must be one of the following:
The following are the possible target types:
instance
The targets are specified by instance ID.
ip
The targets are specified by IP address.
When the target type is ip, you can specify IP addresses from one of the following CIDR blocks:
The subnets of the VPC for the target group
10.0.0.0/8 (RFC 1918)
100.64.0.0/10 (RFC 6598)
172.16.0.0/12 (RFC 1918)
192.168.0.0/16 (RFC 1918)
Important
You can't specify publicly routable IP addresses.
I hope this helps.
answered Apr 16 at 11:35
RBPRBP
111
New contributor
RBP is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
According to AWS documentation for NLB, it is layer 4 not layer 3. Also the backend or target servers are not required to be on a public subnet. As a matter of fact the IP address ranges of the target groups must be one of the following:
The following are the possible target types:
instance
The targets are specified by instance ID.
ip
The targets are specified by IP address.
When the target type is ip, you can specify IP addresses from one of the following CIDR blocks:
The subnets of the VPC for the target group
10.0.0.0/8 (RFC 1918)
100.64.0.0/10 (RFC 6598)
172.16.0.0/12 (RFC 1918)
192.168.0.0/16 (RFC 1918)
Important
You can't specify publicly routable IP addresses.
I hope this helps.
answered Apr 16 at 11:35
RBPRBP
111
New contributor
RBP is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
According to AWS documentation for NLB, it is layer 4 not layer 3. Also the backend or target servers are not required to be on a public subnet. As a matter of fact the IP address ranges of the target groups must be one of the following:
The following are the possible target types:
instance
The targets are specified by instance ID.
ip
The targets are specified by IP address.
When the target type is ip, you can specify IP addresses from one of the following CIDR blocks:
The subnets of the VPC for the target group
10.0.0.0/8 (RFC 1918)
100.64.0.0/10 (RFC 6598)
172.16.0.0/12 (RFC 1918)
192.168.0.0/16 (RFC 1918)
Important
You can't specify publicly routable IP addresses.
I hope this helps.
answered Apr 16 at 11:35
RBPRBP
111
New contributor
RBP is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
According to AWS documentation for NLB, it is layer 4 not layer 3. Also the backend or target servers are not required to be on a public subnet. As a matter of fact the IP address ranges of the target groups must be one of the following:
The following are the possible target types:
instance
The targets are specified by instance ID.
ip
The targets are specified by IP address.
When the target type is ip, you can specify IP addresses from one of the following CIDR blocks:
The subnets of the VPC for the target group
10.0.0.0/8 (RFC 1918)
100.64.0.0/10 (RFC 6598)
172.16.0.0/12 (RFC 1918)
192.168.0.0/16 (RFC 1918)
Important
You can't specify publicly routable IP addresses.
I hope this helps.
answered Apr 16 at 11:35
RBPRBP
111
New contributor
RBP is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered Apr 16 at 11:35
RBPRBP
111
New contributor
RBP is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered Apr 16 at 11:35
RBPRBP
111
answered Apr 16 at 11:35
RBPRBP
111
111
New contributor
RBP is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
RBP is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
RBP is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f726752%2fdoes-the-elb-also-route-outbound-reply-traffic-in-aws%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
