AWS NLB - Network Load Balancer | Concept | DEMO | Comparison b/w AWS ALB and NLB

  • Published on 17 Oct 2024

Comments • 59

  • @MrKiraBR 2 years ago +2

    God bless the Indians. Always with good content everywhere. Thank you so much!

    • @Cloud4DevOps 2 years ago +1

      Thanks for visiting!!!

  • @joysarkar81 3 years ago +3

    Network layer is the 3rd layer in the OSI model, why did you mention the 4th layer?

    • @Cloud4DevOps 3 years ago +1

      That was one of my mistakes.

    • @edith0043 2 years ago

      I too had the same question, but I think it's the 4th layer in the TCP/IP model.

  • @kalyandowlagar3901 4 years ago +3

    Hi, if an NLB has a target instance allowing TCP port 80 traffic, that means we are not associating any security group to secure the instance, so anyone can talk to the instance without routing through the NLB, which makes the instance vulnerable. How can we secure the instance to allow traffic only from the NLB, so that no other connection can be made to the instance?

    • @Cloud4DevOps 4 years ago +2

      Hi,
      You are securing the environment at 2 places [one at Subnet/VPC level by NACL and the other at instance level by Security Group], so whenever you are configuring AWS NLB, the DNS that you will create for your application to route the request to the servers is only routing it via AWS NLB. While using NLB you don't have to assign public IP addresses to the servers, as, if you go with best-practice standards, the servers need to be kept in private zones instead of public zones.
      Ultimately traffic is getting routed via NLB to EC2 instances. Let me know if that clears your doubts.

    • @princepal8738 3 years ago

      You can also use a NAT gateway with your private subnet access, which will make your server more secure.
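
Added example (not part of the video or of any comment above): a check for the situation raised in this thread, a target that can be reached directly instead of through the NLB. It runs over data shaped like the EC2 `describe_instances` and `describe_security_groups` responses; the instance IDs, group IDs, addresses and the `probe_ip` parameter are constructed for illustration, and only IPv4 rules with CIDR sources are considered.

```python
import ipaddress

def sg_allows(sg, port, source_ip):
    """True if an inbound IPv4 rule of this group admits TCP `port` from `source_ip`."""
    src = ipaddress.ip_address(source_ip)
    for rule in sg.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        # "-1" means every protocol and port, and carries no FromPort/ToPort.
        if proto == "tcp" and not rule["FromPort"] <= port <= rule["ToPort"]:
            continue
        if any(src in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
            return True
    return False

def bypassable_targets(instances, groups, port, probe_ip="198.51.100.7"):
    """IDs of targets an arbitrary internet host could reach without the NLB."""
    by_id = {g["GroupId"]: g for g in groups}
    hits = []
    for inst in instances:
        open_sg = any(sg_allows(by_id[s["GroupId"]], port, probe_ip)
                      for s in inst["SecurityGroups"])
        # Both conditions are needed: a routable public address and a rule
        # that admits a host that is not the load balancer.
        if inst.get("PublicIpAddress") and open_sg:
            hits.append(inst["InstanceId"])
    return hits

# Constructed sample data (IDs and addresses are made up for this example).
GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-vpc-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]
INSTANCES = [
    {"InstanceId": "i-private", "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-public-open", "PublicIpAddress": "203.0.113.10",
     "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-public-locked", "PublicIpAddress": "203.0.113.11",
     "SecurityGroups": [{"GroupId": "sg-vpc-only"}]},
]

if __name__ == "__main__":
    print(bypassable_targets(INSTANCES, GROUPS, 80))
```

Only the target that combines a public address with a world-open rule is reported; the same rule on a target without a public address is not flagged.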

  • @WaleBusari 4 years ago +3

    You mentioned NLB works in layer 4 and you called it the Network layer, but transport is layer 4 of the OSI. Can you please correct me if I am wrong?

    • @Cloud4DevOps 4 years ago +1

      Both are correct, as Network Load Balancer functions at the fourth layer of the Open Systems Interconnection (OSI) model. After this load balancer receives a connection request, it selects a target from the target group for the default rule. It attempts to open a TCP connection to the selected target on the port specified in the listener configuration. So in short, NLB listens on TCP connections, which makes it a layer 4 LB. Let me know if that suffices for your query.

    • @soumyasouravpatnaik2246 4 years ago +1

      Although we call it Network LB, it uses Layer-4 (Transport) protocols (TCP). Hence we can say it works on the Transport layer, not on the Network layer of the OSI model.

    • @Cloud4DevOps 4 years ago +1

      @soumyasouravpatnaik2246 I got the point where that created confusion with the OSI model from my documentation. Yes, we call it Network LB or layer 4 LB [or Transport Layer of OSI]. Thanks for keeping focus. Highly appreciated.

  • @panchalchetan0 2 years ago +1

    Thanks for sharing good explanation videos of NLB.
    There is an NLB configured in my customer's network with an overlay IP setup, and the overlay IP is configured in the registered target group. If possible, can you provide a demo of overlay IP with NLB? Thanks in advance.

    • @Cloud4DevOps 2 years ago +1

      I guess you are looking for a scenario where a 3rd IP which holds your application servers is in the NLB target group, which makes NLB your frontend while the rest of the backend logic remains the same. Correct me if my understanding is wrong. I already have one such video released where I showed how you can use ALB as a target group of NLB with the new AWS feature, and in the description section there is another method that shows a Lambda function doing the IP lookup and placing those virtual IP addresses in the NLB target group. Please have a look: th-cam.com/video/TR9acyhXCNo/w-d-xo.html

  • @akhileshsaini4196 1 year ago +1

    Hi, can you please shed some light on layer 7 & layer 4, like exactly how they differ from each other?

    • @Cloud4DevOps 1 year ago +2

      NLB is layer 3, not 4, which I corrected in the description. Layer 7 is the application/presentation layer in the OSI model, which you can think of more as HTTP/HTTPS traffic handling, and layer 3 is the transport layer, where traffic handling occurs at TCP ports.
      In contrast to L2 and L3 load balancers, L7 load balancers are software that operates at the application layer. Popular L7 load balancing tools include Nginx and HAProxy. Many of them are open source, making it easy to add SSL termination and implement new protocols like HTTP/3.

  • @CloudLearning 4 years ago

    Super video

  • @shubhenduverma6674 3 years ago +1

    What if we want to route client to an arbitrary port while connecting to TCP (in NLB)?

    • @Cloud4DevOps 3 years ago

      We have an option to provide that during NLB creation.

  • @d.s.5157 3 years ago

    In step 1, where you select VPC and AZs, what device are the IP addresses for?

    • @Cloud4DevOps 3 years ago

      To route requests from the LB to the backend servers you have to give the IP addresses of the servers.

  • @balajipraveen7287 3 years ago +1

    Could you please take up a Gateway Load Balancer demo and the AWS firewall topic?

    • @Cloud4DevOps 3 years ago +1

      Gateway Load Balancer is new and I am working on getting a concept/demo out this week.

    • @balajipraveen7287 3 years ago +1

      @Cloud4DevOps That's great... Please add the AWS Network Firewall concept to your list as well... Thank you in advance

  • @Vikrantvirdi 1 year ago +1

    L4 is the transport layer, not the network layer. Kindly correct.

    • @Cloud4DevOps 1 year ago +1

      I have corrected that in the description section long back. Thanks.

    • @Vikrantvirdi 1 year ago

      That’s nice, because I was watching and I didn’t check the description!!

  • @shreerangaraju1013 4 years ago +1

    How to add TLS support and redirect port listening on 80 to secure port (443)?

    • @Cloud4DevOps 4 years ago +1

      There is an option to use TLS configuration in NLB; use that to configure TLS instead of sending data over TCP. Let me know if that helps.

    • @shreerangaraju1013 4 years ago +1

      @Cloud4DevOps I tried it. If I enable only TLS, it won't listen on port 80. In other words, HTTPS is working but not HTTP. I'd like to listen on both the ports but redirect port 80 to 443. I'm unable to figure out how to do that part.

    • @Cloud4DevOps 4 years ago +1

      Ahh, I got your point: you are looking for redirection from HTTP to HTTPS. I would suggest using AWS ALB instead of NLB, as we have a built-in feature for redirection in ALB, which is a layer 7 function. As per what I remember, HTTP to HTTPS redirection is not provided by NLB because it works at the TCP layer. You can configure both ports in NLB [80/443] as TCP ports and do the redirection from the target instance. An NLB TLS listener generally terminates the front-end connection and then decrypts requests from clients before sending them to the targets. Always prefer to use a Layer 7 LB for such requests. Let me know if that helps.

    • @shreerangaraju1013 4 years ago +1

      @Cloud4DevOps Thanks a lot!

  • @kavacham222 3 years ago

    Actually we don't need to select an SG in network load balancing. What if we don't select any SG in NLB?

    • @Cloud4DevOps 3 years ago +1

      Network Load Balancers do not have associated security groups. If you are using NLB then the SG has to be defined at instance level.

  • @Gerald-iz7mv 4 years ago

    Does AWS NLB work with gRPC (which uses HTTP/2)?

    • @Cloud4DevOps 4 years ago

      As per what I know, we have support for HTTP/2 with AWS ALB, which basically you don't get directly with NLB in AWS, and NLB can't load balance gRPC properly. I haven't seen any update yet on NLB enhancement for gRPC, and also, from what I remember, we had an issue on the implementation side with NLB and gRPC. You might raise a support request with AWS if there is any enhancement on the NLB side. Let me know if that helps.

    • @Gerald-iz7mv 4 years ago

      @Cloud4DevOps What load balancer do you use with gRPC, and which one is suggested?

    • @Cloud4DevOps 4 years ago

      I tried ALB with ECS. Since ALB comes with HTTP/2 support, the only problem is that on the backend it converts the response to HTTP/1.1, as it's not full HTTP/2 support. You might explore github.com/grpc/grpc/blob/master/doc/load-balancing.md, which helped me with more understanding when I used it a few months back...

    • @sundar7368 4 years ago

      @Cloud4DevOps You should create a target group with 2 different ports.

    • @Cloud4DevOps 4 years ago

      Requirements depend on the project and can differ. I have given an example on the concept side.

  • @Abaadir_Mohamed 3 years ago +1

    In AWS, what is the meaning of Route?

    • @Cloud4DevOps 3 years ago +1

      It's a network term only. Routing is the process of selecting a path for traffic in a network or between or across multiple networks. ... Packet forwarding is the transit of network packets from one network interface to another. Intermediate nodes are typically network hardware devices such as routers, gateways, firewalls, or switches.

  • @myroslavmail 3 years ago +2

    Sorry, but useless explanation... NLB for port 80, really? Why not ALB then? For NLB it would be more interesting to check applications that are working on other, non-HTTP ports.

    • @Cloud4DevOps 3 years ago +2

      It may be useless for you; still, there are use cases where individuals run applications on port 80. Also, I took a generic example of how NLB works, which from your work perspective doesn't seem to work, which again is fine. I try to teach concepts, which clears up understanding of the topic, and a few individuals search for the exact topic which they want to implement in their env without making an effort, and that's not my goal of teaching. I need professionals to understand the concept and then apply it. All types of comments are welcome on this channel.

  • @vineet_kumar555 1 year ago

    Where is the difference between ALB and NLB?

    • @Cloud4DevOps 1 year ago

      It's part of the video; you can see the difference table and the similarities I discussed.

  • @davidmax1816 4 years ago

    He showed what features are available in Network Balancer, but he did not mention what is going on on the back side: how this TCP process is going on.

    • @Cloud4DevOps 4 years ago +1

      I am quite sure you are aware of the layer 4 load balancing concept; if not, no issues. Generally, when a TCP connection comes from a source and reaches/passes through your Layer4-LB, this doesn't terminate the TCP connection at the LB but rather allows the connection to persist to the backend using connection tracking. This prevents them from storing large amounts of state and can be performant with regards to handling more connections. Having said that, when it comes to termination, which is another function of an L4-LB: typically with a TCP connection, when a SYN is sent from a source to the Layer4 termination LB, the Layer4-LB terminates this by sending an ACK back to the source, i.e. acknowledging the SYN. The Layer4-LB then establishes a new TCP connection to the backend server, and sends the packet to the appropriate backend.
      If you are not aware of the TCP handshake concept, please watch the video below to get an understanding:
      th-cam.com/video/enET2x2eHU8/w-d-xo.html
      Let me know if that clarifies your query.

    • @bhakta_rg 4 years ago

      @Cloud4DevOps Great explanation. Thanks!

    • @Cloud4DevOps 4 years ago

      @bhakta_rg Thanks. Please stay tuned for more production scenario related videos.

  • @ajareti 11 months ago

    Layer 4 is NOT the network layer of OSI, it is the TRANSPORT layer.
    The OSI Network layer is Layer 3.
    Giving you a big fat DISLIKE and moving on.

    • @payosini 8 months ago

      @ajareti, you must understand the OSI model :). You are right in saying that it is layer 3 for a network load balancer, but AWS NLB, though it is named network load balancer, works at the protocol/connection level, so it is actually layer 4 for AWS NLB. The Gateway Load Balancer of AWS works at layer 3. Please read the AWS documents for more information.

  • @damienspectre4231 2 years ago

    Why do Indians introduce themselves as "Shashank this side"? Or "Prashant this side"?

    • @Cloud4DevOps 2 years ago +1

      It's not only Indians, as I have seen a lot of people from US/UK do the same as well!! :)

    • @damienspectre4231 2 years ago

      @Cloud4DevOps I'm from UK. We don't use that. This "I am XYZ this side" is specific to Indians. What does "this side" mean?

    • @Cloud4DevOps 2 years ago +1

      @damienspectre4231 I do know a couple of folks from the UK use this slang too. I don't want to get into this big debate over here, and this is not the place. If you have any concern about the logic, feel free to comment. Thanks