AWS: add second internal load balancer to elastic beanstalk in terraform

Question

Is it possible to manipulate beanstalk's autoscaling group and target group in terraform adding additional (internal) load balancer? If yes, how?

I want to have 2 load balancers one internal and the other one public. I found this workaround from AWS:

https://aws.amazon.com/it/blogs/networking-and-content-delivery/using-static-ip-addresses-for-application-load-balancers/

Is there any other smarter solution?

Answer 1

you can extend its TargetGroupARNs from EB on your optionsettings,

using cloudformation syntax:

  - Namespace: aws:cloudformation:template:resource:property
    ResourceName: AWSEBAutoScalingGroup
    OptionName: TargetGroupARNs
    Value: [{\"Ref\":\"AWSEBV2LoadBalancerTargetGroup\"},"ARN_FROM_A_EXTERNAL_TARGETGROUP_LINKING_TO_ANOTHER_LOADBALANCER"}]

and, yes, I just found a reference to aws:cloudformation:template:resource:property here, there is no documentation at all

Answer 2

I think that this can be perfectly achieved, but you need a small change in the approach.

You will not have 2 load balancers inside of EB, but instead, your beanstalk will describe the infrastructure starting in the second load balancer, set as internal, and then you will add another public load balancer that is pointing to the BE load balancer.

We can achieve this in a much easier way than the one proposed in AWS blog.

For this, your BE setup will be pretty much the same that you have, but:

• set the load balancer as type network. This is the only type that will allow you to have Static IPs in the load balancer.
• set the load balancer to be internal (inside of network configuration of beanstalk, set visibility as internal, and uncheck "assign public IP address to EC2 instances..."
• assign Elastic IPs to your load balancer, at least 2, in different availability zones.
• the rest of your Beanstalk stays as you have it.

Now create a public load balancer:

• This can be of any type you need. Maybe ALB if you want to do SSL termination or any other layer 7 magic. Also, it has to be public
• create a new target group. The Target type of this group should be IP.
• Register the 2 Elastic IPs of your network load balancer above.
• Add a listener to your ALB pointing to this target group

and this will do the magic. You will need to check how to do this in terraform, but the approach is quite straightforward so I'm sure terraform will let you do it.

---

The advantage of this as opposed to the AWS blog (that is designed for a quite different purpose), is that here the internal load balancer is network, while the external doesn't need to be. With the NLB being the internal one, you avoid a lot of overhead in the infrastructure and also avoid dynamic logic like the lambda they propose to register IP addresses. With this approach, you get a much more declarative architecture, easier to describe in terraform and easier to maintain once in production.

Answer 3

You can only associate a target group with one load balancer. Once you associate a target group to a load balancer that target group will no longer be available to associate with another ALB.

You could possibly come up with a work around using different approaches like port and security group rules, or create a second target group.

None of this is what Elastic beanstalk is designed to do. It's merely an easy way for developers to push code and remain hands off of the underlying infrastructure. When the complexity level increases its time to move away from EB.