NerdyMcNerd

Reputation: 186

Use AWS Loadbalancer for HTTPS and SSH

I plan to host a GitLab instance on AWS. My only problem is the frontend loadbalancer.

For git work we need HTTPS and SSH, both using the same host name.

I also thought about cascading an ALB behind an NLB: Network Load Balancer listens to TCP 22, 80 and 443, forwarding 22 to GitLab and the other two to an ALB which does the HTTPS termination (and the HTTP to HTTPS redirect). But that would require a complicated setup with a Lambda to update the ALB's IPs in the NLB's Target Groups, as described here: https://aws.amazon.com/blogs/networking-and-content-delivery/using-static-ip-addresses-for-application-load-balancers/

Is there an elegant solution or do I have to use a Classic Loadbalancer?

Upvotes: 7

Views: 14163

Answers (1)

NerdyMcNerd

Reputation: 186

After some further reading and trying I came to the conclusion that I'll use a Classic Loadbalancer.

Reasons:

  • Classic Loadbalancers are not officially deprecated
  • AWS states in their Documentation that Support for HTTP(S) and TCP is one of the reasons to choose a Classic Loadbalancer
  • Using a Network Loadbalancer for HTTP(S) termination and TCP is possible, but Network Loadbalancers do not support Security Groups (which is an explicit requirement in my case)

Edit:

AWS just announced that they now support ALB as a target for an NLB. With this feature, the setup with cascading the two loadbalancers, with the NLB forwarding HTTP/HTTPS to the ALB, is the preferable one.

Here is the announcement on the AWS Blog: https://aws.amazon.com/de/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/

Upvotes: 9
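
The cascaded setup from the edit above, sketched as a CloudFormation fragment. This is an added example, not part of the original answer: all parameter and resource names are assumptions, and it assumes an existing ALB (`AlbArn`) that already has an HTTPS listener on port 443 in front of GitLab.

```yaml
Parameters:                      # all names here are assumptions (added example)
  VpcId: {Type: "AWS::EC2::VPC::Id"}
  PublicSubnets: {Type: "List<AWS::EC2::Subnet::Id>"}
  GitLabInstanceId: {Type: "AWS::EC2::Instance::Id"}
  AlbArn: {Type: String}         # existing ALB, listener on 443 already created
Resources:
  Nlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Subnets: !Ref PublicSubnets
  SshTargets:                    # TCP 22 goes straight to the GitLab instance
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: TCP
      Port: 22
      TargetType: instance
      Targets:
        - Id: !Ref GitLabInstanceId
  AlbHttpsTargets:               # TCP 443 is passed through; the ALB terminates TLS
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: TCP
      Port: 443
      TargetType: alb            # the ALB itself is the single target
      HealthCheckProtocol: HTTPS
      Targets:
        - Id: !Ref AlbArn
          Port: 443              # must match the ALB listener port
  SshListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Nlb
      Protocol: TCP
      Port: 22
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref SshTargets
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Nlb
      Protocol: TCP
      Port: 443
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref AlbHttpsTargets
```

Port 80 needs a second `alb`-type target group and listener of the same shape, because each such target group carries a single port. With instance targets the NLB preserves the client source address, so the GitLab instance's own security group is what restricts who reaches port 22.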
