balancers | Implementation of HTTP load-balancers | Load Balancing library

I originally posted this question as an issue on the GitHub project for the AWS Load Balancer Controller here: https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/2069.

I'm seeing some odd behavior that I can't trace or explain when trying to get the loadBalacnerDnsName from an ALB created by the controller. I'm using v2.2.0 of the AWS Load Balancer Controller in a CDK project. The ingress that I deploy triggers the provisioning of an ALB, and that ALB can connect to my K8s workloads running in EKS.

Here's my problem: I'm trying to automate the creation of a Route53 A Record that points to the loadBalancerDnsName of the load balancer, but the loadBalancerDnsName that I get in my CDK script is not the same as the loadBalancerDnsName that shows up in the AWS console once my stack has finished deploying. The value in the console is correct and I can get a response from that URL. My CDK script outputs the value of the DnsName as a CfnOutput value, but that URL does not point to anything.

In CDK, I have tried to use KubernetesObjectValue to get the DNS name from the load balancer. This isn't working (see this related issue: https://github.com/aws/aws-cdk/issues/14933), so I'm trying to lookup the Load Balancer with CDK's .fromLookup and using a tag that I added through my ingress annotation:

I need some suggestions for best practicality, security and maintainability

The scenario is:

• We have a private VPC with some servers,
• We have users that can access server A and A only
• Some users can access A, and B.
• Other only B and so on.

They need to access to theses servers from home and office.

The current idea is having a multiuser OpenVPN server with IPTables blocking access to the servers that the user can't access

Is there another option using AWS tools (VPCs,Security Groups, ACLs, Load Balancers, or others)?

Or other solutions better than this one?

Draw of current arch:

• One boundary server that does the bridge from the open world to the Private VPC (With OpenVpn and IPTables)
• 5 servers inside the private VPC
• 10 Users with different levels of access

Thanks

I'm testing out Vault in Kubernetes and am installing via the Helm chart. I've created an overrides file, it's an amalgamation of a few different pages from the official docs.

The pods seem to come up OK and into Ready status and I can unseal vault manually using 3 of the keys generated. I'm having issues getting 404 when browsing the UI though, the UI is presented externally on a Load Balancer in AKS. Here's my config:

I have an AWS classic load balancer. Here are my listeners :

The AWS classic load balancer is doing tls termination, and redirecting the traffic to port 30925 of my nodes
The process listening on port 30925 is an istio gateway, redirecting traffic afterwards based on the SNI of the request

However, the AWS classic load balancer doesn't seems to keep the SNI of the request after tls termination

Is there any documentation regarding the behavior of the load balancer in that situation?
I found a couple of links talking about SNI (here for example), but it's only talking about the load balancer itself handling the routing of the SNI

So, here is the problem I ran into, I am trying to build a very small-scale MVP app that I will be releasing soon. I have been able to figure out everything from deploying the flask application with Dokku (I'll upgrade to something better later) and have been able to get most things working on the app including S3 uploading, stripe integration, etc. Here is the one thing I am stuck on, how do I generate SSL certs on the fly for customers and then link everything back to the Python app? Here are my thoughts:

I can use a simple script and connect to the Letsencrypt API to generate and request certs once domains are pointed to my server(s). The problem I am running into is that once the domain is pointed, how do I know? Dokku doesn't connect all incoming requests to my container and therefore Flask wouldn't be able to detect it unless I manually connect it with the dokku domains:add command?

Is there a better way to go about this? I know of SSL for SaaS by Cloudflare but it seems to only be for their Enterprise customers and I need a robust solution like this that I don't mind building out but just need a few pointers (unless there is already a solution that is out there for free - no need to reinvent the wheel, eh?). Another thing, in the future I do plan to have my database running separately and load balancers pointing to multiple different instances of my app (won't be a major issue as the DB is still central, but just worried about the IP portion of it). To recap though:

Client Domain (example.io) -> dns1.example.com -> Lets Encrypt SSL Cert -> Dokku Container -> My App

Please let me know if I need to re-explain anything, thank you!

I used the following helm chart to install Jenkins

https://artifacthub.io/packages/helm/jenkinsci/jenkins

The problem is it does't build docker images, saying there's no docker. Docker was installed on host with sudo apt install docker-ce docker-ce-cli containerd.io

I have a running Web server on Google Cloud. It's a Debian VM serving a few sites with low-ish traffic, but I don't like Cloudflare. So, Cloud CDN it is.

I created a load balancer with static IP.

I do all the items from the guides I've found. But when it comes time to Add origin to Cloud CDN, no load balancer is available because it's "unhealthy", as seen by rolling over the yellow triangle in the LB status page: "1 backend service is unhealthy".

At this point, the only option is to choose Create a Load Balancer.

I've created several load balancers with different attributes, thinking that might be it, but no luck. They all get the "1 backend service is unhealthy" tag, and thus are unavailable.

---Edit below---

During LB creation, I don't see anywhere that causes the LB to know about the VM, except in cert issue (see below). Nowhere does it ask for any field that would point to the VM.

I created another LB just now, and here are those settings. It finishes, then it's marked unhealthy.

Type HTTP(S) Load Balancing

Internet facing or internal only? From Internet to my VMs

(my VM is not listed in backend services, so I create one... is this the problem?)

Create backend service

• Backend type: Instanced group
• Port numbers: 80,443
• Enable Cloud CDN: checked
• Health check: create new: https, check /

Simple host and path rule: checked

New Frontend IP and port

• Protocol: HTTPS
• IP: v4, static reserved and issued
• Port: 443
• Certificate: Create New: Create Google-managed certificate, mydomain.com and www.mydomain.com

I am trying to run some of my micro services within consul service mesh. As per consul documentation, it is clear that consul takes care of routing, load balancing and service discovery. But their documentation also talks about 3rd party load balancers like NGINX, HAProxy and F5.

https://learn.hashicorp.com/collections/consul/load-balancing

If consul takes care of load balancing, then what is the purpose of these load balancers.

My assumptions,

1. These load balancers are to replace the built-in load balancing technique of consul, but the LB still uses consul service discovery data. (Why anyone need this !!!)

2. Consul only provides load balancing for east-west traffic (within the service mesh). To load balance north-south traffic (internet traffic), we need external load balancers.

Please let me know which of my assumption is correct

I have two GKE cluster (GKE-OLD and GKE-NEW) running behind two separate load balancers.

The GKE-OLD cluster runs behind a L4 global load balancer where as the GKE-NEW cluster runs behind a L7 load balancer.

The services of the clusters are accessible through two separate domain names.

www.service.company.com points to the L4 load balancer behind which the GKE-OLD cluster is running.

www.service-1.company.com points to the L7 load balancer behind which the GKE-NEW cluster is running.

I want to eventually get rid of the old cluster and LB associated with it. However, I want to keep the domain name (www.service.company.com) from the old cluster and eventually retire the www.service-1.company.com domain name that is associated with the new cluster.

Before I decommission the old cluster, the current setup I want to have should look something like this:

My questions are:

Can we have multiple domains pointing at same IP address (LB) and same domain pointing at multiple IP addresses (LBs) at the same time? www.service.company.com and www.service-1.company.com pointing at the same load balancer. And www.service.company.com pointing at both L4 and L7 LBs.