AWS Network Load Balancer with EC2, VPC, Route 53, LB and SSL Certificate Manager


Load Balancer :
A Load Balancer is basically a device or service that distributes user traffic across multiple servers. When we talk about Load Balancers in terms of AWS, we must understand properly that initially there are 2 types of Load Balancer:
Regional Load Balancer :: A regional load balancer in Amazon Web Services (AWS) distributes traffic within a region. It does this by routing requests to registered targets, such as EC2 instances, in one or more Availability Zones. AWS Global Accelerator is a Regional Based Load Balancer.
VPC Based Load Balancer :: A VPC based load balancer in Amazon Web Services (AWS) is a load balancer that operates within a Virtual Private Cloud (VPC). It distributes requests from clients to targets in a target group.
a) Application Load Balancer: it works on the HTTP and HTTPS protocols. HTTP and HTTPS again run over TCP, but the Application LB does not support the UDP protocol.
b) Network Load Balancer: it supports the TCP and UDP protocols.
UDP is used for Gaming, Zoom, Teams, but the Application LB does not support this.
TCP examples are file transfer, WinSCP, emails. It works on Source and Destination, and it always waits for the Destination to acknowledge whether it actually connected or not.
UDP does not wait for the destination ACK. Like in Gaming, it broadcasts: in PUBG we can hear the other partner on the ground, we know that because we can hear it, so it keeps sending the packets. Same for a Zoom or Teams session.
We will implement the above architecture.
—> Create Domain
—> Create ACM
—> Create VPC
—> Create EC2
—> Change the SG rules
—> Create Target Group
Implementation Steps ::
Step 1) Create an ACM certificate; before that, create a Domain with any provider
Create a Domain
Go to any domain provider and create a domain. Publish it.
Now, once published, add the domain to Route 53 → Hosted Zones → Create Hosted Zone
Domain name = apurvtech.xyz → Public → Create Hosted Zone
Go to ACM → Request → Request a Public Certificate
*.apurvtech.xyz = you need to replace it with your own domain name; * is a wildcard character, so that your website can be easily searchable
Leave all the certificate settings default and click on Request.
After some time, you will see the CNAME name and CNAME Value
Copy the CNAME → Route 53 → Hosted Zone → Create Record →
Record name = CNAME name (remove the “.apurvtech.xyz” suffix)
Record Type = CNAME
Value = CNAME Value
Create Record
Alternative way
While I was using GoDaddy, it was taking a lot of time to publish and, once published, the certificate I created was taking long to get approval; it was in Pending Approval.
What did I do? (I used GoDaddy for the Domain Name, but it was taking ages for the certificate in ACM to be issued. It's because of a GoDaddy issue.)
I created an Account in Cloudflare
Add → Existing Domain → gave my domain name (.apurvtech.xyz) → continued with the DNS scanning
Once added, click on Your Domain
DNS → Records → Add Record
In Name = give the CNAME name from the certificate you created in the above step, but remove .apurvtech.xyz
In IPv4 Address = CNAME Value
Proxy Status = Off
Click on Save
In some time you will get the Certificate status as Issued
MOST IMPORTANT: you need to add DNS records in Cloudflare → your domain as well
The first record is what we added, using the CNAME name and CNAME Value.
The second record: we need to give the name of our Domain (apurvtech.xyz) and the Target will be the NLB DNS name.
This will help to redirect the traffic into the AWS NLB.
Step 2) Create a VPC → Create VPC → VPC and More
10.0.0.0/16 (CIDR)
Private subnets = 3
Public subnets = 3
NAT Gateway = 1 in AZ → Create VPC
Step 3) Go to Security Groups → All TCP / TLS / SSH ports; for now allow ALL TRAFFIC
Save rules
Step 4) Create instances in the Private Subnets: create 3 t2.micro instances, 1 in each Private Subnet, and also paste the below script in the user data section
#!/bin/bash
# User data runs as root on first boot (Ubuntu/Debian image assumed, since the
# default nginx page path below is Debian-specific).
sudo apt update
sudo apt install nginx -y
sudo systemctl restart nginx
sudo systemctl enable nginx
# Append the instance hostname and a zone label to the default nginx page, so
# refreshing the NLB URL shows which backend answered.
echo "<h1>$(cat /etc/hostname)</h1>" >> /var/www/html/index.nginx-debian.html
echo "<h1>US-EAST-1A-SERVERS</h1>" >> /var/www/html/index.nginx-debian.html
Step 5) Now create Target Groups
Target Groups → Create TG →
Protocol : Port
TCP :
Select the appropriate VPC
Next → Select all private Instances → Create TG
Step 6) Go to LB
Create LB → NLB → Internet Facing (basically used to make communication with the internal EC2 instances using their private IP addresses) → VPC = the VPC you created → Select Public Subnets only
Listeners and routing
Secure listener settings
Create Load Balancer
Step 7) Now try accessing the URL from a different browser.
Happy Learning !!!
****************************************************************************************************
TIPS: TROUBLESHOOTING POINTS
There could be a situation where you cannot access your URL. This issue is mostly because of the certificate. What we need to do is add a NEW certificate in AWS ACM.
Domain name has to be = apurvtech.xyz; there will be no wildcard character. As shown below, I created 2 certificates.
Next we need to add the new certificate for SNI in the Load Balancer Listener:
NLB → Listeners → TLS:443 (click on the check box) → In the Actions menu → ADD SSL CERTIFICATE FOR SNI, select that
Click on that option and once done you will see 2 certificates there.
Click on the newly added certificate → Include as pending below
Listener certificates for SNI (1)
“Additional certificates support Server Name Indication (SNI). This enables the load balancer to support multiple domains on the same port and provide a different certificate for each domain.“
So basically it happens many times that, even after doing all the configuration properly, the traffic does not hit our Load Balancer, because a certificate for the root domain has to be created separately. When we add a wildcard character, the root domain is not taken into consideration.
So when we create a new certificate for our root domain (apurvtech.xyz) and add it to the listener, it brings support for that DNS name and the traffic hits our Load Balancer.
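To see why the wildcard certificate alone breaks the root domain, here is an added example (not code from the original post) that applies the standard public-CA name matching rules (RFC 6125 section 6.4.3: a wildcard covers exactly one left-most label) to the listener's certificate list; it assumes the NLB listener selects certificates for SNI under those same rules, and the certificate ARNs are constructed placeholders.

```python
"""Which certificate on a TLS listener covers a given SNI hostname?

Added example, not from the original post. Certificate ARNs are constructed
placeholders; hostnames mirror the article's domain, apurvtech.xyz.
"""


def hostname_matches(pattern, hostname):
    """True if certificate name `pattern` covers `hostname` (RFC 6125 rules).

    Case-insensitive; a wildcard is honoured only as the whole left-most
    label and matches exactly one label, so '*.apurvtech.xyz' covers
    'www.apurvtech.xyz' but not 'apurvtech.xyz' or 'a.b.apurvtech.xyz'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # partial wildcards such as 'w*.example' are not honoured
    if len(p_labels) < 3:
        return False  # '*.xyz' would cover a whole TLD; public CAs refuse it
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def select_certificate(listener_certs, sni_hostname):
    """Return the ARN of the first certificate covering the SNI hostname,
    or None when nothing matches (the client then gets a handshake failure
    instead of the nginx page)."""
    for cert in listener_certs:
        if any(hostname_matches(name, sni_hostname) for name in cert["names"]):
            return cert["arn"]
    return None


def uncovered_hostnames(listener_certs, hostnames):
    """Hostnames that no certificate on the listener covers."""
    return [h for h in hostnames if select_certificate(listener_certs, h) is None]


# Constructed listener contents: the wildcard cert from Step 1 and the
# root-domain cert from the troubleshooting section.
WILDCARD_CERT = {"arn": "arn:aws:acm:REGION:ACCOUNT:certificate/WILDCARD-PLACEHOLDER",
                 "names": ["*.apurvtech.xyz"]}
APEX_CERT = {"arn": "arn:aws:acm:REGION:ACCOUNT:certificate/APEX-PLACEHOLDER",
             "names": ["apurvtech.xyz"]}
WANTED = ["apurvtech.xyz", "www.apurvtech.xyz"]

if __name__ == "__main__":
    print("wildcard only, uncovered:", uncovered_hostnames([WILDCARD_CERT], WANTED))
    print("wildcard + apex, uncovered:", uncovered_hostnames([WILDCARD_CERT, APEX_CERT], WANTED))
```

With only the wildcard certificate the root domain is reported as uncovered; adding the apex certificate for SNI clears the list, which is exactly the fix described above.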
********************************************************************************************
