enterprise ec2 quick start guide v1 -...
TRANSCRIPT
Enterprise EC2Quick Start Guide
v1.3
Copyright © 2002 - 2011 Loadbalancer.org, Inc.
1
Table of Contents
Introduction.................................................................................................................................................. 3Why Use Load balancer.org's EC2 Load balancer?...............................................................................3
Amazon EC2 terminology............................................................................................................................ 3Getting started............................................................................................................................................. 3Signing up to AWS....................................................................................................................................... 4Deploying the load balancer........................................................................................................................ 4
Security groups....................................................................................................................................... 4Launch instance...................................................................................................................................... 6Elastic IP's............................................................................................................................................ 14Accessing the WUI............................................................................................................................... 14
Using the WUI............................................................................................................................................ 15Overview............................................................................................................................................... 15Servers................................................................................................................................................. 15
Configuring Server Rules................................................................................................................. 15SSL termination.................................................................................................................................... 16
Obtaining & using a VeriSign test certificate for use with SSL.........................................................16Using your Windows IIS certificate..................................................................................................19
Security................................................................................................................................................. 20Account................................................................................................................................................. 21Maintenance......................................................................................................................................... 23Stats..................................................................................................................................................... 24
Accessing the load balancer using SSH....................................................................................................25Linux..................................................................................................................................................... 25Windows............................................................................................................................................... 25
Accessing the load balancer using WinSCP..............................................................................................28Example configurations............................................................................................................................. 29
Example 1 - the default setup (HTTP mode).........................................................................................29Example 2 - SSL termination on the backend servers (TCP mode)......................................................30Example 3 - SSL termination on the load balancer (HTTP cookie backend)........................................31
API............................................................................................................................................................. 32Loadbalancer.org technical support...........................................................................................................33
2
IntroductionAmazon Web Services (AWS) provides a cloud based platform to deploy web services. It allows services to be deployed as and when required. There are no upfront costs, and charges are only made for what is used making it an extremely flexible and cost effective solution.
Loadbalancer.org's new EC2 based load balancer allows customers to rapidly deploy and configure a load balancing solution. The load balancer utilizes HAproxy & Pound, both well proven in our existing product range.
Why Use Load balancer.org's EC2 Load balancer?Amazon does already offer a load balancing solution which is great for some deployments but has the following limitation:
1. It is layer 4 only (round robin)
2. Doesn't support SSL termination
3. Doesn't support Cookies
4. Doesn't support WAN or SNAT load balancing (i.e. non-local servers)
5. Doesn't support URL matching rules or multiple back-end clusters
6. Doesn't support application maintenance modes
7. Doesn't support customized health checks
Our EC2 offering addresses these limitations.
Amazon EC2 terminology
Acronym TerminologyAmazon AWS Amazon Web ServicesAmazon S3 Amazon Simple Storage Service
Amazon EC2 Amazon Elastic Compute CloudAmazon VPC Amazon Virtual Private CloudAmazon AMI Amazon Machine Image
Getting startedTo start using Amazon web Services (AWS), you'll first need to create an account, select which features you want to use and enter your payment details.
The following sections in this guide provide details on how to setup an Amazon account and how to get a basic load balancer up and running.
3
Signing up to AWSTo create a new AWS account, go to http://aws.amazon.com/ and click Create an AWS Account in the top right corner. Fill in all the required details, then sign into AWS. When you first sign in, you'll then need to sign up for EC2:
• Sign into AWS
• Select the Amazon EC2 tab
• Click Sign Up for Amazon EC2
• Enter your credit card details
• Enter your telephone number - an automated call will be made, you must enter the displayed PIN number to create the account
• You can now return to the AWS home page and sign in
NB. Once you sign up for EC2, an S3 and VPC account will also be created automatically
Deploying the load balancer
Security groupsSecurity groups allow ports to be opened for access to applications and also management purposes. Typically the following ports will be needed for the Loadbalancer.org AMI:
Port Purpose22 SSH – always useful for console access
80 HTTP based services
443 HTTPS based services
7777 load balancer reports
9443 load balancer management
A security group named 'default' is automatically created. This can be modified to suit all your instances although you may prefer to setup a group specifically for the load balancer. To setup a new Security Group :
• Click Security Groups in the Navigation pane on the left side
• Click Create Security Group
4
• Enter an appropriate name & description
• Click Create
• To add the required ports, in the lower pane select Connection Method = SSH, Protocol = TCP, From Port = 22, To Port = 22, Source IP = 0.0.0.0/0 (or more restrictive as needed)
• Click Save
• Now repeat for the remaining ports in the list. For ports 7777 & 9443 use Connection Method = Custom
• Once complete the list will appear as follows:
To view each security group, click the appropriate name and the group details will be displayed in the lower pane
5
Launch instanceSelect Instances on the Navigation Pane, ensure that EU West is selected as the Region, then click Launch Instance. The following screen will be displayed:
Click the Community AMIs tab, then refine the search criteria by typing “loadbalancer” into the filter field as shown below:
ENTERPRISE-EC2-V1.3-demo.manifest.xml – this is a fully functional 30 day trial and can be deployed immediately by clicking the appropriate Select button
ENTERPRISE-EC2-V1.3-PAY-AS-YOU-GO.manifest.xml – used for production deployments. This version must first be purchased by clicking the red button positioned below the price per hour on our buy-now page:
http://www.loadbalancer.org/ec2.php
Once payment is completed the production version can also be started in the same way as the demo version
To continue, click the appropriate Select button to the right of each option
6
Enter Instance Details:
Leave the default settings & click Continue
7
Enter Advanced Instance Details:
Leave the default settings & click Continue
8
Enter Instance Name:
Enter an appropriate name for the instance, click Continue
9
Configure Key Pairs:
Enter an appropriate name for the key pair, then click Create & Download your Key Pair. This file contains the private key, so save the pem file in a safe place - this can be used later to secure your connections, e.g. with SSH for command line access to the load balancer.
NB. This private key is used for secure access to the load balancer instance once its up and running. It's not used for SSL termination. For this please refer to the SSL Termination section later in this guide.
Once this is done, click Continue
10
Select Security Group for the Instance:
Select the required security group and click Continue
11
Confirm Selected Options:
Click Launch
12
Close the Wizard:
Your new instance will now start
Click Close
The next step is to assign a public IP address and then configure the Load balancer for your environment as detailed in the following sections.
13
Elastic IP'sTo assign a public IP address to the instance, select Elastic IPs in the navigation pane, then click Allocate New Address at the top of the screen.
You'll now need to associate this with the instance. To do this, click the check-box to select the IP, then click Associate and confirm your selection.
Now when you view your Instance, you'll see that the IP has been allocated. You can now access the management Interface via this IP address as explained in the following section.
Accessing the WUIIn a browser, navigate to the Elastic IP as follows (9443 is the default secure management port):
https://<Elastic IP>:9443
You'll receive an warning about the certificate as its a self signed cert not related to a Internet based CA. Confirm you want to continue and a login prompt will be displayed. Use the following credentials:
Username: loadbalancer
Password: loadbalancer
The following screen is displayed:
In the trial version shown above, the number of days remaining is shown in the yellow box.
14
Using the WUI
OverviewThis tab shows the basic performance stats for the instance as well as the XML and HAPoxy config files. It is possible to modify these files directly, but it's recommended to allow the interface to handle the config file changes to ensure syntax rules are followed.
ServersThis is where you specify the front-end and back-end servers. Front end-servers are Internet facing and distribute connections to the back-end servers.
• Servers can be specified using their DNS name or by IP address
It's important to understand that the load balancer only has one IP address. Therefore all configured services are bound to this address. When creating new frontends its only necessary to
define the port since the IP address is automatically set. For this reason, each frontend must have a unique port number.
Configuring Server Rules
It's possible to customise the way requests are handled. Rules can be added that examine the headers, the start of a URL path or the end of a URL path. For example, a 'path_end' rule could be added that sends requests that end in .swf to a different backend server. To configure rules click the 'rules' link next to the relevant Frontend.
15
SSL terminationSSL can be terminated on the load balancer. A default self-signed certificate is provided, although normally this will be replaced with your own certificate using the Upload Certificate option in the interface.
Obtaining & using a VeriSign test certificate for use with SSL
1) Connect to the Console of the load balancer – see the previous section on how to do this with Linux and Windows.
2) Generate the Private Key & set permissions
mkdir certsopenssl genrsa -out /certs/lb.key 1024chmod 400 /certs/lb.key
3) Generate the CSRopenssl req -new -nodes -key /certs/lb.key -out /certs/lb.csr
the following shows the prompts and sample answers:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:GB
State or Province Name (full name) [Berkshire]:hampshire
Locality Name (eg, city) [Newbury]:portsmouth
Organization Name (eg, company) [My Company Ltd]:loadbalancer.org
Organizational Unit Name (eg, section) []:support
Common Name (eg, your name or your server's hostname) []:www.loadbalancer.org
Email Address []:[email protected]
16
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: .
An optional company name []: .
===> The file lb.csr has now been created on the load balancer in the directory /certs/
N.B. When prompted for the x509 common name, make sure you enter the fully qualified hostname the certificate will be used with. e.g. www.loadbalancer.org
4) Copy the Private Key & CSR to your workstation
Under Linux:scp -i LBkeypair1.pem root@<IP address>:/certs/lb.key /local path/lb.keyscp -i LBkeypair1.pem root@<IP address>:/certs/lb.csr /local path/lb.csr
Under Windows:
- Connect to the load balancer using WinSCP as described earlier in this guide
- Copy the files /certs/lb.key & /certs/lb.csr to your workstation
5) Create your Verisign test certificate
Open the following page and click FREE TRIAL:
http://ww w.verisign.com/ssl/buy-ssl-certificates/free-ssl-certificate-trial/
• Copy the contents of lb.csr to the first CSR screen, select Server not listed and click Continue
• When prompted for a challenge phrase and reminder question use only simple letters and numbers
• Verisign will then email your new test certificate - normally within a few minutes
6) Installing the certificate
• Login to the console and access the SSL Termination tab
• Click add new SSL port
• Update the default settings if needed and click save
• Click upload certificate
• Delete the contents of the top & bottom pane (these are for the default self signed cert)
• Copy/paste the private key to the top pane & the certificate obtained from Verisign to the bottom pane. You should also add Verisign's trial intermediate certificate (a link is provided in the email from Verisign) in the bottom pane after the certificate as follows:
17
-----BEGIN CERTIFICATE----- certificate contents goes here-----END CERTIFICATE----------BEGIN CERTIFICATE----- intermediate certificate contents go here-----END CERTIFICATE-----
e.g.
-----BEGIN CERTIFICATE-----MIICJTCCAY4CAQAwgaoxCzAJBgNVBAYTAkdCMRIwEAYDVQQIEwlIYW1wc2hpcmUxEzARBgNVBAcTClBvcnRzbW91dGgxGTAXBgNVBAoTEExvYWRiYWxhbmNlci5vcmcxMSYwJAYJKoZIhvcNAQkBFhdyb2JlcnRAbG9hZGJhbGFuY2VyLm9yZzCBnzANBgkq-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIICJTCCAY4CAQAwgaoxCzAJBgNVBAYTAkdCMRIwEAYDVQQIEwlIYW1wc2hpcmUxEzARBgNVBAcTClBvcnRzbW91dGgxGTAXBgNVBAoTEExvYWRiYWxhbmNlci5vcmcxEDAOBgNVBAsTB1N1cHBvcnQxHTAbBgNVBAMTFHd3dy5sb2FkYmFsYW5jZXIub3Jn-----END CERTIFICATE-----
• Click Save
• Now restart Pound using the pop-out or Maintenance > Restart Pound
18
Using your Windows IIS certificate
For Windows, its often easiest to get the certificate working on the server first. The certificate can then be exported from Windows in .pfx format, then converted to .pem format and copied to the load balancer. The steps for this process are:
1) Export the certificate from IIS - once the certificate is working correctly on your Windows server, export the certificate from Windows – including the private key. Make sure you select the option for all certs in the chain, the format must be .pfx
For the common name, make sure you enter to fully qualified domain name for your web server, e.g. www.loadbalancer.org
2) Download & install openssl - download openssl using the following link & install on your PC: http://www.slproweb.com/download/Win32OpenSSL-1_0_0a.exe
3) Extract the private key – in a command window, type the following:\openssl\bin\openssl pkcs12 -in drive:\path\cert.pfx -nocerts -out drive:\path\cert.pk
(You'll be prompted for the password used to create the pfx file, and a passphrase to write the output file)
4) Unencrypt the private key – in a command window, type the following:\openssl\bin\openssl rsa -in drive:\path\cert.pk -out drive:\path\cert.pkun
(You'll be prompted for the passphrase that you entered in the previous step)
5) Extract the certificate – in a command window type the following:\openssl\bin\openssl pkcs12 -in drive:\path\cert.pfx -clcerts -nokeys -out drive:\path\cert.cer
(You'll be prompted for the password used to create the pfx file)
6) Copy the private key (cert.pkun) and certificate (cert.cer) to the load balancer
- go to SSL Termination
- click upload certificate
- paste the contents of the private key into the top pane and the certificate into the lower pane
- click save
7) Now restart Pound - (Maintenance > Restart Pound)
19
SecurityThis section offers another way to configure access to the load balancer. Changes made here also reflected in the Security Groups section of the AWS management console & vice-a-verse
N.B.Your Access Key ID & Secret Access Key must be entered in section 1) of the Account Tab for the to work. Both can be obtained from the Access Credentials section available under Account in the AWS Management Console.
Once entered, the various Security Groups and related port settings are displayed:
20
Account
Section 1
Enter your Amazon Credentials here to enable the Security Tab. You can obtain your credentials from the AWS Management Console, under Account > Security Credentials > Access Credentials. Once entered, the Security Tab can be used to modify the port settings of your Security Groups.
Section 2
Enter the relevant Amazon credentials here to enable auto-scaling. The Certificate can be downloaded in the AWS Management Console under Account > Security Credentials > Access Credentials > X.509 Certificates then click Download under the relevant certificate. You can also select Create a new Certificate, the will enable you to download both the certificate and the private key. The AWS account number is displayed under the Sign-Out option on the AWS console.
Once entered, click the Save button to validate & save these details.
21
Section 3
Use this section to create a backup of your instance. This backup can then be used to re-deploy your instance if it goes down or fails for any reason. For the S3 Bucket name, use lowercase letters if the bucket does not already exist.
Section 4
This allows auto-scaling to be used. Enter the relevant Elastic IP, Key Pair name & Security Group. This will enable an exact copy of the instance to be automatically started if the instance fails for any reason. For the Key Pair name, you can use the same name entered for the key pair when the instance was first created (see page 10).
Once correctly configured, autoscaling will continue to bring up a new replacement instance even if you're trying to completely terminate the initial instance. To enable you to kill the autoscaled instance, when prompted save the kill script. To use it, you'll need to connect to the load balancer via SSH and run the script from there.
Do not click Save in section 4 until you receive the following message in section 3. The message confirms that all required steps are complete, and the new AMI is ready:
AMI image ready for launch with autoscaling.
This can also be verifed by going to the EC2 tab in AWS, selecting AMIs and verifying that a new AMI has been created with the same name that was specified in the Manifest Name field in section 3.
22
MaintenanceThis section allows logs to be viewed, services to be restated, the WUI password to be changed and global settings to be modified - for most applications the global settings can be left at their default values.
23
StatsThis displays HAproxy statistics. A separate section is created for each Front-end & each Back-end server.
24
Accessing the load balancer using SSHThis uses the private key that you downloaded when setting up your instance (please refer to page 10 of this guide). To connect to the load balancer using SSH, this private key must be used. Under Linux, the key can be used immediately, for Putty under Windows, the key must first be converted to a format required by Putty as detailed below.
Linux
# First change the permission of the private key file to allow only the owner read accesschmod 400 /path where saved/ec2-key-name.pem
# Now start SSH specifying the private key filessh -i /path where saved/ec2-key-name.pem root@dns-name or IP
WindowsFor putty, the private key must be converted into an appropriate format. To do this the Puttygen utility (included with Putty) must be used. Start Puttygen:
Click Load, change the filetype to all files and select the pem file saved earlier when creating your Key Pair.
You should see the following message:
25
Click OK
Now Click Save private key – this can then be used with putty
26
NB. You can also choose to enter an additional passphrase for improved security, if you don't, the following message will be displayed:
Click Yes and save the file with the default .ppk extension
Now close Puttygen and start Putty
Expand the SSH section as shown below
Click Browse and select the new .ppk file just created
When you open the SSH session, login as root – no password will be required.
27
Accessing the load balancer using WinSCP
With WinSCP, enter the relevant IP address and username root, then browse to the private key file created previously using PuttyGen
Click Login
28
Example configurations
Example 1 - the default setup (HTTP mode)
The Frontend:
The Backend:
Editing the Backends:
Key Points:
• the frontend mode is set to HTTP
• the front-end listens on port 80
• persistence is set to cookies
29
Example 2 - SSL termination on the backend servers (TCP mode)
The Frontend:
The Backend:
Editing the Backend:
Key Points:
• the frontend mode is set to TCP
• the frontend listens on both ports 80 & 443
• persistence is set to source IP
• no port is specified in the backend, traffic is then passed through to the same port on which it was received
30
Example 3 - SSL termination on the load balancer (HTTP cookie backend)
SSL Termination:
The Frontend:
The Backend:
Key Points:
• the backend only listens on port 80, SSL traffic is terminated on the load balancer and passed on to the backend servers unencrypted
31
APIAn API is available for modifying the running instance of the EC2 loadbalancer. It allows you to simply add and remove Real Servers to any defined Back-end Group.
If you have more than one back-end group you will need to specify the backend group to add the real serverto, if however, you only have one backend group defined the real server will be added to this group. The onlything which needs to be specified is the dns name / IP address of the real server being added. If the realserver label is not specified then the API will try a choose a default label.
Using function 'lb_modify' to add a server to a backed group
In this example only one backend group is defined on the EC2 load balancer. The following command can be entered on the real server:
ssh -i ec2_keypair.pem root@ec2loadbalancer “lb_modify -d realserverIP”
Doing the same but adding the server to backend group B1 with real server label L4:
ssh -i ec2_keypair.pem root@ec2loadbalancer “lb_modify -d realserverIP -b B1 -l L4”
Automatically Adding Real Servers to a BackEnd
If you have only one back end defined on the EC2 Loadbalancer Instance, you can use the following scriptto automatically add additional servers to the backend:
#!/bin/shPATH="/sbin:/bin:/usr/sbin:/usr/bin";AMI_KEY_PAIR="<path-to-ssh-key>";EC2_LOADBALANCER_IP="<ip-address-of-ec2-loadbalancer>";CURL=`which curl`;SSH=`which ssh`;AMI_ID="`$CURL -s http://169.254.169.254/latest/meta-data/ami-id`";AMI_IP="`$CURL -s http://169.254.169.254/latest/meta-data/local-ipv4`";
case "$1" instart)
$SSH -i $AMI_KEY_PAIR root@$EC2_LOADBALANCER_IP \"lb_modify -l $AMI_ID -d $AMI_IP \";exit 0;;;
stop)$SSH -i $AMI_KEY_PAIR root@$EC2_LOADBALANCER_IP \"lb_modify -l $AMI_ID-d $AMI_IP -r \";;;
*)exit 1;;;
esac;exit 0;
If you put this script in /etc/init.d on your real servers and link it to your startup/shutdown scripts (in /etc/rc2.d and above), when the real server boots up it will automatically be added to the cluster backend.
You will have to fill in the variables AMI_KEY_PAIR and EC2_LOADBALANCER_IP with the correct valuesfor your instance.
If you have more than one backend defined in the SSH line (located under start/stop statements) will have to
32
be amended with a switch to specify which backend to add the server to. The following example uses a backend called “BackEnd2”:
#!/bin/shPATH="/sbin:/bin:/usr/sbin:/usr/bin";AMI_KEY_PAIR="<path-to-ssh-key>";EC2_LOADBALANCER_IP="<ip-address-of-ec2-loadbalancer>";CURL=`which curl`;SSH=`which ssh`;AMI_ID="`$CURL -s http://169.254.169.254/latest/meta-data/ami-id`";AMI_IP="`$CURL -s http://169.254.169.254/latest/meta-data/local-ipv4`";case "$1" instart)
$SSH -i $AMI_KEY_PAIR root@$EC2_LOADBALANCER_IP \"lb_modify -l $AMI_ID -d$AMI_IP -b BackEnd2 \";exit 0;;;
stop)$SSH -i $AMI_KEY_PAIR root@$EC2_LOADBALANCER_IP \"lb_modify -l $AMI_ID-d $AMI_IP -r -b BackEnd2 \";;;
*)exit 1;;;
esac;exit 0;
Loadbalancer.org technical support
If you have any questions don't hesitate to contact the support team: [email protected]
33