SSL ccertificates have an expiration date (yout set) and must be renewed\
Load Balacer - SSL Certificates
The load balacer uses and** X.509 certificate** (SSL/TLS server certificcate)
You can manage certificcates using ACM (AWS Certificate Manager)
You can create upload your own certificates alternatively
HTTPS listener
You must specify a default certificate
You can add an optional list of certs to support multiple domains
Clients can use SNI (Server Name Indication) to specify the host name they reach
Ability to specify a security policy to support older versions of SSL / TLS (legacy clients)\
## SSL - Server Name idication (SNI)
SNI sloves the problem of loadinng multiple SSL certificates onto one web server (to serve multiple websites)
-It’s a ‘newer’ protocol, and requires the client to indicate the hostname of the target server in the initial SSL hanshake
The server will then find the correct certificccate, or return the default one
Note:
Only work for ALB & CLB (newer generation), Cloudfront
Does not work for CLB ( older gen)\
Elastic Load Balancers - SSL Certicates
Classic Load Balancer (v1)
Support only one SSL certificate
Must use multiple CLB for multiple host name with multiple SSL certificates
Application Load Balanccer (v2)
Supports multiple listeners with multiple SSL certificcates
Uses serve name indication (SNI) to make it work
Network Load Balancer (v2)
Supports multiple listeners with multiple SSL certificates
Uses Server Name Indication (SNI) to make it work
Connection Draining
Feature naming
Connection Draining - for CLB
Deregistration Delay - for ALB & NLB
Time to complete “i-fight request” while the instance is de-registerinng or unhealthy
Stops sending ew request to EC2 instance which is de-registering
Between 1 to 3600 seconds ( default 300 seconds)
Can be disabled (set value to 0)
Set to a low value if your request are short\
What’s an Auto Scaling Group?
In real-life, the load on your websites and application can change
In the cloud, you can create and get rid of servers very quickly
The goal of an Auto Scalinng Group (ASG) is to:
Scale out (add EC2 instances) to match an increased load
Scale in (remove EC2 instances) to match a decreased load
Ensure we have a minimum and a maximum number of machinnes running
Automatically Register new instances to a load balancer\
Auto Sccaling Group in AWS With Load Balancer
A launch configuration
AMI + Instance Type
EC2 User data
EBS Volumes
Security Groups
SSH key pair
Min size / Max size / Initial capacity
Network + Subnets informatio
Load balancer information
Scaling Policies\
Auto Scaling Alarms
It is possible to scale an ASG based on* CloudWatch alarms*
An Alarm monitors a metric (such as Average CPU)
Metrics are computed for the overall ASG instances
Based on the alarm
We can create scale-out policies (increase the number of instances)
We can create scale-in policcies (decrease the number of instances)\
Auto scaling new rules
It is now possible to define “better” auto scaling rules that are directly managed by EC2
Target Average CPU Usage
Number of request on ELB per instance
Average Network In
Average Network Out
These rules are are easier to setup and can make more sense\
Auto Scaling Custom Metric
We can auto scale based on a custom metric ( number of connect users)
Send custom metric from application on EC2 to CloudWatch (PutMetric API)
Create CloudWatch alarm to react to low / high values
Use the CloudWatch alarm as the scaling policy for ASG\
ASG Brain Dump
Scaling policies can be on CPU, Network… and can even be on custom metrics or based on a schedule (if you know your visitor patterns)
ASGs use Launch configurations or Launch configuration / launch template
IAM roles attached to an ASG will get assigned to EC2 instances
ASG are free. You pay for the underlying resources being launched
Having instances under an ASG means that if they get terminated for whatever reason, the ASG will automatically create new onces as a replacement. Extra safety!
ASG can terminate instances marked as unhealthy by an ALB(and hence replace them)\
Auto Sccaling Groups - Dynamic Scaling Policies
Target Trackkinng Scaling
Most simple and easy to set up
Example: I want the average ASG CPU to stay at around 40%
Simple / Step Scaling
When a CloudWatch alarm is triggerd(>70%), then add 2 units
When a CloudWatch alarm is triggerd(<30%), then remove 1
Sechedule Actions
Anticipate a sccaling based on known usage patterns
Example: increase the min capacity to 10 at 5 pm on Fridays\
Auto Scaling Groups - Predictive scaling
Predictive scaling: continously forecast load and schedule scaling ahead
analysis historical, generate forecast, schedule\
Good metrics to scale on
CPUUtillizatioon: Average CPU
utilization across your instances
RequestCountPerTarget: to make sure the number of requests per EC2 instances is stable
Average Network In/Out (if you’re application is network bound)
Any custom metric (that you push using CloudWatch)\
Auto Scaling Groups - Scaling cooldowns
After a scaling activity happes, you are in the cooldown period (300second)
During the cooldown period, the ASG will not launch or teminate additional instance (to allow for metrics to stabilize)
Advice: Use a ready to use AMI to reduce configuration time in order to be serving request faster and reduce the cooldown period\
If there are multiple instances in the AZ to choose from, delete the one with the oldest launch configuration
ASG tries the balance the number of instances across AZ by default\
ASG for solutions architects lifecycle hooks
By default as soon as an istance is launched in an ASG it’s in service
You have the** ability to perform **extra steps before the instance goes i service(Pendinng state)
You have the** ability to perform some actions** before the innstannce is terminated\
ASG for solutions architect launch template vs launch configuration
Both:
ID of the Amazon machie Image (AMI), the instance type, a key security groups, and the other parameter that you use to launch EC2 istances(tags, EC2 user-data)
Launch Configuration (Legacy):
Must be re-created every time
Launch Template (newer)
Can have multiple versions
Create parameters subsets (partial cconfiguration for re-use annd inheritance)