Amazon AWS DevOps Engineer Professional – Incident and Event Response (Domain 5) & HA, Fault T… part 3
- ASG – ALB Integration
Okay. So now let’s attach an ALB to this Auto Scaling group to see how we can have health checks and so on. So back into load balancers, I’m going to create an Application Load Balancer. So it’s going to be an ALB and I’m going to call it Demo ALB. And it’s going to be internet-facing on HTTP, port 80. And the AZs are going to be three AZs in my VPC. I configure the security settings and the security group, and I’ll select a new security group and I’ll allow port 80 from anywhere. Configure routing, and I’m going to create a new target group. Okay? And I’ll call it demo target group. It’s going to be instance-based because the Auto Scaling group will attach instances directly to this target group, and then the protocol will be HTTP.
The port will be 80. Now for the health check we’re going to do protocol HTTP and the path is going to be /health.html. This is so that whenever the ALB goes to this URL, then it sees the word healthy and it returns a 200 and it’s happy about it. Okay? So here we can see the advanced health check settings and we can say, okay, the healthy threshold is five. The unhealthy threshold is two, the timeout is 5 seconds, the interval of the health check is going to be every 10 seconds, and then the success code is going to be 200. So whenever I refresh this page right now, because we get back a page in return, this is a 200 type of code.
Okay. Now we’re going to register targets, and we could add the instance from here. Click on Review and click on Create, and this has been created. Excellent. And what we can do as well is go to the Auto Scaling group, and in here I’m going to edit the Auto Scaling group configuration, scroll all the way down and add a target group, demo target group, in here so that newly created instances will be added directly to this target group. And now for the health check type, let’s look at it. So right now it says EC2 as a health check type. That means that if the instance has a failure based on EC2 health checks. So if we go back to our instances and look at the status checks, these would be the kind of EC2 health checks we have.
So system status check and instance status check. If one of these fails, then right now the Auto Scaling group would go ahead and terminate the instance. But we could set an ELB health check type so that if the ALB that we have created, the load balancer we have created, does fail the health check, then the instance will be terminated. And this makes a lot more sense to do when we attach an ALB to our target, to our Auto Scaling group. So we’ll just keep it as health check type ELB, and the grace period is going to be 60 seconds. Okay, excellent. I’m going to save this. And here we go. So now we have one instance, one desired, one min, one max.
So let’s also go ahead and edit the number of desired instances. So I’m going to set the desired capacity to two so that one more instance is created and it makes sense to have some load balancing. Okay. So now we have two instances being created, and if I go to my target group I should be seeing the two instances under this target group. So let’s go to targets. Yes, both instances are registered under this target group and, as we can see, the status of them is healthy. So that means the health check is passing, and if I go directly now to my load balancer and look at the DNS name for this load balancer, which is right here, and open it and refresh, we get different IPs back.
So that means that our Auto Scaling group, our load balancer, is working and is balancing the load between the two instances. So this is all great. And if we went into the /health.html page we also get healthy back. So this is good, this is working perfectly. So let’s get back in here. Excellent. So we are going to keep this page on, and then what we’re going to do is go to our target groups in here, and I’m going to delete one health.html page so that now one instance should not return a health check back, and so the instance should be terminated because of the ASG setting we have set before. So let’s go to this instance.
I’m going to connect using EC2 Instance Connect, here we go. And in here I’m going to do sudo su and I’m going to do rm /var/www/html/health.html, and I’ll say yes, remove it. And so now what will happen is that this health check should fail. So let’s wait for the status to become unhealthy and then we’ll see what happens in the Auto Scaling group. So now one instance is unhealthy. So if we go to the Auto Scaling group itself in here and we go to activity history, the instances actually, so one is now unhealthy. So the health status is unhealthy, and so what should happen is that this instance should be terminated by our Auto Scaling group because the health check type is ELB.
So let’s wait a little bit and I think we should see an event in here very, very soon. Okay, so as we can see now, the instance is being terminated, and the cause is that the instance was taken out of service in response to an ELB system health check failure. So one instance is being terminated, and so there is an ELB connection draining for that instance that is happening, and then when it is all done the instance will be fully terminated and a new one should come up. So let’s wait for this. Perfect. So now this instance got terminated and a new instance is being created as a result of having one instance instead of the desired capacity being two.
So this is perfect. This one instance is being created and now our Auto Scaling group is back to normal. So this just shows the power and the resiliency of Auto Scaling groups here in response to a health check that’s failed. Finally, there’s one more thing you need to know about, which is the slow start support for Application Load Balancers. So the idea is that if you come up with a new instance in here and you don’t want it right away to be overloaded with queries and requests, then you may want to have a linear progression towards full capacity for that instance. And as such, if you go to target groups, you are able to define a slow start mode.
So let’s take our demo target group, and in here I’m going to edit the attributes, and we can set a slow start duration all the way from 30 seconds to 900 seconds. So 15 minutes. So we can say, okay, we can say 60. And what will happen is that this new instance that comes up in this target group will not get its full capacity of requests until 60 seconds have elapsed. So that means that from zero to 60 seconds, it will gradually increase the number of requests done to this instance, so that it can take time to, for example, warm up a cache and so on. So the idea is that you don’t want your new instances to be right away taking too many requests.
And so this is the slow start duration you can have for your target group. So anywhere from 30 seconds to 900 seconds, or if you set it to zero, then it’s disabled right away, and the instance will receive its fair share of requests directly, right away. So I’ll set it to 60 seconds. We won’t be showing the behavior of this because it’s really hard to show, but you get the idea. And so this is the feature of slow start duration. So that’s it for ALB with Auto Scaling groups. I will show you another cool feature in the next lecture. So, see you in the next lecture.
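The pairing this lecture sets up (health check type ELB on the Auto Scaling group, success code 200 on the target group) can be checked from exported configuration. The following is an added example, not part of the lecture: it audits constructed data shaped like the output of `aws autoscaling describe-auto-scaling-groups` and `aws elbv2 describe-target-groups`; the group names, ARNs and finding codes are placeholders chosen for illustration.

```python
# Constructed sample data; names, ARNs and finding codes are placeholders.
ASGS = [
    {"AutoScalingGroupName": "demo-asg", "HealthCheckType": "ELB",
     "HealthCheckGracePeriod": 60, "TargetGroupARNs": ["arn:placeholder:demo-tg"]},
    {"AutoScalingGroupName": "legacy-asg", "HealthCheckType": "EC2",
     "HealthCheckGracePeriod": 300, "TargetGroupARNs": ["arn:placeholder:demo-tg"]},
    {"AutoScalingGroupName": "wide-asg", "HealthCheckType": "ELB",
     "HealthCheckGracePeriod": 60, "TargetGroupARNs": ["arn:placeholder:wide-tg"]},
    {"AutoScalingGroupName": "batch-asg", "HealthCheckType": "EC2",
     "HealthCheckGracePeriod": 0, "TargetGroupARNs": []},
]
TARGET_GROUPS = [  # demo-tg carries the lecture's settings
    {"TargetGroupArn": "arn:placeholder:demo-tg", "HealthCheckPath": "/health.html",
     "HealthCheckIntervalSeconds": 10, "HealthCheckTimeoutSeconds": 5,
     "HealthyThresholdCount": 5, "UnhealthyThresholdCount": 2,
     "Matcher": {"HttpCode": "200"}},
    {"TargetGroupArn": "arn:placeholder:wide-tg", "HealthCheckPath": "/health.html",
     "HealthCheckIntervalSeconds": 10, "HealthCheckTimeoutSeconds": 5,
     "HealthyThresholdCount": 5, "UnhealthyThresholdCount": 2,
     "Matcher": {"HttpCode": "200-499"}},
]

def matcher_accepts(http_code, status):
    """True if a Matcher.HttpCode string such as '200,202' or '200-299' accepts status."""
    for part in http_code.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= status <= int(high or low):
            return True
    return False

def detection_seconds(tg):
    """Approximate time for a failing target to be marked unhealthy."""
    return tg["UnhealthyThresholdCount"] * tg["HealthCheckIntervalSeconds"]

def audit(asgs, target_groups):
    """Return (asg_name, finding_code) pairs for health check gaps."""
    by_arn = {tg["TargetGroupArn"]: tg for tg in target_groups}
    findings = []
    for asg in asgs:
        name, arns = asg["AutoScalingGroupName"], asg.get("TargetGroupARNs", [])
        if arns and asg.get("HealthCheckType") != "ELB":
            # The instance can fail /health.html and still never be replaced.
            findings.append((name, "ASG_IGNORES_ELB_HEALTH"))
        for arn in arns:
            tg = by_arn.get(arn)
            if tg and matcher_accepts(tg["Matcher"]["HttpCode"], 404):
                # A deleted health page (404) would still count as healthy.
                findings.append((name, "MATCHER_ACCEPTS_404"))
    return findings
```

With the lecture's values (unhealthy threshold 2, interval 10 seconds) `detection_seconds` gives 20 seconds, which is roughly how long the deleted health.html takes to show up as an unhealthy target.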
- ASG – HTTPS on ALB
So now one thing I want to show you is how to enable HTTPS on the load balancer, as well as implement redirection from HTTP to HTTPS. So here what we’d like to do in our listeners would be to add a listener, and that listener is to be a secure listener and to have a certificate on it. So right now we don’t have any certificates, so we need to request a new one. And to request a certificate you need to have a domain name. And so for this we need to go ahead to Route 53 and purchase a domain name. So if you don’t want to do it, then that’s fine. You don’t have to purchase a domain name. But I’m going to show you all the way how this works.
So I’m going to get started with domain registration, and I’m going to register a domain for this course, and it’s going to be called stefanthedevops.com. And let’s check if it exists. And it does exist. So I’m going to buy it right now for one year. Okay, let’s continue. So I’m going to enter my contact details. And so now the domain has been registered and I need to wait a little bit until the domain registration is done. So let me wait for this. Okay, so now the domain registration is completed. As we can see, it is available, and in hosted zones there has been a hosted zone created for my domain within Route 53, which means that I can create records in it directly for whatever I need.
Okay, so back into my Certificate Manager. Now we need to create a domain name, for example, app.stefanthedevops.com, and we’re good to go. Let’s click on Next and we’ll have DNS validation. Click on Review and we confirm the request. So now this request is in progress and we need to create a CNAME record in the DNS configuration for this to work. So what we’ll do is that we’ll go to this domain and we need to add this record in Route 53. Thankfully now, because we have created this through AWS, we can just click on Create record in Route 53 and that will add the CNAME record. And this CNAME record is used so that the authority that will issue the certificate can verify that we do have the right over that domain name.
So click on Create and it was written successfully. And now it may take up to 30 minutes for the changes to propagate and for AWS to validate the domain. In the meantime, what I can do is go to my load balancer. So I’m going to leave this and I’m going to look at the DNS name for my load balancer, which is right here. And I’m going to go back to Route 53, create a record set, and this time I’m going to make it an alias record. And the target name here is going to be the ALB. So the Demo ALB right here. So it’s going to be an alias record and we are naming this app.stefanthedevops.com. So this should be all set, and we’ll click on Create and we’re good to go.
Now this domain should directly redirect to our load balancer. We can have a test by just going to this URL and see if that works. So right now it can’t be reached. Here we go. Now it’s working. So now our domain app.stefanthedevops.com does redirect to our load balancer. So this is excellent. And not a redirect, it’s a CNAME for it, okay, or an alias record. So now we just need to wait for Certificate Manager to validate this record. So I’ll click on Continue and I’ll wait for this validation to happen. So I’ll see you very soon. So the certificate is now issued. So this is perfect. And what I can do next is go back to my load balancer, then listeners, and I’m going to add a listener.
This listener is going to be HTTPS, and the default action is going to forward to my demo target group, so that whenever we access the port here, we just forward to the target group we have already created. We’ll leave this security policy on, and the default SSL certificate is going to be the one from Amazon Certificate Manager, which is the one we have just created. Let’s click on Save, and now it’s been successfully created. So the only thing we have to do to make this work is to go and edit the security group. So let’s edit the security group.
Let’s click on the security group in here, and then I’m going to go to inbound, edit, I’m going to add a rule, it’s going to be HTTPS, which is right here, and click on Save. So now we should be able to access our load balancer over HTTPS. So if we go to https://app.stefanthedevops.com, it can’t work. So we’ll need to wait a little bit to see if anything’s wrong. And now, after a split second, it just worked. So now we get this Hello World, and we get a little secure here saying this connection is secure, and this is using the SSL certificate that we have created just before. So one thing you may want to know is how do we force HTTPS? Because right now I can access this website over HTTP and we get a not secure.
So how do we force redirection from HTTP to HTTPS? Well, we’ll see how we can do this right now. And so for this, very simple, we go to listeners and, as we can see, we need to enable a redirection from HTTP 80 to 443. So I’m going to click on this rule and click on Edit, and then I’m going to click on the default action. I’m going to remove this one and I’m going to add a redirect to, and you’re going to redirect to HTTPS on port 443, and you’re going to keep the original host, path and query. And the return status is going to be 301, which means that the page has permanently moved from HTTP to HTTPS. Let’s say okay and update.
And now we are good to go. So what this means is that now whenever we access this page on port 80, it automatically redirects to HTTPS on this listener right here. So to test that, let’s go back to our app. And so right now we are in not secure mode and the full URL is using HTTP. But if I refresh this page now, we are redirected automatically to the secure version on HTTPS, thanks to the rule we have implemented in here. So directly from within the ALB, we are able to do secure redirection from HTTP to HTTPS. And this helps us force the fact that all the traffic that will go into our demo target group will be using HTTPS at the load balancer level. So that’s it for this lecture. I hope you liked it, I hope it was informative, and I will see you in the next lecture.
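The listener state before and after the port 80 edit can be told apart from exported configuration. The following is an added example, not part of the lecture: it checks constructed data shaped like `aws elbv2 describe-listeners` output, with placeholder ARNs, and it assumes only each listener's default action matters (additional listener rules are not inspected).

```python
# Constructed samples; ARNs are placeholders. BEFORE is the listener set
# before the port 80 default action is changed, AFTER is the result.
HTTPS_443 = {"Protocol": "HTTPS", "Port": 443,
             "Certificates": [{"CertificateArn": "arn:placeholder:acm-cert"}],
             "DefaultActions": [{"Type": "forward",
                                 "TargetGroupArn": "arn:placeholder:demo-tg"}]}
BEFORE = [HTTPS_443,
          {"Protocol": "HTTP", "Port": 80,
           "DefaultActions": [{"Type": "forward",
                               "TargetGroupArn": "arn:placeholder:demo-tg"}]}]
AFTER = [HTTPS_443,
         {"Protocol": "HTTP", "Port": 80,
          "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
              "Protocol": "HTTPS", "Port": "443", "Host": "#{host}",
              "Path": "/#{path}", "Query": "#{query}",
              "StatusCode": "HTTP_301"}}]}]

def https_findings(listeners):
    """Return finding strings; an empty list means plaintext is redirected."""
    findings = []
    has_tls = any(l["Protocol"] == "HTTPS" and l.get("Certificates")
                  for l in listeners)
    if not has_tls:
        findings.append("no HTTPS listener with a certificate")
    for l in listeners:
        if l["Protocol"] != "HTTP":
            continue
        action = l["DefaultActions"][-1]  # the routing action comes last
        redirect = action.get("RedirectConfig", {})
        if action["Type"] != "redirect":
            findings.append(
                f"port {l['Port']}: default action is '{action['Type']}', not a redirect")
        elif redirect.get("Protocol") != "HTTPS":
            # "#{protocol}" keeps the request's scheme, so HTTP stays HTTP.
            findings.append(f"port {l['Port']}: redirect does not switch to HTTPS")
        elif redirect.get("StatusCode") != "HTTP_301":
            findings.append(f"port {l['Port']}: redirect is not a permanent 301")
    return findings

if __name__ == "__main__":
    print("before:", https_findings(BEFORE))
    print("after: ", https_findings(AFTER))
```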