[00:00:00] So let's have a look at a few more advanced concepts for our load balancer. Number one is around network security. So currently, we access this load balancer through a security group here. This is my load balancer security group. And then we access our EC2 instances through their own security group. So right now, if I look at the public IP and access it, as you can see, I can access my EC2 instance directly, or I can access it, of course, through my load balancer. But it may be preferable to only access my EC2 instance through my load balancer.

[00:00:36] So how do we do this? Well, under Instances, let's go for Security Groups, so right here. And we're going to look at the launch-wizard-1 security group. And in here, for the inbound rules, we're going to edit them and we're going to look at the HTTP rule. Right now, we allow everything from everywhere on this security group, but what we're gonna say is that, no, the only traffic allowed in to our EC2 instance should be traffic coming from the load balancer. So how do we change this? Well, let's first delete this rule.

[00:01:09] You have to first delete it and then you add a new rule. And so again, we want HTTP. But this time, instead of having a CIDR block, you can scroll down and you can see that you can have security groups in there. So the security group we want to allow in is the security group of my load balancer. So if you just type "load" as well, it's going to filter the list. So then you select the security group of the load balancer. And the effect of this is that, if we save this rule and have a look at it...

[00:01:40] Now, if we have a look at our EC2 instance directly and I refresh this page, as you can see, it's timing out, because it's not able to access the instance, because I'm not allowed to access the instance directly. But if you refresh the load balancer, well, the load balancer can still access my instances, because in the rule that we have created in our security group, we allow inbound coming from, if you have a look here, we allow inbound coming from the security group of the application load balancer. So here we have tightened network security.

[00:02:16] The second thing I want to show you is around application load balancer rules. So currently, if you go into this ALB right here and we go under Listeners and I click on it, as you can see, I have a rules section. And the rule is saying that right now, you send everything to my demo target group ALB. But it's possible, because we have an application load balancer, to manage rules and to make a few rules.

[00:02:42] And so let's have a look at the rules we can add. So we can add a rule here, for example, Insert Rule. And here we can have conditions based on what the request looks like. And so we can say, "If the host header has a specific value, then send to a different target group." Or, "If the path is different, then again send to a different target group." Or for example, let's have a play: "If the path is /error, then return a fixed response of code 404 saying, 'Not found, custom error'." Let's save this. And now we have: if the path is /error, then return a fixed response. We could have other rules.

[00:03:27] For example, if the path is /other-service, then forward to another target group that we could define in here, but we don't have one right now. Or for example, if the path is /other-service, then we can delete this and we can say, redirect to HTTPS, or HTTP with a different path and a different status. So as you can see, we can have a lot of complex rules in here in our load balancer, and this is why we wanna use an application load balancer when it comes to HTTP.

[00:03:56] So let's just test our special path /error. So I go back in here and I go to my load balancer. So here's my demo ALB; I will copy the DNS name. So if I paste this one, well, of course we get our EC2 instances, or two. But then if I do /error, it says, "Not found, custom error." And so I get a custom error message, so it's working.

[00:04:20] So that's it for the load balancer. We've seen a couple of advanced features. I hope you liked it, and I will see you in the next lecture.