External TLS on AWS NLB
Terminate TLS on an AWS Network Load Balancer for a Hydrolix cluster
Overview
Use an AWS Network Load Balancer (NLB) to automate provisioning and renewal of AWS Certificate Manager (ACM) certificates.
This solution delegates responsibility for certificate acquisition and TLS termination to an AWS NLB, which passes decrypted connection requests through to the Hydrolix cluster.
Under this setup, the AWS NLB handles all of the TLS communication with the clients. For successful TLS connections, the NLB creates a new plaintext connection to the Hydrolix cluster for external, incoming traffic on specified ports.
Hydrolix applications see load balancer IPs
The NLB initiates the plaintext connections to the Hydrolix cluster from its own IP ranges. The original client IP isn't available.
See Enable TLS for more TLS options.
Prerequisites
Before you can start this guide, you'll need the following:
- A deployed Hydrolix cluster running in AWS
- An AWS NLB associated with the cluster
- The list of names for the certificate
The AWS Application Load Balancer (ALB) is a different product and doesn't work with Hydrolix external TLS termination.
Process outline
- Determine necessary hostnames for the certificate.
- Acquire a certificate from AWS Certificate Manager (ACM).
- Configure the tunables in the Hydrolix cluster.
- Verify configuration.
For an explanation of tunables, see Hydrolix tunables.
Hostnames for certificate
Use the cluster hostname for the certificate. Example: {myhost}.hydrolix.live.
If you would like to use in-cluster services that require their own hostname, such as Superset or Quesma, include the wildcard record *.{myhost}.hydrolix.live.
Acquire certificate
Follow the AWS instructions Set up to use AWS Certificate Manager to acquire a certificate with the list of hostnames for your cluster.
Once the certificate is issued, collect the certificate's Amazon Resource Name (ARN) for use when configuring the Hydrolix cluster.
Configure tunables
- Set the tunable terminate_tls_at_lb to the value true.
- Add annotations to the traefik_service_annotations tunable to identify the certificate, ports, and protocols.
After replacing ${CERTIFICATE_ARN} with the identity of your certificate, include the following fragment in your cluster spec file.
```yaml
terminate_tls_at_lb: true
traefik_service_annotations:
  service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: ""
  service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
  service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${CERTIFICATE_ARN}
  service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443,9440,8088,9444"
  service.beta.kubernetes.io/aws-load-balancer-type: nlb
```
The setting terminate_tls_at_lb reconfigures the Hydrolix cluster to expect plaintext connections. The traefik_service_annotations reconfigure the NLB to use the specified certificate and direct traffic into your cluster.
After modifying hydrolixcluster.yaml, deploy to your cluster.
```shell
kubectl apply -f hydrolixcluster.yaml
```
Verify configuration
Verify the cluster is serving the certificate. Use any option to create a TLS network connection to the cluster.
- Visit the cluster URL with a browser, https://{myhost}.hydrolix.live, and ensure the browser issues no TLS warnings.
- Use a command-line tool like curl https://{myhost}.hydrolix.live and ensure no TLS warnings.
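A small script to check that every NLB SSL port presents a verified certificate covering the required names, as an added example that is not Hydrolix or AWS code. It assumes the ssl-ports value from the spec fragment above, a constructed cluster hostname myhost.hydrolix.live, and that the wildcard requirement is met only by an explicit wildcard SAN.

```python
import socket
import ssl

# Constructed sample: the ssl-ports annotation from the spec fragment above.
ANNOTATIONS = {"service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "443,9440,8088,9444"}

def ssl_ports(annotations: dict) -> list[int]:
    """Ports the NLB terminates TLS on; each one must be checked separately."""
    raw = annotations["service.beta.kubernetes.io/aws-load-balancer-ssl-ports"]
    return [int(p) for p in raw.split(",") if p.strip()]

def required_names(cluster_host: str, in_cluster_services: bool) -> list[str]:
    """Cluster host, plus the wildcard when Superset/Quesma need their own names."""
    return [cluster_host] + (["*." + cluster_host] if in_cluster_services else [])

def name_matches(san: str, host: str) -> bool:
    """A wildcard covers exactly one label: *.myhost.hydrolix.live covers
    superset.myhost.hydrolix.live, not myhost.hydrolix.live or a.b.myhost.hydrolix.live."""
    san, host = san.lower(), host.lower()
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]  # ".myhost.hydrolix.live"
    left = host[: -len(suffix)] if host.endswith(suffix) else ""
    return bool(left) and "." not in left

def missing_names(san_names: list[str], required: list[str]) -> list[str]:
    """Required names the certificate does not cover. A required wildcard is
    satisfied only by the same wildcard SAN, never by literal names."""
    sans = [s.lower() for s in san_names]
    missing = []
    for req in required:
        if req.startswith("*."):
            covered = req.lower() in sans
        else:
            covered = any(name_matches(s, req) for s in sans)
        if not covered:
            missing.append(req)
    return missing

def fetch_san_names(host: str, port: int) -> list[str]:
    """Live check: verified handshake (system roots, SNI); returns the DNS SANs.
    Raises ssl.SSLCertVerificationError if the chain or hostname is wrong."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
```

Against a live cluster, call fetch_san_names(host, port) for each port in ssl_ports(ANNOTATIONS) and pass the result with required_names(host, True) to missing_names; an empty list on every port means the NLB presents a valid certificate covering every name.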
Related
The above configuration describes public NLBs. The same Hydrolix configuration applies when working with AWS private NLBs. Customers using private NLBs can also use Private certificates in AWS Certificate Manager.