Views:

Background on AWS Elastic Load Balancing

AWS Elastic Load Balancing can automatically distribute incoming traffic across multiple DSM. The traffic can be in a single Availability Zone or across multiple Availability Zones, which depends on your DSM design.

AWS ELB offers three (3) types of load balancers - Application Load Balancer (ALB), Network Load Balancer (NLB), and Classic Load Balancer (CLB). Among these, the Application Load Balancer is the best suited for load balancing of HTTP and HTTPS traffic.

To have a better load balancing throughput, we highly suggest customers to use HTTPs protocol of ALB type for Load Balancer Manager and Relay, as well as TCP protocol of NLB type for Load Balancer Heartbeat.

AWS ALB provides the following advanced features:

  • Load balancing to multiple ports on the same instance
  • IP addresses as targets
  • SSL offloading
  • Load balancer stickiness

Topology

Integration of AWS ELB and DSM LB

Test Environment

The procedure below uses the following:

  • DSM: Deep Security 11.0.340
  • DSA: Deep Security Agent 11.0.0-662 for Windows-x86_64
  • AWS VPC: Public subnet & Private subnet.
  • AWS ELB & Protocol: ALB (HTTPS) and NLB (TCP)
  • Database: AWS RDS, MS SQL 2016 Standard Edition
  • Browser: Chrome is recommend

Detailed Procedure

Make sure the Deep Security Manager and Deep Security Agents are all prepared and ready before you start creating the AWS ELB.

  1. Log in to AWS console.
  2. Navigate to EC2 > Load Balancing > Target Group.
  3. Create target group for Deep Security Load Balancer Manager with the following settings:
    • Name: (e.g. "ALBHTTPS4119" to include Type: ALB; Protocol: HTTPS; Port: 4119)
    • Target type: Instance
    • Protocol: HTTPS
    • Port: 4119 (DSM port)
    • VPC: DSM's locate VPC
    • Health check setting: (keep the default settings)

    Create target group for Deep Security Load Balancer Manager

  4. Review your settings of the target group for Load Balancer Manager.
  5. After the target group is created, enable its stickiness session for at least 10 minutes.

    Set stickiness to 10 minutes

  6. Register the target. Add instances of DSM to the target group, then save.

    Add instances of DSM to the target group

  7. Navigate back to EC2 > Load Balancing > Target Group.
  8. Create target group for Deep Security Load Balancer Relay with the following settings:
    • Name: (e.g. "ALBHTTPS4122" to include Type: ALB; Protocol: HTTPS; Port: 4122)
    • Target type: Instance
    • Protocol: HTTPS
    • Port: 4122 (Relay port)
    • VPC: DSR's locate VPC
    • Health check setting: (keep the default settings)
  9. Review your settings of the target group for Load Balancer Relay.
  10. After the target group is created, enable its stickiness session for at least 10 minutes.

    Set stickiness to 10 minutes

  11. Register the target. Add instances of DSR to the target group, then save.

    Add instances of DSR to the target group

  12. Go back to EC2 > Load Balancing > Target Group.
  13. Create target group for Deep Security Load Balancer HeartBeat with the following settings:
    • Name: (e.g. "NLBTCP4120" to include Type: NLB; Protocol: TCP; Port: 4120)
    • Target type: IP
    • Protocol: TCP
    • Port: 4120 (HeartBeat port)
    • VPC: DSM's locate VPC
    • Health check setting: (keep the default settings)
  14. Review your settings of the target group for Load Balancer HeartBeat.
  15. Register the target. Add instances of DSM to the target group, then save.

    Add instances of DSM to the target group

  16. Review the whole target groups.

    Review the whole target groups

  1. Go to EC2 > Load Balancing > Load Balancer.
  2. Create AWS Load Balancer and configure with the settings below:
    • Name: (e.g. "ALBHTTPS4119" preferrably same with the target group)
    • Scheme: Internet-facing (Public IP) or Internal (Private IP)
    • IP address type: IPv4 or Ipv6
    • Load Balancer Protocol: HTTPS
    • Load Balancer Port: 4119
    • VPC: DSM's locate VPC.
    • Availability Zone: Depends on your DSM node design (Single Zone or Cross Zone)

    Create AWS Load Balancer

  3. On Configure Security Settings, you may upload or create your certificate on AWS ACM. In this case, we create a certificate from ACM, so Choose a certificate from ACM is selected.

    Choose a certificate from ACM

  4. On Configure Security Group, you may create a new or select an existing security group which depends on your policy.

    Configure Security Group

  5. On Configure Routing, route the HTTPs request into the target group which you have created.

    Load Balancer Name: ALBHTTPS4119
    Target Group Name: ALBHTTPS4119

    Route the HTTPs request into the target group

  6. Expand Advanced health check settings and modify Success codes from "200" to "302".

    Advanced health check settings

  7. Verify the targets that you selected and registered, and then click Create.

    Verify the targets that you selected and registered

  8. Go back to EC2 > Load Balancing > Load Balancer.
  9. Create Load Balancer Relay with the following settings:
    • Name: (e.g. "ALBHTTPS4122" preferrably same with the target group)
    • Scheme: Internet-facing (Public IP) or Internal (Private IP)
    • IP address type: IPv4 or Ipv6
    • Load Balancer Protocol: HTTPS
    • Load Balancer Port: 4122
    • VPC: DSM's locate VPC
    • Availability Zone: Depends on your DSM node design (Single Zone or Cross Zone)

    Create Load Balancer Relay

  10. Repeat Steps 3 to 5 to configure the security settings, security group, and routing.
  11. Expand Advanced health check settings and modify Success codes from "200" to "403".
  12. Verify the targets that you selected and registered, and then click Create.

    Verify the targets that you selected and registered

  13. Navigate back to EC2 > Load Balancing > Load Balancer.
  14. Create Load Balancer for DSM HeartBeat with the following settings:
    • Name: (e.g. "NLBTCP4120" preferrably same with the target group)
    • Scheme: Internal (Private IP)
    • IP address type: IPv4 or Ipv6
    • Load Balancer Protocol: TCP
    • Load Balancer Port: 4120
    • VPC: DSM's locate VPC
    • Availability Zone: Depends on your DSM node design (Single Zone or Cross Zone)

    Create Load Balancer for DSM HeartBeat

  15. Repeat Steps 3 to 5 to configure the security settings, security group, and routing.
  16. Verify the targets that you selected and registered, and then click Create.

    Verify the targets that you selected and registered

  1. Find the AWS Load Balancer's A Record.

    Find the AWS Load Balancer's A Record

  2. Map A Record to CNAME (Certificate domain name).

    Map A Record to CNAME

  3. Configure the CNAME record into the DSM's Load Balancers, then save. Make sure to keep the port number as default.

    Configure the CNAME record

  4. Turn on Allow Agent to specify hostname on Administration > System Settings > Agents page to get the exact hostname instead of the Load Balancer IP while doing Agent-Initiated Activation.

  1. Log in to DSM using Load Balancer Manager hostname.

    Log in to DSM using Load Balancer Manager hostname

    Log in to DSM using Load Balancer Manager hostname

  2. Confirm that the two (2) DSM nodes are alive.

    Confirm that the two (2) DSM nodes are alive

  3. Make sure all Deep Security Agents are managed and online.

    Make sure all Deep Security Agents are managed and online

To check the Deep Security Manager:

HTTPS
Request URL: https://x.x.x.x:4119/SignIn.screen
Request Method: GET
Status Code: 200

To check the Deep Security Relay, use any of the following:

HTTPS
Request URL https://x.x.x.x:4122/common_components
Request Method: GET
Status Code: 200

HTTPS
Request URL https://x.x.x.x:4122/
Request Method: GET
Status Code: 403

Keywords: amazon elb,deep security and aws elb,load balancer deep security