Amazon Web Services (AWS) Application Load Balancer (ALB) is a powerful service that distributes incoming traffic across multiple targets, ensuring high availability and scalability for your applications. One of its key features is the ability to configure ALB with multiple domains, allowing you to host multiple applications or websites on a single load balancer. In this blog, we will explore how to set up an Application Load Balancer with multiple domains, the benefits it offers, and the steps to configure it effectively.
Benefits of Using ALB with Multiple Domains:
- Cost Efficiency: Hosting multiple applications on a single ALB helps optimize costs, as you can consolidate resources and reduce the number of load balancers needed.
- Simplified Management: By using a single ALB for multiple domains, you centralize management tasks, making it easier to configure, monitor, and maintain your infrastructure.
- Enhanced Flexibility: ALB’s host-based and path-based routing allows you to direct traffic to different target groups based on the domain or path specified in the request, providing flexibility and customization for each application.
- Simplified SSL/TLS Termination: ALB can handle SSL/TLS termination for multiple domains, eliminating the need to manage SSL certificates separately for each application.
Step-by-Step Guide to Configure ALB with Multiple Domains:
Step 1: Create Target Groups
Start by creating target groups for each of your applications. A target group defines the set of targets (EC2 instances, containers, or Lambda functions) that ALB routes traffic to. For example, create a target group for “app1.domain1.com” and another for “app2.domain2.com.”
- Sign in to the AWS Management Console and open the Amazon EC2 Dashboard.
- In the left-hand menu, under “Load Balancing,” click on “Target Groups.”
- Click the “Create target group” button.
- Provide a name for your target group, such as “app1-domain1-targetgroup” to easily identify the application and domain it belongs to.
- Choose the protocol and port that your instances are listening on. For example, if your application uses HTTP and listens on port 80, select “HTTP” and enter “80.”
- In the “Target type” section, choose the appropriate target type for your applications. It can be “Instance,” “IP,” or “Lambda function,” depending on your setup. For most web applications, “Instance” is commonly used.
- In the “Health checks” section, configure the settings for health checks. Health checks are used by the ALB to determine if an instance is healthy and able to handle traffic. Define the path for the health check endpoint and specify the health check protocol and port.
- Optionally, configure advanced health check settings, such as the healthy threshold count and the unhealthy threshold count. These settings determine how many consecutive successful or failed health checks are required to consider an instance healthy or unhealthy, respectively.
- Click the “Create target group” button to create the target group.
- Repeat the steps above to create additional target groups for each of your applications with different domains, such as “app2-domain2-targetgroup.”
Step 2: Set Up SSL/TLS Certificates (Optional)
For each domain, obtain SSL/TLS certificates either from AWS Certificate Manager (ACM) or upload your own certificate. Ensure that the certificates cover all the domains you want to host on the ALB.
To set up SSL/TLS certificates, you have two options:
- AWS Certificate Manager (ACM): AWS provides a managed service called ACM, which simplifies the process of provisioning, deploying, and renewing SSL/TLS certificates. ACM supports certificates that cover multiple domain names, including wildcard names, and allows you to request public certificates for your domain names directly from the ACM console.
- Third-Party Certificate Providers: If you prefer using SSL/TLS certificates from a third-party certificate provider, you can purchase or obtain them from a certificate authority (CA). Once you have the certificates, you need to upload them to AWS Identity and Access Management (IAM) and reference them when setting up the ALB.
You can read more about generating a certificate using ACM in the AWS Certificate Manager documentation.
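The coverage requirement above can be checked mechanically. The following is an added example, not part of the original post: it compares the hostnames used in the listener rules with the names on each certificate, applying the rule that a wildcard covers exactly one subdomain level. The certificate labels and the host inventory are constructed.

```python
# Added example: verify that the certificates on an HTTPS listener cover
# every hostname the ALB routes. All names below are constructed.

def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate name covers the hostname.

    A wildcard is honoured only as the whole leftmost label and stands for
    exactly one label: *.domain1.com covers app1.domain1.com, but not
    domain1.com and not a.b.domain1.com.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def uncovered_hosts(hostnames, certificates):
    """List the hostnames that none of the certificates covers.

    certificates maps a label to the domain names on that certificate
    (its subject and subject alternative names).
    """
    all_names = [name for names in certificates.values() for name in names]
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in all_names)]


# Constructed inventory: hostnames from the listener rules, names per certificate.
ROUTED_HOSTS = ["app1.domain1.com", "app2.domain2.com", "domain1.com"]
LISTENER_CERTS = {
    "default-cert": ["*.domain1.com"],
    "extra-cert": ["app2.domain2.com"],
}

if __name__ == "__main__":
    for host in uncovered_hosts(ROUTED_HOSTS, LISTENER_CERTS):
        print(f"no certificate covers {host}")
```

In this inventory the bare name domain1.com is reported, because the wildcard certificate does not cover the domain itself.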
Associating Certificates with the ALB Listener
After uploading the SSL/TLS certificates to ACM, you need to associate the appropriate certificate with the ALB listener. Follow these steps to do it:
- Go to the Amazon EC2 Dashboard and navigate to the “Load Balancers” section.
- Select your ALB, and in the “Listeners” tab, edit the HTTPS listener.
- Choose the appropriate certificate from the drop-down list under “Default SSL certificate.”
- Save the changes to associate the certificate with the ALB listener.
Configuring SSL/TLS Settings
You can configure additional SSL/TLS settings for the ALB, such as setting up security policies, enabling or disabling support for specific SSL/TLS versions and ciphers, and configuring the server order preference for certificates. These settings can be accessed and modified from the “Edit Listener” window for the HTTPS listener.
Step 3: Create Listener Rules for Domain-Based Routing
- In the left-hand menu in the EC2 Dashboard, click on “Load Balancers” and select the ALB you want to configure with multiple domains.
- In the “Listeners” tab, you will see the existing listener for your ALB. A listener listens for incoming requests on a specified port and protocol. By default, an ALB has a listener for HTTP on port 80. You may also have HTTPS listeners configured if you’re using SSL/TLS certificates.
- Click on “View/edit rules” next to the listener you want to add domain-based routing to. This will open the “Listener rules” configuration page.
- Click on “Add rule” to create a new rule.
- In the “Rule” configuration, specify the condition for the rule. Since we want to route traffic based on the domain, choose “Host header” from the dropdown list.
- In the “Value” field, enter the domain name you want to associate with this rule. For example, if you want to route requests for “app1.domain1.com” to a specific target group, enter “app1.domain1.com” as the value.
- Select the target group that you want to associate with this domain. This target group should contain the instances or containers serving the application associated with the specified domain.
- Repeat the steps above for each domain you want to add. For example, if you have another application associated with “app2.domain2.com,” create a rule with the condition “Host header” and the value “app2.domain2.com,” and then select the appropriate target group.
- You can also add a default rule that catches requests that don’t match any of the specific domain rules. This can be useful for handling requests for domains that are not explicitly configured. To do this, create a rule without specifying any conditions.
- After adding all the necessary rules, click “Save rules” to apply the changes.
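How the listener chooses a target group once these rules are saved, as an added example that is not part of the original post: rules are evaluated from the lowest priority number upward and the default rule last, and host-header values match case-insensitively with * and ? as wildcards. The priorities, the default action label and the sample Host headers are constructed, and the model assumes Host headers without a port.

```python
import re

def host_condition_regex(pattern: str) -> re.Pattern:
    """Translate a host-header condition value into a regex.

    Matching is case-insensitive; * stands for zero or more characters and
    ? for exactly one character.
    """
    out = []
    for ch in pattern.lower():
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(out))


def route(host_header: str, rules: list, default_action: str) -> str:
    """Return the action of the first matching rule, lowest priority number first.

    The default rule has no conditions and is evaluated last.
    """
    host = host_header.strip().lower()
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if any(host_condition_regex(v).fullmatch(host) for v in rule["hosts"]):
            return rule["action"]
    return default_action


# Constructed rule set using the target group names from Step 1.
RULES = [
    {"priority": 10, "hosts": ["app1.domain1.com"], "action": "app1-domain1-targetgroup"},
    {"priority": 20, "hosts": ["app2.domain2.com"], "action": "app2-domain2-targetgroup"},
]
DEFAULT_ACTION = "default-rule-action"  # placeholder for whatever the default rule does


def default_rule_hosts(host_headers, rules=RULES, default_action=DEFAULT_ACTION):
    """Return the Host headers that no rule claims and the default rule answers."""
    return [h for h in host_headers if route(h, rules, default_action) == default_action]


if __name__ == "__main__":
    # Constructed Host headers (no port): two configured names, one in upper
    # case, a name that was never configured, and a bare IP address.
    samples = ["app1.domain1.com", "APP2.DOMAIN2.COM", "old.domain1.com", "203.0.113.10"]
    for h in samples:
        print(f"{h:20} -> {route(h, RULES, DEFAULT_ACTION)}")
```

Any Host header that reaches the listener and matches no rule, including a bare IP address, is answered by the default rule, so that rule's action is what unconfigured names receive.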
Step 4: Configure Security Groups and Health Checks
Ensure that your security groups allow traffic from the ALB to reach the instances in your target groups. Set up health checks for each target group to ensure that unhealthy instances are automatically removed from the load balancer’s rotation.
- Define Health Check Path
Specify the endpoint path that ALB should use to perform health checks on your instances. This path should be an endpoint in your application that returns a 200 OK response when the instance is considered healthy. Example: “app1.domain1.com/”, which should return a valid web page with a 200 OK response.
- Configure Health Check Protocol and Port
Set the protocol (HTTP or HTTPS) and port that ALB should use for health checks. Ensure that the health check protocol and port match the protocol and port your instances are listening on.
- Set Health Check Interval and Timeout
Define the interval at which ALB should perform health checks and the timeout period for each health check request. These values should be adjusted based on the response times and expected stability of your applications.
- Determine Healthy and Unhealthy Thresholds
Set the number of consecutive successful health checks required to consider an instance healthy and the number of consecutive failed health checks to consider an instance unhealthy.
- Verify Health Check Endpoint
Once you have configured the health check settings, verify that the health check endpoint in your application is correctly responding with a 200 OK response when accessed by the ALB. If necessary, make adjustments to ensure the health check path is functioning correctly.
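For the security group requirement at the start of this step, an added example (not from the original post) that checks a target security group, in the shape returned by EC2 DescribeSecurityGroups, for two things: that the ALB's security group is allowed on the target port, and which other sources are allowed on it and can therefore reach the instances without passing through the ALB. The group IDs and rules are constructed.

```python
def audit_target_ingress(instance_sg: dict, alb_sg_id: str, port: int) -> dict:
    """Report who may reach `port` on the targets.

    instance_sg has the shape of one entry of the SecurityGroups list that
    EC2 DescribeSecurityGroups returns.
    """
    alb_allowed = False
    other_sources = []
    for perm in instance_sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "tcp":
            if not perm["FromPort"] <= port <= perm["ToPort"]:
                continue  # rule is for a different port range
        elif proto != "-1":  # "-1" means all protocols and all ports
            continue
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] == alb_sg_id:
                alb_allowed = True
            else:
                other_sources.append(pair["GroupId"])
        other_sources += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        other_sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return {"alb_allowed": alb_allowed, "other_sources": other_sources}


# Constructed data: the ALB's group ID and the group attached to the instances.
ALB_SG = "sg-0aaaaaaaaaaaaaaaa"
INSTANCE_SG = {
    "GroupId": "sg-0bbbbbbbbbbbbbbbb",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "UserIdGroupPairs": [{"GroupId": ALB_SG}],
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
    ],
}

if __name__ == "__main__":
    result = audit_target_ingress(INSTANCE_SG, ALB_SG, 80)
    print("ALB can reach targets:", result["alb_allowed"])
    for src in result["other_sources"]:
        print("port 80 is also reachable from", src)
```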
Step 5: Test the Configuration
Once your ALB is set up with multiple domains, thoroughly test each application to ensure proper routing and functionality. Use tools like cURL or web browsers to test the different domains and paths.
Configuring an Application Load Balancer with multiple domains offers a cost-effective and streamlined solution for hosting multiple applications on AWS. By leveraging ALB’s host-based and path-based routing and SSL/TLS termination capabilities, you can efficiently manage and distribute incoming traffic across different applications, providing a seamless experience for your users. As your infrastructure grows, this centralized approach will help you manage your resources effectively while ensuring the high availability and performance of your applications.