Fre*_*001 6 amazon-web-services amazon-elb terraform aws-api-gateway terraform-provider-aws
I'm trying to use API Gateway's VPC Link to route traffic to an internal API over HTTPS. However, the VPC Link forces me to change the API's load balancer from "application" to "network".

As far as I understand, a Network Load Balancer sits at layer 4 and therefore knows nothing about HTTPS.

I'm used to working with the layer 7 Application Load Balancer, so I'm not sure how a Network Load Balancer should be configured or used in Terraform.

Below is my attempt at configuring a Network Load Balancer in Terraform. The health check fails and I'm not sure what I'm doing wrong.

```hcl
resource "aws_ecs_service" "app" {
  name                               = "${var.env}-${var.subenv}-${var.appname}"
  cluster                            = "${aws_ecs_cluster.cluster.id}"
  task_definition                    = "${aws_ecs_task_definition.app.arn}"
  desired_count                      = "${var.desired_app_count}"
  deployment_minimum_healthy_percent = 50
  deployment_maximum_percent         = 200
  iam_role                           = "arn:aws:iam::${var.account}:role/ecsServiceRole"

  load_balancer {
    target_group_arn = "${aws_lb_target_group.app-lb-tg.arn}"
    container_name   = "${var.env}-${var.subenv}-${var.appname}"
    container_port   = 9000
  }

  depends_on = [
    "aws_lb.app-lb",
  ]
}

resource "aws_lb" "app-lb" {
  name               = "${var.env}-${var.subenv}-${var.appname}"
  internal           = false
  load_balancer_type = "network"
  subnets            = "${var.subnet_ids}"
  idle_timeout       = 600

  tags {
    Owner = ""
    Env   = "${var.env}"
  }
}

resource "aws_lb_listener" "app-lb-listener" {
  load_balancer_arn = "${aws_lb.app-lb.arn}"
  port              = 443
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.app-lb-tg.arn}"
  }
}

resource "aws_lb_target_group" "app-lb-tg" {
  name       = "${var.env}-${var.subenv}-${var.appname}"
  port       = 443
  stickiness = []

  health_check {
    path = "/actuator/health"
  }

  protocol = "TCP"
  vpc_id   = "${var.vpc_id}"
}
```

For reference, this is how I had the Application Load Balancer configured before attempting to switch to a Network Load Balancer:

```hcl
resource "aws_ecs_service" "app" {
  name                               = "${var.env}-${var.subenv}-${var.appname}"
  cluster                            = "${aws_ecs_cluster.cluster.id}"
  task_definition                    = "${aws_ecs_task_definition.app.arn}"
  desired_count                      = "${var.desired_app_count}"
  deployment_minimum_healthy_percent = 50
  deployment_maximum_percent         = 200
  iam_role                           = "arn:aws:iam::${var.account}:role/ecsServiceRole"

  load_balancer {
    target_group_arn = "${aws_lb_target_group.app-alb-tg.arn}"
    container_name   = "${var.env}-${var.subenv}-${var.appname}"
    container_port   = 9000
  }

  depends_on = [
    "aws_alb.app-alb",
  ]
}

resource "aws_alb" "app-alb" {
  name    = "${var.env}-${var.subenv}-${var.appname}"
  subnets = "${var.subnet_ids}"
  security_groups = [
    "${var.vpc_default_sg}",
    "${aws_security_group.app_internal.id}",
  ]
  internal     = false
  idle_timeout = 600

  tags {
    Owner = ""
    Env   = "${var.env}"
  }
}

resource "aws_lb_listener" "app-alb-listener" {
  load_balancer_arn = "${aws_alb.app-alb.arn}"
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2015-05"
  certificate_arn   = "${var.certificate_arn}"

  default_action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.app-alb-tg.arn}"
  }
}

resource "aws_lb_target_group" "app-alb-tg" {
  name = "${var.env}-${var.subenv}-${var.appname}"
  port = 80

  health_check {
    path = "/actuator/health"
  }

  protocol = "HTTP"
  vpc_id   = "${var.vpc_id}"
}
```
Network Load Balancers automatically perform passive health checks on the non-UDP traffic flowing through them, so if that is sufficient for you, you can simply remove the active health check configuration.

If you want to enable active health checks, you can use a TCP health check (the default), which only checks that the port is open, or you can specify the HTTP/HTTPS protocol along with a path. Ideally the AWS API would return an error when you try to specify a health check path without setting the protocol to HTTP or HTTPS, but apparently that is not the case right now.

For Terraform, that looks like this:
```hcl
resource "aws_lb_target_group" "app-alb-tg" {
  name     = "${var.env}-${var.subenv}-${var.appname}"
  port     = 443
  protocol = "TCP"
  vpc_id   = "${var.vpc_id}"

  health_check {
    path     = "/actuator/health"
    protocol = "HTTPS"
  }
}
```

Keep in mind that active health checks verify that the port on the target is open from the Network Load Balancer's perspective, not just from the source traffic's. This means your target needs to allow traffic from the subnets the NLB sits in, in addition to the security group or CIDR range etc. that the source traffic comes from.
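As an added example (not the original poster's configuration and not the answerer's code), the following Terraform 0.12+ fragment puts the pieces from the answer together: a TCP target group whose active health check speaks HTTPS to `/actuator/health`, an ingress rule on the application's security group that admits the NLB's subnets so the health checks can reach the task, and the `aws_api_gateway_vpc_link` that points API Gateway at the NLB. It reuses the question's variables (`var.env`, `var.subenv`, `var.appname`, `var.subnet_ids`, `var.vpc_id`) and `aws_security_group.app_internal`; `var.nlb_subnet_cidrs` (the CIDR blocks of the NLB's subnets), the `internal = true` choice, and the assumption that the task listens directly on port 9000 (ECS `awsvpc` network mode) are assumptions introduced here. It also assumes the NLB itself carries no security group, which was the case at the time of the question, so the target is opened by CIDR rather than by security group reference.

```hcl
# Added example, not the original poster's code. Assumes the question's variables plus
# var.nlb_subnet_cidrs, a list of the CIDR blocks of the subnets the NLB is placed in.

resource "aws_lb" "app_lb" {
  name               = "${var.env}-${var.subenv}-${var.appname}"
  load_balancer_type = "network"
  internal           = true # API Gateway reaches it over the VPC link, so it need not be public
  subnets            = var.subnet_ids
}

# TCP listener: the NLB passes the TLS bytes straight through, so the task behind
# port 9000 must terminate TLS itself (the HTTPS health check below relies on that).
resource "aws_lb_listener" "app_lb_listener" {
  load_balancer_arn = aws_lb.app_lb.arn
  port              = 443
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app_lb_tg.arn
  }
}

resource "aws_lb_target_group" "app_lb_tg" {
  name     = "${var.env}-${var.subenv}-${var.appname}"
  port     = 443
  protocol = "TCP"
  vpc_id   = var.vpc_id

  # A health check path only takes effect when the check itself is HTTP or HTTPS;
  # with the default TCP check the path is ignored and only the open port is tested.
  health_check {
    protocol            = "HTTPS"
    path                = "/actuator/health"
    port                = "traffic-port"
    interval            = 30
    healthy_threshold   = 3
    unhealthy_threshold = 3
  }
}

# Active health checks originate from the NLB's own addresses inside its subnets,
# not from the client. Without this rule the targets stay unhealthy even though the
# clients themselves could reach them. Assumes awsvpc mode, so the task listens on
# 9000 directly; with bridge mode and dynamic host ports, open the ephemeral range
# (32768-65535) instead.
resource "aws_security_group_rule" "allow_nlb_to_app" {
  type              = "ingress"
  security_group_id = aws_security_group.app_internal.id
  protocol          = "tcp"
  from_port         = 9000
  to_port           = 9000
  cidr_blocks       = var.nlb_subnet_cidrs
  description       = "NLB health checks and forwarded traffic"
}

# The VPC link is what lets API Gateway send requests to the private NLB.
resource "aws_api_gateway_vpc_link" "app" {
  name        = "${var.env}-${var.subenv}-${var.appname}"
  target_arns = [aws_lb.app_lb.arn]
}
```

After `terraform apply`, the target group's target health in the console (or `aws elbv2 describe-target-health --target-group-arn ...`) should move to `healthy` only once both the HTTPS check succeeds and the security-group rule admits the NLB subnets; if it stays `unhealthy` with a timeout reason, the rule is the first thing to check.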
Views: 4813