Application Load Balancer
The AWS Application Load Balancer is used to provide high traffic throughput, multi-zone availability, and SSL termination, and it integrates with Istio VirtualService routing.
DNS
Two distinct Fully Qualified Domain Names are required for Self Managed Prefect, one for each sub-domain:
1. api
2. app
These domains are then used as the Common Names and/or Subject Alternate Names of the SSL certificates.
Once the Application Load Balancers have been provisioned, an A record is created automatically with a dynamic, randomized address like http://<alb name>-<random hash UUID>-<account>.<region>.elb.amazonaws.com.
Using Route 53, or your existing DNS provider, create CNAME (Alias) records to route traffic: one each for the api and app sub-domains, pointing at the appropriate Load Balancer.
SSL Termination
SSL certificates are required to properly secure client interactions with the API, even in a self-hosted scenario.
There are many possible how-tos, Certificate Authorities, and vendors for issuing and signing certificates, so this section describes only the requirements to implement.
Requesting a Certificate
Certificates can be self-generated or requested through a vendor such as AWS Certificate Manager, DigiCert, or Let's Encrypt.
AWS Certificate Manager (ACM) issues certificates free of charge for AWS-hosted infrastructure.
Certificates must cover two domains: one for the API and one for the UI. This can be done with a single certificate carrying a Subject Alternate Name, or through two separate certificate requests. A wildcard certificate is also viable.
Rules and Policies
Two listeners are established per load balancer: one on port 80 and a separate one on port 443.
A default redirect rule routes all traffic arriving on port 80 to port 443.
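The listener pair and the DNS records described in this section and in the DNS section above, as an added AWS CLI example that is not part of the Prefect documentation. All ARNs, hosted zone ids and domain names are placeholders the caller supplies; the target group is assumed to front the Istio ingress.

```shell
#!/usr/bin/env bash
# Added example: provision the port 80/443 listeners and the api/app alias
# records for a Self Managed Prefect ALB. Placeholder inputs, nothing is hard-coded.
set -eu

# Default action for the port-80 listener: permanent redirect to HTTPS on 443.
# Host, path and query are preserved so deep links still resolve after the redirect.
redirect_to_https_action() {
  printf '%s' '[{"Type":"redirect","RedirectConfig":{"Protocol":"HTTPS","Port":"443","Host":"#{host}","Path":"/#{path}","Query":"#{query}","StatusCode":"HTTP_301"}}]'
}

# Default action for the port-443 listener: forward to the ingress target group.
forward_action() {
  printf '[{"Type":"forward","TargetGroupArn":"%s"}]' "$1"
}

# Route 53 change batch for one alias record (api.<domain> or app.<domain>)
# pointing at the ALB's generated DNS name. An ALB alias needs the ALB's own
# hosted zone id (from describe-load-balancers), not the id of your domain's zone.
alias_change_batch() {
  fqdn=$1; alb_dns=$2; alb_zone_id=$3
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"A","AliasTarget":{"HostedZoneId":"%s","DNSName":"%s","EvaluateTargetHealth":true}}}]}' \
    "$fqdn" "$alb_zone_id" "$alb_dns"
}

# Creates both listeners: 80 (redirect only, no backend) and 443 (ACM certificate,
# TLS 1.3 with TLS 1.2 fallback, nothing older).
create_listeners() {
  alb_arn=$1; tg_arn=$2; cert_arn=$3
  aws elbv2 create-listener --load-balancer-arn "$alb_arn" --protocol HTTP --port 80 \
    --default-actions "$(redirect_to_https_action)"
  aws elbv2 create-listener --load-balancer-arn "$alb_arn" --protocol HTTPS --port 443 \
    --certificates "CertificateArn=$cert_arn" \
    --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
    --default-actions "$(forward_action "$tg_arn")"
}

# Creates one alias record in the caller's hosted zone; call once per sub-domain
# so api and app can point at different load balancers if they are separate.
create_alias_record() {
  zone_id=$1; fqdn=$2; alb_dns=$3; alb_zone_id=$4
  aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
    --change-batch "$(alias_change_batch "$fqdn" "$alb_dns" "$alb_zone_id")"
}

# Usage with placeholder values:
#   create_listeners "$ALB_ARN" "$TARGET_GROUP_ARN" "$ACM_CERT_ARN"
#   create_alias_record "$HOSTED_ZONE_ID" api.example.com "$API_ALB_DNS" "$API_ALB_ZONE_ID"
#   create_alias_record "$HOSTED_ZONE_ID" app.example.com "$APP_ALB_DNS" "$APP_ALB_ZONE_ID"
```

The 80 listener carries no forward action at all, so nothing is ever served over plaintext even if the redirect rule is later edited by mistake.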
Certificate Management
Certificate expiration should be set in accordance with internal and security policies.