Amazon web services 如何配置AWS网络负载平衡器,以使用Terraform路由HTTPS流量?
我正在尝试使用API网关的VPC链接将流量路由到HTTPS上的内部API。 但是,VPC链接迫使我将API的负载平衡器从“应用程序”更改为“网络” 我知道网络负载均衡器位于第4层,因此不知道HTTPS 我习惯于使用第7层应用程序负载平衡器。因此,我不确定我应该如何配置或使用terraform中的网络负载平衡器 下面是我在Terraform中配置网络负载平衡器的尝试。 健康检查失败了,我不确定我做错了什么Amazon web services 如何配置AWS网络负载平衡器,以使用Terraform路由HTTPS流量?,amazon-web-services,terraform,aws-api-gateway,terraform-provider-aws,aws-load-balancer,Amazon Web Services,Terraform,Aws Api Gateway,Terraform Provider Aws,Aws Load Balancer,我正在尝试使用API网关的VPC链接将流量路由到HTTPS上的内部API。 但是,VPC链接迫使我将API的负载平衡器从“应用程序”更改为“网络” 我知道网络负载均衡器位于第4层,因此不知道HTTPS 我习惯于使用第7层应用程序负载平衡器。因此,我不确定我应该如何配置或使用terraform中的网络负载平衡器 下面是我在Terraform中配置网络负载平衡器的尝试。 健康检查失败了,我不确定我做错了什么 resource "aws_ecs_service" “app” { name = "$
resource "aws_ecs_service" “app” {
name = "${var.env}-${var.subenv}-${var.appname}"
cluster = "${aws_ecs_cluster.cluster.id}"
task_definition = "${aws_ecs_task_definition.app.arn}"
desired_count = "${var.desired_app_count}"
deployment_minimum_healthy_percent = 50
deployment_maximum_percent = 200
iam_role = "arn:aws:iam::${var.account}:role/ecsServiceRole"
load_balancer {
target_group_arn = "${aws_lb_target_group.app-lb-tg.arn}"
container_name = "${var.env}-${var.subenv}-${var.appname}"
container_port = 9000
}
depends_on = [
"aws_lb.app-lb"
]
}
resource "aws_lb" “app-lb" {
name = "${var.env}-${var.subenv}-${var.appname}"
internal = false
load_balancer_type = "network"
subnets = "${var.subnet_ids}"
idle_timeout = 600
tags {
Owner = ""
Env = "${var.env}"
}
}
resource "aws_lb_listener" “app-lb-listener" {
load_balancer_arn = "${aws_lb.app-lb.arn}"
port = 443
protocol = "TCP"
default_action {
type = "forward"
target_group_arn = "${aws_lb_target_group.app-lb-tg.arn}"
}
}
resource "aws_lb_target_group" “app-lb-tg" {
name = "${var.env}-${var.subenv}-${var.appname}"
port = 443
stickiness = []
health_check {
path = "/actuator/health"
}
protocol = "TCP"
vpc_id = "${var.vpc_id}"
}
resource "aws_ecs_service" "app" {
name = "${var.env}-${var.subenv}-${var.appname}"
cluster = "${aws_ecs_cluster.cluster.id}"
task_definition = "${aws_ecs_task_definition.app.arn}"
desired_count = "${var.desired_app_count}"
deployment_minimum_healthy_percent = 50
deployment_maximum_percent = 200
iam_role = "arn:aws:iam::${var.account}:role/ecsServiceRole"
load_balancer {
target_group_arn = "${aws_lb_target_group.app-alb-tg.arn}"
container_name = "${var.env}-${var.subenv}-${var.appname}"
container_port = 9000
}
depends_on = [
"aws_alb.app-alb"]
}
resource "aws_alb" "app-alb" {
name = "${var.env}-${var.subenv}-${var.appname}"
subnets = "${var.subnet_ids}"
security_groups = [
"${var.vpc_default_sg}",
"${aws_security_group.app_internal.id}"]
internal = false
idle_timeout = 600
tags {
Owner = ""
Env = "${var.env}"
}
}
resource "aws_lb_listener" "app-alb-listener" {
load_balancer_arn = "${aws_alb.app-alb.arn}"
port = "443"
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-2015-05"
certificate_arn = "${var.certificate_arn}"
default_action {
type = "forward"
target_group_arn = "${aws_lb_target_group.app-alb-tg.arn}"
}
}
resource "aws_lb_target_group" "app-alb-tg" {
name = "${var.env}-${var.subenv}-${var.appname}"
port = 80
health_check {
path = "/actuator/health"
}
protocol = "HTTP"
vpc_id = "${var.vpc_id}"
}
resource "aws_lb_target_group" "app-alb-tg" {
name = "${var.env}-${var.subenv}-${var.appname}"
port = 443
protocol = "TCP"
vpc_id = "${var.vpc_id}"
health_check {
path = "/actuator/health"
protocol = "HTTPS"
}
}
请记住,活动运行状况检查将从网络负载平衡器的角度(不仅仅是源流量)检查目标上的端口是否打开。这意味着您的目标将需要允许来自NLB所在的子网以及源流量来源的安全组或CIDR范围等的流量。这适用于正常还是错误?如果没有错误,是否只是健康检查失败?这看起来好像AWS在应用它时会在验证中失败(Terraform做这件事会很棘手,因为它不正式支持跨参数验证)但在未将健康检查协议设置为HTTP/HTTPS的情况下,您不应该指定健康检查路径。请检查此链接,如果我没有记错,您需要将“协议”从TCP更改为TLS。当我使用TCP aws_lb_listener尝试此操作时,出现以下错误:“侦听器和以下目标组具有不兼容的协议”。抱歉,复制粘贴了错误的目标组定义。只是对目标组上的健康检查协议进行了更改,因此您仍然应该将TCP流量传递到目标,但使用HTTP或HTTPS协议进行健康检查。Np,有一件事我不太确定,那就是ssl策略和证书应该放在哪里。正如在前面的ALB中一样,我在aws_lb_listener中设置了这个。但考虑到我现在使用的是NLB,我是否可以假设它们不再需要?如果您在NLB卸载TLS,而不是执行直通TCP,那么您只需要
ssl\u策略certificate\u arn