Creating an AWS Load Balancer

This guide shows you how to add an application load balancer in front of your Garden Enterprise Kubernetes Cluster in AWS.

We will outline the process in six steps with references to the official AWS documentation.

Step 1: Configure a load balancer and a listener.

Step 2: Configure security settings for an HTTPS listener. You'll need to configure the availability zones so that your new load balancer is in the same VPC as your EKS cluster and in a public subnet.

Step 3: Configure a security group. Here you'll need to apply the security group that your EKS worker nodes are using. This is necessary for the load balancer to be able to forward traffic to the worker nodes. Furthermore, you'll need to add a security group that opens port 80 and port 443 to connections from the public internet.

Step 4: Configure a target group. When configuring the health checks on the target group in this step, please choose the success codes 200-404. This is necessary because we also want the default backend, which returns 404, to be recognized as healthy.

Step 5: Configure targets for the target group. Here you will need to select your worker nodes from your EKS cluster as the targets in the target group.

Step 6: Create the load balancer.

As an alternative to configuring the load balancer via the AWS Console, you can also use Terraform. This small snippet is an example of how to set up an application load balancer. Please keep in mind that you again need to pay attention to the security groups and health checks. You will need to replace all of the values starting with my- with your own.

Please also check the documentation on the application load balancer Terraform module.

module "alb" {
  source  = "terraform-aws-modules/alb/aws"
  version = "~> 5.0"

  name = "garden-enterprise-lb"

  load_balancer_type = "application"

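  vpc_id             = "my-eks-vpc-id"
  # An application load balancer needs public subnets in at least two availability zones.
  subnets            = ["my-public-subnet-a", "my-public-subnet-b"]
  security_groups    = ["my-http-and-https-secgroup", "my-eks-workernode-secgroup"]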

  target_groups = [
    {
      name_prefix      = "dflt-" # a target group name_prefix cannot be longer than 6 characters
      backend_protocol = "HTTP"
      backend_port     = 80
      target_type      = "instance"
      health_check     = { matcher = "200-404" }
    }
  ]

  https_listeners = [
    {
      port               = 443
      protocol           = "HTTPS"
      certificate_arn    = "my-certificate-resource"
      target_group_index = 0
    }
  ]

  http_tcp_listeners = [
    {
      port        = 80
      protocol    = "HTTP"
      action_type = "redirect"
      redirect = {
        port        = "443"
        protocol    = "HTTPS"
        status_code = "HTTP_301"
      }
    }
  ]

  tags = {
    Environment = "Garden-LB"
  }
}
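
The snippet above refers to the port 80/443 security group from step 3 only by the placeholder my-http-and-https-secgroup. The following is an added example, not part of the original guide or of the Terraform module, showing one way to define that group; the resource name garden_lb_public, the name prefix and the description texts are assumptions.

```hcl
# Added example: a definition for the "my-http-and-https-secgroup" placeholder.
# The resource name and description texts are hypothetical.
resource "aws_security_group" "garden_lb_public" {
  name_prefix = "garden-lb-public-"
  description = "Public HTTP/HTTPS ingress for the Garden Enterprise load balancer"
  vpc_id      = "my-eks-vpc-id" # same VPC as the EKS cluster

  # Port 80 is open only so the HTTP listener can answer with the 301 redirect.
  ingress {
    description = "HTTP from the internet (redirected to HTTPS by the listener)"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "HTTPS from the internet"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # No egress block: this group only admits client traffic. Forwarding to the
  # worker nodes relies on the worker node security group that the guide
  # attaches to the load balancer alongside this one (assumption: that group
  # permits the traffic between the load balancer and the nodes).

  lifecycle {
    create_before_destroy = true # lets Terraform replace a name_prefix group safely
  }

  tags = {
    Environment = "Garden-LB"
  }
}

# In the module "alb" block, reference the group instead of the placeholder:
#   security_groups = [aws_security_group.garden_lb_public.id, "my-eks-workernode-secgroup"]
```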
