...
How you select a Load Balancer depends on the Data Classification of the data the application handles. Read more about how to identify the risk of your data in the Data Classification Policy.
Low Risk Data uses an AWS Application Load Balancer (“ALB”) in your own AWS account
High Risk and Moderate Risk Data uses an ITS-managed F5 LTM/BIG-IP Load Balancer
Web Application Firewall (“WAF”) in Load Balancing
We recommend putting an AWS WAF web ACL in front of every ALB.
Researching, configuring and tuning the WAF is the responsibility of the AWS account administrator, not ITS.
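As an added example (not code from this page or from the yalecloud-terraform-examples repository), the following Terraform attaches a regional AWS WAFv2 web ACL running the AWS-managed Common Rule Set to an ALB. It assumes an ALB resource named `aws_lb.app` is defined elsewhere in the same configuration; the ACL and metric names are placeholders.

```hcl
# Added example: regional WAFv2 web ACL in front of an ALB.
# Assumes aws_lb.app exists elsewhere in this configuration.
resource "aws_wafv2_web_acl" "alb" {
  name  = "lowrisk-web-acl"
  scope = "REGIONAL"   # ALBs take REGIONAL ACLs; CLOUDFRONT is only for distributions

  default_action {
    allow {}           # allow unless a rule blocks
  }

  rule {
    name     = "aws-common"
    priority = 1
    override_action {
      none {}          # enforce the rule group's own block actions (use count {} while tuning)
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "lowrisk-web-acl"
    sampled_requests_enabled   = true
  }
}

# The association is what actually puts the ACL on the load balancer's ARN.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.app.arn
  web_acl_arn  = aws_wafv2_web_acl.alb.arn
}
```

Deploy the managed rule group with `override_action { count {} }` first and review the sampled requests in CloudWatch for false positives against your application, then switch to `none {}` so the group's block actions take effect.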
Access Logging
HTTP access logging is required. An ALB can write its access logs to an S3 bucket in your account; working Terraform examples are linked below.
AWS Network Load Balancers (“NLB”)
A Layer 4 (TCP/TLS/UDP) load balancer, useful when you need static IP addresses, non-HTTP protocols or complex configurations. It follows the same Data Classification rules as above (Low Risk in your account; High and Moderate Risk through ITS F5) and the same access-logging requirement. Note two differences from an ALB: AWS WAF cannot be attached to an NLB, and an NLB only produces access logs for TLS listeners, so if you need WAF or HTTP-level logging, use an ALB. Configuration is left to the AWS account sysadmin.
Low Risk - AWS ALBs
You can create public (and private) load balancers inside your AWS account for your low-risk web apps, with little help from ITS. You still need to request:
Domain name validation and website content verification from ITS YaleSites or Yale School of Medicine (“YSM”).
A TLS certificate created in AWS Certificate Manager and, separately, approval and validation of that certificate by ITS YaleSites.
DNS configuration from ITS for the website's friendly name, e.g., example.yale.edu.
High and Moderate Risk - ITS F5 LTM Load Balancer
ITS F5 LTM/BIG-IP Load Balancers are requested from the Load Balancing Team through ServiceNow. Complete the following before you request a Load Balancer, and be prepared with ticket numbers and/or email threads documenting these actions:
Domain name validation and website content verification from ITS YaleSites or Yale School of Medicine (“YSM”).
Security Design Review (“SDR”) with ITS Security
...
Security/ISO
Required Supporting Information for an ITS F5 LTM Load Balancer:
Name of the website or application
Desired Fully Qualified Domain Name (“FQDN”)
Brief description of the site or application.
NetID of the site or application owner, and the COA for billing
IP address or AWS DNS alias record of the resource to be load balanced
High Level Steps to Create an AWS ALB
This is a technical, multi-step process performed by the technical resource who administers the AWS account, not by ITS. A high-level overview:
...
Only create AWS ALBs for web applications that handle low-risk data.
Verify that the data is low risk by performing data classification per the Data Classification Policy.
Services with moderate-risk or high-risk data cannot use an AWS ALB and must load balance through ITS F5 LTM. For web apps that handle such data, open a support Incident in ServiceNow for Load Balancing.
Verify approval of the domain name and website content from YaleSites (for *.yale.edu) and/or Yale School of Medicine ("YSM") (for med.yale.edu domain names).
For Yalesites approval - *.yale.edu - email webmaster@yale.edu
For med.yale.edu domain names, email the YSM, ysm.editor@yale.edu
Tag the ALB and its related resources with useful accounting information (owner, COA).
...
https://github.com/YaleUniversity/yalecloud-terraform-examples
Create the backend targets.
Create an HTTPS listener on the backend web app, e.g., nginx with a self-signed certificate listening on port 443/HTTPS.
Configure the access logging to an S3 bucket in your account.
Optionally, configure WAF
AWS Certificate Manager (“ACM”)
You will need a valid HTTPS/TLS certificate, issued through ACM, for each AWS ALB HTTPS listener.
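The following Terraform is an added example covering the ALB steps above, the Access Logging requirement and the ACM certificate; it is not code from this page or from the yalecloud-terraform-examples repository. It assumes you already have a VPC, public subnets, a security group for the ALB that allows inbound 443 and 80, and a friendly name approved by YaleSites; the resource names and tag values are placeholders. The DNS validation records for the ACM certificate must be published in ITS-managed DNS, which is assumed to be part of the ITS request described above.

```hcl
# Added example: low-risk ALB with S3 access logs, ACM TLS, HTTP->HTTPS redirect
# and re-encryption to backends on 443. Inputs below are assumptions.
variable "vpc_id" {}
variable "public_subnet_ids" { type = list(string) }
variable "alb_sg_id" {}
variable "site_fqdn" {}   # e.g. example.yale.edu, approved by YaleSites

data "aws_caller_identity" "me" {}
data "aws_elb_service_account" "elb" {}   # regional ELB account that delivers logs

# --- Access logging: private bucket, write access only for the ELB account ---
resource "aws_s3_bucket" "alb_logs" {
  bucket = "alb-logs-${data.aws_caller_identity.me.account_id}"
  tags   = { Owner = "netid", COA = "charging-account" }   # placeholder accounting tags
}

resource "aws_s3_bucket_public_access_block" "alb_logs" {
  bucket                  = aws_s3_bucket.alb_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_policy" "alb_logs" {
  bucket = aws_s3_bucket.alb_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = data.aws_elb_service_account.elb.arn }
      Action    = "s3:PutObject"
      Resource  = "${aws_s3_bucket.alb_logs.arn}/alb/AWSLogs/${data.aws_caller_identity.me.account_id}/*"
    }]
  })
}

# --- ACM certificate with DNS validation; ITS must publish the CNAMEs ---
resource "aws_acm_certificate" "site" {
  domain_name       = var.site_fqdn
  validation_method = "DNS"
  lifecycle { create_before_destroy = true }
}

resource "aws_acm_certificate_validation" "site" {
  certificate_arn = aws_acm_certificate.site.arn   # waits until the cert is ISSUED
}

# --- The ALB ---
resource "aws_lb" "app" {
  name                       = "lowrisk-web-alb"
  load_balancer_type         = "application"
  subnets                    = var.public_subnet_ids
  security_groups            = [var.alb_sg_id]
  drop_invalid_header_fields = true   # drop requests with malformed header names

  access_logs {
    bucket  = aws_s3_bucket.alb_logs.id
    prefix  = "alb"
    enabled = true
  }
  depends_on = [aws_s3_bucket_policy.alb_logs]   # creation fails if the bucket refuses writes
}

# Backend targets on 443: the ALB re-encrypts, so VPC traffic is not plaintext.
resource "aws_lb_target_group" "web" {
  name     = "lowrisk-web-https"
  port     = 443
  protocol = "HTTPS"
  vpc_id   = var.vpc_id
  health_check {
    protocol = "HTTPS"
    path     = "/"
    matcher  = "200-399"
  }
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"   # TLS 1.2/1.3 only
  certificate_arn   = aws_acm_certificate_validation.site.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# Port 80 only redirects; nothing is served over plain HTTP.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.app.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```

Expect the first `terraform apply` to block at `aws_acm_certificate_validation.site` until ITS has published the CNAME records; read them with `terraform state show aws_acm_certificate.site` (the `domain_validation_options` attribute) and include them in the DNS request. The ALB encrypts traffic to the targets but does not validate the target certificate, which is why a self-signed nginx certificate on the backend works; this gives you confidentiality inside the VPC, not authentication of the backend. The `aws_elb_service_account` principal is correct for long-standing regions such as us-east-1; in regions opened after August 2022, AWS documents a service principal (`logdelivery.elasticloadbalancing.amazonaws.com`) in the bucket policy instead.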
...