A load balancer is a resource that can enable Internet and Yale-network-only web traffic to one or more EC2 VMs or ECS container replica(s). The load balancer holds the HTTPS certificate and serves as an encryption endpoint.

General Considerations

Selecting a load balancer depends on your Data Classification.

...

  • AWS ALB is applicable to web apps with a low-risk data classification

  • Review of domain name selection and website content by YaleSites, or Yale School of Medicine (“YSM”)

  • The backend load balancing target must use HTTPS, e.g., IIS, nginx, or Apache with a self-signed certificate

  • The public-facing load balancer can use AWS Certificate Manager (“ACM”) for yale.edu HTTPS SSL certificates

  • An ALB can be set up manually, using the command line, or with Terraform as illustrated below

  • Request DNS entries for yale.edu domain names from the “DNS” group in ServiceNow

Pre-requisite Information Gathering

  • Only create AWS ALBs for low-risk data web applications

    • How to verify that data is low risk and perform data classification - Data Classification Policy

    • Services with a moderate-risk or high-risk data classification cannot use AWS ALB and must load balance through ITS F5 LTM load balancing. Please open a support Incident in ServiceNow for Load Balancing for non-low-risk data-driven web apps.

  • Verify approval of the domain name and website content from YaleSites and/or, for med.yale.edu domain names, Yale School of Medicine ("YSM")

  • Enter useful tag information for accounting purposes

Technical Documentation

Creating AWS ALBs with terraform

AWS Certificate Manager (“ACM”)

You will need valid HTTPS/TLS certificates for AWS ALBs.
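
The following Terraform sketch is an added example, not Yale's own configuration. It shows an ALB that terminates HTTPS with an already-issued ACM certificate and re-encrypts to an HTTPS backend target, matching the considerations listed above. The variables, resource names, tag keys and TLS policy choice are assumptions.

```hcl
# Added example: variables, names and tag keys are assumptions.
variable "vpc_id" { type = string }
variable "public_subnet_ids" { type = list(string) }
variable "alb_security_group_id" { type = string }

# Look up a certificate that ACM has already issued for the public hostname.
data "aws_acm_certificate" "site" {
  domain      = "example.yale.edu"
  statuses    = ["ISSUED"]
  most_recent = true
}

resource "aws_lb" "web" {
  name               = "my-webapp-alb"
  load_balancer_type = "application"
  internal           = false # Internet-facing; set true for internal-only traffic
  subnets            = var.public_subnet_ids
  security_groups    = [var.alb_security_group_id]

  # Tags for accounting purposes (keys are hypothetical).
  tags = {
    Application        = "my-webapp"
    DataClassification = "low-risk"
  }
}

# Backend target speaks HTTPS. An ALB does not validate the target's
# certificate, which is why a self-signed certificate works here.
resource "aws_lb_target_group" "backend" {
  name     = "my-webapp-https"
  port     = 443
  protocol = "HTTPS"
  vpc_id   = var.vpc_id

  health_check {
    protocol = "HTTPS"
    path     = "/"
    matcher  = "200-399"
  }
}

# Public listener: the ALB holds the ACM certificate and terminates TLS.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = data.aws_acm_certificate.site.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.backend.arn
  }
}
```

Because the ALB does not authenticate the backend certificate, restrict the target's security group so that only the ALB's security group can reach port 443.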

...

FYI, a request for domain name owner validation is incoming: example.yale.edu.  This is for the ${my-webapp-namedservice}, for use in the AWS Certificate Manager ("ACM").
 
Thank you,

Best,
<your name>

DNS Requests

Submit public/private DNS CNAME requests to the "DNS" group via a ServiceNow Incident

...