A load balancer is a resource that can enable Internet and Yale-network-only web traffic to one or more EC2 VMs or ECS container replicas, while enabling HTTPS certificates.

The load balancer you select depends on your Data Classification. Read more about how to identify the risk of your data: Data Classification Policy.

...

replica(s). The load balancer holds the HTTPS certificate and serves as an encryption endpoint.

General Considerations

Selecting a load balancer depends on your Data Classification.

  • For web apps with Low Risk Data, you may use an AWS Application Load Balancer (“ALB”) in your AWS account.

  • For web apps with High Risk and Moderate Risk Data, you must use an ITS-managed F5 LTM load balancer in Yale’s on-prem data center.

Web Application Firewall (“WAF”)

...

...

We recommend a WAF to protect ALBs

Using a WAF is recommended for Low Risk Data and required for Moderate and High Risk Data. An AWS WAF may be used with your AWS ALB for low risk data. The implementation of a WAF for Moderate or High Risk data is up to you to research and configure.

Access Logging

Logging HTTP access is important and required. AWS ALB supports this via S3. Working examples are detailed in Terraform below.
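The following Terraform sketch is an added example, not the page's or ITS's own configuration. It shows the two controls described above for a Low Risk ALB: access logs delivered to S3 and an AWS WAF web ACL attached to the ALB. All resource names and variables are hypothetical, and the web ACL is assumed to exist already.

```hcl
# Added example; every name and variable below is hypothetical.
variable "log_bucket_name" { type = string }
variable "subnet_ids" { type = list(string) }
variable "security_group_id" { type = string }
# ARN of an existing regional AWS WAFv2 web ACL (assumed to be created elsewhere).
variable "web_acl_arn" { type = string }

# Regional ELB account that delivers ALB access logs to S3. In regions where
# AWS documents a log-delivery service principal instead, use that principal.
data "aws_elb_service_account" "this" {}

resource "aws_s3_bucket" "alb_logs" {
  bucket = var.log_bucket_name
}

# Allow only log delivery (PutObject) under the prefix the ALB writes to.
data "aws_iam_policy_document" "alb_logs" {
  statement {
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.alb_logs.arn}/alb/AWSLogs/*"]
    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.this.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "alb_logs" {
  bucket = aws_s3_bucket.alb_logs.id
  policy = data.aws_iam_policy_document.alb_logs.json
}

resource "aws_lb" "app" {
  name               = "app"
  load_balancer_type = "application"
  subnets            = var.subnet_ids
  security_groups    = [var.security_group_id]

  # HTTP access logs to S3; the prefix must match the bucket policy above.
  access_logs {
    bucket  = aws_s3_bucket.alb_logs.id
    prefix  = "alb"
    enabled = true
  }
  # The ALB validates write access when logging is enabled, so apply the policy first.
  depends_on = [aws_s3_bucket_policy.alb_logs]
}

# Attach the WAF web ACL to the ALB.
resource "aws_wafv2_web_acl_association" "app" {
  resource_arn = aws_lb.app.arn
  web_acl_arn  = var.web_acl_arn
}
```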

AWS Network Load Balancers (“NLB”)

An NLB is an advanced load balancer, useful for complex configurations. It follows the same rules mentioned for Low Risk and High and Moderate Risk Data, plus WAF and Access Logging. Configuration is left to the AWS account Sysadmin.

...

You can create public (and private) load balancers inside your AWS account for your low-risk web apps, with little help from ITS. You still need to request:

  • Domain Approval: domain name validation and website content verification from either ITS YaleSites or Yale School of Medicine (“YSM”) (ysm.editor@yale.edu).

  • A TLS certificate created via AWS and, separately, validation for the certificate from ITS YaleSites for your approved domain name. How to create an AWS ACM Certificate

  • DNS configuration from ITS for the website friendly name, e.g., example.yale.edu. After you create an ALB, you will need to create a DNS CNAME in Yale DNS to point to the ALB DNS record.

Moderate and High

...

Risk - ITS F5 LTM Load Balancer

ITS F5 LTM/BigIP Load Balancers are requested through ServiceNow from the Load Balancing Team. You have to do the following work before you request a Load Balancer. Be prepared with ticket numbers and/or email threads supporting these actions:

...