General Considerations

A load balancer is a resource that can enable Internet and Yale-network-only web traffic to one or more EC2 VMs or ECS container replica(s). The load balancer holds the HTTPS certificate and serves as an encryption endpoint.

Selecting a load balancer depends on your Data Classification.

...

  • Approval for your domain name and website content from either ITS YaleSites or Yale School of Medicine (“YSM”) (ysm.editor@yale.edu).

  • A TLS certificate created via AWS for your approved domain name. See How to create an AWS ACM Certificate.

  • DNS configuration from ITS for the website friendly name, e.g., example.yale.edu. This can be requested through ServiceNow from the IP and DNS Support team. After you create an ALB, you will need to create a DNS CNAME in Yale DNS to point to the ALB DNS record.

...

ITS F5 LTM/BigIP Load Balancers can be requested through ServiceNow from the Load Balancing Team. You have to do the following work before you request a Load Balancer. Be prepared with ticket numbers and/or email threads supporting these actions:

...

  1. Name of the website or application

  2. Desired Fully Qualified Domain Name (“FQDN”)

  3. Brief description of the site or application.

  4. Netid information for the site/application owner, COA for billing

  5. IP address/AWS DNS Alias record of resource to be Load Balanced - i.e., EC2 IP address.

...

This is a technical multi-step process which is to be performed by a technical resource who administers the AWS account, not ITS. A high-level overview:

  • AWS ALB is applicable to low-risk data classification web-apps.

  • Review of domain name selection and website content with YaleSites or Yale School of Medicine (“YSM”)

  • Backend load balancing target must use HTTPS, e.g., IIS, Nginx, Apache with self-signed certificate

  • yale.edu HTTPS SSL certificates can use AWS Certificate Manager (“ACM”) for the public facing load balancer

  • ALB can be set up manually, using AWS command line, or with Terraform as illustrated below

  • Request the yale.edu domain name from the “DNS” group through the “IP and DNS support” team in ServiceNow
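
The overview above implies a few settings that can be checked mechanically once an ALB exists. The following is an added example, not part of the original page or of Yale's tooling: it audits listener and target group records shaped like the boto3 `elbv2` `describe_listeners` and `describe_target_groups` responses. The `DataClassification` tag key and all sample values are assumptions constructed for illustration.

```python
# Added example: audit ALB settings against the requirements listed above.
# Sample records are constructed; the "DataClassification" tag key is a
# hypothetical tagging convention, not one defined by the page.

def audit_alb(listeners, target_groups, tags):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # ALB is only for low-risk data; anything else goes to the ITS F5 LTM.
    if tags.get("DataClassification", "").lower() != "low":
        findings.append("not tagged low-risk: request an ITS F5 LTM instead")
    # The public-facing side must terminate HTTPS with an ACM certificate.
    https = [l for l in listeners if l.get("Protocol") == "HTTPS"]
    if not https:
        findings.append("no HTTPS listener on the load balancer")
    for listener in https:
        arns = [c.get("CertificateArn", "") for c in listener.get("Certificates", [])]
        if not any(a.startswith("arn:aws:acm:") for a in arns):
            findings.append(f"listener :{listener.get('Port')} has no ACM certificate")
    # The backend target must also speak HTTPS (self-signed is acceptable).
    for tg in target_groups:
        if tg.get("Protocol") != "HTTPS":
            findings.append(
                f"target group {tg.get('TargetGroupName')} uses "
                f"{tg.get('Protocol')}; backend must be HTTPS"
            )
    return findings

# Constructed sample: a compliant configuration.
GOOD = dict(
    listeners=[{"Protocol": "HTTPS", "Port": 443, "Certificates": [
        {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE"}]}],
    target_groups=[{"TargetGroupName": "web", "Protocol": "HTTPS", "Port": 443}],
    tags={"DataClassification": "low"},
)
# Constructed sample: moderate-risk tag, missing certificate, plaintext backend.
BAD = dict(
    listeners=[{"Protocol": "HTTPS", "Port": 443, "Certificates": []}],
    target_groups=[{"TargetGroupName": "web", "Protocol": "HTTP", "Port": 80}],
    tags={"DataClassification": "moderate"},
)

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_alb(**cfg) or "ok")
```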

...

Prerequisite Information Gathering

  • Only create AWS ALBs for low-risk data web applications

    • Verify that data is low risk and perform data classification. See Data Classification Policy

    • Moderate risk and high risk data classification services cannot use AWS ALB, and must load balance through ITS F5 LTM load balancing. Please open a support Incident in ServiceNow for Load Balancing for non-low-risk data-driven web apps.

  • Obtain approval for the domain name and website content from YaleSites or, for med.yale.edu domain names, from Yale School of Medicine ("YSM")

  • Enter useful tag information for accounting purposes

...

AWS Certificate Manager (“ACM”)

...

To: Lutinski, Robert robert.lutinski@yale.edu; Johnson, J'Vaughn jvaughn.johnson@yale.edu
Cc: Cloud Engineering cloudeng@yale.edu; webmaster@yale.edu webmaster@yale.edu
Subject: AWS Certificate Validation - example.yale.edu

...

Request Public/Private DNS CNAME through the "IP & DNS Support" group via a ServiceNow incident

Use the following template to create a DNS record and assign a ticket to the DNS group in ServiceNow (“SNOW”).

Create an incident in ServiceNow assigned to the “Business service:” Infrastructure & Internet > Network Services > IP & DNS Support

...