Load Balancing for Yale AWS Partner Accounts

A Load Balancer is a resource that can enable Internet and Yale-network-only web traffic to one or more EC2 VMs or ECS container replicas, while enabling HTTPS certificates.

How you select a Load Balancer changes depending on your Data Classification. Read more about how to identify the risk of your data: Data Classification Policy.

• Low Risk Data will use a AWS Application Load Balancer (“ALB”) in your AWS account

• High Risk and Moderate Risk Data will use an ITS LTM Load Balancer

Web Application Firewall (“WAF”) in Load Lalancing

• We recommend a WAF to protect ALBs

• The implementation of WAF is up to you to research and configure

Access Logging

It is important and required to log HTTP access logs - AWS ALB supports this via S3. Working examples are detailed in terraform below.

AWS Network Load Balancers (“NLB”)

An advanced Boad Balancer - useful for complex configurations. It follows the same rules mentioned for Low Risk and High and Moderate Risk Data, plus WAF, and Access Logging. Configuration is left to the AWS account Sysadmin.

Low Risk - AWS ALBs

You can create public (and private) load balancers inside your AWS account for your low-risk web apps, with little help from ITS. You still need to request:

• Domain name validation and website content verification of ITS YaleSites or Yale School of Medicine (“YSM”).

• A TLS certificate created via AWS, and separately, approval validation for the certificate from ITS YaleSites

• DNS configuration from ITS for the website friendly name, e.g., example.yale.edu

High and Medium Risk - ITS F5 LTM Load Balancer

ITS F5 LTM/BigIP Load Balancers will be requested through ServiceNow of the Load Balancing Team. You have to do the following work before you request a Load Balancer. Be prepared with ticket numbers, and/or, email threads supporting these actions:

• Domain name validation and website content verification of ITS YaleSites or Yale School of Medicine (“YSM”).

• Security Design Review (“SDR”) with ITS Security/ISO

Required Supporting Information for an ITS F5 LTM Load Balancer:

1. Name of the website or application

2. Desired Fully Qualified Domain Name (“FQDN”)

3. Brief description of the site or application.

4. NetId information for the site, application owner, COA for billing

5. IP address/AWS DNS Alias record of resource to be Load Balanced

High Level Steps to Create an AWS ALB

This is a technical multi-step process which is to be performed by a technical resource whom administers the AWS account, not ITS. A high level overview:

• AWS ALB is applicable to low-risk data classification, web-apps

• Review of domain name selection and website content by YaleSites, or Yale School of Medicine (“YSM”)

• Backend load balancing target must use HTTPS, e.g., IIS, nginx, apache with self-signed certificate

• yale.edu HTTPS SSL Certificates can use AWS Certificate Manager (“ACM”) - for the public facing load balancer

• ALB can be setup manually, using command line, or with terraform as illustrated below

• DNS requests for yale.edu domain name requested of “DNS” group in ServiceNow

Pre-requisite Information Gathering

• Only create AWS ALBs for low-risk data web applications

  • How to verify that data is a low risk and perform data classification - Data Classification Policy

  • Moderate risk and high risk data classification services cannot use AWS ALB, and must load balance through ITS F5 LTM load balancing. Please open a support Incident in ServiceNow for Load Balancing for non-low-risk data-driven web apps.

• Verify approval from YaleSites, and/or Yale School of Medicine ("YSM") med.yale.edu domain names, for the domain name and website content

  • For Yalesites approval - *.yale.edu - email webmaster@yale.edu

  • For med.yale.edu domain names, email the YSM, ysm.editor@yale.edu

• Enter useful tag information for accounting purposes

Technical Documentation

Creating AWS ALBs with terraform

• https://github.com/YaleUniversity/yalecloud-terraform-examples

• Backend targets

  • Create an HTTPS listener on the backend web app

    • E.g., nginx self-signed certificate listening on port 443/HTTPS

• Configure the access logging to an S3 bucket in your account.

• Optionally, configure WAF

AWS Certificate Manager (“ACM”)

You will need valid HTTPS/TLS certificates for AWS ALBs.

You can request valid yale.edu certificates via the AWS console inside ACM. Choose email validation, and automatically YaleSites (Yale Webmaster - webmaster@yale.edu) will be emailed. Requests should be appropriate for department and initiative, not too generic, and not wildcard for *.yale.edu.

Follow-up with an email to the YaleSites team

To: Lutinski, Robert robert.lutinski@yale.edu; Johnson, J'Vaughn jvaughn.johnson@yale.edu
Cc: Cloud Engineering cloudeng@yale.edu; webmaster@yale.edu webmaster@yale.edu
Subject: AWSCertificate Validation for - example.yale.edu

Hello,

FYI, a request for domain name owner validation is incoming: example.yale.edu.  This is for the ${my-webapp-namedservice}, for use in the AWS Certificate Manager ("ACM").
 
Thank you,

Best,
<your name>

DNS Requests

Request Public/Private DNS CNAME requests through the "DNS" group via ServiceNow Incident

Use the following template to create a DNS record and assign a ticket to the DNS group in ServiceNow (“SNOW”).

Create an Incident in Service Now assigned to the “Business service:” Infrastructure & Internet > Network Services > IP & DNS Support

Get tagging/metadata for the DNS team as show below

Short description:Create Private/Public DNS record for an AWS ALB: example.yale.edu

Hi,

Please create the following private/public DNS record(s):

CNAME:
example.yale.edu: example-yale-edu.${AWSaccountID}.us-east-1.elb.amazonaws.com.

metadata:
Description: A concise description of your web app
Device Type: AWS ALB
Location: us-east-1
Phone number: changeme
Primary User NetID: changeme

Thanks,

Your name