
General Considerations

A load balancer is a resource that exposes web traffic, either from the Internet or from the Yale network only, to one or more EC2 VMs or ECS container replicas. The load balancer holds the HTTPS certificate and serves as the TLS termination (encryption) endpoint.

Selecting a load balancer depends on your Data Classification.

  • For web apps with Low Risk Data, you may use an AWS Application Load Balancer (“ALB”) in your AWS account

  • For web apps with High Risk and Moderate Risk Data you must use an ITS-managed F5 LTM load balancer in Yale’s on-prem data center.

Web Application Firewall (“WAF”)

Using a WAF is recommended for Low Risk Data and required for Moderate and High Risk Data. An AWS WAF may be used with your AWS ALB for low risk data. The implementation of a WAF for Moderate or High Risk data is up to you to research and configure.
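As an added example of the AWS WAF recommended above for a low-risk ALB (not the page's own or ITS-provided code): a regional web ACL using an AWS managed rule group, associated with an ALB resource assumed to be named aws_lb.web; the web ACL name is a placeholder.

```hcl
# Added example: regional AWS WAF web ACL attached to a low-risk ALB.
# Assumes an existing ALB resource named aws_lb.web (placeholder).
resource "aws_wafv2_web_acl" "web" {
  name  = "example-yale-edu-waf" # placeholder
  scope = "REGIONAL"             # ALBs take REGIONAL (CLOUDFRONT is for CloudFront only)

  # Requests that match no rule are allowed; the rule below blocks known-bad patterns.
  default_action {
    allow {}
  }

  # AWS-managed baseline rule group covering common web exploits.
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 1
    override_action {
      none {} # keep the rule group's own block/count actions
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "CommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-yale-edu-waf"
    sampled_requests_enabled   = true
  }
}

# Bind the web ACL to the ALB; without this association nothing is inspected.
resource "aws_wafv2_web_acl_association" "web" {
  resource_arn = aws_lb.web.arn
  web_acl_arn  = aws_wafv2_web_acl.web.arn
}
```

WAF request logging is a separate resource (aws_wafv2_web_acl_logging_configuration) and is configured in addition to, not instead of, the ALB access logs.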

Access Logging

Logging HTTP access is required; AWS ALB supports this by writing access logs to S3. Working examples are detailed in Terraform below.

AWS Network Load Balancers (“NLB”)

NLB is an advanced load balancer, useful for complex configurations. It follows the same rules described above for Low Risk and for Moderate and High Risk Data, including the WAF and Access Logging requirements. Configuration is left to the AWS account sysadmin.

Low Risk - AWS ALBs

You can create public (and private) load balancers inside your AWS account for your low-risk web apps, with little help from ITS. You still need to request:

  • Approval for your domain name and website content from either ITS YaleSites or Yale School of Medicine (“YSM”) (ysm.editor@yale.edu).

  • A TLS certificate created via AWS for your approved domain name. How to create an AWS ACM Certificate

  • DNS configuration from ITS for the website friendly name, e.g., example.yale.edu. Request this through ServiceNow from the IP and DNS Support team. After you create an ALB, you will need to have a DNS CNAME created in Yale DNS that points to the ALB DNS name.

Moderate and High Risk - ITS F5 LTM Load Balancer

ITS F5 LTM/BigIP Load Balancers can be requested through ServiceNow from the Load Balancing Team. Complete the following work before you request a load balancer, and be prepared with the ticket numbers and/or email threads supporting these actions:

  • Domain name validation and website content verification from ITS YaleSites or Yale School of Medicine (“YSM”).

  • Security Design Review (“SDR”) with ITS Security/ISO

Required Supporting Information for an ITS F5 LTM Load Balancer:

  1. Name of the website or application

  2. Desired Fully Qualified Domain Name (“FQDN”)

  3. Brief description of the site or application.

  4. Netid information for the site/application owner, COA for billing

  5. IP address/AWS DNS Alias record of resource to be Load Balanced - i.e., EC2 IP address.

High Level Steps to Create an AWS ALB

This is a technical multi-step process which is to be performed by a technical resource who administers the AWS account, not ITS. A high level overview:

  • AWS ALB is applicable to low-risk data classification web-apps.

  • Review domain name selection and website content with YaleSites, or Yale School of Medicine (“YSM”)

  • Backend load balancing target must use HTTPS, e.g., IIS, Nginx, Apache with self-signed certificate

  • yale.edu HTTPS SSL certificates can use AWS Certificate Manager (“ACM”) - for the public facing load balancer

  • ALB can be set up manually, using the AWS command line, or with Terraform as illustrated below

  • Request yale.edu domain name through “IP and DNS support” team in ServiceNow

Prerequisite Information Gathering

  • Only create AWS ALBs for low-risk data web applications

    • Verify that the data is low risk by performing a data classification. See the Data Classification Policy

    • Moderate risk and high risk data classification services cannot use an AWS ALB and must load balance through ITS F5 LTM load balancing. Please open a support Incident in ServiceNow for Load Balancing for non-low-risk data-driven web apps.

  • Obtain approval for the domain name and website content from YaleSites or, for med.yale.edu domain names, from Yale School of Medicine ("YSM")

  • Enter useful tag information for accounting purposes

Technical Documentation

Creating AWS ALBs with terraform
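The ALB build-out described in the High Level Steps and Prerequisite sections above, as an added Terraform example that is not the page's own or ITS-provided code: it wires the required S3 access logging (including the bucket policy the ELB log-delivery account needs before the ALB will accept logging), an HTTPS-only target group, and a TLS listener using the ACM certificate. The var.* inputs, the bucket name and the example.yale.edu names are placeholders.

```hcl
# Regional ELB log-delivery principal (us-east-1 uses the ELB service account).
data "aws_elb_service_account" "elb" {}

resource "aws_s3_bucket" "alb_logs" {
  bucket = "example-yale-edu-alb-logs" # placeholder name
}

resource "aws_s3_bucket_policy" "alb_logs" { # only the ELB account may write logs
  bucket = aws_s3_bucket.alb_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = data.aws_elb_service_account.elb.arn }
      Action    = "s3:PutObject"
      Resource  = "${aws_s3_bucket.alb_logs.arn}/alb/*"
    }]
  })
}

resource "aws_lb" "web" {
  name               = "example-yale-edu"
  load_balancer_type = "application"
  internal           = false # true for a Yale-network-only ALB
  security_groups    = [var.alb_sg_id]
  subnets            = var.public_subnet_ids
  access_logs { # required HTTP access logging, delivered to S3
    bucket  = aws_s3_bucket.alb_logs.id
    prefix  = "alb"
    enabled = true
  }
  depends_on = [aws_s3_bucket_policy.alb_logs] # ALB creation fails without the policy
}

resource "aws_lb_target_group" "web" {
  name     = "example-yale-edu-tg"
  port     = 443
  protocol = "HTTPS" # targets speak HTTPS; self-signed is fine, the ALB does not validate it
  vpc_id   = var.vpc_id
}

resource "aws_lb_listener" "https" { # TLS terminates here with the ACM certificate
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.acm_certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}
```

After apply, the ALB DNS name (aws_lb.web.dns_name) is the target for the CNAME requested from the IP & DNS Support team below.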

AWS Certificate Manager (“ACM”)

You will need valid HTTPS/TLS certificates for AWS ALBs.

You can request valid yale.edu certificates via the AWS console inside ACM. Choose email validation; the validation email is sent automatically to YaleSites (Yale Webmaster, webmaster@yale.edu). Requests should be scoped to the department and initiative, not too generic, and not a wildcard for *.yale.edu.

Follow up with an email to the YaleSites team:

To: webmaster@yale.edu
Cc: Cloud Engineering cloudeng@yale.edu; hostmaster@yale.edu
Subject: AWS Certificate Validation for - example.yale.edu

Hello,

FYI, a request for domain name owner validation is incoming: example.yale.edu. This is for the ${my-webapp-namedservice}, for use in the AWS Certificate Manager ("ACM").

Thank you,

<your name>

DNS Requests

Request public/private DNS CNAME records through the "IP & DNS Support" group via a ServiceNow incident.

Use the following template to create a DNS record and assign a ticket to the DNS group in ServiceNow.

Create an incident in ServiceNow assigned to the “Business service:” Infrastructure & Internet > Network Services > IP & DNS Support

Include tagging/metadata for the DNS team as shown below.


Short description: Create Private/Public DNS record for an AWS ALB: example.yale.edu

Hi,

Please create the following private/public DNS record(s):

CNAME:
example.yale.edu: example-yale-edu.${AWSaccountID}.us-east-1.elb.amazonaws.com.

metadata:
Description: A concise description of your web app
Device Type: AWS ALB
Location: us-east-1
Phone number: changeme
Primary User NetID: changeme

Thanks,

Your name
