A load balancer distributes Internet-facing or Yale-network-only web traffic across one or more EC2 instances or ECS container replicas, and terminates HTTPS with a TLS certificate so that the backend targets do not need a publicly trusted certificate of their own.
How you select a Load Balancer changes depending on your Data Classification. Please read about how to identify the risk of your data: Data Classification Policy.
Low-risk data: use an AWS ALB in your own AWS account
Moderate- and high-risk data: use an ITS F5 LTM/BigIP load balancer
You can create public (and private) load balancers inside your AWS account for your low-risk web apps, with little help from ITS. You still need to request:
Domain name validation and website content verification from ITS YaleSites or Yale School of Medicine (“YSM”).
A TLS certificate via AWS, and separately, approval validation for the certificate from ITS YaleSites
DNS configuration from ITS for the website friendly name, e.g., example.yale.edu
ITS F5 LTM/BigIP load balancers are requested from the Load Balancing Team through ServiceNow. Complete the following before you request a load balancer:
Domain name validation and website content verification of ITS YaleSites
Security Design Review (“SDR”) with ITS security
AWS Application Load Balancers (“ALB”)
This is a multi-step technical process performed by the technical resource who administers the AWS account, not by ITS. A high-level overview:
AWS ALB applies only to web apps with a low-risk data classification
Domain name selection and website content are reviewed by YaleSites or, for med.yale.edu names, Yale School of Medicine (“YSM”)
Backend load balancing targets must listen on HTTPS (e.g., IIS, nginx, or Apache with a self-signed certificate); the ALB encrypts traffic to the target but does not validate the target's certificate
TLS certificates for yale.edu names can be issued by AWS Certificate Manager (“ACM”) for the public-facing load balancer
The ALB can be set up manually in the console, with the AWS CLI, or with Terraform (see the examples repository linked under Technical Documentation)
DNS records for the yale.edu name are requested from the “DNS” group in ServiceNow
Prerequisite Information Gathering
Only create AWS ALBs for low-risk data web applications
To verify that the data is low risk, perform data classification according to the Data Classification Policy
Moderate-risk and high-risk services cannot use an AWS ALB and must load balance through ITS F5. For non-low-risk web apps, open a support Incident in ServiceNow assigned to Load Balancing
Low-risk data does not need a Security Design Review ("SDR")
Obtain approval of the domain name and website content from YaleSites (*.yale.edu) or, for med.yale.edu names, from Yale School of Medicine ("YSM")
For Yalesites approval - *.yale.edu - email webmaster@yale.edu
For med.yale.edu domain names, email the YSM, ysm.editor@yale.edu
Tag the load balancer and its related resources with the accounting information your account requires
Technical Documentation
Creating AWS ALBs with terraform
https://github.com/YaleUniversity/yalecloud-terraform-examples
Backend targets: create an HTTPS listener on the backend web app, e.g., nginx with a self-signed certificate listening on port 443. The ALB encrypts the connection to an HTTPS target but does not validate the target's certificate, so a self-signed certificate is sufficient; restrict the target's security group so that port 443 accepts traffic only from the load balancer's security group.
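As an added example (not code from this page or from the yalecloud-terraform-examples repository), the POSIX shell script below generates the self-signed certificate for a backend target and writes the matching nginx server block on port 443. The hostname example.yale.edu, the output directory, the file names and the /healthz health-check path are assumptions.

```shell
#!/bin/sh
# Added example: self-signed certificate and nginx HTTPS listener for an ALB backend target.
# Hostname, output paths and the /healthz path are assumptions, not values from the page.
set -eu

# make_backend_cert NAME OUTDIR: self-signed RSA key + certificate for the backend listener.
# The ALB does not validate the target certificate, so this only encrypts the ALB->target hop;
# the target's security group (443 only from the ALB's security group) is what keeps
# other hosts from reaching the backend directly.
make_backend_cert() {
  name="$1"; outdir="$2"
  mkdir -p "$outdir"
  # subshell so the restrictive umask (private key must be 0600) does not leak out
  (
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -subj "/CN=$name" -addext "subjectAltName=DNS:$name" \
      -keyout "$outdir/backend.key" -out "$outdir/backend.crt" 2>/dev/null
  )
}

# cert_cn FILE: print the certificate's CN (used to confirm what was generated).
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# cert_has_san FILE NAME: exit 0 if NAME appears as a DNS SAN in the certificate.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_mode FILE: octal permission bits of the private key (GNU stat, BSD stat fallback).
key_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# write_nginx_conf NAME CERTDIR OUTFILE: HTTPS-only server block that an ALB target group
# (protocol HTTPS, port 443) points at. /healthz answers the target group health check.
write_nginx_conf() {
  name="$1"; certdir="$2"; out="$3"
  cat > "$out" <<EOF
server {
    listen 443 ssl;
    server_name $name;
    ssl_certificate     $certdir/backend.crt;
    ssl_certificate_key $certdir/backend.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    location = /healthz { default_type text/plain; return 200 'ok'; }
    location / { root /var/www/$name; }
}
EOF
}

# Usage with the assumed hostname; WORK defaults to a fresh temp directory.
WORK="${WORK:-$(mktemp -d)}"
make_backend_cert example.yale.edu "$WORK/tls"
write_nginx_conf example.yale.edu "$WORK/tls" "$WORK/backend.conf"
cert_cn "$WORK/tls/backend.crt"
```

Point the target group's health check at /healthz over HTTPS on port 443; because the ALB does not check the backend certificate, a health check passing says nothing about which host answered, which is why the security group rule on the target is the control that matters.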
AWS Certificate Manager (“ACM”)
You will need a valid, publicly trusted certificate on the AWS ALB; request it in the same AWS Region as the load balancer (us-east-1 in the examples below), since an ACM certificate can only be attached to a load balancer in its own Region.
You can request valid yale.edu certificates via the AWS console inside ACM. Choose email validation; ACM automatically emails YaleSites (Yale Webmaster, webmaster@yale.edu). Requests should be specific to the department and initiative, not generic, and never a wildcard for *.yale.edu.
Follow-up with an email to the YaleSites team
To: Lutinski, Robert robert.lutinski@yale.edu; Johnson, J'Vaughn jvaughn.johnson@yale.edu
Cc: Cloud Engineering cloudeng@yale.edu; webmaster@yale.edu webmaster@yale.edu
Subject: AWS Certificate Validation for - example.yale.edu
Hello,
FYI, a request for domain name owner validation is incoming: example.yale.edu. This is for the ${my-webapp-namedservice}, for use in the AWS Certificate Manager ("ACM").
Thank you,
<your name>
DNS Requests
Request public or private DNS CNAME records through the "DNS" group via a ServiceNow Incident.
Use the following template to create a DNS record and assign the ticket to the DNS group in ServiceNow (“SNOW”).
Create an Incident in ServiceNow assigned to the “Business service:” Infrastructure & Internet > Network Services > IP & DNS Support
Include the tagging/metadata for the DNS team as shown below
Short description:Create Private/Public DNS record for an AWS ALB: example.yale.edu
Hi,
Please create the following private/public DNS record(s):
CNAME:
example.yale.edu: ${ALB_DNS_NAME}. (the DNS name shown on the load balancer in the AWS console, e.g., example-yale-edu-1234567890.us-east-1.elb.amazonaws.com., copied exactly and with the trailing dot)
metadata:
Description: A concise description of your web app
Device Type: AWS ALB
Location: us-east-1
Phone number: changeme
Primary User NetID: changeme
Thanks,
Your name