Load Balancing for Yale AWS Partner Accounts

AWS Application Load Balancers (“ALB”)s

Pre-requisite Information Gathering

• Only create AWS ALBs for low-risk data web applications .

  • How to verify that data is a low risk and perform data classification - Data Classification Policy

  • Moderate risk and high risk data classification services cannot use AWS ALB, and must load balance through ITS F5 load balancing. Please open a support Incident in ServiceNow for Load Balancing.

• Low risk data do not need a Security Design Review ("SDR"):

• Verify approval from YaleSites, and/or Yale School of Medicine ("YSM") med.yale.edu domain names, for the domain name and website content

  • For Yalesites approval - *.yale.edu - email webmaster@yale.edu

  • For med.yale.edu domain names, email the YSM, ysm.editor@yale.edu

• Enter useful tag information for accounting purposes

Technical Documentation

Creating AWS ALBs with terraform

• https://github.com/YaleUniversity/yalecloud-terraform-examples

• Backend targets: create an HTTPS listener on the backend web app

  • E.g., nginx self-signed certificate listening on port 443/HTTPS

AWS Certificate Manager (“ACM”)

You will need valid certificates for AWS ALBs.

You can request valid yale.edu certificates via the AWS console inside ACM. Choose email validation, and automatically YaleSites (Yale Webmaster - webmaster@yale.edu) will be emailed. Requests should be appropriate for department and initiative, not too generic, and not wildcard for *.yale.edu.

Follow-up with an email to the YaleSites team

To: Lutinski, Robert robert.lutinski@yale.edu; Johnson, J'Vaughn jvaughn.johnson@yale.edu
Cc: Cloud Engineering cloudeng@yale.edu; webmaster@yale.edu webmaster@yale.edu
Subject: AWSCertificate Validation for - example.yale.edu

Hello,

FYI, a request for domain name owner validation is incoming: example.yale.edu.  This is for the ${my-webapp-namedservice}, for use in the AWS Certificate Manager ("ACM").
 
Thank you,

Best,
<your name>

DNS Requests

Request Public/Private DNS CNAME requests through the "DNS" group via ServiceNow Incident

Use the following template to create a DNS record and assign a ticket to the DNS group in ServiceNow (“SNOW”).

Create an Incident in Service Now assigned to the “Business service:” Infrastructure & Internet > Network Services > IP & DNS Support

Get tagging/metadata for the DNS team as show below

INC1767828
Short description:Create Private/Public DNS record for an AWS ALB: example.yale.edu

Hi,

Please create the following private/public DNS record(s):

CNAME:
hunala-app-staging.yale.edu: example-yale-edu.661617135.us-east-1.elb.amazonaws.com.

metadata:
Description: A concise description of your web app
Device Type: AWS ALB
Location: us-east-1
Phone number: changeme
Primary User NetID: changeme

Thanks,

Your name