9.2.4 (Optional) Creating an AWS EC2 Load Balancer

If multiple Access Gateway and Identity Server instances have been created and configured for clustering, you can configure an AWS EC2 load balancer for each cluster to balance the load of incoming requests across the clustered instances. A separate load balancer is used for an Identity Server cluster and an Access Gateway cluster.

The following procedures point out the differences in configuration details between the Identity Server load balancer and the Access Gateway load balancer wherever required.

Repeat the steps in Creating Target Groups, Creating an Elastic IP Address, and Creating a Load Balancer, and create separate target groups, elastic IP addresses, and load balancers for Identity Server and Access Gateway clusters.

Creating Target Groups

A target group provides a way to associate the load balancer to the IP addresses of instances (targets) among which the load will be distributed.

IMPORTANT: For each load balancer, create two target groups: one for HTTP and one for HTTPS.

For more information about target groups, see Target group.

Perform the following steps to create a target group:

  1. In the EC2 Dashboard, click Target Groups under LOAD BALANCING.

  2. Click Create target group.

  3. Specify the following details:

    Target group name: Specify a name for the target group.

    Protocol: Select TCP.

    Port: Specify the port on which the server is configured for listening.

    IMPORTANT: You need to create two separate target groups for each load balancer, one for HTTP and one for HTTPS.

    For Access Gateway, specify the following values:

    • If you are creating the target group for the HTTPS traffic, specify 443.

    • If you are creating the target group for the HTTP traffic, specify 80.

    For an Identity Server listening on the default ports of 8080/8443, specify the following values:

    • If you are creating the target group for the HTTPS traffic, specify 8443.

    • If you are creating the target group for the HTTP traffic, specify 8080.

    You can use iptables to configure the listeners on Identity Server to use other ports. See Translating Identity Server Configuration Port.

    Target type: Select ip.

    VPC: Select the same VPC that you have selected for the instances of Access Manager components.

    Health Check Settings

    Protocol: When creating a target group for the HTTPS protocol, select HTTPS. When creating a target group for the HTTP protocol, select HTTP. The load balancer uses this protocol while performing health checks.

    Path: Specify the destination path for health checks. For Identity Server, specify /nidp/app/heartbeat. For Access Gateway, specify /nesp/app/heartbeat.

    Advanced health check settings: Keep the default values.

  4. Click Create.

  5. Enable session stickiness.

    1. Select the target group you have created.

    2. In the Description tab, click Edit attributes.

    3. Select Enable for Stickiness.

  6. Add the IP addresses of instances (targets) among which load will be distributed.

    1. In the edit mode, select the Targets tab, and then click Edit.

    2. Click the + (Register targets) icon.

    3. Specify the following details:

      Network: Populated with the VPC that you have selected under VPC in Step 3.

      IP: Specify the private IP address of the Identity Server or Access Gateway instance (target) that you want to add to the load balancer.

      Port: Populated with the port value that you have specified for Port in Step 3.

    4. Click Add to list.

    5. Click Register.

    6. Repeat Step 6.b to Step 6.e and add other instances of the same component type that you want to add in the load balancer.

Creating an Elastic IP Address

An elastic IP address is a public IPv4 address, which is reachable from the Internet. Elastic IP addresses are used as the listeners for the load balancers.

  1. Click Services > EC2.

  2. Click Elastic IPs.

  3. Click Allocate new address.

  4. Click Allocate.

    A static IPv4 address is allocated that is not used by any other resource.

  5. Click Close.

Creating a Load Balancer

Perform the following steps to create a load balancer:

  1. In the left menu, click Load Balancers.

  2. Click Create Load Balancers.

  3. Click Create under Network Load Balancer.

  4. Specify the following details:

    Name: Specify a name for the load balancer.

    Scheme: Select internet-facing.

    Listeners: Specify the listener ports as follows:

    For Identity Server:

    • Load Balancer Protocol: TCP

    • Load Balancer Port: 8080

    Click Add listener and specify the following:

    • Load Balancer Protocol: TCP

    • Load Balancer Port: 8443

    For Access Gateway:

    • Load Balancer Protocol: TCP

    • Load Balancer Port: 80

    Click Add listener and specify the following:

    • Load Balancer Protocol: TCP

    • Load Balancer Port: 443

    Availability Zones

    1. Select the same VPC that you have created earlier for Access Manager components.

    2. Select the Availability Zone in which Access Manager instances are available.

      The load balancer routes traffic to the targets in the specified Availability Zones only.

    3. Select the Subnet where the Access Manager component, for which you are configuring this load balancer, is available.

    4. In Elastic IP, select the elastic IP address you created for this load balancer in Creating an Elastic IP Address.

    Tags: Do not make any change.

  5. Click Next: Configure Routing.

  6. Under Target group, specify the following details:

    Target group: Select Existing target group.

    Name: Select a target group from the list.

    You can select only one target group. For example, select the target group that you have created for the HTTP protocol.

    After creating the load balancer, you need to modify the listener port 8443 to use the target group that is configured for the HTTPS protocol. See Step 12 of this section.

    Protocol: Populated with the value that you have configured in the specified target group. Review to ensure that the value is listed correctly.

    Port: Populated with the value that you have configured in the specified target group. Review to ensure that the value is listed correctly.

    Target type: Populated with the value that you have configured in the specified target group. Review to ensure that the correct value is listed.

  7. Under Health Checks, review the following details:

    Protocol: Populated with HTTPS or HTTP based on the configuration of the target group you selected in Step 6. See Creating Target Groups.

    Path: Populated with the health URL that you configured in the target group selected in Step 6. See Creating Target Groups.

    Advanced health check settings: Keep the default values.

  8. Click Next: Register Targets.

    The list of all targets registered with the target group that you selected is displayed. You can modify this list only after creating the load balancer.

  9. Click Next: Review.

  10. Verify that the load balancer details are correct.

  11. Click Create and then click Close.

  12. Update the listener ports to use the appropriate target groups.

    1. Select the load balancer you have created.

    2. Select the Listeners tab.

      By default, both listeners (HTTP and HTTPS) are configured to forward to the same target group that you have created in Step 6 > Name.

    3. Select the HTTPS listener (8443 for Identity Server or 443 for Access Gateway).

    4. Click Actions > Edit to change the target group of the HTTPS listener.

    5. In Default target group, select the HTTPS target group for that component type (Identity Server or Access Gateway).

    6. Click Save.
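With two load balancers and four target groups, it is easy to leave a listener forwarding to the wrong target group (the state this step fixes) or a health check pointing at the wrong protocol or path. The following Python script is an added example, not part of this documentation: it checks the JSON returned by aws elbv2 describe-target-groups and aws elbv2 describe-listeners against the values given in this section. The sample data and ARNs are constructed placeholders that reproduce the state right after step 11.

```python
# Expected settings per component, taken from the procedure above.
EXPECTED = {
    "identity-server": {"http": 8080, "https": 8443, "path": "/nidp/app/heartbeat"},
    "access-gateway": {"http": 80, "https": 443, "path": "/nesp/app/heartbeat"},
}

def check_target_group(tg, component):
    """Return problems in one target group (aws elbv2 describe-target-groups shape)."""
    exp, name, port, out = EXPECTED[component], tg["TargetGroupName"], tg["Port"], []
    if tg.get("Protocol") != "TCP" or tg.get("TargetType") != "ip":
        out.append(f"{name}: protocol must be TCP and target type must be ip")
    want = {exp["https"]: "HTTPS", exp["http"]: "HTTP"}.get(port)
    if want is None:
        out.append(f"{name}: port {port} is not a {component} port")
    elif tg.get("HealthCheckProtocol") != want:
        out.append(f"{name}: health check protocol must be {want}")
    if tg.get("HealthCheckPath") != exp["path"]:
        out.append(f"{name}: health check path must be {exp['path']}")
    return out

def check_listeners(listeners, target_groups):
    """Each listener must forward to the target group on its own port (step 12)."""
    by_arn = {tg["TargetGroupArn"]: tg for tg in target_groups}
    out = []
    for lst in listeners:
        for action in lst.get("DefaultActions", []):
            tg = by_arn.get(action.get("TargetGroupArn"))
            if tg is None:
                out.append(f"listener {lst['Port']}: forwards to an unknown target group")
            elif tg["Port"] != lst["Port"]:
                out.append(f"listener {lst['Port']}: forwards to {tg['TargetGroupName']} (port {tg['Port']})")
    return out

def audit(component, target_groups, listeners):
    """Combine both checks; an empty list means the setup matches the procedure."""
    problems = [p for tg in target_groups for p in check_target_group(tg, component)]
    return problems + check_listeners(listeners, target_groups)

# Constructed sample (placeholder ARNs): the state right after step 11, before step 12.
HTTP_TG, HTTPS_TG = "arn:PLACEHOLDER:targetgroup/idp-http", "arn:PLACEHOLDER:targetgroup/idp-https"
SAMPLE_TARGET_GROUPS = [
    {"TargetGroupArn": HTTP_TG, "TargetGroupName": "idp-http", "Port": 8080, "Protocol": "TCP",
     "TargetType": "ip", "HealthCheckProtocol": "HTTP", "HealthCheckPath": "/nidp/app/heartbeat"},
    {"TargetGroupArn": HTTPS_TG, "TargetGroupName": "idp-https", "Port": 8443, "Protocol": "TCP",
     "TargetType": "ip", "HealthCheckProtocol": "HTTPS", "HealthCheckPath": "/nidp/app/heartbeat"},
]
SAMPLE_LISTENERS = [
    {"Port": 8080, "Protocol": "TCP", "DefaultActions": [{"Type": "forward", "TargetGroupArn": HTTP_TG}]},
    {"Port": 8443, "Protocol": "TCP", "DefaultActions": [{"Type": "forward", "TargetGroupArn": HTTP_TG}]},
]
```

Calling audit("identity-server", SAMPLE_TARGET_GROUPS, SAMPLE_LISTENERS) reports the 8443 listener still forwarding to idp-http; feed it the TargetGroups and Listeners arrays from the two describe commands to verify a real deployment.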