This post covers how to set up an ELB-based load balancer with multiple web servers and RDS within AWS, and how to avoid the few gotchas along the way.
To keep the basic steps simple, it is assumed that you have chosen the same availability zone everywhere it is relevant. Setting up multi-availability-zone farms will be the subject of another post.
Setup the VPC
a) Create a dedicated VPC for your website. Do not reuse an existing VPC unless you know for sure how it fits in with the existing VPC setup. Use a CIDR block of, say, 10.0.0.0/16, which gives 65,536 addresses for your VPC.
Make sure the VPC has DNS Resolution and DNS Hostnames enabled (the enableDnsSupport and enableDnsHostnames attributes), so that EC2 instances created with hostnames such as ip-10-0-1-56 resolve to their correct private IP.
b) Create the Internet Gateway for use by the VPC and attach it to the VPC created in (a). This is what lets the VPC reach the Internet, but attaching it is not enough on its own: the route table used by the subnet that will hold the ELB and web servers also needs a default route (0.0.0.0/0) pointing at the gateway, otherwise nothing in that subnet is reachable from outside.
c) Create a Security Group - this one will be for communications to the VPC and within the VPC. Name it appropriately such as MyWebsite-VPC-SecGroup. We will later create another security group for the Internet side of things. Assuming this is a LAMP/LEMP stack, you will probably have to allow
- port 22 (from your IP(s) only)
- 80, 8080 (or similar, if you are running a reverse proxy such as Varnish in front of Apache/Nginx on 8080) from within the same security group only. Enter the security group itself (its ID or name) in the Source field, so that only members of the group, i.e. the other web servers and later the ELB, can reach these ports.
- 3306 (assuming the Mysql/Aurora/MariaDB setup will use this port) from within the same security group only.
d) Create the subnets. If you are going to use Amazon RDS you will need two, in two different availability zones: RDS places every instance in a DB subnet group, and a DB subnet group must contain subnets in at least two availability zones, even for a Single-AZ instance.
Note: be careful with the CIDR block chosen for these subnets. If you create the first subnet with the same 10.0.0.0/16 CIDR you gave the VPC, it consumes every address in the VPC, and the second subnet, which must lie inside the VPC's range without overlapping the first, cannot be created. You will receive error messages similar to "CIDR block 10.0.1.0/24 overlaps with pre-existing CIDR block 10.0.0.0/16 from subnet-6afacb2c (10.0.0/16)" or "10.0.0.2/16 is not within the range of 10.0.0.1/16". To avoid those, carve smaller blocks out of the /16:
- Subnet 1 - Create this subnet with a CIDR block of say 10.0.1.0/24, which gives you 251 usable addresses (256 minus the five AWS reserves in every subnet). This subnet will be used to launch the web servers.
- Subnet 2 - Create this subnet with a CIDR block of say 10.0.2.0/24, again 251 usable addresses. Make sure you create it in a different availability zone (e.g. if the first one used ap-southeast-2a, the second one would be ap-southeast-2b). RDS requires this second-AZ subnet in its subnet group even if you place the RDS instance in the same availability zone as Subnet 1.
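The networking section above, written out as Terraform so that the CIDR arithmetic, the route to the gateway and the "from this group only" rules are explicit. This is an added example, not configuration from the original post; the region, the availability zones and the admin address 203.0.113.10/32 are assumptions, and cidrsubnet() is used to derive the two /24s from the VPC's /16 so they cannot overlap.

```hcl
# Added example: the VPC, gateway, subnets and the internal security group
# described above, as Terraform. Region, AZs and admin_cidr are assumptions.
provider "aws" {
  region = "ap-southeast-2"
}

# The address(es) allowed to SSH to the web servers. Assumed value; replace it.
variable "admin_cidr" {
  default = "203.0.113.10/32"
}

resource "aws_vpc" "site" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true # "DNS Resolution" in the console
  enable_dns_hostnames = true # "DNS Hostnames" in the console
  tags                 = { Name = "MyWebsite-VPC" }
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.site.id
}

# Attaching the gateway is not enough: the subnet's route table needs a
# default route pointing at it, or nothing in the subnet is reachable.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.site.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

# cidrsubnet() carves non-overlapping /24s out of the VPC's /16, which avoids
# the "overlaps with pre-existing CIDR block" error from the note above.
resource "aws_subnet" "web" {
  vpc_id                  = aws_vpc.site.id
  cidr_block              = cidrsubnet(aws_vpc.site.cidr_block, 8, 1) # 10.0.1.0/24
  availability_zone       = "ap-southeast-2a"
  map_public_ip_on_launch = true # web servers get a public IP for SSH from admin_cidr
}

resource "aws_subnet" "db" {
  vpc_id            = aws_vpc.site.id
  cidr_block        = cidrsubnet(aws_vpc.site.cidr_block, 8, 2) # 10.0.2.0/24
  availability_zone = "ap-southeast-2b" # second AZ: RDS needs it for its subnet group
}

resource "aws_route_table_association" "web" {
  subnet_id      = aws_subnet.web.id
  route_table_id = aws_route_table.public.id
}

# Internal group: SSH only from the admin address; everything else only from
# members of this same group (self = true), so 3306 is never open to the VPC
# at large, let alone the Internet.
resource "aws_security_group" "vpc" {
  name        = "MyWebsite-VPC-SecGroup"
  description = "Web servers and database"
  vpc_id      = aws_vpc.site.id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  dynamic "ingress" {
    for_each = [80, 8080, 3306]
    content {
      from_port = ingress.value
      to_port   = ingress.value
      protocol  = "tcp"
      self      = true
    }
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Run `terraform plan` before applying and check that the two subnet CIDRs in the plan are 10.0.1.0/24 and 10.0.2.0/24 and that no ingress rule on the internal group lists 0.0.0.0/0 other than the one you expect for port 22 (none, if admin_cidr is a single address).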
The networking setup should now be complete. We can now head to the EC2 section of AWS.
Create the Web servers and Load Balancer (ELB)
Create the second security group, MyWebsite-ELB-SecGroup, for the Internet side, and allow only:
- Port 80 from the whole world (0.0.0.0/0)
- Port 443 from the whole world; everything else stays blocked.
- Set up port forwarding (listeners) for HTTP and, if your site supports HTTPS, for HTTPS. For simple sites it's probably best to terminate HTTPS at the load balancer and have the ELB talk to the instances over plain HTTP, so the 443 listener forwards to port 80 on the instances. Two consequences to keep in mind: traffic between the ELB and the web servers is then unencrypted inside the VPC, and the application sees every request as HTTP, so it must read the X-Forwarded-Proto header the ELB adds if it needs to know the original scheme (for secure cookies, or to avoid redirect loops when forcing HTTPS).
- Stickiness. Unless the application requires it (sessions stored in local files on each web server), leave it off. This lets the ELB distribute the load evenly between the configured instances.
- Setup the instances that will be part of this ELB. These will be the web servers created earlier.
- Place the ELB in the same VPC and in the same subnet (Subnet 1) as the web servers. For an Internet-facing ELB that subnet must be a public one, i.e. its route table must have a default route to the Internet Gateway.
- Attach the ELB to two security groups, MyWebsite-VPC-SecGroup and MyWebsite-ELB-SecGroup. The latter admits traffic into the ELB from the whole world on 80 and 443; the former makes the ELB a member of the VPC group, so the instances' "from this group only" rule on port 80 accepts the ELB's forwarded traffic and its health checks, which come from the same source. Without both groups you cannot have the ELB reach the instances and keep the VPC group closed to the Internet at the same time.
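The Internet-facing group and the classic ELB from the list above, as an added Terraform example (not the post's own configuration). It assumes the VPC, Subnet 1, the VPC security group and the web server instance IDs come from the network setup and are passed in as variables, and that an ACM certificate ARN (cert_arn) exists for the HTTPS listener; stickiness is left off by simply not attaching a stickiness policy.

```hcl
# Added example: the Internet-facing security group and the ELB described
# above. Every variable here is assumed to be supplied from the network setup.
variable "vpc_id" {}
variable "web_subnet_id" {}    # Subnet 1, where the web servers live
variable "vpc_sg_id" {}        # MyWebsite-VPC-SecGroup
variable "web_instance_ids" {  # the web servers created earlier
  type = list(string)
}
variable "cert_arn" {}         # ACM certificate for the HTTPS listener (assumed)

# Open to the world on 80 and 443 only; this group is attached to the ELB,
# never to the web servers or the database.
resource "aws_security_group" "elb" {
  name        = "MyWebsite-ELB-SecGroup"
  description = "Internet-facing load balancer"
  vpc_id      = var.vpc_id

  dynamic "ingress" {
    for_each = [80, 443]
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_elb" "web" {
  name    = "MyWebsite-ELB"
  subnets = [var.web_subnet_id]
  # Both groups: the ELB group admits the Internet, membership in the VPC group
  # is what the instances' "from this group only" port-80 rule matches on.
  security_groups = [aws_security_group.elb.id, var.vpc_sg_id]
  instances       = var.web_instance_ids

  listener {
    lb_port           = 80
    lb_protocol       = "http"
    instance_port     = 80
    instance_protocol = "http"
  }

  # TLS terminates here; 443 is forwarded to the instances as plain HTTP on 80.
  listener {
    lb_port            = 443
    lb_protocol        = "https"
    instance_port      = 80
    instance_protocol  = "http"
    ssl_certificate_id = var.cert_arn
  }

  # Health checks arrive from the ELB too, so the same port-80 rule covers them.
  health_check {
    target              = "HTTP:80/"
    interval            = 30
    timeout             = 5
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }
  # No aws_lb_cookie_stickiness_policy resource: stickiness stays off, as above.
}
```

If the health check target is a page that hits the database, a database outage marks every instance unhealthy at once; pointing it at a static path keeps the two failure modes distinguishable.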
Create the RDS instance
- Based on your server sizing, pick an RDS instance size, database type (MariaDB/Aurora/Mysql) and version.
- Add to the VPC
- Set Publicly Accessible to No (most sites do not need the database reachable from the Internet; the web servers reach it through the VPC security group).
- Make sure you select the MyWebsite-VPC-SecGroup and not the ELB security group
- Select a DB subnet group that contains Subnet 1 and Subnet 2 (create one from the two subnets if it does not exist yet; RDS will refuse a group whose subnets are all in one availability zone).
- Make sure you select the same availability zone as your web servers and ELB (assuming you want them all in one).
- Deselect Multi-AZ unless you need it (it costs more but gives better availability). The subnet in the second availability zone is still needed even without Multi-AZ, and even if you never place the RDS instance there.
- Your RDS instance is now created in a subnet group spanning the two subnets, in the availability zone you chose.
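The RDS steps above as an added Terraform example, not the post's own configuration. It assumes the two subnet IDs and the VPC security group ID are passed in from the network setup, that MariaDB is the engine chosen, and that the master password is supplied from outside (marked sensitive so it does not appear in plan output). Storage encryption is switched on here as the check a practitioner would add; the post itself does not mention it.

```hcl
# Added example: DB subnet group and RDS instance as described above.
# Subnet and security group ids, engine and sizing are assumptions.
variable "web_subnet_id" {} # Subnet 1, ap-southeast-2a
variable "db_subnet_id" {}  # Subnet 2, ap-southeast-2b
variable "vpc_sg_id" {}     # MyWebsite-VPC-SecGroup, never the ELB group
variable "db_password" {
  sensitive = true          # keeps the value out of plan output
}

# RDS insists on a subnet group spanning at least two availability zones even
# for a Single-AZ instance; this is the reason Subnet 2 exists at all.
resource "aws_db_subnet_group" "site" {
  name       = "mywebsite-db-subnets"
  subnet_ids = [var.web_subnet_id, var.db_subnet_id]
}

resource "aws_db_instance" "site" {
  identifier        = "mywebsite-db"
  engine            = "mariadb"
  instance_class    = "db.t3.small" # pick from your sizing
  allocated_storage = 20
  db_name           = "mywebsite"
  username          = "dbadmin"
  password          = var.db_password

  db_subnet_group_name   = aws_db_subnet_group.site.name
  vpc_security_group_ids = [var.vpc_sg_id] # 3306 only from group members
  availability_zone      = "ap-southeast-2a" # same AZ as the web servers
  publicly_accessible    = false
  multi_az               = false

  storage_encrypted   = true
  skip_final_snapshot = true # acceptable for a test setup; drop it for real data
}
```

After apply, confirm from a web server that `mysql -h <endpoint> -u dbadmin -p` connects, and from anywhere outside the VPC that the endpoint's port 3306 does not answer; if it does, the instance was given the ELB group or Publicly Accessible was left on.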