Overview and basic concepts
- Application Load balancer is an entry-point to your application. Load balancer routes traffic to your application and integrates easily with workloads of your stack: functions, batch-jobs or container-workloads.
- Application load balancers are used to communicate with your workloads using the HTTP protocol.
- You can offload SSL/TLS (HTTPS) termination to the load-balancer instead of handling it as a part of your application.
- You can easily configure custom domain names or put CDN in front of your application-load-balancer.
When to use
An application load balancer is a good fit for many cloud applications. Whether your backend is running on container-workloads or functions thanks to high throughput and low latency, an application load balancer is ideal for high load fast performing applications.
Advantages
- Predictable pricing - Application load balancers have a predictable pricing model which can be found here. Even though application-load-balancers have fixed base price per month (as opposed to http-api-gateways, where you only pay for requests), when traffic is high application-load-balancer can be cheaper.
- Scaling - Application load balancer is designed to handle traffic as it grows and can load balance millions of requests/sec.
- Health checks - When an application load balancer is used with container-workloads, the load balancer periodically checks the health of target containers. It only sends requests to healthy ones and automatically notifies container-workload to replace unhealthy containers.
- Content based routing - If your application is composed of several individual services, application-load-balancer can route a request to a service based on the content of the request such as Host field, Path URL, HTTP header, HTTP method, Query string or Source IP address (see section Integrating with workloads).
- Ease of use - Integrate with workloads of your stack with few lines of config
- Security - You can offload SSL/TLS (HTTPS) termination to the load-balancer instead of handling it as a part of your application. This means that any communication between load-balancer and client can be encrypted.
Disadvantages
- Fixed price base - You are paying ~20$/month for application-load-balancer even if it is sitting idle. When you have low traffic application or do NOT need the advantages that application-load-balancer offers, you might try using http-api-gateway
Simple usage
No description
Type: string "application-load-balancer"
Configures accessibility of the Load balancer
Type: string ENUM
Possible values: internalinternet
internet
: Load balancer is accessible from the internetinternal
: Load balancer is accessible only from within the same VPC network To learn more about VPCs, refer to Stacktape docs
Configures custom domains for this Load balancer
Type: Array of string
Stacktape allows you to connect your custom domain names to some of your resources (HTTP API Gateways, Application Load Balancers and Buckets with CDNs).
Connecting a custom domain to the resource does 2 things:
- Creates DNS records:
- If you use your custom domain with a resource, Stacktape automatically creates a DNS record (during deploy) pointing the specified domain name to the resource.
- Adds TLS certificates
- If the origin resource (HTTP API Gateway, Application Load Balancer or CDN) uses HTTPS protocol, Stacktape takes care of issuing and attaching correct (free, AWS-managed) certificate to the resource. This means, you do not have to deal with TLS termination as it is handled by the connected resource.
- If you want to use your own certificates, you can configure
customCertificateArns
property on the load balancers listener.
To manage a custom domain, it first needs to be added to your AWS account. This means that a hosted zone (collection of records managed together for a given domain) for your domain exists in your AWS account and your domain registrar's name servers are pointing to it. To learn more, refer to Adding a domain guide.
Configures custom listeners (combinations of port and protocol) for this load balancer
Type: Array of ApplicationLoadBalancerListener
- Listeners are used to expose specific ports of the Load balancer.
- If you do not specify any listeners:
- If property
useHttps
is set to true, then two listeners are created:- HTTPS listener (port 443) - all traffic is routed to this listener
- HTTP listener (port 80) - automatically redirects to HTTPS listener
- If property
useHttps
is not set or is set to false, one listener is created:- HTTP listener (port 80) - all traffic is routed to this listener
- If property
Configures AWS Cloudfront CDN (Content Delivery Network) to be in front of your Application Load Balancer
Type: ApplicationLoadBalancerCdnConfiguration
- CDN is a globally distributed network that can cache responses from your Application Load Balancer at the edge - close to your users.
- AWS Cloudfront has 205 edge locations on 6 continents.
- The CDN is used to:
- reduce latency & improve load times
- reduce bandwidth costs
- reduce the amount of traffic coming to the origin
- improve security
- The "origin" is the resource (Application Load Balancer) to which CDN is attached. CDN caches responses from the origin at the edge for specified amount of time.
- If the content requested by the client is in the CDN cache, the CDN immediately returns it to the client without making a request to the origin.
- If the content is NOT in the cache, the CDN makes a request to the Origin. The response from the origin is then forwarded to the client, and cached at the edge.
- The CDN has its own URL endpoint.
Enables HTTPS on the load balancer (default load balancer listener)
Type: boolean
- If set to true:
- load balancer uses HTTPS protocol for the incoming connection
- all incoming HTTP protocol connections are redirected to the HTTPS
- To use this property, you also need to specify custom domain in
customDomains
property
Overrides one or more properties of the specified child resource.
Type: Object
- Child resources are specified using their cloudformation logical id (e.g.
MyBucketBucket
). - To see all configurable child resources for given Stacktape resource, use
stacktape stack-info --detailed
command. - To see the list of properties that can be overridden, refer to AWS Cloudformation docs.
Copy
serviceName: posts-api-pgresources:myLoadBalancer:type: 'application-load-balancer'basicLambda:type: functionproperties:packaging:type: stacktape-lambda-buildpackproperties:entryfilePath: 'lambdas/js-lambda.js'events:- type: application-load-balancerproperties:loadBalancerName: customLbpriority: 5paths:- '*'
Application load balancer with function integration
Using HTTPS(TLS)
- In order to use HTTPS(TLS) with your load balancers you can use property
useHttps
. - To use this property, your load balancer must have custom domain name specified. Stacktape will attach correct TLS certificate to the load balancer during deployment. See section Custom domain names to see how to use custom domain names with load balancer.
- If you are using custom listeners you cannot use
useHttps
property (see section Configure custom listeners) .
Copy
resources:myLoadBalancer:type: 'application-load-balancer'properties:customDomains:- my-app.mydomain.comuseHttps: true
Integrating with workloads
By creating event integration on a workload(container-workload, function, batch-job), you are telling application load balancer to forward requests to the workload.
Each integration must specify:
loadBalancerName
(andlistenerPort
if your load balancer uses custom listeners) that will forward requests to the integrationpriority
- priority determines order in which the integrations are evaluated by load balancer.
- load balancer evaluates integrations from lowest value to highest value.
- load balancer forwards the request to the first integration whose condition matches the request.
- condition
- condition determines which requests can be forwarded to the integration.
- condition can be composed of
path
,queryString
,headers
and other parts of request.
Following example shows two integrations:
- integration attached to mySingleContainer which forwards all requests (wildcard path
*
) to the container-workload. - integration attached to myFunction which forwards requests with URL prefixed with
/lambda-service/
to the function. - since integration on myFunction has lower priorty it is evaluated before integration on mySingleContainer
Copy
resources:myLoadBalancer:type: 'application-load-balancer'mySingleContainer:type: 'container-workload'properties:containers:- name: myContpackaging:type: stacktape-image-buildpackproperties:entryfilePath: containers/ts-container.tsenvironment:- name: PORTvalue: '80'events:- type: application-load-balancerproperties:loadBalancerName: myLoadBalancercontainerPort: 80priority: 3paths:- '*'resources:cpu: 0.25memory: 512myFunction:type: functionproperties:packaging:type: stacktape-lambda-buildpackproperties:entryfilePath: my-lambda.jsevents:- type: application-load-balancerproperties:loadBalancerName: myLoadBalancerpriority: 2paths:- '/lambda-service/*'
Application load balancer with function and container-workload integrations.
More information on integrating workloads with application load balancer can be found:
Custom domain names
Stacktape allows you to connect your custom domain names to some of your resources (HTTP API Gateways, Application Load Balancers and Buckets with CDNs).
Connecting a custom domain to the resource does 2 things:
- Creates DNS records:
- If you use your custom domain with a resource, Stacktape automatically creates a DNS record (during deploy) pointing the specified domain name to the resource.
- Adds TLS certificates
- If the origin resource (HTTP API Gateway, Application Load Balancer or CDN) uses HTTPS protocol, Stacktape takes care of issuing and attaching correct (free, AWS-managed) certificate to the resource. This means, you do not have to deal with TLS termination as it is handled by the connected resource.
- If you want to use your own certificates, you can configure
customCertificateArns
property on the load balancers listener.
To manage a custom domain, it first needs to be added to your AWS account. This means that a hosted zone (collection of records managed together for a given domain) for your domain exists in your AWS account and your domain registrar's name servers are pointing to it. To learn more, refer to Adding a domain guide.
Copy
resources:myLoadBalancer:type: 'application-load-balancer'properties:customDomains:- my-app.mydomain.comuseHttps: true
Configure custom listeners
Listeners provide a way to expose ports of application-load-balancer. They makes application-load-balancer accessible from the outside.
Listeners are listening on specified ports and forward traffic to workloads through event integrations(functions, container-workloads or batch-jobs).
- Listeners are used to expose specific ports of the Load balancer.
- If you do not specify any listeners:
- If property
useHttps
is set to true, then two listeners are created:- HTTPS listener (port 443) - all traffic is routed to this listener
- HTTP listener (port 80) - automatically redirects to HTTPS listener
- If property
useHttps
is not set or is set to false, one listener is created:- HTTP listener (port 80) - all traffic is routed to this listener
- If property
Protocol used for the listener
Type: string ENUM
Possible values: HTTPHTTPS
- If
HTTPS
protocol is used, listener needs to have SSL/TLS certificates configured. This can be achieved in 2 ways:- Configure
customDomains
to make Stacktape automatically generate and use SSL/TLS certificates. - Configure
customCertificateArns
to use custom certificate (referenced by their ARN - Amazon Resource Name)
- Configure
Port number on which the listener is accessible
Type: number
- By default,
HTTPS
connections use port443
andHTTP
connections use port80
.
Used to configure custom SSL/TLS certificates
Type: Array of string
- Configuring certificates is not necessary, if you specify
customDomains
or you don't useHTTPS
protocol for this listener.
Limits accessibility of the listener to only specific IP addresses
Type: Array of string
- By default all IP addresses are whitelisted.
Configures the behavior of the listener for request that cannot be matched to any integration.
Type: LbRedirect
- At the moment, only default action supported is
redirect
.
Copy
resources:myLoadBalancer:type: 'application-load-balancer'properties:listeners:- port: 80protocol: HTTPmyFunction:type: functionproperties:packaging:type: stacktape-lambda-buildpackproperties:entryfilePath: my-lambda.jsevents:- type: application-load-balancerproperties:loadBalancerName: myLoadBalancer# you need to specify listener port when referencing load balancer with custom listenerslistenerPort: 80priority: 5paths:- '*'
Application load balancer with single listener and function integration.
Using HTTPS with custom listeners
If you are using custom listeners, you can configure listener to use HTTPS. In order to do that you can either:
- Have custom domain name specified. Stacktape will attach correct TLS certificates (for the domain) to the listener during deployment. See section Custom domain names to see how to use custom domain names with load balancer.
Copy
resources:myLoadBalancer:type: 'application-load-balancer'properties:customDomains:- my-app.mydomain.comlisteners:- protocol: HTTPSport: 443
- Set
customCertificateArns
property to make the listener use custom certificate of your choice (you can create certificate in AWS console). In this case you also need to handle DNS records for your domain, i.e point correct domain name to the load balancer (if you use custom domains Stacktape can handle DNS records for you).
Copy
resources:myLoadBalancer:type: 'application-load-balancer'properties:listeners:- port: 443protocol: HTTPScustomCertificateArns:- arn:aws:acm:eu-west-1:999999999999:certificate/8ab817b5-c4fa-4b1d-8b72-d6082cb40351
Default listener action
Default listener action determines what to do with a request that does not match any event integration associated with this listener (see integrating with workloads).
Redirect
Type of the default action
Type: string "redirect"
HTTP redirect code
Type: string ENUM
Possible values: HTTP_301HTTP_302
- Use
HTTP_301
for permanent redirect - Use
HTTP_302
for temporary redirect
Absolute path to redirect to.
Type: string
- Starting with the leading "/".
- Not percent-encoded.
Query parameters for the redirect.
Type: string
- URL-encoded when necessary, but not percent-encoded.
- Do not include the leading "?", as it is automatically added.
- Use
Port for the redirect.
Type: number
- You can specify a value from 1 to 65535 or
#{port}
.
Hostname for the redirect.
Type: string
- Not percent-encoded.
Protocol for the redirect.
Type: string ENUM
Possible values: HTTPHTTPS
- Must be
HTTP
,HTTPS
, or#{protocol}
. - You cannot redirect
HTTPS
toHTTP
.
The following example shows application-load-balancer with two listeners:
- HTTPS listener at port 443
- HTTP listener at port 80. HTTP listener has default redirect action configured. This means that any HTTP request is automatically redirected to its HTTPS version.
Copy
resources:myLoadBalancer:type: 'application-load-balancer'properties:customDomains:- my-app.mydomain.comlisteners:- port: 443protocol: HTTPS- port: 80protocol: HTTPdefaultAction:type: redirectproperties:statusCode: HTTP_301protocol: HTTPSport: 443
CDN
You can configure AWS Cloudfront CDN (Content Delivery Network) to be in front of your application-load-balancer.
- CDN is a globally distributed network that can cache responses from your Application Load Balancer at the edge - close to your users.
- AWS Cloudfront has 205 edge locations on 6 continents.
- The CDN is used to:
- reduce latency & improve load times
- reduce bandwidth costs
- reduce the amount of traffic coming to the origin
- improve security
- The "origin" is the resource (Application Load Balancer) to which CDN is attached. CDN caches responses from the origin at the edge for specified amount of time.
- If the content requested by the client is in the CDN cache, the CDN immediately returns it to the client without making a request to the origin.
- If the content is NOT in the cache, the CDN makes a request to the Origin. The response from the origin is then forwarded to the client, and cached at the edge.
- The CDN has its own URL endpoint.
For information about using CDN refer to our CDN docs.
Referenceable parameters
The following parameters can be easily referenced using $ResourceParam directive directive.
To learn more about referencing parameters, refer to referencing parameters.
default domain name of load balancer
- Usage:
$ResourceParam('<<resource-name>>', 'domain')
Comma-separated list of custom domain names assigned to the Load balancer (only available if you use custom domain names)
- Usage:
$ResourceParam('<<resource-name>>', 'customDomains')
Default domain of the CDN distribution (only available if you DO NOT configure custom domain names for the CDN).
- Usage:
$ResourceParam('<<resource-name>>', 'cdnDomain')
Default url of the CDN distribution (only available if you DO NOT configure custom domain names for the CDN).
- Usage:
$ResourceParam('<<resource-name>>', 'cdnUrl')
Comma-separated list of custom domain names assigned to the CDN (only available if you configure custom domain names for the CDN).
- Usage:
$ResourceParam('<<resource-name>>', 'cdnCustomDomains')
Comma-separated list of custom domain name URLs of the CDN (only available if you configure custom domain names for the CDN).
- Usage:
$ResourceParam('<<resource-name>>', 'cdnCustomDomainUrls')