Stacktape

Sign up for freeSign up

Community slack channel
Discord channel
Github page

Application Load Balancers

Overview

  • Application Load balancer is an entry-point to your application. Load balancer routes traffic to your application and integrates easily with compute resources of your stack: functions, batch-jobs or multi-container-workloads.
  • Application load balancers are used to communicate with your compute resources using the HTTP protocol.
  • You can offload SSL/TLS (HTTPS) termination to the load-balancer instead of handling it as a part of your application.
  • You can easily configure custom domain names or put CDN in front of your application-load-balancer.

Under the hood

Application load balancer is an abstraction which under the hood uses AWS Application Load Balancer. By default Stacktape takes care of which ports(listeners) are open on the load balancer, but you are free to configure your own custom listeners.

When to use

An application load balancer is a good fit for many cloud applications. Whether your backend is running on multi-container-workloads or functions thanks to high throughput and low latency, an application load balancer is ideal for high load fast performing applications.

Advantages

  • Predictable pricing - Application load balancers have a predictable pricing model which can be found here. Even though application-load-balancers have fixed base price per month (as opposed to http-api-gateways, where you only pay for requests), when traffic is high application-load-balancer can be cheaper.
  • Scaling - Application load balancer is designed to handle traffic as it grows and can load balance millions of requests/sec.
  • Health checks - When an application load balancer is used with multi-container-workloads, the load balancer periodically checks the health of target containers. It only sends requests to healthy ones and automatically notifies multi-container-workload to replace unhealthy containers.
  • Content based routing - If your application is composed of several individual services, application-load-balancer can route a request to a service based on the content of the request such as Host field, Path URL, HTTP header, HTTP method, Query string or Source IP address (see section Integrating with compute resources).
  • Ease of use - Integrate with compute resources of your stack with few lines of config
  • Security - You can offload SSL/TLS (HTTPS) termination to the load-balancer instead of handling it as a part of your application. This means that any communication between load-balancer and client can be encrypted.

Disadvantages

  • Fixed price base - You are paying ~20$/month for application-load-balancer even if it is sitting idle. When you have low traffic application or do NOT need the advantages that application-load-balancer offers, you might try using http-api-gateway

Simple usage

ApplicationLoadBalancer  API reference
type
Required
properties.interface
Default: internet
properties.customDomains
properties.listeners
properties.cdn
properties.useHttps
properties.alarms
properties.disabledGlobalAlarms
properties.useFirewall
overrides

Copy
serviceName: posts-api-pg


resources:
  myLoadBalancer:
    type: 'application-load-balancer'


  basicLambda:
    type: function
    properties:
      packaging:
        type: stacktape-lambda-buildpack
        properties:
          entryfilePath: 'lambdas/js-lambda.js'
      events:
        - type: application-load-balancer
          properties:
            loadBalancerName: customLb
            priority: 5
            paths:
              - '*'

Application load balancer with function integration

Using HTTPS(TLS)

  • In order to use HTTPS(TLS) with your load balancers you can use property useHttps.
  • To use this property, your load balancer must have custom domain name specified. Stacktape will attach correct TLS certificate to the load balancer during deployment. See section Custom domain names to see how to use custom domain names with load balancer.
  • If you are using custom listeners you cannot use useHttps property (see section Configure custom listeners) .

Copy
resources:
  myLoadBalancer:
    type: 'application-load-balancer'
    properties:
      customDomains:
        - my-app.mydomain.com
      useHttps: true

Integrating with compute resources

By creating event integration on a workload(multi-container-workload, function, batch-job), you are telling application load balancer to forward requests to the workload.

Each integration must specify:

  • loadBalancerName (and listenerPort if your load balancer uses custom listeners) that will forward requests to the integration
  • priority
    • priority determines order in which the integrations are evaluated by load balancer.
    • load balancer evaluates integrations from lowest value to highest value.
    • load balancer forwards the request to the first integration whose condition matches the request.
  • condition
    • condition determines which requests can be forwarded to the integration.
    • condition can be composed of path, queryString, headers and other parts of request.

Following example shows two integrations:

  • integration attached to mySingleContainer which forwards all requests (wildcard path *) to the multi-container-workload.
  • integration attached to myFunction which forwards requests with URL prefixed with /lambda-service/ to the function.
  • since integration on myFunction has lower priority it is evaluated before integration on mySingleContainer

Copy
resources:
  myLoadBalancer:
    type: 'application-load-balancer'


  mySingleContainer:
    type: 'multi-container-workload'
    properties:
      containers:
        - name: myCont
          packaging:
            type: stacktape-image-buildpack
            properties:
              entryfilePath: containers/ts-container.ts
          environment:
            - name: PORT
              value: '80'
          events:
            - type: application-load-balancer
              properties:
                loadBalancerName: myLoadBalancer
                containerPort: 80
                priority: 3
                paths:
                  - '*'
      resources:
        cpu: 0.25
        memory: 512


  myFunction:
    type: function
    properties:
      packaging:
        type: stacktape-lambda-buildpack
        properties:
          entryfilePath: my-lambda.js
      events:
        - type: application-load-balancer
          properties:
            loadBalancerName: myLoadBalancer
            priority: 2
            paths:
              - '/lambda-service/*'

Application load balancer with function and multi-container-workload integrations.

More information on integrating compute resources with application load balancer can be found:

Custom domain names

Stacktape allows you to connect your custom domain names to some of your resources (Web Service, HTTP API Gateways, Application Load Balancers and Buckets with CDNs).

Connecting a custom domain to the resource does 2 things:

  • Creates DNS records:
    • If you use your custom domain with a resource, Stacktape automatically creates a DNS record (during deploy) pointing the specified domain name to the resource.
  • Adds TLS certificates
    • If the origin resource (HTTP API Gateway, Application Load Balancer or CDN) uses HTTPS protocol, Stacktape takes care of issuing and attaching correct (free, AWS-managed) certificate to the resource. This means, you do not have to deal with TLS termination as it is handled by the connected resource.
    • If you want to use your own certificates, you can configure customCertificateArns.

To manage a custom domain, it first needs to be added to your AWS account. This means that a hosted zone (collection of records managed together for a given domain) for your domain exists in your AWS account and your domain registrar's name servers are pointing to it. To learn more, refer to Adding a domain guide.

Copy
resources:
  myLoadBalancer:
    type: 'application-load-balancer'
    properties:
      customDomains:
        - my-app.mydomain.com
      useHttps: true

Configure custom listeners

  • Listeners provide a way to expose ports of application-load-balancer. They makes application-load-balancer accessible from the outside.

  • Listeners are listening on specified ports and forward traffic to compute resources through event integrations(functions, multi-container-workloads or batch-jobs).

  • Listeners are used to expose specific ports of the Load balancer.
  • If you do not specify any listeners:
    • If property useHttps is set to true, then two listeners are created:
      • HTTPS listener (port 443) - all traffic is routed to this listener
      • HTTP listener (port 80) - automatically redirects to HTTPS listener
    • If property useHttps is not set or is set to false, one listener is created:
      • HTTP listener (port 80) - all traffic is routed to this listener
ApplicationLoadBalancerListener  API reference
Parent:ApplicationLoadBalancer
protocol
Required
port
Required
customCertificateArns
whitelistIps
defaultAction

Copy
resources:
  myLoadBalancer:
    type: 'application-load-balancer'
    properties:
      listeners:
        - port: 80
          protocol: HTTP


  myFunction:
    type: function
    properties:
      packaging:
        type: stacktape-lambda-buildpack
        properties:
          entryfilePath: my-lambda.js
      events:
        - type: application-load-balancer
          properties:
            loadBalancerName: myLoadBalancer
            # you need to specify listener port when referencing load balancer with custom listeners
            listenerPort: 80
            priority: 5
            paths:
              - '*'

Application load balancer with single listener and function integration.

Using HTTPS with custom listeners

If you are using custom listeners, you can configure listener to use HTTPS. In order to do that you can either:

  1. Have custom domain name specified. Stacktape will attach correct TLS certificates (for the domain) to the listener during deployment. See section Custom domain names to see how to use custom domain names with load balancer.

Copy
resources:
  myLoadBalancer:
    type: 'application-load-balancer'
    properties:
      customDomains:
        - my-app.mydomain.com
      listeners:
        - protocol: HTTPS
          port: 443

  1. Set customCertificateArns property to make the listener use custom certificate of your choice (you can create certificate in AWS console). In this case you also need to handle DNS records for your domain, i.e point correct domain name to the load balancer (if you use custom domains Stacktape can handle DNS records for you).

Copy
resources:
  myLoadBalancer:
    type: 'application-load-balancer'
    properties:
      listeners:
        - port: 443
          protocol: HTTPS
          customCertificateArns:
            - arn:aws:acm:eu-west-1:999999999999:certificate/8ab817b5-c4fa-4b1d-8b72-d6082cb40351

Default listener action

Default listener action determines what to do with a request that does not match any event integration associated with this listener (see Integrating with compute resources).

Redirect

LbRedirect  API reference
Parent:ApplicationLoadBalancerListener
type
Required
properties.statusCode
Required
properties.path
properties.query
properties.port
properties.host
properties.protocol

The following example shows application-load-balancer with two listeners:

  • HTTPS listener at port 443
  • HTTP listener at port 80. HTTP listener has default redirect action configured. This means that any HTTP request is automatically redirected to its HTTPS version.

Copy
resources:
  myLoadBalancer:
    type: 'application-load-balancer'
    properties:
      customDomains:
        - my-app.mydomain.com
      listeners:
        - port: 443
          protocol: HTTPS
        - port: 80
          protocol: HTTP
          defaultAction:
            type: redirect
            properties:
              statusCode: HTTP_301
              protocol: HTTPS
              port: 443

CDN

You can configure AWS Cloudfront CDN (Content Delivery Network) to be in front of your application-load-balancer.

  • CDN is a globally distributed network that can cache responses from your Application Load Balancer at the edge - close to your users.
  • AWS Cloudfront has 205 edge locations on 6 continents.
  • The CDN is used to:
    • reduce latency & improve load times
    • reduce bandwidth costs
    • reduce the amount of traffic coming to the origin
    • improve security
  • The "origin" is the resource (Application Load Balancer) to which CDN is attached. CDN caches responses from the origin at the edge for specified amount of time.
  • If the content requested by the client is in the CDN cache, the CDN immediately returns it to the client without making a request to the origin.
  • If the content is NOT in the cache, the CDN makes a request to the Origin. The response from the origin is then forwarded to the client, and cached at the edge.
  • The CDN has its own URL endpoint.

For information about using CDN refer to our CDN docs.

Using firewall

You can use web-app-firewall to protect your resources from common web exploits that could affect application availability, compromise security, or consume excessive resources.

To lean more, check web-app-firewall documentation.

Copy
resources:
  myFirewall:
    type: web-app-firewall
    properties:
      scope: regional
  myLoadBalancer:
    type: 'application-load-balancer'
    properties:
      useFirewall: myFirewall

Referenceable parameters

The following parameters can be easily referenced using $ResourceParam directive directive.

To learn more about referencing parameters, refer to referencing parameters.

domain

  • default domain name of load balancer

  • Usage: $ResourceParam('<<resource-name>>', 'domain')
customDomains

  • Comma-separated list of custom domain names assigned to the Load balancer (only available if you use custom domain names)

  • Usage: $ResourceParam('<<resource-name>>', 'customDomains')
cdnDomain

  • Default domain of the CDN distribution (only available if you DO NOT configure custom domain names for the CDN).

  • Usage: $ResourceParam('<<resource-name>>', 'cdnDomain')
cdnUrl

  • Default url of the CDN distribution (only available if you DO NOT configure custom domain names for the CDN).

  • Usage: $ResourceParam('<<resource-name>>', 'cdnUrl')
cdnCustomDomains

  • Comma-separated list of custom domain names assigned to the CDN (only available if you configure custom domain names for the CDN).

  • Usage: $ResourceParam('<<resource-name>>', 'cdnCustomDomains')
cdnCustomDomainUrls

  • Comma-separated list of custom domain name URLs of the CDN (only available if you configure custom domain names for the CDN).

  • Usage: $ResourceParam('<<resource-name>>', 'cdnCustomDomainUrls')

Need help? Ask a question on SlackDiscord or info@stacktape.com.