ALB 支援 SNI

AWS 宣佈 ALB 支援 SNI 了:「Application Load Balancers Now Support Multiple TLS Certificates With Smart Selection Using SNI」。

不過這篇比較有趣的是,他範例用的是 VimIsBetterThanEmacs.comVimIsTheBest.com 這兩個網域名稱 XDDD:

I’ll use a few example websites like VimIsBetterThanEmacs.com and VimIsTheBest.com. I’ve purchased and hosted these domains on Amazon Route 53, and provisioned two separate certificates for them in AWS Certificate Manager (ACM). If I want to securely serve both of these sites through a single ALB, I can quickly add both certificates in the console.

AWS NLB 也可以指定 IP address 當後端了

月初的時候 AWS ALB 支援 IP address 當後端 (AWS ALB 可以設定 IP address 當作後端伺服器了),然後推出 AWS NLB (AWS 推出新的 Load Balancer:NLB (Network Load Balancer)),然後這個功能也被做到 NLB 上了:「Elastic Load Balancing: Network Load Balancer now supports load balancing to IP addresses as targets for AWS and on-premises resources」。

就如同說明的,這樣可以透過 VPN 架構 (無論是 AWS Direct Connect 或是一般的 IPsec VPN) 共用機房與雲端上的資源:

We are pleased to announce that Network Load Balancers can now distribute traffic to AWS resources using their IP addresses as targets in addition to the instance IDs. You can now also load balance to resources in on-premises locations reachable over AWS Direct Connect and resources in EC2-Classic. Load balancing across AWS and on-premises resources using the same load balancer makes it easy for you to migrate-to-cloud, burst-to-cloud, or failover-to-cloud.

除了中國區以外的 region 都可以用這個功能了:

Load balancing using IP addresses is available today for existing and new Network Load Balancers in all public AWS regions except the China (Beijing) region. You can get started using the AWS Management Console, AWS Command Line Interface (CLI), or AWS SDK.

AWS 推出新的 Load Balancer:NLB (Network Load Balancer)

從一開始推出的 ELB (Elastic Load Balancer),到 ALB (Application),現在則推出了 NLB (Network):「New Network Load Balancer – Effortless Scaling to Millions of Requests per Second」。

有這些特性:

  1. Static IP Addresses
  2. Zonality
  3. Source Address Preservation
  4. Long-running Connections
  5. Failover

雖然不能確定 AWS 用的技術是什麼,但這裡面有好幾個很明顯就是 DSR (Direct Server Return) 架構的特性 (包括了限制與優點)。

另外也因為不用處理 L7 的內容,效能比起 ELB/ALB 好很多,夠大的用量下,價錢也低不少。對於不少非 HTTP/HTTPS 的應用應該很好用,就算是 HTTP/HTTPS,單純一點的應用應該也不錯...

AWS ALB 可以設定 IP address 當作後端伺服器了

AWS ALB 推出直接設定 IP address 當作後端伺服器的功能:「New – Application Load Balancing via IP Address to AWS & On-Premises Resources」。

ip – Targets are registered as IP addresses. You can use any IPv4 address from the load balancer’s VPC CIDR for targets within load balancer’s VPC and any IPv4 address from the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) or the RFC 6598 range (100.64.0.0/10) for targets located outside the load balancer’s VPC (this includes Peered VPC, EC2-Classic, and on-premises targets reachable over Direct Connect or VPN).

這樣就能拿 ALB 當 load balancer 把部份內容接到自己機房內的伺服器群了,一種隨便串的概念... (可以透過 AWS Direct Connect 或是 VPN 直接串,所以對外的部份就直接是 AWS 端,對內要怎麼接就隨便接...)

CodeDeploy 跟 ELB/ALB 整合了...

看到 CodeDeployELB/ALB 整合的消息:「AWS CodeDeploy now integrates with Elastic Load Balancer」。

不過看同事在「AWS 替 CodeDeploy 加入 Load balancer 的功能」這邊提到的效能問題,看起來頗慘...

至少是個整合後的方法... 也許之後會改善吧。

ALB (Application Load Balancer) 支援對 Host 的分流了

大概是有時候 cluster 太小,ELB 或是 ALB 的費用反而比 cluster 還貴,再加上 ALB 提供起來算方便,所以就推出這樣的功能了:「New – Host-Based Routing Support for AWS Application Load Balancers」。

現在可以針對 Host 欄位決定導到不同的 cluster 上了:

然後讓 ALB 可以設的 rule 數量增加:

As part of today’s launch we are raising the maximum number of rules per Application Load Balancer from 10 to 75, and also introducing a new rule editor.

這個功能有種微妙的感覺 XDDD

AWS 正式進入 IPv6 的世界

AWS 總算是進入全面支援 IPv6 了:「AWS IPv6 Update – Global Support Spanning 15 Regions & Multiple AWS Services」。

之前不少服務都支援了,主要是差 EC2 與新出的 ALB,這一次大量服務都上了 IPv6 (但還不是全部),算是讓 AWS 正式進入 IPv6 的世界:

Today I am happy to share the news that IPv6 support for EC2 instances in VPCs is now available in a total of fifteen regions, along with Application Load Balancer support for IPv6 in nine of those regions.

AWS 的 ALB (Application Load Balancer)

前幾天跟 AWS 的人開會的時候得知 ALB 的 beta program,今天就看到正式公開的消息了:「New – AWS Application Load Balancer」。

最主要的是對 WebSockets 與 HTTP/2 的支援,這個需求都喊很久了:

WebSocket allows you to set up long-standing TCP connections between your client and your server. This is a more efficient alternative to the old-school method which involved HTTP connections that were held open with a “heartbeat” for very long periods of time. WebSocket is great for mobile devices and can be used to deliver stock quotes, sports scores, and other dynamic data while minimizing power consumption. ALB provides native support for WebSocket via the ws:// and wss:// protocols.

HTTP/2 is a significant enhancement of the original HTTP 1.1 protocol. The newer protocol feature supports multiplexed requests across a single connection. This reduces network traffic, as does the binary nature of the protocol.

另外是 url routing,不過目前看起來只能設 10 條,我猜可以問問能不能加吧:

An Application Load Balancer has access to HTTP headers and allows you to route requests to different backend services accordingly. For example, you might want to send requests that include /api in the URL path to one group of servers (we call these target groups) and requests that include /mobile to another. Routing requests in this fashion allows you to build applications that are composed of multiple microservices that can run and be scaled independently.

As you will see in a moment, each Application Load Balancer allows you to define up to 10 URL-based rules to route requests to target groups. Over time, we plan to give you access to other routing methods.

再來是改善了之前抱怨很多的 health check:

Application Load Balancers can perform and report on health checks on a per-port basis. The health checks can specify a range of acceptable HTTP responses, and are accompanied by detailed error codes.

改進了不少東西...

AWS 也推出免費的 SSL Certificate 給 ELB 與 CloudFront 用了

AWS 推出免費的 SSL Certificate 服務 AWS Certificate Manager:「New – AWS Certificate Manager – Deploy SSL/TLS-Based Apps on AWS」。

目前宣佈只有在 us-east-1 可以用,不過實際測試會發現包括 CloudFront

AWS Certificate Manager (ACM) is available now in the US East (Northern Virginia) region, with additional regions in the works. You can provision, deploy, and renew certificates at no charge.

可以看到是 Amazon 是找 Starfield 搞定的:

$ openssl s_client -servername i.kfs.io -connect d2c884gdd5bajy.cloudfront.net:443
CONNECTED(00000003)
depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = *.kfs.io
verify return:1

使用的是傳統的 e-mail 認證:

連買憑證的成本都可以省下來了,而且比起以前要自己用 aws-cli 在 command line 裡上傳 key & certificate 來的簡單多了。

EC2 與 ELB 將會有更長的 Resource ID

EC2ELB 將會有更長的 Resource ID:「Heads-Up – Longer EC2 & EBS Resource IDs Coming in 2016」。

重點在這段:

The new IDs will be the same format as existing IDs, but longer. The current ID format is a resource identifier followed by an 8-character string, and the new format will be the same resource identifier followed by a 17-character string.

本來是 8 chars,之後會變成 17 chars。而用 SDK 的人只要更新到新版就可以了:

The SDKs are already compatible with longer IDs and don’t require any updates.

預定在 2016 年發生:

My colleague Angela Chapman wrote the guest post below to make you aware of longer instance, reservation, volume, and snapshot IDs that we will be rolling out in 2016.