
In AWS, we deployed a backend service (API) behind an internal ALB. The frontend (Web UI) calls the API and also needs to be accessed from the internal enterprise network. It should be bound to Route 53.

We use a VPN in our enterprise, and DirectConnect to connect to the AWS VPC, so we can use private IPs to access the internal ALB resources in AWS.

Now we want to bind the existing internal ALB's DNS name to a domain in Route 53. Is that possible if we use only the internal ALB?

Maybe the current internal ALB can't serve this purpose. If so, we will add a second, internet-facing ALB and bind that one to Route 53.

If we set up both kinds of ALB and deploy with ECS, how do we do blue/green deployment for the two different target security groups?

  • Your question is quite confusing. Can you please edit your question to include a diagram, and ideally edit your question to be a bit more precise? Can your enterprise network access the system using the public-facing ALB? Do you have VPN / DirectConnect in place? We will need more information to help you.
    – Tim
    Commented Feb 11, 2022 at 7:25
  • @Tim Thank you. I added a diagram link to the question. My enterprise network can access the system under the public ALB. We are using DirectConnect between on-premises and AWS. Also, we have a VPN, so we want to access the system under the VPN. The green items are what I want to add this time. Do I need them? That's why I asked about the best design. Commented Feb 11, 2022 at 11:49
  • You are stating what you think you need to do. A better way to write a question is to say the current state in words, with a diagram, and your target state. You haven't done that; you've given a design without clearly explaining current / target states. I think currently you have a system that you access over DirectConnect with a VPN, where you hit an ALB using private IPs. I think you want another set of servers behind another ALB that is public facing. Why would you want another target group? That would make this independent of the original solution. Please revise your question for clarity.
    – Tim
    Commented Feb 11, 2022 at 17:54
  • @Tim Thank you for your comment again. I edited the question above. In short, we are now using an internal ALB and want to bind it to Route 53; do we need to create an internet-facing ALB to do that? If necessary, we will use both. It would be great if the 2 ALBs could use the same target groups. Commented Feb 12, 2022 at 1:12
  • The easiest option is probably a second ALB using the same target group. I suspect there's probably a way to use the same ALB for both public and private, but I haven't tried to do that; maybe associating the ALB with both public and private subnets. I'd have to experiment a bit to work that out. How you do blue / green could be tricky with two ALBs.
    – Tim
    Commented Feb 12, 2022 at 3:48

1 Answer

My initial suggestion is to:

  • Create a new public facing ALB
  • Route enterprise traffic over DirectConnect using a public VIF to the ALB
  • Use the existing target group
  • Use standard green / blue techniques

There may be better ways to do this, I'd have to give it a bit of thought. Others might have better ideas.
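As an added worked example (not part of the question, the comments or the answer above), the following Terraform sketches the two paths discussed. First, the "bind the internal ALB to Route 53" case: an alias record in a private hosted zone pointing at the existing internal ALB, plus a Route 53 Resolver inbound endpoint so on-premises DNS servers reached over DirectConnect/VPN can forward queries for that zone. Second, the internet-facing ALB: its security group admits only the enterprise's public egress ranges, so adding it does not silently expose the API to the whole internet. Because an ALB target group can be attached to only one load balancer, the public ALB gets its own target group and the ECS service is registered with both target groups, which is how one task set can sit behind both ALBs. All names, CIDRs, subnet, zone, certificate and cluster identifiers are placeholders, and the existing internal ALB and its target group are looked up rather than created.

```hcl
# Added example, not the question's or answer's own configuration.
# Placeholders: replace every variable default with your own values.
variable "vpc_id"                 { type = string }
variable "public_subnet_ids"      { type = list(string) }  # for the internet-facing ALB
variable "private_subnet_ids"     { type = list(string) }  # for ECS tasks and the resolver endpoint
variable "private_zone_id"        { type = string }        # private hosted zone, e.g. internal.example.com
variable "enterprise_egress_cidrs" { type = list(string) } # enterprise public IPs seen on the public VIF
variable "onprem_dns_cidrs"       { type = list(string) }  # on-prem DNS servers reaching the resolver endpoint
variable "certificate_arn"        { type = string }
variable "ecs_cluster_arn"        { type = string }
variable "task_definition_arn"    { type = string }
variable "task_security_group_id" { type = string }

# --- Path 1: existing internal ALB, bound to a name in the private hosted zone ---
data "aws_lb" "internal"              { name = "api-internal" }          # assumed existing
data "aws_lb_target_group" "internal" { name = "api-internal-tg" }       # assumed existing

resource "aws_route53_record" "api_internal" {
  zone_id = var.private_zone_id
  name    = "api.internal.example.com"
  type    = "A"
  alias {
    name                   = data.aws_lb.internal.dns_name
    zone_id                = data.aws_lb.internal.zone_id
    evaluate_target_health = true
  }
}

# On-prem resolvers forward "internal.example.com" to these endpoint IPs over DirectConnect/VPN.
resource "aws_security_group" "resolver" {
  name   = "route53-resolver-inbound"
  vpc_id = var.vpc_id
  ingress { from_port = 53 to_port = 53 protocol = "udp" cidr_blocks = var.onprem_dns_cidrs }
  ingress { from_port = 53 to_port = 53 protocol = "tcp" cidr_blocks = var.onprem_dns_cidrs }
  egress  { from_port = 0  to_port = 0  protocol = "-1"  cidr_blocks = ["0.0.0.0/0"] }
}

resource "aws_route53_resolver_endpoint" "inbound" {
  name               = "enterprise-inbound"
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.resolver.id]
  ip_address { subnet_id = var.private_subnet_ids[0] }
  ip_address { subnet_id = var.private_subnet_ids[1] }
}

# --- Path 2: second, internet-facing ALB reached via the public VIF ---
# Ingress is restricted to the enterprise egress ranges; the listener is HTTPS only.
resource "aws_security_group" "public_alb" {
  name   = "api-public-alb"
  vpc_id = var.vpc_id
  ingress { from_port = 443 to_port = 443 protocol = "tcp" cidr_blocks = var.enterprise_egress_cidrs }
  egress  { from_port = 0   to_port = 0   protocol = "-1"  cidr_blocks = ["0.0.0.0/0"] }
}

resource "aws_lb" "public" {
  name               = "api-public"
  internal           = false
  load_balancer_type = "application"
  security_groups    = [aws_security_group.public_alb.id]
  subnets            = var.public_subnet_ids
}

# A target group belongs to exactly one load balancer, so the public ALB needs its own.
resource "aws_lb_target_group" "public" {
  name        = "api-public-tg"
  port        = 8080
  protocol    = "HTTP"
  vpc_id      = var.vpc_id
  target_type = "ip"          # Fargate tasks register by IP
  health_check { path = "/healthz" }
}

resource "aws_lb_listener" "public_https" {
  load_balancer_arn = aws_lb.public.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.public.arn
  }
}

# One ECS service registered with both target groups: the same tasks serve both ALBs.
resource "aws_ecs_service" "api" {
  name            = "api"
  cluster         = var.ecs_cluster_arn
  task_definition = var.task_definition_arn
  desired_count   = 2
  launch_type     = "FARGATE"
  network_configuration {
    subnets         = var.private_subnet_ids
    security_groups = [var.task_security_group_id]
  }
  load_balancer {
    target_group_arn = data.aws_lb_target_group.internal.arn
    container_name   = "api"
    container_port   = 8080
  }
  load_balancer {
    target_group_arn = aws_lb_target_group.public.arn
    container_name   = "api"
    container_port   = 8080
  }
}
```

Two design points worth checking before applying this: the task security group should accept port 8080 only from the two ALB security groups, not from the VPC at large, and the public ALB's ingress list must be reviewed whenever the enterprise's egress ranges change, since an overly broad CIDR there is what turns "internet-facing but enterprise-only" into "internet-facing". With one ECS service behind both ALBs, a rolling deployment updates both paths together; a CodeDeploy-style blue/green with separate target group pairs per ALB is a larger change and is not shown here.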
