I have a MERN stack application hosted on AWS Elastic Beanstalk. I have a static IP address and 2 listeners (load balancer) for ports 80 and 443 to make my app work on HTTPS only and not HTTP.
So far everything works perfectly fine, but I was wondering whether there is a way I can remove the load balancer while the behavior remains the same. It's not a high-demand app and I don't want to spend $16 a month just for a balancer.
I am open to making any changes to the app itself or my AWS configs.
Not sure if I need to provide more information, so please let me know if I missed anything.
Thank you
If you want to remove the load balancer and are going to have a single instance, you can follow the documentation below from AWS to allow HTTPS on a single instance:
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance.html
I set up a load balancer following these instructions. The network endpoint group points to an AppEngine app and everything runs smoothly.
Now, I ported that same AppEngine app to a Cloud Run service. It deploys and works perfectly using the xxxx.run.app URL. Then I updated the network endpoint group to use the Cloud Run instead of AppEngine, and after a few minutes when calling the load balancer I get this error:
404. That’s an error.
The requested URL was not found on this server. That’s all we know.
(and the little broken robot :) )
I don't see logs in Cloud Run, so it means it doesn't even get to the Cloud Run instance. I changed it back to AppEngine and after a couple of minutes it works fine.
Is there anything else or different I need to set up for Google Cloud Run?
Thanks!
Try not to use europe-west1 region. I was facing the exact same problem, and got the LB in front of a serverless cloud run NEG working when I switched everything to europe-west4 or us-central1, for example.
I have just experienced the same problem. I wanted to have separate load balancers for two separate serverless services. When both were set up in the same region it did not work. After setting up everything on the load balancer side (neg, be-service) in a separate region, it worked as expected.
I did not change regions for the actual service which the be-service points towards.
Try to access your load balancer external ip address with "https" or "http":
For example:
https://33.149.231.37/
http://33.149.231.37/
Maybe this is a really basic question, but how do you architect your system such that your single page application is hosted on premise with some hostname, say mydogs.com, but you want to host your application services code in the cloud (as well as the database)? For example, let's say you spin up an Amazon EC2 Container Service using Docker and it is running a NodeJS server. The hostnames will all have ec2_some_id.amazon.com. What system sits in front of the Amazon EC2 instance where my AngularJS app connects to? What architecture facilitates this type of app? Especially AWS-based services.
One of the important aspects of setting up the web application and the backend is to serve it using a single domain, avoiding cross-origin requests (CORS). To do this, you can use AWS CloudFront as a proxy, where the routing happens based on URL paths.
For example, you can point the root domain to index.html while /api/* requests go to the backend endpoint running in EC2. Sample diagram of the architecture is shown below.
Also, it's important for your Angular application to have full URL paths. One of the challenges of having these is that, for routes such as /home, /about, etc., it will reload a page from the backend for that particular path. Since it's a single page application, you won't have server pages for /home, /about, etc. This is where you can set up error pages in CloudFront so that all the not-found routes can also be forwarded to index.html (which serves the AngularJS app).
The only thing you need to care about is the CORS on whatever server you use to host your backend in AWS.
More Doc on CORS:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Hope it helps.
A good approach is to have two separate instances. That is, an instance to serve your API (Application Program Interface) and another one to serve your SPA (Single Page Application).
For the API server you may want a more robust service because it's the one that will suffer the most, receiving tons of requests from all client instances, so this one needs to have more performance, band, etc. In addition, you probably want your API server to be scalable when needed (depends on the load over it); maybe not, but it is something to keep in mind if your application is supposed to grow fast. So you may invest a little bit more in this one.
The SPA server, on the other hand, is the one that will only serve static resources (if you're not using server-side rendering), so this one is supposed to be cheaper (if not free). Furthermore, all it does is serve the application resources once; the application actually runs on the client and most files will end up being cached by the browser. So you don't need to invest much in this one.
Anyhow, your question about which service will fit better for this type of application can't be answered because it doesn't define much about that; you may find the one that fits the requisites you want in terms of how your application will be consumed by the clients, like how many requests, downloads, or storage your app needs.
Amazon EC2 instance types
How do I host my dynamic Angular web app on an AWS EC2 instance and access it through a browser? Adding custom inbound rules didn't work for me. Maybe I have done it wrong. Can someone explain the process to be followed?
Assuming that you have configured a web server (Nginx/Apache, etc.) correctly on your EC2 instance on a certain port (e.g. port 80), check your EC2 security group configurations.
In the above picture, you might set SSH to access only from your IP rather than from Anywhere.
I have many microservices in App Engine only for internal use. But, by default, App Engine opens the service-project.appspot.com domain to the public, and anyone can access them via HTTP or HTTPS.
Is there a way to restrict access to only certain IP addresses?
The trivial way I can think of is checking the source IP address in application code.
Or, I can create a custom Docker image with an nginx configuration which checks the source IP address. But these are not quite clean solutions, because access control is actually independent from the application, and I don't want to hard-code static IP addresses inside the container.
I assumed there is a way to set up a firewall rule for App Engine, but I could not find it. Identity-Aware Proxy seems like another option, but it is not available for App Engine flex.
I know this is cold comfort, but we're working on re-enabling App Engine flex support for IAP. It's going to be more than just a few days, though.
https://cloud.google.com/appengine/docs/flexible/java/migrating#users has some options that might be more palatable than hardcoding IPs. You won't be able to use GCE firewall rules because the appspot.com traffic is coming through Cloud HTTP Load Balancer, so the GCE instance firewall only sees the IP of the load balancer. If you do want to verify IPs within your app, use X-Forwarded-For as described at https://cloud.google.com/compute/docs/load-balancing/http/#components .
Hope this helps! --Matthew, Cloud IAP engineer
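An added example (not part of the original answer) of verifying the caller's IP from `X-Forwarded-For` behind the load balancer. It assumes the load balancer appends `<client-ip>,<load-balancer-ip>` to any value the client supplied, so only the second-to-last entry is trusted; the function names, allowlist ranges and sample addresses are constructed for illustration.

```javascript
// Constructed allowlist (documentation ranges); load from config in practice.
const ALLOWED_CIDRS = ['203.0.113.0/24', '198.51.100.7/32'];

// Assumption: the load balancer appends exactly two entries,
// <client-ip>,<load-balancer-ip>, after anything the client sent itself.
const TRUSTED_HOPS = 2;

// Parse a dotted-quad IPv4 address to an integer, or null if malformed.
function parseIpv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

function inCidr(ipInt, cidr) {
  const [base, bits] = cidr.split('/');
  const size = 2 ** (32 - Number(bits));
  const start = Math.floor(parseIpv4(base) / size) * size;
  return ipInt >= start && ipInt < start + size;
}

// Return the entry the load balancer wrote for the connecting client.
// Entries to its left are client-controlled and must not be trusted.
function clientIpFromXff(header) {
  if (typeof header !== 'string') return null;
  const parts = header.split(',').map((p) => p.trim()).filter(Boolean);
  if (parts.length < TRUSTED_HOPS) return null;
  return parts[parts.length - TRUSTED_HOPS];
}

// Fail closed: missing header, malformed or non-IPv4 address => denied.
function isAllowed(header) {
  const ip = clientIpFromXff(header);
  const ipInt = ip === null ? null : parseIpv4(ip);
  return ipInt !== null && ALLOWED_CIDRS.some((c) => inCidr(ipInt, c));
}
```

A request that arrives with its own `X-Forwarded-For: 203.0.113.9` still resolves to the address the load balancer observed, so a forged leftmost entry does not pass the check.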
I know the Google App Engine docs say you can only have HTTPS on your foo.appspot.com domain, not with a custom domain.
But is it possible (and safe) to host a custom domain somewhere else, and set it up to proxy all HTTPS requests to https://foo.appspot.com?
If so, how would you recommend setting it up? And would it be much slower, compared to using https://foo.appspot.com directly?
Yes, it's possible to do this. It's secure if you trust your proxy and you use SSL from the proxy to the app. It will be noticeably slower, since there's a longer path between your user and your app. In addition, unless you get multiple proxies, all your traffic will have to go via a single global location, whereas the appspot domain is served from frontends all round the globe.