Enterprise EC2 Quick Start Guide v1.2

Copyright © 2002 - 2010 Loadbalancer.org Ltd


Table of Contents

Introduction
    Why Use Loadbalancer.org's EC2 Load Balancer?
Amazon EC2 terminology
Getting Started
Signing Up to AWS
Deploying the Load Balancer
    Security Groups
    Launch Instance
    Elastic IP's
Accessing the console using SSH
    Under Linux
    Under Windows
Accessing the console using WinSCP
    Accessing the WUI
Using the WUI
    Overview
    Servers
    SSL Termination
        Obtaining & using a VeriSign test Certificate
        Using your Windows IIS Certificate
    Security
    Account
    Maintenance
    Stats
Loadbalancer.org technical support


Introduction

Amazon AWS provides a cloud-based platform to deploy web services. It allows services to be deployed as and when required. There are no upfront costs, and charges are only made for what is used, making it an extremely flexible and cost-effective solution.

Loadbalancer.org's new EC2-based load balancer allows customers to rapidly deploy and configure a load balancing solution. The load balancer utilizes HAProxy & Pound, both well proven in our existing product range.

Why Use Loadbalancer.org's EC2 Load Balancer?

Amazon does already offer a load balancing solution which is great for some deployments but has the following limitations:

1. It is layer 4 only (round robin)

2. Doesn't support SSL termination

3. Doesn't support Cookies

4. Doesn't support WAN or SNAT load balancing (i.e. non-local servers)

5. Doesn't support URL matching rules or multiple back-end clusters

6. Doesn't support application maintenance modes

7. Doesn't support customized health checks

Our EC2 offering addresses these limitations.

Amazon EC2 terminology

Acronym        Terminology
Amazon AWS     Amazon Web Services
Amazon S3      Amazon Simple Storage Service
Amazon EC2     Amazon Elastic Compute Cloud
Amazon VPC     Amazon Virtual Private Cloud
Amazon AMI     Amazon Machine Image

Getting Started

To start using Amazon Web Services (AWS), you'll first need to create an account, select which features you want to use and enter your payment details.

The following sections in this guide provide details on how to set up an Amazon account and how to get a basic load balancer up and running.


Signing Up to AWS

To create a new AWS account, go to http://aws.amazon.com/ and click Create an AWS Account in the top right corner. Fill in all the required details, then sign into AWS. When you first sign in, you'll then need to sign up for EC2:

• Sign into AWS

• Select the Amazon EC2 tab

• Click Sign Up for Amazon EC2

• Enter your credit card details

• Enter your telephone number - an automated call will be made, you must enter the displayed PIN number to create the account

• You can now return to the AWS home page and sign in

NB. Once you sign up for EC2, an S3 and VPC account will also be created automatically

Deploying the Load Balancer

Security Groups

Security groups allow ports to be opened for access to applications and also for management purposes. Typically the following ports will be needed for the Loadbalancer.org AMI:

Port    Purpose
22      SSH – always useful for console access
80      HTTP based services
443     HTTPS based services
7777    load balancer reports
9443    load balancer management

To set up a new Security Group:

(N.B. Creating groups at this stage allows the group to be easily selected when the instance is created)

• Click Security Groups in the Navigation panel

• Click Create Security Group


• Enter an appropriate name & description

• Click Create

• To add the required ports, in the lower pane select Connection Method = SSH, Protocol = TCP, From Port = 22, To Port = 22, Source IP = 0.0.0.0/0 (or more restrictive as needed)

• Click Save

• Now repeat for the remaining ports in the list. For ports 7777 & 9443 use Connection Method = Custom

• Once complete the list will appear as follows:

To view each security group, select the relevant check-box and hit Refresh (top right)
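An added example (not from the original guide or the product) that audits a rule set like the one built in the steps above: it reports the SSH, reports and management ports whenever a rule opens them to a source outside a set of administrator networks, including through a wide port range. The rule dictionaries follow the IpPermissions shape of the EC2 DescribeSecurityGroups API; the sample rules, the administrator network and the treatment of ports 22, 7777 and 9443 as administrator-only are assumptions of this example.

```python
import ipaddress

# Ports from the guide's table. Treating 22, 7777 and 9443 as administrator-only
# is an assumption of this example, not a statement from the vendor.
MGMT_PORTS = {22: "SSH console", 7777: "load balancer reports",
              9443: "load balancer management"}


def audit_rules(ip_permissions, admin_networks):
    """Return (port, cidr, reason) for each management port a rule exposes
    to a source that is not contained in one of admin_networks."""
    admin_nets = [ipaddress.ip_network(n) for n in admin_networks]
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto == "-1":                      # "all traffic": every port
            low, high = 0, 65535
        elif proto == "tcp":
            low, high = perm["FromPort"], perm["ToPort"]
        else:
            continue                           # the guide's ports are all TCP
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            src = ipaddress.ip_network(cidr, strict=False)
            if any(src.version == a.version and src.subnet_of(a)
                   for a in admin_nets):
                continue                       # source is an admin network
            for port, name in MGMT_PORTS.items():
                if low <= port <= high:        # also catches wide port ranges
                    findings.append(
                        (port, cidr, f"{name} reachable from {cidr}"))
    return findings


def make_rule(low, high, cidr):
    """Build one constructed TCP rule in the IpPermissions shape."""
    return {"IpProtocol": "tcp", "FromPort": low, "ToPort": high,
            "IpRanges": [{"CidrIp": cidr}]}


# Constructed sample data. 203.0.113.0/24 is a documentation range standing
# in for the administrators' network.
ADMIN_NETWORKS = ["203.0.113.0/24"]
AS_IN_GUIDE = [make_rule(p, p, "0.0.0.0/0") for p in (22, 80, 443, 7777, 9443)]
TIGHTENED = ([make_rule(p, p, "0.0.0.0/0") for p in (80, 443)] +
             [make_rule(p, p, "203.0.113.10/32") for p in (22, 7777, 9443)])
WIDE_RANGE = [make_rule(7000, 10000, "0.0.0.0/0")]

if __name__ == "__main__":
    for label, rules in (("as in guide", AS_IN_GUIDE),
                         ("tightened", TIGHTENED),
                         ("wide range", WIDE_RANGE)):
        print(label)
        for port, cidr, reason in audit_rules(rules, ADMIN_NETWORKS):
            print(f"  port {port}: {reason}")
```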


Launch Instance

Select Instances on the Navigation Pane, ensure that EU West is selected as the Region, then click Launch Instance. The following screen is displayed:

Click the Community AMIs tab, then refine the search criteria by typing “loadbalancer” into the filter field as shown below:

ENTERPRISE-EC2-V1.x-demo.manifest.xml – used for trialing the solution. This can be deployed immediately by clicking the appropriate Select button.

ENTERPRISE-EC2-V1.x-PAY-AS-YOU-GO.manifest.xml – used for production deployments. This version must first be purchased via our buy-now page: http://www.loadbalancer.org/ec2.php. Once payment is completed, the production version can also be started in the same way as the demo version.

To continue, click the appropriate Select button


Enter Instance Details:

Leave the default settings & click Continue


Enter Advanced Instance Details:

Leave the default settings & click Continue


Enter Instance Name:

Enter an appropriate name for the instance, click Continue


Configure Key Pairs:

Enter an appropriate name for the key pair, then click Create & Download your Key Pair. This file contains the private key, so save the .pem file in a safe place - this can be used later to secure your connections, e.g. with SSH for command line access to the load balancer.

Once this is done, click Continue


Select Security Group for the Instance:

Select the Security Group created previously and click Continue


Confirm Selected Options:

Click Launch


Close the Wizard:

Click Close

Your new instance is now up and running. You'll now need to assign a public IP address and then configure the load balancer for your environment as detailed in the following sections.


Elastic IP's

To assign a public IP address to the instance, select Elastic IPs in the navigation pane, then click Allocate New Address at the top of the screen.

You'll now need to associate this with the instance. To do this, click the check-box to select the IP, then click Associate and confirm your selection.

Now when you view your Instance, you'll see that the IP has been allocated. You can now access the management interface via this IP address.

Accessing the console using SSH

To connect to the load balancer using SSH, the private key must be downloaded when the Key Pair is created. The key can then be used with SSH.

Under Linux

# First change the permission of the private key file to allow only the owner read access
chmod 400 <ec2-key-name>.pem

# Now start SSH specifying the private key file
ssh -i <ec2-key-name>.pem root@<dns-name or IP>


Under Windows

For PuTTY, the private key must be converted into an appropriate format. To do this the PuTTYgen utility (included with PuTTY) must be used.

Start PuTTYgen:

Click Load, change the filetype to all files and select the pem file saved earlier when creating your Key Pair.

You should see the following message:


Click OK

Now click Save private key – this can then be used with PuTTY

NB. You can also choose to enter an additional passphrase for improved security; if you don't, the following message will be displayed:

Click Yes & save the file with the default .ppk extension


Now start PuTTY and expand the SSH section

Click Browse and select the new .ppk file just created

When you open the SSH session, login as root – no password will be required.


Accessing the console using WinSCP

With WinSCP, enter the relevant IP address and username root, then browse to the private key file created previously using PuTTYgen.

Click Login


Accessing the WUI

In a browser, navigate to the Elastic IP as follows:

https://<Elastic IP>:9443

9443 is the default secure management port

You'll receive a warning about the certificate, as it's a self-signed cert not related to an Internet-based CA. Confirm you want to continue and a login prompt will be displayed. Use the following credentials:

Username: loadbalancer

Password: loadbalancer

The following screen is displayed:

Using the WUI

Overview

This tab shows the basic performance stats for the instance as well as the XML and HAProxy config files. It is possible to modify these files directly, but it's recommended to allow the interface to handle the config file changes to ensure syntax rules are followed.


Servers

This is where you specify the front-end and back-end servers. Front-end servers are Internet facing and distribute connections to the back-end servers.

• Servers can be specified using their DNS name or by IP address


SSL Termination

SSL can be terminated at the load balancer. The default certificate can be used or your own certificate can be uploaded.

Obtaining & using a VeriSign test Certificate

1) Connect to the Console of the load balancer – see previous section on how to do this with Linux and Windows.

2) Generate the Private Key & set permissions

mkdir /certs
# 2048-bit RSA key; 1024-bit keys are no longer accepted by public CAs
openssl genrsa -out /certs/lb.key 2048
chmod 400 /certs/lb.key

3) Generate the CSR

openssl req -new -nodes -key /certs/lb.key -out /certs/lb.csr

The following shows the prompts and sample answers:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:GB

State or Province Name (full name) [Berkshire]:hampshire

Locality Name (eg, city) [Newbury]:portsmouth

Organization Name (eg, company) [My Company Ltd]:loadbalancer.org

Organizational Unit Name (eg, section) []:support

Common Name (eg, your name or your server's hostname) []:www.loadbalancer.org

Email Address []:[email protected]


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:.

An optional company name []:.

===> The csr is now created as /certs/lb.csr

N.B. When prompted for the x509 common name, make sure you enter the fully qualified hostname the certificate will be used with. e.g. www.loadbalancer.org

4) Copy the Private Key & CSR to your workstation

Under Linux:

scp -i LBkeypair1.pem root@<IP address>:/certs/lb.key <local path>/lb.key
scp -i LBkeypair1.pem root@<IP address>:/certs/lb.csr <local path>/lb.csr

Under Windows:

- Connect to the load balancer using WinSCP as described earlier in this guide

- Copy the files /certs/lb.key & /certs/lb.csr to your workstation

5) Create your Verisign test certificate

Open the following page and click FREE TRIAL:

http://www.verisign.com/ssl/buy-ssl-certificates/free-ssl-certificate-trial/

• Copy the contents of lb.csr to the first CSR screen, select Server not listed and click Continue

• When prompted for a challenge phrase and reminder question use only simple letters and numbers

• Verisign will then email your new test certificate - normally within a few minutes

6) Installing the certificate

• Log in to the console and access the SSL Termination tab

• Click add new SSL port

• Update the default settings if needed and click save

• Click upload certificate

• Delete the contents of the top & bottom pane (these are for the default self signed cert)

• Copy/paste the private key to the top pane & the certificate obtained from Verisign to the bottom pane. You can also add Verisign's trial intermediate certificate (a link is provided in the email from Verisign) in the bottom pane after the certificate as follows:


-----BEGIN CERTIFICATE-----
certificate contents goes here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate certificate contents go here
-----END CERTIFICATE-----

e.g.

-----BEGIN CERTIFICATE-----
MIICJTCCAY4CAQAwgaoxCzAJBgNVBAYTAkdCMRIwEAYDVQQIEwlIYW1wc2hpcmUxEzARBgNVBAcTClBvcnRzbW91dGgxGTAXBgNVBAoTEExvYWRiYWxhbmNlci5vcmcxMSYwJAYJKoZIhvcNAQkBFhdyb2JlcnRAbG9hZGJhbGFuY2VyLm9yZzCBnzANBgkq
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICJTCCAY4CAQAwgaoxCzAJBgNVBAYTAkdCMRIwEAYDVQQIEwlIYW1wc2hpcmUxEzARBgNVBAcTClBvcnRzbW91dGgxGTAXBgNVBAoTEExvYWRiYWxhbmNlci5vcmcxEDAOBgNVBAsTB1N1cHBvcnQxHTAbBgNVBAMTFHd3dy5sb2FkYmFsYW5jZXIub3Jn
-----END CERTIFICATE-----

• Click Save

• Now restart Pound using the pop-out or Maintenance > Restart Pound

Using your Windows IIS Certificate

For Windows, it's often easiest to get the certificate working on the server first. The certificate can then be exported from Windows in .pfx format, converted to .pem format, then copied to the load balancer. The steps for this process are:

1) Export the certificate from IIS - once the certificate is working correctly on your Windows server, export the certificate from Windows – including the private key. Make sure you select the option for all certs in the chain; the format must be .pfx

For the common name, make sure you enter the fully qualified domain name for your web server, e.g. www.loadbalancer.org

2) Download & install openssl - download openssl using the following link & install on your PC: http://www.slproweb.com/download/Win32OpenSSL-1_0_0a.exe

3) Extract the private key – in a command window, type the following:

\openssl\bin\openssl pkcs12 -in drive:\path\cert.pfx -nocerts -out drive:\path\cert.pk

(You'll be prompted for the password used to create the pfx file, and a passphrase to write the output file)

4) Unencrypt the private key – in a command window, type the following:

\openssl\bin\openssl rsa -in drive:\path\cert.pk -out drive:\path\cert.pkun

(You'll be prompted for the passphrase entered in the previous step)


5) Extract the certificate – in a command window, type the following:

\openssl\bin\openssl pkcs12 -in drive:\path\cert.pfx -clcerts -nokeys -out drive:\path\cert.cer

(You'll be prompted for the password used to create the pfx file)

6) Copy the private key and certificate to the load balancer

- go to SSL Termination

- click upload certificate

- paste the contents of the private key into the top pane and the certificate into the lower pane

- click save

7) Now restart Pound - (Maintenance > Restart Pound)
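An added example (not part of the original guide or the product) that checks the contents of the two upload panes before they are pasted, for both the VeriSign and the IIS procedures above: the top pane must hold exactly one unencrypted private key and the bottom pane only certificates. It assumes the upload form needs an unencrypted key, as step 4 of the IIS procedure implies; the function names are hypothetical and the sample blocks are constructed placeholders, not real keys or certificates.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
PLAIN_KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}


def parse_pem(text):
    """Split text into (label, headers, der_bytes) per PEM block.

    Text outside the blocks (such as the "Bag Attributes" lines that
    openssl pkcs12 writes) is ignored. Raises ValueError on bad base64.
    """
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]
        payload = "".join(ln for ln in lines if ":" not in ln)
        blocks.append((label, headers, base64.b64decode(payload, validate=True)))
    return blocks


def check_panes(key_pane, cert_pane):
    """Return a list of problems; an empty list means the panes look sane."""
    try:
        keys, certs = parse_pem(key_pane), parse_pem(cert_pane)
    except ValueError as exc:
        return [f"invalid base64 inside a PEM block: {exc}"]
    problems = []
    if len(keys) != 1:
        problems.append(f"top pane: expected 1 key block, found {len(keys)}")
    for label, headers, _ in keys:
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers)
        if encrypted:
            problems.append("top pane: private key is still passphrase-protected")
        elif label not in PLAIN_KEY_LABELS:
            problems.append(f"top pane: unexpected block {label!r}")
    if not certs:
        problems.append("bottom pane: no certificate found")
    for label, _, der in certs:
        if "PRIVATE KEY" in label:
            problems.append("bottom pane: contains a private key")
        elif label != "CERTIFICATE":
            problems.append(f"bottom pane: unexpected block {label!r}")
        elif not der.startswith(b"\x30"):
            problems.append("bottom pane: certificate is not a DER SEQUENCE")
    return problems


def make_pem(label, headers=()):
    """Build a constructed PEM block around placeholder DER (not a real key)."""
    body = list(headers) + [base64.b64encode(b"\x30\x03\x02\x01\x00").decode()]
    return (f"-----BEGIN {label}-----\n" + "\n".join(body)
            + f"\n-----END {label}-----\n")


# Constructed samples: the labels are real PEM labels, the contents are dummies.
PLAIN_KEY = make_pem("RSA PRIVATE KEY")                # like cert.pkun (step 4)
PKCS12_KEY = "Bag Attributes\n" + make_pem("ENCRYPTED PRIVATE KEY")  # like cert.pk
LEGACY_ENC_KEY = make_pem("RSA PRIVATE KEY",
                          ["Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00"])
CHAIN = make_pem("CERTIFICATE") + make_pem("CERTIFICATE")  # server + intermediate
CSR = make_pem("CERTIFICATE REQUEST")                  # lb.csr pasted by mistake

if __name__ == "__main__":
    for name, key in (("plain", PLAIN_KEY), ("pkcs12", PKCS12_KEY)):
        print(name, check_panes(key, CHAIN) or "ok")
    print("csr in bottom pane", check_panes(PLAIN_KEY, CSR))
```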

Security

This section offers another way to configure access to the load balancer. Changes made here are also reflected in the Security Groups section of the AWS management console & vice versa.

N.B. Your Access Key ID & Secret Access Key must be entered in section 1) of the Account Tab for this to work. Both can be obtained from the Access Credentials section available under Account in the AWS Management Console.

Once entered, the various Security Groups and related port settings are displayed:


Account

Section 1

Enter your Amazon Credentials here to enable the Security Tab. You can obtain your credentials from the AWS Management Console, under Account > Security Credentials > Access Credentials. Once entered, the Security Tab can be used to modify the port settings of your Security Groups.

Section 2

Enter the relevant Amazon credentials here to enable auto-scaling. The Certificate can be downloaded in the AWS Management Console under Account > Security Credentials > Access Credentials > X.509 Certificates, then click Download under the relevant certificate. You can also select Create a new Certificate; this will enable you to download both the certificate and the private key. The AWS account number is displayed under the Sign-Out option on the AWS console.

Once entered, click the Save button to validate & save these details.


Section 3

Use this section to create a backup of your instance. This backup can then be used to re-deploy your instance if it goes down or fails for any reason.

Section 4

This allows auto-scaling to be used. Enter the relevant Elastic IP, Key Pair name & Security Group. This will enable an exact copy of the instance to be automatically started if the instance fails for any reason.


Maintenance

This section allows logs to be viewed, services to be restarted, the WUI password to be changed and global settings to be modified - for most applications the global settings can be left at their default values.


Stats

This displays HAProxy statistics. A separate section is created for each Front-end & each Back-end server.

Loadbalancer.org technical support

If you have any questions don't hesitate to contact the support team: [email protected]
