aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(aws_elasticloadbalancingv2): Add support for TLS on NLB Listeners with ALB Targets #22245

Open lurnt opened 2 years ago

lurnt commented 2 years ago

Describe the feature

When trying to utilize NLB's feature of having ALB target types, I would like ALB Targets on NLB Listeners to have TLS termination.

import { ApplicationLoadBalancer, Protocol as ElbProtocol, SslPolicy } from "aws-cdk-lib/aws-elasticloadbalancingv2";
import { AlbTarget } from "aws-cdk-lib/aws-elasticloadbalancingv2-targets";

// Assumed to be defined elsewhere in the stack: `nlb` (a NetworkLoadBalancer),
// `listenerPort` (number) and `props.acmCertificate` (an ACM certificate).
const applicationLoadBalancer = new ApplicationLoadBalancer(...);

// TLS listener on the NLB, with the certificate attached at the NLB.
const listener = nlb.addListener("NLBListener", {
  port: listenerPort,
  protocol: ElbProtocol.TLS, // TLS Listeners on ALB Target Groups not supported. This will throw an error at deployment.
  sslPolicy: SslPolicy.RECOMMENDED,
  certificates: [{ certificateArn: props.acmCertificate.certificateArn }],
});

// Target group of type 'alb': the ALB itself is the target, on the same port as its listener.
const albTarget = listener.addTargets("ALBTypeTargetGroup", {
  targets: [
    new AlbTarget(applicationLoadBalancer, listenerPort),
  ],
  port: listenerPort,
  healthCheck: {
    path: "/healthcheck",
    port: "traffic-port",
    protocol: ElbProtocol.HTTPS,
  },
});

Trying to synthesize and deploy the above will result in the following error:

Error: The stack named <stack name> failed to deploy: UPDATE_ROLLBACK_COMPLETE: Target type 'alb' is not supported for target groups with TLS protocol (Service: AmazonElasticLoadBalancing; Status Code: 400; Error Code: InvalidConfigurationRequest; Request ID: aca076e1-3d00-40ae-b12a-cf9b2c171cd2; Proxy: null)

Use Case

I'm building an ECS/Fargate service with the following requirements:

  1. Use PrivateLinks (So an NLB is absolutely necessary to front my service).
  2. Have weighted traffic between a "preproduction" and a "production" stage. In short, I have multiple target groups that I need to direct weighted traffic to. In this case the "preproduction" service will get 5% of traffic, while the "production" target gets 95%.
  3. I need TLS termination at the Network Load Balancer.

With all these requirements, I have ended up utilizing the NLB -> ALB solution provided by AWS recently. However, TLS termination is seemingly impossible. Even in the linked blog post, there is a caveat that NLB listeners on ALB targets cannot have TLS. Their workaround is to use the HTTPS protocol, but even that does not work!! HTTPS is not a supported protocol on NLB Listeners!!! So this feature release is misleading; TLS termination is not possible at all with this NLB -> ALB approach.

Proposed Solution

No response

Other Information

No response

CDK version used

2.14.0

Environment details (OS name and version, etc.)

AL2

neilkuan commented 2 years ago

hi @lurnt I think you need to read these docs. 👀 https://docs.aws.amazon.com/elasticloadbalancing/latest/network/application-load-balancer-target.html#register-application-load-balancer-target

For Protocol, only TCP is allowed. Select the Port for your target group. This target group port must match the listener port of the Application Load Balancer. Alternatively, you can add or edit the listener port on the Application Load Balancer to match this port.

So you get that error message?!
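The two constraints quoted above (target type 'alb' only with TCP, and the target group port matching an ALB listener port) are only enforced by the ELB API, so a CDK stack discovers them as a failed deploy and rollback, as in the error message in this issue. The following is an added example, not code from aws-cdk or from anyone in this thread: a small pre-synth check that mirrors those constraints so they fail in a unit test instead. The plan shape, the function name `checkAlbTargetPlan` and the sample configurations are this example's own assumptions.

```typescript
// Added example (not aws-cdk code): fail-fast check for an NLB -> ALB target
// configuration, mirroring the constraints stated in the ELB docs and in the
// "Target type 'alb' is not supported for target groups with TLS protocol" error.

// Protocols an NLB listener can carry.
type NlbProtocol = "TCP" | "TLS" | "UDP" | "TCP_UDP";

// Hypothetical description of the pieces involved; field names are this example's own.
interface AlbTargetPlan {
  nlbListenerProtocol: NlbProtocol;
  nlbListenerPort: number;
  targetGroupPort: number;
  // Listeners present on the ALB that is being registered as the target.
  albListeners: { port: number; protocol: "HTTP" | "HTTPS" }[];
  // Certificates the author intended to attach to the NLB listener.
  nlbCertificateArns: string[];
}

interface CheckResult {
  ok: boolean;
  errors: string[];   // would be rejected by the ELB API (InvalidConfigurationRequest)
  warnings: string[]; // accepted, but probably not what the author intended
}

export function checkAlbTargetPlan(plan: AlbTargetPlan): CheckResult {
  const errors: string[] = [];
  const warnings: string[] = [];

  // Constraint 1: with target type 'alb', the NLB listener / target group
  // protocol must be TCP. TLS (the configuration in this issue) is rejected.
  if (plan.nlbListenerProtocol !== "TCP") {
    errors.push(
      `Target type 'alb' is not supported for target groups with ${plan.nlbListenerProtocol} protocol; ` +
        "the NLB listener and target group must use TCP.",
    );
  }

  // Constraint 2: the target group port must match a listener port on the ALB.
  const albListener = plan.albListeners.find((l) => l.port === plan.targetGroupPort);
  if (!albListener) {
    const ports = plan.albListeners.map((l) => l.port).join(", ") || "none";
    errors.push(
      `Target group port ${plan.targetGroupPort} does not match any ALB listener port (ALB listener ports: ${ports}).`,
    );
  }

  // A TCP listener does not terminate TLS, so certificates meant for the NLB
  // listener have no effect in this path; TLS can only end at the ALB.
  if (plan.nlbCertificateArns.length > 0) {
    warnings.push(
      "A TCP NLB listener in front of an ALB target does not terminate TLS; " +
        "the certificates intended for the NLB listener belong on the ALB's HTTPS listener.",
    );
  }
  if (albListener && albListener.protocol !== "HTTPS") {
    warnings.push(
      `ALB listener on port ${albListener.port} is ${albListener.protocol}; ` +
        "with a TCP NLB listener nothing in this path terminates TLS.",
    );
  }

  return { ok: errors.length === 0, errors, warnings };
}

// Constructed sample: the configuration from this issue (TLS at the NLB).
export const issueConfig: AlbTargetPlan = {
  nlbListenerProtocol: "TLS",
  nlbListenerPort: 443,
  targetGroupPort: 443,
  albListeners: [{ port: 443, protocol: "HTTPS" }],
  nlbCertificateArns: ["arn:aws:acm:us-east-1:123456789012:certificate/example"],
};

// Constructed sample: the shape the service accepts (TCP at the NLB, TLS ends at the ALB).
export const supportedConfig: AlbTargetPlan = {
  nlbListenerProtocol: "TCP",
  nlbListenerPort: 443,
  targetGroupPort: 443,
  albListeners: [{ port: 443, protocol: "HTTPS" }],
  nlbCertificateArns: [],
};
```

Running `checkAlbTargetPlan(issueConfig)` reproduces the service's objection as a single error plus a warning about the unused certificate; `supportedConfig` passes cleanly. Wiring such a check into a CDK unit test on the synthesized template is the cheapest way to keep this class of mistake out of a deploy.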

lurnt commented 2 years ago

@neilkuan I understand that only TCP is allowed; I am not saying this bug is unexpected... This issue is to add support for other protocols, namely TLS termination.

peterwoodworth commented 2 years ago

@lurnt it seems to me this is a feature that the service itself is lacking rather than the CDK. The error message you've provided is from CloudFormation, which is likely originating from the service. I don't think there's anything CDK or CloudFormation can do without this being specifically supported by AWS ELB

lurnt commented 2 years ago

@peterwoodworth Is there any way to route this request to their team?