AP Application Load Balancer (AP-ALB). Sophisticated monolithic Ansible role to manage standalone load balancers and clusters of cross-platform, multicloud load balancers. Abstracts HAProxy + OpenResty + on-the-fly auto HTTPS. Dedicated to the Public Domain.
Most big cloud load balancers assume health checks do not require any validation at all. They do not even have an option for basic auth. They assume the path between the health checker and the destination is already on a private network, and if that is not the case, I think it is very likely the end user would eventually just create a semi-secret public URL that will be reused for years.
The big issue for AP-ALB is that what is somewhat of an exception on cloud LBs is very likely to be common among our users. So our defaults should assume a context of either heterogeneous datacenters or the need to work without a VPN.
This is actually a very, very complicated topic to make work both with low overhead (a strong requirement for health checks) and acceptably secure, even if the MVP implementation may not require much more code than what already exists.
At templates/alb/strategy/partials/alb_health_check.conf.j2 we currently have a draft that allows the user to customize the prefixes (so this would be somewhat equivalent to what other cloud LBs give the user).
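As an added illustration (not the AP-ALB template, whose contents are not shown here), a minimal nginx/OpenResty location for a health-check endpoint under a customizable prefix that stays cheap to evaluate while not being an open, unauthenticated URL: a source-network allowlist plus a shared-secret header checked via a `map`. The prefix, the networks, the header name and the token value are assumed placeholders.

```nginx
# Added example, not the project's template. Goal: keep the check cheap
# (no upstream round trip, no TLS client auth) but not wide open.
# Placeholders: prefix, allowed networks, header name and token are assumptions.
map $http_x_alb_health_token $alb_health_token_ok {
    default 0;
    "REPLACE_WITH_LONG_RANDOM_TOKEN" 1;   # placeholder shared secret; rotate it
}

server {
    listen 80;
    server_name _;

    # Customizable prefix, analogous to what the draft template lets users set.
    location ^~ /.well-known/alb-health/ {
        # First line of defence: only the health checkers' networks.
        allow 10.0.0.0/8;        # placeholder: private checker network
        allow 203.0.113.0/24;    # placeholder: public checker range (TEST-NET-3)
        deny  all;

        # Second line: a shared-secret header. Like a semi-secret URL it can
        # leak and be reused for years, so it complements, never replaces,
        # the network restriction above.
        if ($alb_health_token_ok = 0) {
            return 403;
        }

        # Cheap static answer, nothing logged per probe.
        access_log off;
        default_type text/plain;
        return 200 "ok\n";
    }
}
```

Both checks are evaluated in nginx's request phases before any proxying, so the per-probe cost stays close to that of an unauthenticated endpoint.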
Security considerations