Cross Region Internal Load Balancing in AWS with VPC Peering

Load balancing is a standard way of addressing high availability in any cloud deployment. Load balancers monitor the health of backend resources and stop sending traffic to servers that cannot fulfill requests. The main aim of load balancing is to prevent any single server from becoming overloaded and possibly failing.

In this blog, we are talking about internal load balancing with a Network Load Balancer and an Application Load Balancer. A Network Load Balancer automatically provides a static IP per Availability Zone (subnet), which applications use as the front-end IP of the load balancer.

The idea for this blog came from a task I was given, which was as follows:

  • Put 2 servers in private subnets in one region (N. Virginia) and one server in a private subnet of another region (Oregon)
  • Use a network load balancer, keep it internal, and put these 3 servers in the target group of the load balancer
  • Check whether the internal load balancer is working

However, AWS does not support cross-region load balancing. I solved it with cross-region VPC peering and then used the IP addresses target type in the load balancer target group. Lastly, I added steps for internal load balancing with an application load balancer as well.

Setup Overview:

  • 2 VPCs: 1 in N. Virginia and 1 in Oregon
  • 2 public subnets: one in each VPC
  • 3 private subnets: 2 in N. Virginia and 1 in Oregon
  • 3 EC2 instances: 1 in each private subnet
  • 1 network load balancer: in the N. Virginia region

The following steps were performed in the N. Virginia region:

Step-1: Create a VPC (VPC-NV) in the N. Virginia region with the 10.0.0.0/26 CIDR

Step-2: Create 3 subnets with the following CIDRs in the N. Virginia region

  • NV-PUB-A (10.0.0.0/28)
  • NV-PRIV-A (10.0.0.16/28)
  • NV-PRIV-B (10.0.0.48/28)

Step-3: Create an internet gateway (NV-IGW) and attach it to VPC-NV

Step-4: Create 2 route tables named NV-PUB-RT and NV-PRIV-RT

Step-5: Associate the NV-PUB-A public subnet with the NV-PUB-RT route table and add a route through the NV-IGW internet gateway created in step 3

Step-6: Create a NAT gateway (NV-NAT) in the public subnet and add a route through this NAT gateway in the NV-PRIV-RT route table.

Step-7: We can now see that the two private subnets are associated with the NV-PRIV-RT route table and the one public subnet with NV-PUB-RT

(Screenshots: NV-PUB-RT and NV-PRIV-RT route table associations)

The following steps were performed in the Oregon region:

Step-8: As in N. Virginia, create a VPC in the Oregon region with the 10.0.1.0/26 CIDR

Step-9: Create one public and one private subnet

  • OREG-PUB-A (10.0.1.0/28)
  • OREG-PRIV-A (10.0.1.32/28)

Step-10: Create 2 route tables (OREG-PUB-RT and OREG-PRIV-RT), one internet gateway (OREG-IGW) and one NAT gateway (OREG-NAT), and associate the public and private subnets with their route tables

Step-11: Now go to the N. Virginia region, open the VPC service, search for Peering connections and create a new peering connection

Name (NV-to-OREG)–> Select a local VPC to peer with (NV-VPC)–> Select another VPC to peer with (my account)–> Region (another region), choose the region from the drop-down list (US West Oregon)–> VPC ID (Accepter) (vpc-0414bfe109d9c3459), paste the VPC ID of your other region's VPC here–> Create peering connection

Step-12: Open Peering connections in the Oregon region; you will see it in the Pending acceptance state. Go to Actions and accept it; it moves to the Provisioning state and, after refreshing, to the Active state.

Step-13: Go to the N. Virginia region and refresh the peering connection; it should now be in the Active state

Step-14: Now open the NV-PUB-RT route table and add a route for the peering connection; the final route table looks like this

NV-PUB-RT after adding peering connection

Step-15: Go to the Oregon region, edit the OREG-PRIV-RT route table and add a route for the peering connection

Note: we can add the peering connection entry in NV-PUB-RT in N. Virginia and in OREG-PRIV-RT in the Oregon region

Step-16: We are doing internal load balancing, so this step is important

Open the VPC service in both regions, select the VPC, and under Actions choose Edit DNS hostnames (disabled by default) and enable it

Step-17: Go to the EC2 service in N. Virginia and launch 3 instances: one in the NV-PUB-A subnet (with a public IP) and the other two in the NV-PRIV-A and NV-PRIV-B subnets respectively without public IPs (keep them private instances)

Step-18: Go to the Oregon region and launch 2 instances, one in the public subnet (OREG-PUB-A) and one in the private subnet (OREG-PRIV-A)

Step-19: Attach the security groups NV-SG and OREG-SG to the instances in their respective regions

Step-20: SSH to any server (through the bastion) and try to telnet to the private IP of an instance in the other region; if it gives the output below, our cross-region VPC peering is working properly.

Before going further, log in to the private instances (through the bastion hosts), install Nginx and customize the default index.html page on all three instances (two in the N. Virginia and one in the Oregon private subnets)

Custom HTML page

Steps for Internal load balancing:

Step-21: Go to the N. Virginia region, open Load Balancing in the EC2 service, go to Target groups and create a new target group

Basic configuration (IP addresses)–> Target group name (NW-TG)–> VPC (NV-VPC)–> Next–> Register targets–> Choose a network (NV-VPC)–> Specify IPs and define ports (paste the private IPs of the instances launched in the private subnets of NV-VPC)–> Click on Include as pending below–> Create target group

Step-22: Go to Register targets again, choose Other private IP address in the network section, paste the private IP of the Oregon region instance (OREG-PRIV-A), click on Include as pending below and create the target group

Step-23: These targets remain in the unused state until the target group is associated with a load balancer

Step-24: Go to Load balancers and create a network load balancer

  • Basic configuration–> Load balancer name (NW-LB)–> Scheme (Internal)

  • Network mapping–> VPC (NV-VPC)–> Mappings [ (us-east-1a), (us-east-1b)]

Note: choose both private subnets in this step. If you are making an internet-facing load balancer, choose at least one public subnet

  • Listeners and routing–> Choose target group (NW-TG)–> Create load balancer

Step-25: Go to Target groups and check the health status of all instances

Step-26: Copy the load balancer DNS name and check whether it resolves:

nslookup <DNS of network load balancer>

Step-27: Now run the command below from any instance and check whether internal load balancing is working (when we run the command below repeatedly, we get the customized HTML pages of the 3 servers). I am pasting one screenshot of a customized page

curl <DNS of network load balancer>
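An added Python check of the details that make this setup work (this is not code from the post; the pcx- id is a placeholder and the target IPs in the test are constructed): it confirms the two VPC CIDRs do not overlap, which peering requires, that every subnet fits inside its VPC, derives the route each side needs for the peering connection, and builds the IP-target entries, marking the peered-region IP with availability zone "all" as the Other private IP address option does.

```python
import ipaddress

# Addressing taken from the blog post; the pcx- id is a placeholder, not a real value.
VPCS = {
    "VPC-NV": {"cidr": "10.0.0.0/26", "subnets": {
        "NV-PUB-A": "10.0.0.0/28", "NV-PRIV-A": "10.0.0.16/28", "NV-PRIV-B": "10.0.0.48/28"}},
    "VPC-OREG": {"cidr": "10.0.1.0/26", "subnets": {
        "OREG-PUB-A": "10.0.1.0/28", "OREG-PRIV-A": "10.0.1.32/28"}},
}
PEERING_ID = "pcx-PLACEHOLDER"


def validate_cidr_plan(vpcs=VPCS):
    """Return a list of addressing problems; empty means the VPCs can be peered."""
    problems = []
    nets = {name: ipaddress.ip_network(v["cidr"]) for name, v in vpcs.items()}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):  # AWS refuses to peer overlapping CIDRs
                problems.append(f"{a} and {b} overlap")
    for name, v in vpcs.items():
        subs = [(s, ipaddress.ip_network(c)) for s, c in v["subnets"].items()]
        for i, (s1, n1) in enumerate(subs):
            if not n1.subnet_of(nets[name]):
                problems.append(f"{s1} {n1} lies outside {name} {nets[name]}")
            for s2, n2 in subs[i + 1:]:
                if n1.overlaps(n2):
                    problems.append(f"{s1} overlaps {s2} inside {name}")
    return problems


def peering_routes(vpcs=VPCS, pcx=PEERING_ID):
    """The route each side's route table needs: the peer VPC CIDR via the peering connection."""
    (a, va), (b, vb) = vpcs.items()  # this setup has exactly two VPCs
    return {a: {"destination": vb["cidr"], "target": pcx},
            b: {"destination": va["cidr"], "target": pcx}}


def ip_targets(nlb_vpc, target_ips, port=80, vpcs=VPCS):
    """Entries for an IP-type target group, as in the 'Register targets' step."""
    local = ipaddress.ip_network(vpcs[nlb_vpc]["cidr"])
    entries = []
    for ip in target_ips:
        entry = {"Id": ip, "Port": port}
        # An IP outside the load balancer's VPC (the peered Oregon instance) is only
        # accepted with AvailabilityZone "all"; in-VPC IPs are registered without it.
        if ipaddress.ip_address(ip) not in local:
            entry["AvailabilityZone"] = "all"
        entries.append(entry)
    return entries
```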

Steps for the Application load balancer: now we test our internal load balancing with an Application load balancer

Step-28: Go to Actions, delete the NW-LB load balancer and the target group, then create a target group in the same way as above and an application load balancer

Step-29: All steps are the same, but the application load balancer asks for security groups; we choose the same security group (NV-SG) that our EC2 instances use

Step-30: After the load balancer is created, run curl <DNS> from any server in N. Virginia; we get the customized HTML pages

Conclusion:

A cross-region load balancer ensures a service is available globally across multiple AWS regions. If one region fails, traffic is routed to the next closest healthy regional servers. But cross-region load balancing is not supported in AWS.

I searched for a solution to this scenario, explored the possible options and worked out how to achieve it using cross-region VPC peering, finding that Network Load Balancers now support connections from clients to IP-based targets in peered VPCs across different AWS Regions.

I also tried it with the Application load balancer and saw that it works with both load balancers.

The above solution will help to achieve internal load balancing using cross-region VPC peering.

Happy learning…….

Blog Pundit: Naveen Verma and Sandeep Rawat


5 thoughts on “Cross Region Internal Load Balancing in AWS with VPC Peering”

  1. Hello. Can you just clarify the part where the other Oregon private subnet is added to the same network load balancer? How is this setting enabled in AWS, since cross region is not accepted? I missed something there. Thanks again, very interesting post.

    1. Hello Youssef Bennis, when we create the target group, then in basic configuration we have to choose IP addresses, and at Register targets we have to choose a network with other private IP addresses, and you can paste your other region instances' private IP here. The answer to your question is in steps 16 and 21, 22 in the blog. Step 16 is important when we use internal load balancing.
      I hope you get your answer.

  2. The problem is, and tell me if I’m being stupid – the region where your load balancer goes down, you’re stuffed somewhat?

      1. I think what he was trying to say is, if your network load balancer is in us-east-1, and that region goes down (taking the load balancer with it), then wouldn’t it be impossible for some global internet user to get to your EC2 instance in the west region since the load balancer isn’t available any longer?
