Pivotal Knowledge Base


How to set up your AWS ALB (application load balancer) to connect to Diego cells without exposing port 4443

Environment

Pivotal Cloud Foundry® (PCF) AWS Only

Purpose

The purpose of this KB is to set up an Application Load Balancer (ALB) in order to access Diego Cells via WebSocket on port 443 (wss://) or 80 (ws://). Using an ALB eliminates the need to expose port 4443 externally from your PCF installation.

NOTE: Currently ALBs are not managed by Ops Manager and are outside the control of PCF; therefore setting up and maintaining the ALB, including updating the Diego cell targets when necessary (such as after an upgrade), is the customer's responsibility.

Procedure

Follow these steps:

  1. Switch the Loggregator Port from 4443 to 443 in the ERT Networking tab.

  2. Remove the ELBs from the ERT Resource page; the load balancer names are in the column labeled "Load Balancers" on the right.

  3. Apply Changes. The instances are now removed from the load balancer.

  4. In the AWS EC2 Dashboard, under Load Balancers, click Create Load Balancer.

  5. Select the load balancer type: click Create under Application Load Balancer.

  6. Configure the ALB.

    Do not use your ERT subnets; you'll get a warning and nothing will work correctly.

    The networks were added based on the existing HTTP ELB.

    Re-use the existing SSL certificate.

  7. Configure security settings

    Re-use the existing security group from the ELB.

  8. Configure security groups

  9. Configure routing

    Target instances (routers)

  10. For the target group, select your Diego cells.

  11. Update DNS: replace sk-v19-Pcf-Http-Elb-1233709967.us-west-2.elb.amazonaws.com with sk-alb-cutover-test-1773759508.us-west-2.elb.amazonaws.com

    Targets are healthy.
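Because the ALB's Diego cell targets are not managed by Ops Manager, they drift after an upgrade or scale-out; the script below is an added example (not part of this KB or of PCF) that discovers the running cells by EC2 tag, diffs them against the target group, and optionally applies the changes with boto3. It assumes the cells carry a hypothetical `job=diego_cell` tag (adjust to your deployment's tags) and that the target group already exists with the correct port.

```python
# Added example (not from the KB): keep an ALB target group in sync with the
# Diego cells. Assumes cells carry EC2 tag job=diego_cell (hypothetical;
# adjust to your deployment) and the target group already exists.
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class TargetHealth:
    instance_id: str
    state: str  # healthy | unhealthy | initial | draining | unused | unavailable


def plan_reconciliation(cell_ids, registered):
    """Compare desired cells with current registrations; no AWS calls.

    Returns (to_register, to_deregister, unhealthy). Draining targets count
    as absent, so a desired cell that is draining gets re-registered.
    """
    desired = set(cell_ids)
    current = {t.instance_id for t in registered if t.state != "draining"}
    unhealthy = [t.instance_id for t in registered
                 if t.instance_id in desired and t.state == "unhealthy"]
    return sorted(desired - current), sorted(current - desired), sorted(unhealthy)


def reconcile(target_group_arn, tag_key="job", tag_value="diego_cell", apply=False):
    """Discover cells by tag, plan, and optionally apply the plan via boto3."""
    import boto3  # imported here so plan_reconciliation stays usable offline
    ec2, elbv2 = boto3.client("ec2"), boto3.client("elbv2")
    pages = ec2.get_paginator("describe_instances").paginate(Filters=[
        {"Name": f"tag:{tag_key}", "Values": [tag_value]},
        {"Name": "instance-state-name", "Values": ["running"]}])
    cell_ids = [i["InstanceId"] for p in pages
                for r in p["Reservations"] for i in r["Instances"]]
    health = elbv2.describe_target_health(TargetGroupArn=target_group_arn)
    registered = [TargetHealth(d["Target"]["Id"], d["TargetHealth"]["State"])
                  for d in health["TargetHealthDescriptions"]]
    add, drop, bad = plan_reconciliation(cell_ids, registered)
    print(f"register={add} deregister={drop} unhealthy={bad}")
    if apply and add:  # new cells after an upgrade or scale-out
        elbv2.register_targets(TargetGroupArn=target_group_arn,
                               Targets=[{"Id": i} for i in add])
    if apply and drop:  # stale entries for terminated cells
        elbv2.deregister_targets(TargetGroupArn=target_group_arn,
                                 Targets=[{"Id": i} for i in drop])
    return add, drop, bad


if __name__ == "__main__":
    # usage: python reconcile_targets.py <target-group-arn> [--apply]
    reconcile(sys.argv[1], apply="--apply" in sys.argv[2:])
```

Run it without `--apply` first to review the plan; unhealthy cells that are still desired are reported but left registered so you can investigate the health check rather than silently dropping capacity.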
