Does AWS Network load balancer support intra-VM traffic?


I hope this message finds you well.

I am trying to load balance a .NET application with multiple services hosted under the same website, which run on the same VM. I've tried achieving this with Azure's Gateway V1 (NLB) but it can't handle loopback traffic (from one service to another when both are running on the same VM). The following passage was extracted from Azure's documentation:

Cause 3: Access of the internal load balancer from the same VM and network interface

If your application hosted in the backend VM of an internal load balancer is trying to access another application hosted in the same backend VM over the same network interface, it's an unsupported scenario and will fail.

Resolution

You can resolve this issue via one of the following methods:

Configure separate backend pool VMs per application.

Configure the application in dual NIC VMs so each application was using its own network interface and IP address.

The potential fixes don't work/are not worth it in my case because two of the services barely use any computing power and therefore having a separate back-end pool for them would be a waste of money. Configuring another NIC and IP for each VM is too much configuration work in our case.

Our application is authenticated via NTLM and therefore needs a persistent TCP connection, which is not supported by ALB, so that is no solution at the moment. I have to use an NLB.

I was wondering if the AWS NLB supports intra-VM/loopback traffic by default/with minimal additional configuration. Any resource that I can reference would be greatly appreciated.

Thank you, Paul

1 Answer
Accepted Answer

It will work fine with an AWS NLB, as long as you don't need the original source IP to be retained and are okay accessing the site with the DNS name pointing to the NLB and not directly with the VM's own DNS name.

Simply disable the preserve_client_ip.enabled target group attribute (https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_TargetGroupAttribute.html), which is shown in the console by the title, "Preserve client IP addresses." Then access the site with a DNS name that is an alias for the NLB's DNS name or IP address(es) (https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html).

With client IP preservation disabled, connections from the VM to the NLB will work in the normal manner, but when the NLB connects back to the VM, the source IP of the connection will be one of the NLB's IP addresses and not the VM's own IP. The VM will therefore see both its outbound connections going to the NLB and its incoming connections coming from the NLB, and will have no perception of talking to itself.

One usually inconsequential side effect is that the logs for your website will show all requests as having come from the NLB's IP address(es), so you won't see whether they came from your VM or from someone else who could potentially connect to the NLB. You can restrict access to the NLB by attaching a security group to the NLB when you create it (one cannot be added afterwards).

Leo K
answered 2 months ago
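The two steps in the accepted answer (turn off "Preserve client IP addresses" on the target group, then publish a DNS alias for the NLB) as an added example in Python with boto3; this is not code from the original answer. The target group ARN, NLB name, hosted zone ID and record name are placeholders, and the two pure helpers (attribute parsing and change-batch construction) run offline, so the live calls are kept in main() and the boto3 import is deferred to it.

```python
"""Added example (not from the original answer): disable client IP
preservation on an NLB target group, confirm the setting, and publish a
Route 53 alias so the VM reaches its own site through the NLB name.
All ARNs, names and zone IDs below are placeholders."""
from __future__ import annotations

PRESERVE_KEY = "preserve_client_ip.enabled"


def preserve_client_ip_setting(attributes: list[dict]) -> bool | None:
    """Read the value of preserve_client_ip.enabled from the Attributes list
    returned by describe-target-group-attributes. Returns True/False, or
    None when the attribute is not present in the list."""
    for attr in attributes:
        if attr.get("Key") == PRESERVE_KEY:
            return attr.get("Value", "").strip().lower() == "true"
    return None


def disable_preserve_client_ip_attributes() -> list[dict]:
    """Attribute list for modify-target-group-attributes that turns
    'Preserve client IP addresses' off (the setting the answer asks for)."""
    return [{"Key": PRESERVE_KEY, "Value": "false"}]


def nlb_alias_change_batch(record_name: str, nlb_dns_name: str,
                           nlb_canonical_zone_id: str) -> dict:
    """Route 53 change batch for an alias A record pointing at the NLB.
    The AliasTarget HostedZoneId is the NLB's CanonicalHostedZoneId (from
    describe-load-balancers), not the hosted zone the record lives in."""
    return {
        "Comment": "Alias so the VM reaches the site via the NLB, not its own name",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": record_name,
                "Type": "A",
                "AliasTarget": {
                    "HostedZoneId": nlb_canonical_zone_id,
                    "DNSName": nlb_dns_name,
                    "EvaluateTargetHealth": True,
                },
            },
        }],
    }


def main() -> None:
    import boto3  # only the live calls need it; helpers above run offline

    # Placeholders: substitute your own target group ARN, NLB name and zone.
    tg_arn = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/NAME/ID"
    nlb_name = "my-nlb"
    hosted_zone_id = "ZPLACEHOLDER"
    record_name = "app.internal.example."

    elbv2 = boto3.client("elbv2")
    elbv2.modify_target_group_attributes(
        TargetGroupArn=tg_arn,
        Attributes=disable_preserve_client_ip_attributes())

    # Read the setting back rather than trusting the call succeeded.
    attrs = elbv2.describe_target_group_attributes(
        TargetGroupArn=tg_arn)["Attributes"]
    if preserve_client_ip_setting(attrs) is not False:
        raise SystemExit(f"{PRESERVE_KEY} is still enabled on {tg_arn}")

    lb = elbv2.describe_load_balancers(Names=[nlb_name])["LoadBalancers"][0]
    boto3.client("route53").change_resource_record_sets(
        HostedZoneId=hosted_zone_id,
        ChangeBatch=nlb_alias_change_batch(
            record_name, lb["DNSName"], lb["CanonicalHostedZoneId"]))
    print(f"{record_name} -> {lb['DNSName']} ({PRESERVE_KEY}=false)")


if __name__ == "__main__":
    main()
```

One consequence worth checking after the change: with client IP preservation off, the VM sees connections arriving from the NLB's private IP addresses, so the instance's security group must allow the listener port from the NLB's subnets (or its private IPs) rather than only from the VM's own address.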