Post AHgLvTHIjJs5kNwxCC by riking@social.wxcafe.net
Post #AHgFtx20XNYlimgkDo by feld@bikeshed.party
       2022-03-22T19:24:28.702861Z
       
       0 likes, 1 repeats
       
       Do I understand correctly that AWS Load Balancer requires you to manually figure out how to issue and upload/apply TLS certificates from e.g., LetsEncrypt instead of uhhh I don't know, maybe just supporting it in their platform?
       
Post #AHgKxgktUbuOAgHkA4 by riking@social.wxcafe.net
       2022-03-22T20:11:45Z
       
       0 likes, 0 repeats
       
       @feld depends on if you use the TCP or HTTPS load balancer product
       
Post #AHgKxhJHQlPjtKNCl6 by riking@social.wxcafe.net
       2022-03-22T20:15:02Z
       
       0 likes, 0 repeats
       
       @feld there are benefits for high-assurance environments in terminating TLS on VMs you control, and that uses TCP LBs.
       If you just want something that works, try API Gateway + Lambda.
       
Post #AHgKxhkDoaxtEsyiki by feld@bikeshed.party
       2022-03-22T20:21:11.577110Z
       
       0 likes, 0 repeats
       
       No, they're both icky and introduce entire stacks of software into the network path, which causes severe headaches when you need to debug odd behavior. I would much rather have real Cisco or Juniper routers and just use BGP for the load-balancing. You can use sticky sessions with BGP and that simplifies your network architecture significantly. You just run a daemon on the server with a custom script / tool of your choosing that validates the health of the application and chooses whether or not to announce the route to your routers.
       
Post #AHgLYceLihLq9WpqtM by riking@social.wxcafe.net
       2022-03-22T20:24:04Z
       
       0 likes, 0 repeats
       
       @feld sure, you're welcome to do your own DNS round-robin to public-IP EC2 VMs and run your own iBGP-based load balancing from there. In fact, this is the recommended thing to do for some Kubernetes setups. Dodges a bunch of $$$ charges in exchange for your time & maintenance effort.
       I was approaching this assuming that working on AWS was a mandate and you were looking for solutions, was that wrong?
       
Post #AHgLYd8ptLjng56CPY by feld@bikeshed.party
       2022-03-22T20:27:53.092713Z
       
       0 likes, 0 repeats
       
       AWS is where things are currently at, but I'd rather be on our real bare metal. I think it's separated for accounting reasons and to not mix finances between different companies. (Our different projects are all under separate companies.)
       
Post #AHgLvTHIjJs5kNwxCC by riking@social.wxcafe.net
       2022-03-22T20:29:59Z
       
       0 likes, 0 repeats
       
       @feld hang on, I don't understand how you expect AWS to be able to terminate TLS for you and then route the result over BGP?
       "custom health check decides whether to announce the route" is the exact workflow that the cloud LBs popularized and made easy
       ----
       anyways, are you looking for listen-mode or fix-mode?
       
Post #AHgLvTmqq16nKEi9NA by feld@bikeshed.party
       2022-03-22T20:32:00.840219Z
       
       0 likes, 0 repeats
       
       @riking AWS would not terminate TLS. The TCP terminates on the nodes themselves. A watchdog runs on each node to choose whether or not to advertise a route so it can accept traffic.
       
Post #AHgMTDix491FLwyZjk by riking@social.wxcafe.net
       2022-03-22T20:35:04Z
       
       0 likes, 0 repeats
       
       @feld the AWS way to do that is to configure https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-health-checks.html
       the watchdog listens on a port (NOT the client traffic port, unless managed HTTP) you choose and returns success/fail to the LB
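
A node-side watchdog of the kind both posters describe, as an added example that is not code from either of them: it validates the local application, serves the NLB-style health check on a separate port, and turns health transitions into announce/withdraw decisions for a BGP daemon. The ports, the drain-file path, the VIP prefix and the ExaBGP-style command text are all assumptions.

```python
import os
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer

APP_PORT = 8443                 # assumption: the TLS-terminating app listens here
HEALTH_PORT = 9000              # separate port the LB health check probes, not the client port
DRAIN_FILE = "/run/app/drain"   # assumption: an operator creates this file to drain the node
VIP_PREFIX = "192.0.2.10/32"    # constructed service VIP this node would announce over iBGP

def app_accepting(host="127.0.0.1", port=APP_PORT, timeout=0.5):
    """True if the application port currently accepts a TCP connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def healthy(app_up, draining):
    """Policy: take traffic only if the app is up and nobody is draining the node."""
    return bool(app_up) and not draining

def route_command(prefix, was_announced, is_healthy, next_hop="self"):
    """Turn a health transition into the BGP action the watchdog should take.
    Returns an ExaBGP-style text command (syntax assumed) on a state change,
    or None when the announcement already matches the health state."""
    if is_healthy and not was_announced:
        return f"announce route {prefix} next-hop {next_hop}"
    if not is_healthy and was_announced:
        return f"withdraw route {prefix} next-hop {next_hop}"
    return None

class HealthHandler(BaseHTTPRequestHandler):
    """Answers the LB's HTTP health check: 200 means take traffic, 503 means don't."""
    def do_GET(self):
        ok = healthy(app_accepting(), os.path.exists(DRAIN_FILE))
        body = b"ok\n" if ok else b"unhealthy\n"
        self.send_response(200 if ok else 503)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the health port quiet
        pass

if __name__ == "__main__":
    # Serve the health endpoint for the NLB case; for the iBGP case a loop would
    # poll healthy() and write route_command() output to the BGP daemon instead.
    HTTPServer(("0.0.0.0", HEALTH_PORT), HealthHandler).serve_forever()
```

The drain file gives an operator a way to withdraw a node without stopping the application, which is the same lever whether the consumer is the cloud LB or your own routers.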
       
Post #AHgMTEAFQeqyibkNHc by feld@bikeshed.party
       2022-03-22T20:38:05.558750Z
       
       0 likes, 0 repeats
       
       @riking yeah I'd skip that and just deploy two Vyatta VMs in active/standby and put the public IPs, NAT, and iBGP on that
       I bet performance would be balls though 😩
       
Post #AHgOABhYYqqJUENM6C by riking@social.wxcafe.net
       2022-03-22T20:40:57Z
       
       0 likes, 0 repeats
       
       @feld my experience at Google has made me distrust classical Cisco/Juniper routers to do anything remotely complicated
       Active/Standby makes you maintain 2*Peak hardware
       Full-on hyperscaler load balancing means you maintain 2+Peak hardware
       Performance is probably fine but costs are high compared to the more advanced solutions
       
Post #AHgOACDocueB6HT7Ng by feld@bikeshed.party
       2022-03-22T20:57:04.315213Z
       
       0 likes, 0 repeats
       
       > experience at google
       Funny tho as this setup worked beautifully for us over at Talos (Cisco). Never an outage on our critical resources like the ClamAV or Snort master servers. Also we demanded Juniper routers. It made management so mad lol
       
Post #AHgOp9n2ZaS9QmTbHs by riking@social.wxcafe.net
       2022-03-22T20:43:56Z
       
       0 likes, 0 repeats
       
       @feld Their actual edge load balancers look something like
       [2x Expensive Name Brand Routers] --> ECMP iBGP --> [(6+2)x Maglev-style TCP Reassemblers] --> RPC --> [Nx High level load balancers]
       
Post #AHgOpAJecKXb3vje7c by feld@bikeshed.party
       2022-03-22T21:04:29.054307Z
       
       0 likes, 0 repeats
       
       Expensive name brand routers? Yeah these cost us about $1M each 🤭
       
Post #AHgecbTXvTBanYOUme by feld@bikeshed.party
       2022-03-23T00:01:28.620084Z
       
       0 likes, 0 repeats
       
       It's enough to push some horny posting across the web
       
Post #AHgmDJoXFkb6PqfLFo by tevruden@nonexiste.net
       2022-03-23T01:25:55Z
       
       1 likes, 0 repeats
       
       @feld @riking I STILL wish someone made VyOS that sits on top of FreeBSD but that needs someone who has a LOT more focus than I.