AWS ELB into Rancher HAProxy

Hey,

I’ve got a situation where I’m running AWS ELB’s in front of my App Servers. I’m using the Rancher HAProxy to LB between the containers (based on hostname/port).

ELB -> HAProxy -> Containers

Though I can’t figure out how to make the App Servers pass the ELB health check. I’ve tried a few things, but I can’t seem to figure it out. Any ideas?

I hope that makes sense!

So tabling the discussion of the odd reason for ELB -> HAProxy

This seems to be an AWS networking issue.
Does security group for Rancher servers allow the ELB security group / network to hit it?

I assume that you can

  1. Hit your own HAPRoxy
  2. Hit the ELB

from your work station or network, the next question I would ask is, can the ELB hit Rancher

Next up,
isolating the HAProxy Loadbalancer, can your ELB hit any arbitrary Rancher Service thats not behind a Rancher Managed Load balancer?

My thinking for having ELB -> HAProxy was so I’m not exposing the app servers directly to the outside world. And I could let the ELB do the SSL termination. I feel like that is a little bit more secure, vs using a DNS service to update the zone record with IP’s for the LB’s. I’m running a single HAProxy container on each of the app servers.

Is that a stupid idea then?

Its just that chaining LoadBalancers across ELB network to Rancher HAProxy looks like setting up for some ops pain. I wouldn’t want to debug this if I got paged at 2am for a server down.

For your use case it may be the best solution I don’t know.

@nma How else would you run multiple apps on the same port. For example you have two apps running port 80 on a server. The way @chrisneal is setting it up so you could run app1 on port 81 and app2 on port 82. The AWS ELB’s would both run on port 80 and send it to port 81 and 82.

@chrisneal Try running your container without the HAProxy and make sure your ELB health checks pass. This way you can easily see access logs. You might be able to see access logs with HAProxy but I am not sure about that. Also you might have already read this but this is what your trying to do. http://x-team.com/2016/02/socket-io-haproxy-aws/

Hope this helps and good luck!

@Jlaird so this is standard operating procedures for AWS ELB -> Container Clustering computing? Okay, I work with a more traditional setup at my work place. Just ELBs -> AMIs for low moving parts since we only have 2 people on Pager Rotation and no dedicated infrastructure team, we only do changes when we are sure we can operate it properly.

Though back to the original topic, it also looks external ELB is a feature in the roadmap.

Worth taking a look, would be interesting to see how the Rancher team addresses the connectivity issues with this.

@chrisneal I would think that in order for your ELB to health check your App Servers you will need to check that your ELB can access the App Server’s exposed public ports directly. So for example if your App servers have exposed port 8090:8080 then your ELB should check for 8090, make sure that your security group/network ALC allows for that.

I don’t think you need to do it this way though. I have a very similar setup and what i do is my ELB (actually i am using ALB now) do health check on the HAProxy’s listening port, HAProxy itself will route to healthy App Services only.