ELB Access Logs
- Logs are off by default
- Logs can be written every 5 minutes or 60 minutes to S3
- If the site is high traffic the ELB may deliver multiple logs for the same time period.
Access Log Entries
- HTTP Listener - total time in seconds it took from the load balancer receiving the request to when it sent it to the backend
- TCP Listener - total time in seconds from when the load balancer accepted a TCP/SSL connection from a client to when it sen the first byte of data to an instance
- The value can be -1 if there is no backend instance or the client sends a bad request
- HTTP - time in seconds from when the request was sent to when the backend sent a response
- TCP - time in seconds for the load balance to establish a connection to an instance
- HTTP - total time from when the load balancer received a response header from a backend instance until it started to send a response to the client
- TCP - total time from when the load balancer received the first byte from the instance to when it started sending a response to the client
2015-05-13T23:39:43.945958Z my-loadbalancer 192.168.131.39:2817 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -
Getting Information From The Logs
If you have millions of records you can use Amazon EMR or third party tools to aggregate data
API Call Logs
- You can log ELB API calls using CloudTrail logs
- Logs are stored in JSON format and include the request and response
Listener are process that check for connection requests
- Layer 7 - Application Layer
- Can analyze headers from requests
- To get the client’s IP address we can use the X-Forwarded-For header
- Supports sticky sessions
- Layer 4 - Transport Layer
- Proxy Protocol can be used to receive the client’s IP address. It adds a header that is sent to the backend instances.
- Sticky sessions are not supported (no cookies)
HTTPS and SSL require a X.509 SSL certificate and a security policy to be defined. Security policies define the SSL negotiation configuration.
You can deploy the SSL certificate on the backend instances and use a TCP connection from the load balancer to the instances. (TCP passthrough)
If your load balancer uses an encrypted connection to communicate with the instances (i.e. you use HTTPS/SSL on the back-end connection), you can optionally enable authentication of the instances. This ensures that the load balancer communicates with an instance only if its public key matches the key that you specified to the load balancer for this purpose.
You enter one or more public key certificates. ELB will then only communicate with instances that have matching public key certificates.
You can do this via the CLI
$ aws elb create-load-balancer-policy on in the console using the “Enable backend authentication” option.