
We are looking into setting up our application on AWS. This will run on 3 load balanced web servers. We have been looking into how to prevent DDoS attacks and how to serve a static page during maintenance, and are looking at going with Nginx. So the setup would be Nginx in front of an elastic load balancer.

As for our setup: when there is an upgrade to the application, we update Nginx to serve a static maintenance page while a whole new stack comes online with its own elastic load balancer. To switch to the new application stack, we will update the Nginx config to point to the new elastic load balancer.

Does this make any sense? The reason I am asking is that I cannot find anything on this type of setup online.

Thanks,

Colin.

  • Nginx's load balancing facility is more functional than any black box within any cloud provider's services. In case of custom requirements, it is worth trying to replace AWS ELB with Nginx entirely. Commented May 10, 2015 at 7:42

2 Answers


The elastic load balancer works by using many IP addresses. If you do `dig amazon.com` you can see how it's distributed with a low TTL. Once your nginx server runs out of open ports it will go down.

It's however a very good idea to use balancers in front of your app servers. This scales very well with auto-scaling groups.

When you do the transition, just lower your CNAME TTL and point it to a new load balancer.


2 Comments

Thanks for your response. But how will the elastic load balancer deal with a DDoS attack, just scale out till it is over? How do we try and prevent a DDoS attack?
You can't. The only way to prevent a large-scale attack is to work directly with network carriers and have them do a large-scale network isolation.
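For readers who still want to try the asker's layout, here is an added nginx configuration (not from the original post or either answer) showing the two mechanics the thread discusses: switching to a static maintenance page and pointing at an ELB whose IP addresses change behind a short-TTL DNS name. The ELB hostname, the flag file path and the maintenance document root are hypothetical; the resolver address is the Amazon-provided VPC DNS, which is an assumption about where nginx runs.

```nginx
# Added example config, not from the original post. Assumed names:
# ELB DNS name   : my-app-elb-123456.us-east-1.elb.amazonaws.com (hypothetical)
# Flag file      : /etc/nginx/maintenance.on (hypothetical)
# Maintenance doc: /var/www/maintenance/index.html (hypothetical)
# Resolver       : 169.254.169.253, the Amazon-provided VPC DNS (assumed)

events {}

http {
    # An ELB name maps to a rotating set of IPs with a short TTL (see
    # `dig` in the answer above). With a literal hostname in proxy_pass,
    # nginx resolves it ONCE at start-up and keeps the stale addresses.
    # Putting the hostname in a variable forces lookups through this
    # resolver instead; `valid=10s` caps how long an answer is reused.
    resolver 169.254.169.253 valid=10s ipv6=off;

    # Per-client request rate limit: blunts abusive single sources,
    # but does nothing against a volumetric attack that saturates the
    # link in front of this box (the point made in the comments above).
    limit_req_zone $binary_remote_addr zone=perip:10m rate=20r/s;

    server {
        listen 80;
        server_name app.example.com;

        # Maintenance toggle: `touch /etc/nginx/maintenance.on` to serve
        # the static page, `rm` it to resume proxying. No reload needed.
        set $maintenance 0;
        if (-f /etc/nginx/maintenance.on) {
            set $maintenance 1;
        }

        location / {
            limit_req zone=perip burst=40 nodelay;

            if ($maintenance) {
                return 503;
            }

            # Cut-over to a new stack = change this one hostname and run
            # `nginx -s reload`; in-flight requests finish on old workers.
            set $backend "my-app-elb-123456.us-east-1.elb.amazonaws.com";
            proxy_pass http://$backend;

            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
        }

        # 503 from the toggle above (or from an unreachable ELB) renders
        # the static page with the correct status code, so clients and
        # monitors see "unavailable", not a fake 200.
        error_page 502 503 504 @maintenance;
        location @maintenance {
            root /var/www/maintenance;
            rewrite ^ /index.html break;
        }
    }
}
```

Check the config with `nginx -t` before reloading. The caveat that matters most here is the resolver block: without it, nginx will keep sending traffic to ELB addresses that Amazon has since retired, which looks exactly like the "goes down" failure the answer describes, and the single nginx box remains the capacity ceiling and single point of failure for the whole site.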

I see zero value going in this path. Putting a single instance of nginx in front will just increase the complexity of the setup, cost more and, most important, will introduce a new single point of failure and performance/latency bottleneck (and will make your environment much more vulnerable to DDoS).

AWS infrastructure is 100% programmable. Learn how to control the ELB programmatically: how to direct the traffic to a static site during maintenance (could be nginx hosted on one of your instances), and how to support your upgrade workflows.

3 Comments

I have to say, though I ultimately agree with your conclusion, Nginx has a pretty damn good rate limiter for DDoS, and (I hear) since ELB has a bit of ramp-up time for traffic spikes, it will literally just stop working. Though his solution is not good, this person is trying to solve a very real problem.
Thanks for your response, do you think an ELB would deal with a possible DDoS attack or is there anything else we could use in the setup?
ELB will not solve the issue. It will probably not 'break' but pass the problem on to your servers (which will break). You should take a look at dedicated DDoS mitigation services. Cloudflare.com for example can act as your frontend and Dome9.com can make sure no one bypasses them and connects to your servers directly. (I'm a proud dome9'er btw)
