Updated on 2024-09-06 GMT+08:00

Connecting to a Dedicated Load Balancer

This section describes how to connect a CSS cluster to a dedicated load balancer.

(Optional) Preparing a Self-signed Certificate

If the target ELB listener uses the HTTP protocol, skip this step.

Prepare and upload a self-signed certificate.

You are advised to use a certificate purchased in Cloud Certificate Manager (CCM) or issued by an authoritative organization.

  1. Log in to a Linux client where the OpenSSL tool and JDK are installed.
  2. Run the following commands to create a self-signed certificate:
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    mkdir ca
    mkdir server
    mkdir client
    
    #Use OpenSSL to create a CA certificate.
    cd ca
    #Create the OpenSSL configuration file ca_cert.conf for the CA certificate.
    cat >ca_cert.conf <<EOF
    [ req ]
    distinguished_name     = req_distinguished_name
    prompt                 = no
    
    [ req_distinguished_name ]
     O                      = ELB
    EOF
    #Create private key file ca.key for the CA certificate.
    openssl genrsa -out ca.key 2048
    #Create the CSR file ca.csr for the CA certificate.
    openssl req -out ca.csr -key ca.key -new -config ./ca_cert.conf
    #Create a self-signed CA certificate ca.crt.
    openssl x509 -req -in ca.csr -out ca.crt -sha1 -days 5000 -signkey ca.key
    #Convert the CA certificate format to p12.
    openssl pkcs12 -export -clcerts -in ca.crt -inkey ca.key -out ca.p12
    #Convert the CA certificate format to JKS.
    keytool -importkeystore -srckeystore ca.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore ca.jks
    
    
    #Use the CA certificate to issue a server certificate.
    cd ../server
    #Create the OpenSSL configuration file server_cert.conf for the server certificate. Change the CN field to the domain name or IP address of the server as required.
    cat >server_cert.conf <<EOF
    [ req ]
    distinguished_name     = req_distinguished_name
    prompt                 = no
    
    [ req_distinguished_name ]
     O                      = ELB
     CN                     = 127.0.0.1
    EOF
    #Create the private key file server.key for the server certificate.
    openssl genrsa -out server.key 2048
    #Create the CSR request file server.csr for the server certificate.
    openssl req -out server.csr -key server.key -new -config ./server_cert.conf
    #Use the CA certificate to issue the server certificate server.crt.
    openssl x509 -req -in server.csr -out server.crt -sha1 -CAcreateserial -days 5000 -CA ../ca/ca.crt -CAkey ../ca/ca.key
    #Convert the server certificate format to p12.
    openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12
    #Convert the service certificate format to JKS.
    keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore server.jks
    
    
    #Use the CA certificate to issue a client certificate.
    cd ../client
    #Create the OpenSSL configuration file client_cert.conf for the client certificate. Change the CN field to the domain name or IP address of the server as required.
    cat >client_cert.conf <<EOF
    [ req ]
    distinguished_name     = req_distinguished_name
    prompt                 = no
    
    [ req_distinguished_name ]
    O                      = ELB
    CN                     = 127.0.0.1
    EOF
    #Create private key client.key for the client certificate.
    openssl genrsa -out client.key 2048
    #Create the CSR file client.csr for the client certificate.
    openssl req -out client.csr -key client.key -new -config ./client_cert.conf
    #Use the CA certificate to issue the client certificate client.crt.
    openssl x509 -req -in client.csr -out client.crt -sha1 -CAcreateserial -days 5000 -CA ../ca/ca.crt -CAkey ../ca/ca.key
    #Convert the client certificate to a p12 file that can be identified by the browser.
    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
    #Convert the client certificate format to JKS.
    keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore client.jks
    
  3. Upload the self-signed certificate. For details, see .

Creating a Dedicated Load Balancer

  1. Log in to the ELB management console.
  2. Create a dedicated load balancer. For details, see . Table 1 describes the parameters required for connecting a CSS cluster with a dedicated load balancer.
    Table 1 Parameters for interconnecting a CSS cluster with a dedicated load balancer

    Parameter

    Description

    Example

    Type

    Load balancer type. Select Dedicated.

    Dedicated

    Billed By

    Billing mode of the dedicated load balancer.

    Pay-per-use

    Region

    Region where the CSS cluster is located.

    -

    IP as Backend Servers

    A CSS cluster can be connected only after the cross-VPC backend is enabled.

    Enabled

    Network Type

    Type of the network used by the load balancer to provide services for external systems.

    Private IPv4 network

    VPC

    VPC where the load balancer works. This parameter is mandatory no matter which network type is selected.

    Select the VPC of the CSS cluster

    -

    Subnet

    Subnet where the load balancer is to be created. This parameter is mandatory no matter which network type is selected.

    Select the subnet of the CSS cluster

    -

    Specifications

    You are advised to select Application load balancing (HTTP/HTTPS), which provides better functions and performance.

    Application load balancing (HTTP/HTTPS)

    Small I

Adding a Listener

  1. Log in to the ELB management console.
  2. Add an HTTPS listener for a dedicated load balancer. For details, see . Table 2, Table 3, Table 4, and Table 5 describe the parameters required for interconnecting a CSS cluster with a dedicated load balancer.
    Table 2 Listener parameters

    Parameter

    Description

    Example

    Name

    Listener name

    listener-9200

    Frontend Protocol

    The protocol used by the client and listener to distribute traffic.

    Select a protocol as required.

    HTTPS

    Frontend Port

    The port used by the client and listener to distribute traffic.

    For example, 9200. You need to specify this parameter as required.

    9200

    SSL Authentication

    Authentication mode for the client to access the server.

    Select a parsing mode as required.

    Two-way authentication

    Server Certificate

    The server certificate is used for SSL handshake negotiation. The certificate content and private key must be provided.

    When SSL Authentication is set to Two-way authentication, this parameter is mandatory.

    -

    CA Certificate

    Also called client CA public key certificate. It is used to verify the issuer of a client certificate.

    When the HTTPS two-way authentication is enabled, an HTTPS connection can be established only when the client can provide the certificate issued by a specified CA.

    This parameter is mandatory only when the Frontend Protocol is set to HTTPS.

    -

    Table 3 Parameters for backend allocation policies

    Parameter

    Description

    Example

    Backend Server Group

    A group of backend servers with the same features

    New

    Name

    Backend server group name

    server_group_css

    Backend Protocol

    The protocol used by backend servers to receive requests

    HTTPS

    Load Balancing Algorithm

    The algorithm used by the load balancer to distribute traffic Select an appropriate algorithm to allocate access traffic and improve load balancing capabilities.

    Weighted Round Robin

    Before adding a backend server, choose IP as Backend Servers and click Add IP as Backend Servers on the Add Listener page.

    Table 4 Parameters for adding a backend server

    Parameter

    Description

    Example

    IP as Backend Servers

    Private network address provided on the CSS console for accessing a cluster.

    After a cluster is scaled in or out, or a client node is added, you need to update the cross-VPC backend server IP address in a timely manner.

    192.168.xxx.xxx

    Backend Port

    Port used by CSS to provide services for external systems. Set the value to 9200.

    9200

    Weight

    Weight of the weighted round robin algorithm

    1

    Table 5 Health check parameters

    Parameter

    Description

    Example

    Enable Health Check

    Whether to enable health checks. You are advised to enable them.

    Yes

    Protocol

    Protocol used by the load balancer to perform health checks on backend servers. You can select HTTP, TCP, or HTTPS. Once selected, the protocol cannot be changed.

    Only HTTP and HTTPS are available for CSS clusters.

    HTTPS

    Check Path

    Health check URL.

    • For a CSS cluster in non-security mode, enter /.
    • For a CSS cluster in security mode, enter /_opendistro/_security/health.

    /_opendistro/_security/health

  3. After setting the parameters, wait for 30 seconds and check the cross-VPC backend servers in the backend server group. If the health check result is Healthy, the listener is added successfully.

Accessing a Cluster

Run the following commands to check whether the dedicated load balancer can be connected to a cluster.

Table 6 Commands for accessing different clusters

Security Mode

Service Form Provided by ELB for External Systems

Curl Command for Accessing a Cluster

Non-security

No authentication

curl  http://IP:9200

One-way authentication

curl -k --cert ./client.crt --key ./client.key https://IP:9200

Two-way authentication

curl --cacert ./ca.crt --cert ./client.crt --key ./client.key https://IP:9200

Security mode + HTTP

Password authentication

curl  http://IP:9200 -u user:pwd

One-way authentication + Password authentication

curl -k --cert ./client.crt --key ./client.key https://IP:9200 -u user:pwd

Two-way authentication + Password authentication

curl --cacert ./ca.crt --cert ./client.crt --key ./client.key https://IP:9200 -u user:pwd

Security mode + HTTPS

One-way authentication + Password authentication

curl -k --cert ./client.crt --key ./client.key https://IP:9200 -u user:pwd

Two-way authentication + Password authentication

curl --cacert ./ca.crt --cert ./client.crt --key ./client.key https://IP:9200 -u user:pwd
Table 7 Variables

Variable

Description

IP

ELB IP address

user

Username for accessing the CSS cluster

pwd

Password of the user

If the Elasticserach cluster information is returned, the connection is successful. For example, if a security cluster using the HTTPS protocol is connected to a load balancer using two-way authentication, the information shown in Figure 1 is returned.

Figure 1 Accessing a cluster