Enable Support for gRPC Protocol
Ensure that your Amazon Application Load Balancers (ALBs) are configured to send requests to targets using the gRPC protocol. gRPC uses HTTP/2 for the transfer protocol and is becoming the protocol of choice for inter-service communication for applications built on microservice-based architectures. It provides the inherent benefits of HTTP/2 such as lighter network footprint and compression, along with features like efficient binary serialization, support for numerous programming languages, and bidirectional streaming. Due to its performance benefits, you can use gRPC for client-to-service communication as well.
With support for the gRPC protocol enabled, you can use your Application Load Balancer to efficiently route and load balance your gRPC traffic between microservices or between gRPC-enabled clients and services. This will allow you to seamlessly introduce gRPC traffic management in your cloud architecture without changing any of the underlying infrastructure on your clients or services.
Audit
To determine if the support for gRPC protocol is enabled for your Application Load Balancers (ALBs), perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Load Balancers.
04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list the Application Load Balancers available in the current AWS region.
05 Select the Application Load Balancer (ALB) that you want to examine.
06 Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.
07 Click on the name (link) of the target group associated with the selected load balancer, listed in the Rules column.
08 Select the associated target group, choose the Details tab, and check the Protocol version attribute value. If the Protocol version attribute value is different than gRPC, the selected Application Load Balancer (ALB) is not configured to send requests to targets using the gRPC protocol.
09 Repeat steps no. 5 – 8 for each Application Load Balancer (ALB) available within the current AWS region.
10 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of the Application Load Balancers (ALBs) available in the selected AWS region:
aws elbv2 describe-load-balancers --region us-east-1 --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn'
02 The command output should return an array with the requested ALB ARN(s):
[ "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-web-alb/abcdabcdabcdabcd", "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-app-alb/abcd1234abcd1234" ]
03 Run describe-target-groups command (OSX/Linux/UNIX) using the ARN of the Application Load Balancer (ALB) that you want to examine as the identifier parameter and custom query filters to describe the protocol version used by the target group(s) associated with the selected load balancer:
aws elbv2 describe-target-groups --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-web-alb/abcdabcdabcdabcd --query 'TargetGroups[*].ProtocolVersion'
04 The command output should return the requested configuration information:
[ "HTTP2" ]
If the describe-target-groups command output does not return "GRPC" as the protocol version configured for the associated target group(s), the selected Application Load Balancer (ALB) is not configured to send requests to targets using the gRPC protocol.
05 Repeat steps no. 3 and 4 for each Application Load Balancer (ALB) available in the selected AWS region.
06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
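The CLI audit steps above, combined into one script, as an added example that is not part of the original page. The function names audit_grpc_region and audit_grpc are hypothetical, and the script assumes an installed AWS CLI with read access to Elastic Load Balancing; a target group that reports no protocol version prints None and is flagged.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): automates the CLI audit steps.
# Output: one line per target group,
#   STATUS <tab> ALB ARN <tab> target group name <tab> protocol version

audit_grpc_region() {
  local region="$1" alb name version status
  # Step 01: ARNs of every Application Load Balancer in the region.
  for alb in $(aws elbv2 describe-load-balancers --region "$region" \
      --query 'LoadBalancers[?Type==`application`].LoadBalancerArn' \
      --output text); do
    # Step 03: name and protocol version of each associated target group.
    aws elbv2 describe-target-groups --region "$region" \
        --load-balancer-arn "$alb" \
        --query 'TargetGroups[*].[TargetGroupName,ProtocolVersion]' \
        --output text |
    while read -r name version; do
      [ -n "$name" ] || continue
      # Step 04: anything other than GRPC (HTTP1, HTTP2, None) is a finding.
      if [ "$version" = "GRPC" ]; then status="PASS"; else status="FAIL"; fi
      printf '%s\t%s\t%s\t%s\n' "$status" "$alb" "$name" "$version"
    done
  done
}

# Step 06: repeat for every region given; returns 1 if any target group fails,
# so the function can gate a CI job or a scheduled compliance check.
audit_grpc() {
  local region report
  report=$(for region in "$@"; do audit_grpc_region "$region"; done)
  [ -z "$report" ] || printf '%s\n' "$report"
  ! printf '%s\n' "$report" | grep -q '^FAIL'
}

# Run directly as: ./audit-grpc.sh us-east-1 eu-west-1
if [ "$#" -gt 0 ]; then audit_grpc "$@"; fi
```

Load balancers with no associated target group produce no output lines, so review them separately.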
Remediation / Resolution
To implement the gRPC protocol for your existing Amazon Application Load Balancers (ALBs), perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "ApplicationLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": "cc-app-load-balancer",
        "Type": "application",
        "Scheme": "internet-facing",
        "IpAddressType": "ipv4",
        "Subnets": [
          "subnet-01234abcd1234abcd",
          "subnet-0abcd1234abcd1234"
        ],
        "SecurityGroups": [
          "sg-0abcd1234abcd1234",
          "sg-01234abcd1234abcd"
        ]
      }
    },
    "LoadBalancerTargetGroup": {
      "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
      "Properties": {
        "Name": "cc-new-web-target-group",
        "VpcId": "vpc-01234abcd1234abcd",
        "Port": 443,
        "Protocol": "HTTPS",
        "ProtocolVersion": "GRPC"
      }
    },
    "LoadBalancerListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "Protocol": "HTTPS",
        "Port": 443,
        "LoadBalancerArn": {
          "Ref": "ApplicationLoadBalancer"
        },
        "Certificates": [
          {
            "CertificateArn": "arn:aws:iam::123412341234:server-certificate/domain.com"
          }
        ],
        "DefaultActions": [
          {
            "Type": "forward",
            "TargetGroupArn": {
              "Ref": "LoadBalancerTargetGroup"
            }
          }
        ]
      }
    }
  }
}
```
02 CloudFormation template (YAML):
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-app-load-balancer
      Type: application
      Scheme: internet-facing
      IpAddressType: ipv4
      Subnets:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234
      SecurityGroups:
        - sg-0abcd1234abcd1234
        - sg-01234abcd1234abcd
  LoadBalancerTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: cc-new-web-target-group
      VpcId: vpc-01234abcd1234abcd
      Port: 443
      Protocol: HTTPS
      ProtocolVersion: GRPC
  LoadBalancerListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Protocol: HTTPS
      Port: 443
      LoadBalancerArn: !Ref 'ApplicationLoadBalancer'
      Certificates:
        - CertificateArn: arn:aws:iam::123412341234:server-certificate/domain.com
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref 'LoadBalancerTargetGroup'
```
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_lb" "application-load-balancer" {
  name               = "cc-app-load-balancer"
  load_balancer_type = "application"
  internal           = false
  ip_address_type    = "ipv4"
  subnets            = ["subnet-01234abcd1234abcd","subnet-0abcd1234abcd1234"]
  security_groups    = ["sg-0abcd1234abcd1234","sg-01234abcd1234abcd"]
}

resource "aws_lb_target_group" "load-balancer-target-group" {
  name             = "cc-new-web-target-group"
  vpc_id           = "vpc-01234abcd1234abcd"
  port             = 443
  protocol         = "HTTPS"
  protocol_version = "GRPC"
}

resource "aws_lb_listener" "load-balancer-listener" {
  port              = "443"
  protocol          = "HTTPS"
  certificate_arn   = "arn:aws:iam::123412341234:server-certificate/domain.com"
  load_balancer_arn = aws_lb.application-load-balancer.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.load-balancer-target-group.arn
  }
}
```
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Target Groups.
04 Click on the name (link) of the target group associated with your Application Load Balancer and collect all the configuration information available for the resource, including the information available for the registered targets.
05 Navigate back to the Target Groups listing page, and choose Create target group to create a new target group for your load balancer.
06 On the Create target group setup page, perform the following actions:
- For Step 1 Specify group details, provide a unique name for the new target group, select the required target type, choose the VPC network with the instances that you want to include in the target group, and configure the health checks. For Protocol version choose gRPC to enable support for the gRPC protocol. This will allow the associated load balancer to send requests to targets using the gRPC protocol. Choose Next to continue.
- For Step 2 Register targets, register the group targets identified at step no. 4, and choose Create target group to create your new, compliant target group.
07 In the main navigation panel, under Load Balancing, choose Load Balancers.
08 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list the Application Load Balancers available in the current AWS region.
09 Select the Application Load Balancer (ALB) that you want to examine.
10 Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.
11 Select the listener that you want to reconfigure and choose Edit.
12 On the Edit listener configuration page, under Default actions, update the listener's default action to route requests to the new target group created at step no. 6. Choose Save changes to apply the changes. If required, repeat this step for each listener defined for your Application Load Balancer (ALB).
13 Repeat steps no. 3 – 12 for each Application Load Balancer (ALB) available within the current AWS region.
14 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Run describe-target-groups command (OSX/Linux/UNIX) using the ARN of the Application Load Balancer (ALB) that you want to reconfigure as the identifier parameter, to describe the configuration of the associated target group(s):
aws elbv2 describe-target-groups --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-web-alb/abcdabcdabcdabcd
02 The command output should return the requested configuration information:
```json
{
  "TargetGroups": [
    {
      "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-web-target-group/1234abcd1234abcd",
      "TargetGroupName": "cc-web-target-group",
      "Protocol": "HTTPS",
      "Port": 443,
      "VpcId": "vpc-abcd1234",
      "HealthCheckProtocol": "HTTPS",
      "HealthCheckPort": "traffic-port",
      "HealthCheckEnabled": true,
      "HealthCheckIntervalSeconds": 30,
      "HealthCheckTimeoutSeconds": 5,
      "HealthyThresholdCount": 5,
      "UnhealthyThresholdCount": 2,
      "HealthCheckPath": "/",
      "Matcher": {
        "HttpCode": "200"
      },
      "LoadBalancerArns": [
        "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-web-alb/abcdabcdabcdabcd"
      ],
      "TargetType": "instance",
      "ProtocolVersion": "HTTP2"
    }
  ]
}
```
03 Run create-target-group command (OSX/Linux/UNIX) to create a new target group that supports the gRPC protocol, using the configuration information returned at the previous step:
aws elbv2 create-target-group --region us-east-1 --name cc-new-web-target-group --protocol HTTPS --protocol-version GRPC --port 443 --target-type instance --vpc-id vpc-abcd1234 --health-check-enabled --health-check-protocol HTTPS --health-check-port "traffic-port" --health-check-path "/" --health-check-interval-seconds 30 --health-check-timeout-seconds 5 --healthy-threshold-count 5 --unhealthy-threshold-count 2
04 The command output should return the configuration information available for the new target group:
```json
{
  "TargetGroups": [
    {
      "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-new-web-target-group/1234abcd1234abcd",
      "TargetGroupName": "cc-new-web-target-group",
      "Protocol": "HTTPS",
      "Port": 443,
      "VpcId": "vpc-abcd1234",
      "HealthCheckProtocol": "HTTPS",
      "HealthCheckPort": "traffic-port",
      "HealthCheckEnabled": true,
      "HealthCheckIntervalSeconds": 30,
      "HealthCheckTimeoutSeconds": 5,
      "HealthyThresholdCount": 5,
      "UnhealthyThresholdCount": 2,
      "HealthCheckPath": "/",
      "Matcher": {
        "GrpcCode": "12"
      },
      "TargetType": "instance",
      "ProtocolVersion": "GRPC"
    }
  ]
}
```
05 Run register-targets command (OSX/Linux/UNIX) to register the specified targets with the newly created target group (the command does not produce an output):
aws elbv2 register-targets --region us-east-1 --target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-new-web-target-group/1234abcd1234abcd --targets Id=i-01234abcd1234abcd Id=i-0abcd1234abcd1234
06 Run describe-listeners command (OSX/Linux/UNIX) to describe the Amazon Resource Name (ARN) of each listener configured for your Application Load Balancer (ALB):
aws elbv2 describe-listeners --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-web-alb/abcdabcdabcdabcd --query 'Listeners[*].ListenerArn'
07 The command output should return the requested listener ARN(s):
[ "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-frontend-web-alb/abcdabcdabcdabcd/1234123412341234" ]
08 Run modify-listener command (OSX/Linux/UNIX) to associate the new target group with your Application Load Balancer (ALB) by updating the default action for the specified listener:
aws elbv2 modify-listener --region us-east-1 --listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-frontend-web-alb/abcdabcdabcdabcd/1234123412341234 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-new-web-target-group/1234abcd1234abcd
09 The command output should return the information available for the modified listener:
```json
{
  "Listeners": [
    {
      "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-frontend-web-alb/abcdabcdabcdabcd/1234123412341234",
      "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-web-alb/abcdabcdabcdabcd",
      "Port": 443,
      "Protocol": "HTTPS",
      "Certificates": [
        {
          "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234"
        }
      ],
      "SslPolicy": "ELBSecurityPolicy-2016-08",
      "DefaultActions": [
        {
          "Type": "forward",
          "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-new-web-target-group/1234abcd1234abcd",
          "ForwardConfig": {
            "TargetGroups": [
              {
                "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-new-web-target-group/1234abcd1234abcd",
                "Weight": 1
              }
            ],
            "TargetGroupStickinessConfig": {
              "Enabled": false
            }
          }
        }
      ]
    }
  ]
}
```
10 Repeat steps no. 1 – 9 for each Application Load Balancer (ALB) available in the selected AWS region.
11 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 10 to perform the Remediation process for other regions.