Connecting to a Dedicated Load Balancer

(Optional) Preparing a Self-signed Certificate

If the target ELB listener uses the HTTP protocol, skip this step.

Prepare and upload a self-signed certificate.

You are advised to use a certificate purchased in Cloud Certificate Manager (CCM) or issued by an authoritative organization.

1. Log in to a Linux client where the OpenSSL tool and JDK are installed.
2. Run the following commands to create a self-signed certificate:

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73

   mkdir ca mkdir server mkdir client #Use OpenSSL to create a CA certificate. cd ca #Create the OpenSSL configuration file ca_cert.conf for the CA certificate. cat >ca_cert.conf <<EOF [ req ] distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] O = ELB EOF #Create private key file ca.key for the CA certificate. openssl genrsa -out ca.key 2048 #Create the CSR file ca.csr for the CA certificate. openssl req -out ca.csr -key ca.key -new -config ./ca_cert.conf #Create a self-signed CA certificate ca.crt. openssl x509 -req -in ca.csr -out ca.crt -sha1 -days 5000 -signkey ca.key #Convert the CA certificate format to p12. openssl pkcs12 -export -clcerts -in ca.crt -inkey ca.key -out ca.p12 #Convert the CA certificate format to JKS. keytool -importkeystore -srckeystore ca.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore ca.jks #Use the CA certificate to issue a server certificate. cd ../server #Create the OpenSSL configuration file server_cert.conf for the server certificate. Change the CN field to the domain name or IP address of the server as required. cat >server_cert.conf <<EOF [ req ] distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] O = ELB CN = 127.0.0.1 EOF #Create the private key file server.key for the server certificate. openssl genrsa -out server.key 2048 #Create the CSR request file server.csr for the server certificate. openssl req -out server.csr -key server.key -new -config ./server_cert.conf #Use the CA certificate to issue the server certificate server.crt. openssl x509 -req -in server.csr -out server.crt -sha1 -CAcreateserial -days 5000 -CA ../ca/ca.crt -CAkey ../ca/ca.key #Convert the server certificate format to p12. openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12 #Convert the service certificate format to JKS. keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore server.jks #Use the CA certificate to issue a client certificate. cd ../client #Create the OpenSSL configuration file client_cert.conf for the client certificate. Change the CN field to the domain name or IP address of the server as required. cat >client_cert.conf <<EOF [ req ] distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] O = ELB CN = 127.0.0.1 EOF #Create private key client.key for the client certificate. openssl genrsa -out client.key 2048 #Create the CSR file client.csr for the client certificate. openssl req -out client.csr -key client.key -new -config ./client_cert.conf #Use the CA certificate to issue the client certificate client.crt. openssl x509 -req -in client.csr -out client.crt -sha1 -CAcreateserial -days 5000 -CA ../ca/ca.crt -CAkey ../ca/ca.key #Convert the client certificate to a p12 file that can be identified by the browser. openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 #Convert the client certificate format to JKS. keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore client.jks

3. Upload the self-signed certificate. For details, see the section "Configuring the Server Certificate and Private Key" in Elastic Load Balance User GuideConfiguring the Server Certificate and Private Key.

Creating a Dedicated Load Balancer

1. Log in to the ELB management console.
2. Create a dedicated load balancer. For details, see Creating a Dedicated Load Balancer. Table 1 describes the parameters required for connecting a CSS cluster with a dedicated load balancer.

   Table 1 Parameters for interconnecting a CSS cluster with a dedicated load balancer

   Parameter	Description	Example
   Type	Load balancer type. Select Dedicated.	Dedicated
   Billing Mode	Billing mode of the dedicated load balancer.	Pay-per-use
   Region	Region where the CSS cluster is located.	-
   IP as Backend Servers	A CSS cluster can be connected only after the cross-VPC backend is enabled.	Enabled
   Network Type	Type of the network used by the load balancer to provide services for external systems.	Private IPv4 network
   VPC	VPC where the load balancer works. This parameter is mandatory no matter which network type is selected. Select the VPC of the CSS cluster	-
   Subnet	Subnet where the load balancer is to be created. This parameter is mandatory no matter which network type is selected. Select the subnet of the CSS cluster	-
   Specifications	You are advised to select Application load balancing (HTTP/HTTPS), which provides better functions and performance.	Application load balancing (HTTP/HTTPS) Small I

Interconnecting with a Load Balancer

A cluster in security mode with HTTPS access enabled does not support HTTP protocol authentication. If you need to enable HTTP protocol authentication, disable the security mode of the cluster.

Before changing the security mode, disable load balancing. After the security mode is changed, enable load balancing.

1. Log in to the CSS management console.
2. On the Clusters page, select the cluster you want to connect to the load balancer and click the cluster name. The cluster basic information page is displayed.
3. In the navigation pane, choose Load Balancing. Toggle on the load balancing switch and configure basic load balancing information.
   • Load Balancer: Select a created load balancer. You can also click Create Load Balancer to create one.
   • Agency: Select an agency name. If no agency is available, click Create Agency to create one. The selected agency must have the ELB Administrator and ELB FullAccess permissions.
     Figure 1 Enabling load balancing
     
4. Click OK. The listener configuration page is displayed.
   Figure 2 Creating a listener
   
5. In the Listener Configuration area, click to configure listener information.
   Figure 3 Configuring a listener
   

   Table 2 Listener configuration information

   Parameter	Description
   Frontend Protocol	The protocol used by the client and listener to distribute traffic. Select a protocol as required.
   Frontend Port	The port used by the client and listener to distribute traffic. For example, 9200. You need to specify this parameter as required.
   SSL Authentication	Authentication mode for the client to access the server. Select a parsing mode as required.
   Server Certificate	The server certificate is used for SSL handshake negotiation. The certificate content and private key must be provided. When SSL Authentication is set to Two-way authentication, this parameter is mandatory.
   CA Certificate	Also called client CA public key certificate. It is used to verify the issuer of a client certificate. When the HTTPS two-way authentication is enabled, an HTTPS connection can be established only when the client can provide the certificate issued by a specified CA. This parameter is mandatory only when the Frontend Protocol is set to HTTPS.

6. (Optional) In the Connection Mode area, you can click Settings next to Access Control to configure the IP addresses or network segments that are allowed to access the system. If you do not set the IP addresses or network segments, all IP addresses are allowed to access the system by default.
   Figure 4 Configuring access control
   

Accessing a Cluster Using the Curl Command

Run the following commands to check whether the dedicated load balancer can be connected to a cluster.

curl  http://IP:9200

curl -k --cert ./client.crt --key ./client.key https://IP:9200

curl --cacert ./ca.crt --cert ./client.crt --key ./client.key https://IP:9200

curl  http://IP:9200 -u user:pwd

curl -k --cert ./client.crt --key ./client.key https://IP:9200 -u user:pwd

curl --cacert ./ca.crt --cert ./client.crt --key ./client.key https://IP:9200 -u user:pwd

curl -k --cert ./client.crt --key ./client.key https://IP:9200 -u user:pwd

curl --cacert ./ca.crt --cert ./client.crt --key ./client.key https://IP:9200 -u user:pwd

If the Elasticsearch cluster information is returned, the connection is successful. For example, if a security cluster using the HTTPS protocol is connected to a load balancer using two-way authentication, the information shown in Figure 5 is returned.

Figure 5 Accessing a cluster