Serverless App Engine:Bind an NLB instance to an application and generate a fixed endpoint

Background

By default, SAE applications cannot be accessed from the public network. Even within a virtual private cloud (VPC), accessing an application by its private IP address is not reliable because the IP address can change after an application update or restart. To solve these issues, you can bind a public or private NLB instance to your application. Binding an NLB instance lets you use a fixed domain name to access your application and provides efficient load balancing for traffic across different zones and SAE instances.

• Before you bind an NLB instance, learn about how NLB works and its performance metrics and limits.

• Using the NLB service in SAE incurs additional fees.

  Important

  If you delete an NLB instance from only the SAE console and not from the Server Load Balancer (SLB) console, the NLB instance continues to incur fees. For more information about how to delete an NLB instance from the SLB console, see Delete an NLB instance.

Overview

SAE applications support binding with public or private NLB instances. You can bind an NLB instance of a specific network type to your SAE application as needed.

• Bind a private NLB instance: A private NLB instance provides a fixed endpoint (DNS name) for the SAE application and distributes traffic to the instances of the SAE application using a load balancing algorithm, such as round-robin. Common scenarios include internal microservice communication, database access, and corporate intranet access.

• Bind a public NLB instance: By default, SAE applications do not support direct access from the public network. By binding a public NLB instance, you can provide a fixed public endpoint for your SAE application to handle Internet traffic. The public access process is shown in the following figure.

  

Step 1: Add an NLB instance to an application

1. On the SAE Application List page, select a region and namespace at the top, and click the ID of the target application to open the application details page.

2. On the Basic Information page of the target application, find the Application Access Settings section. On the NLB-based access tab, click Add NLB Access.

   

3. In the Add NLB Access panel, configure the following parameters, and then click OK.

   Note

   SAE supports creating a new NLB instance or binding an existing one. Select an option as needed.

   • Create a new NLB instance: The SAE system automatically purchases an NLB instance for you. You can view the details of the instance in the SLB console.

   • Bind an existing NLB instance: You must create an NLB instance on the Instances page of the SLB console in advance. If you want to create a private NLB instance, we recommend that the NLB instance and the SAE application use the same VPC. If they are not in the same VPC, you must configure the network to ensure that they can communicate with each other. For example, you can use Alibaba Cloud's Cloud Enterprise Network (CEN) or other network products to enable cross-VPC communication.

   Create a new NLB instance

   1. Set Instance Source to Create an instance.

   2. For Network Type, select Public Network or Private Network as needed.

      • If you select Public Network, the system automatically creates a public NLB instance and allocates an Elastic IP Address and a virtual IP address (VIP) to each zone.

      • If you select Private Network, the system automatically creates a private NLB instance and allocates a VIP to each zone.

   3. Select the zones where the virtual switches are located. To ensure high availability, select at least two zones.

      You cannot select a VPC. The VPC of the target application is used by default.

   4. Supported protocol types are TCP, UDP, and TCPSSL. Select a protocol type as needed.

      Protocol	Configuration item	Example
      TCP	Listener Port: The port that receives requests and forwards them to backend servers. Container Port: The port on which the process listens. This is defined by the application.	Listener Port: 80 Container Port: 8080 (default port for web services)
      UDP
      TCPSSL	Listener Port: The port that receives requests and forwards them to backend servers. Container Port: The port on which the process listens. This is defined by the application. Select SSL Certificate: The SSL certificate. Select an uploaded SSL certificate from the drop-down list. Important To access a custom domain name over HTTPS, it must have an ICP filing with Alibaba Cloud. For more information, see ICP filing process.	Listener Port: 80 Container Port: 8080 (default port for web services) Select SSL Certificate: Select a purchased SSL certificate from the drop-down list. If you have not purchased an SSL certificate, see Purchase a certificate.

   

   Bind an existing NLB instance

   1. Set Instance Source to Use Existing.

   2. From the NLB Instance drop-down list, select the NLB instance that you created.

      If you have not created an NLB instance, click Create NLB Instance, and then create an NLB instance on the Instances

   3. Supported protocol types are TCP, UDP, and TCPSSL. Select a protocol type as needed.

      Protocol Type	Configuration item	Example value
      TCP	Listener Port: The port that receives requests and forwards them to backend servers. Container Port: The port on which the process listens. This is defined by the application.	Listener Port: 80 Container Port: 8080 (default port for web services)
      UDP
      TCPSSL	Listener Port: The port that receives requests and forwards them to backend servers. Container Port: The port on which the process listens. This is defined by the application. Select SSL Certificate: The SSL certificate. Select an uploaded SSL certificate from the drop-down list. Important To access a custom domain name over HTTPS, it must have an ICP filing with Alibaba Cloud. For more information, see ICP filing process.	Listener Port: 80 Container Port: 8080 (default port for web services) Select SSL Certificate: Select a purchased SSL certificate from the drop-down list. If you have not purchased an SSL certificate, see Purchase a commercial certificate.

   

4. After the NLB instance is created, you can view its status on the NLB-based Access tab in the Application Access Settings section.

   To add multiple NLB instances, click Add NLB Access and repeat the preceding steps.

   

   Important

   If you configure listener rules for an NLB instance in the SLB console and then configure listener rules for the same NLB instance in the SAE console, the configuration in the SAE console may overwrite the configuration in the SLB console, and vice versa. To prevent configuration conflicts, we recommend that you configure listener rules for NLB instances only in the SAE console.

   You can perform the following operations on the NLB instance:

   • Add a listener: Click Add Listener. In the Add Listener dialog box, select a Protocol Type and configure the parameters.

   • Modify the container port: In the Actions column of the NLB instance, click Edit. In the Edit NLB Access panel, you can modify the Container Port.

   • Delete a listener or an NLB instance: In the Actions column of the NLB instance, click Delete. In the Confirm Deletion dialog box, click OK to delete the listener rule or the NLB instance.

     If you add multiple listener rules for the same NLB instance, the delete operation removes only the corresponding listener rule. If you delete the last listener rule, the system automatically deletes the NLB instance because no listener rules are available for the instance.

   • View the NLB instance: Click the NLB instance name to open the NLB Instance Details page in the SLB console. On this page, you can view details of the NLB instance, such as the Elastic IP Address and VIP allocated to each zone, and the automatically generated DNS Name of the NLB instance.

     

     You can use the DNS Name provided by the NLB instance or the Elastic IP Address provided for the zone to run an access test.

Step 2: Configure DNS records

You can use the DNS name of the NLB instance for access tests. However, in production environments, we recommend that you use a custom domain name and add a CNAME record to map the custom domain name to the DNS name of the NLB instance.

1. In the Application Access Settings section, click the name of the NLB instance to open its details page in the SLB console.

   

2. On the NLB Instance Details page in the SLB console, copy the DNS Name.

   The DNS name of the NLB instance is used as the record value when you configure DNS records.

   

3. Log on to the Alibaba Cloud DNS console and add a CNAME record.

   Note

   If your domain name is not registered with Alibaba Cloud, you must first add the domain name to the Alibaba Cloud DNS console before you can perform domain name resolution. If your domain name is registered with Alibaba Cloud, proceed with the following steps.

   1. On the Authoritative Domain Names page, find the target domain name and click DNS Settings in the Actions column.

   2. On the DNS Settings page, click Add Record.

   3. In the Add Record panel, configure the parameters to add a CNAME record, and then click OK.

      

      Configuration item	Example	Description
      Type	CNAME	Select CNAME from the drop-down list. A CNAME record maps your custom domain name to the DNS name of the NLB instance.
      Host	www	Enter the prefix of the subdomain. For more information about host records, see the description of Host in the console.
      Request Source Parsing	Default	Select Default. Alibaba Cloud DNS can identify the region and carrier of the source IP address of a DNS request, which is usually the IP address of the carrier's local DNS. When you add a DNS record, you can return different record values for requests from different regions and carriers.
      Value	nlb-****.com	Enter the DNS name of the NLB instance. The value is the domain name to which the CNAME record points.
      TTL	10	Select the default value provided in the console. TTL stands for Time to Live. It specifies the amount of time that the DNS record is cached on a DNS server.

Step 3: Run an access test

Enter your custom domain name in your browser to test access to the application. For example, http://your_domain_name.

Clean up resources (optional)