# AWS Elastic Load Balancer best practices (ALB vs. NLB vs. ELB)

## Objective
GitLab has many different installation methods on AWS (Omnibus, Scaled Architecture, Cloud Native Helm Charts, etc.). The AWS Install recommends using a Classic Load Balancer; however, there are several choices, each with pros and cons (for example, TLS termination and certificate management). GitLab should document the pros and cons of each feasible option.

## Current Summary of Solution
This needs to be tested to validate.
### AWS' Comparison of Load Balancer Options

### AWS ELB Types and capabilities with GitLab Cluster SSL certificate
| Needed Capability | Classic *1 | NLB | ALB | Non-Caching CloudFront (HTTPS Only) + NLB |
|---|---|---|---|---|
| ACM for SSL Termination on End Point | Yes | Yes | Yes | Yes |
| SSH Support | Yes | Yes | No | No |
| 80->443 Redirect | No | No | Yes | No |
| AWS Global Accelerator (Global Back Hauling on AWS Network for Latency Management) | No | Yes | Yes | No (Non-Caching Cloud Front Provides This) |
| Security Groups | Yes | Yes as of 2023-08-10 | Yes | Yes |
| WAF*2 (Web Application Firewall) | No | No | Yes | Yes |
| Web Sockets Support for Runner Web Terminals | No | Yes | Yes | Yes |
*1 Classic Load Balancers are deprecated only when used with EC2-Classic networking; they are not deprecated when used inside a VPC.

*2 WAF rules must generally be tailored per organization, because the systems from which each organization wants to initiate connections to GitLab may not comply with OWASP Top 10 WAF rules or with other general WAF security best practices.
The following assumes SSL termination on GitLab nginx ingress.
### Classic

```mermaid
graph TD;
AWS_ELB("AWS Classic ELB CNAME gitlab.example.com")-->P443("TCP/443");
AWS_ELB-->P80("TCP/80");
AWS_ELB-->P22("TCP/22");
P443-->GL443("GitLab TCP/443");
P22-->GL22("GitLab TCP/22");
P80-->GL80("GitLab TCP/80");
GL80("GitLab 302 Redirect to https://gitlab.example.com")-->AWS_ELB;
```
### NLB

```mermaid
graph TD;
AWS_NLB("AWS NLB CNAME gitlab.example.com")-->P443("TCP/443");
AWS_NLB-->P80("TCP/80");
AWS_NLB-->P22("TCP/22");
P443-->GL443("GitLab TCP/443");
P22-->GL22("GitLab TCP/22");
P80-->GL80("GitLab TCP/80");
GL80("GitLab 302 Redirect to https://gitlab.example.com")-->AWS_NLB;
```
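As an added example (not code from the GitLab documentation this page refers to), the NLB diagram above expressed as Terraform: three TCP listeners forward ports 443, 80 and 22 unchanged to the GitLab node, so TLS still terminates on the GitLab nginx ingress and the load balancer never holds the certificate. `var.vpc_id`, `var.subnet_ids` and `var.gitlab_instance_id` are assumed to be declared elsewhere.

```hcl
# Added example, not from the GitLab page. Assumes var.vpc_id, var.subnet_ids
# and var.gitlab_instance_id are declared elsewhere in the configuration.
locals {
  # Ports the NLB forwards as raw TCP. Because no TLS listener is defined,
  # the certificate and private key stay on the GitLab nginx ingress.
  passthrough_ports = { https = 443, http = 80, ssh = 22 }
}

resource "aws_lb" "gitlab" {
  name               = "gitlab-nlb"
  load_balancer_type = "network"
  subnets            = var.subnet_ids
}

# One target group per port; the default TCP health check probes the
# traffic port, so an unhealthy GitLab node is removed from rotation.
resource "aws_lb_target_group" "gitlab" {
  for_each = local.passthrough_ports
  name     = "gitlab-${each.key}"
  port     = each.value
  protocol = "TCP"
  vpc_id   = var.vpc_id
}

resource "aws_lb_target_group_attachment" "gitlab" {
  for_each         = local.passthrough_ports
  target_group_arn = aws_lb_target_group.gitlab[each.key].arn
  target_id        = var.gitlab_instance_id
}

# Listener protocol is TCP, not TLS: the NLB passes the handshake through,
# matching the "SSL termination on GitLab nginx ingress" assumption above.
resource "aws_lb_listener" "gitlab" {
  for_each          = local.passthrough_ports
  load_balancer_arn = aws_lb.gitlab.arn
  port              = each.value
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.gitlab[each.key].arn
  }
}
```

The 80 to 443 redirect is still issued by GitLab itself (the 302 in the diagram), since a TCP listener cannot rewrite HTTP.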
### ALB (May not have a valid use case if certificate is managed on the cluster)

```mermaid
graph TD;
AWS_ALB("AWS ALB CNAME gitlab.example.com")-->P443("HTTPS/443");
AWS_ALB-->P80("TCP/80");
P80("HTTP/80 Redirect to HTTPS/443")-->AWS_ALB;
P443-->GL443("GitLab HTTPS/443");
AWS_NLB_SSH("AWS NLB CNAME gitlab-ssh.example.com")-->P22("TCP/22");
P22-->GL22("GitLab TCP/22");
```