Using On-Premise Server for AWS Load Balancer
Question
I have an Elastic Beanstalk application on AWS.
I want to use my on-premise server to share the load of my EC2 instance such that my on-premise server is the primary server and the EC2 instance(s) launched by Elastic LoadBalancer (ELB) are backups.
I have successfully created a client VPN endpoint (cvpn) with the IP 10.0.0.34. When I add this IP to the load balancer as a Registered Target, Health Status says Request Timed Out. I notice that there is no route table entry to my 10.0.0.0/24 CVPN IPs. In short, ELB cannot reach the subnet of my CVPN. The CVPN resource ID cannot be added to the route table to provide access to the CVPN subnet.
Questions:
- Is it true that ELB cannot access computers on the CVPN subnet?
- Are Site-to-Site VPN and Direct Connect the only options for my intended use case (other than leaving the AWS ecosystem)?
- For Site-to-Site VPN, is it true that it will require a monthly cost of US$400 just for the Private CA? Plus any traffic data costs.
Cheers
Follow-up
Following nickdoesstuff's comment, I successfully set up and connected a site-to-site VPN on AWS.
After entering the IP and choosing static routing, it no longer prompts me for a private CA cert.
I briefly experimented with Azure and here is a comparison with AWS.
Azure Pros:
- More well-defined pricing structure (6 or 7 tiers) with clear spec - BUT basic tier is very limited
- The on-premise site can use DDNS because you can enter a fully qualified domain name (FQDN) as the client gateway address.
AWS Pros:
0. The client gateway must have a static IP. If it changes you have to redo the entire setup on the AWS side; you cannot just edit the client gateway setting.
- Much faster creation of gateway (wait 1 minute vs wait 30+ minutes on Azure)
- Full-featured, low-cost basic tier
- By default, AWS gives you two IPs to connect to, which provides redundancy. However, it may be difficult to set up (and is not supported by the Ubiquiti Dream Machine).
- More "Downloadable Configuration" to choose from. AWS has pfSense and strongSwan configuration "files" which are more like a guide than an actual file you can download and overwrite a system file with.
It is still miles better than Azure, which lets you do the hard work of finding out the precise wording of dozens of parameters...
Answer 1
Score: 1
1. You cannot use ELB with CVPN.
2. You can use them with Site-2-Site and Direct Connect.
3. You do not necessarily need certificate-based authentication for S2S VPN. You could set it up with pre-shared keys, which alleviates the need for a CA.
   3.a. If using cert-based authentication is non-negotiable you could use an on-premises CA (like a CA running on a Microsoft Domain Controller) to sign the certificates.
Hope this helps.
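As an added example (not part of the question or the answer above, and not the AWS-generated template): the pre-shared-key, static-routing strongSwan configuration that the answer recommends and that the follow-up describes, for one of the two AWS tunnels. All addresses, CIDRs and the key are placeholders, and the proposal lines assume the tunnel options on the AWS side still permit AES-256/SHA-256/DH group 14.

```ini
# /etc/ipsec.conf on the on-premises strongSwan gateway (constructed example).
# Placeholders: CGW_PUBLIC_IP       static public IP of the customer gateway
#               TUNNEL1_OUTSIDE_IP  AWS outside address of tunnel 1
#               ONPREM_CIDR         on-premises subnet holding the primary server
#               VPC_CIDR            the VPC whose subnets must reach that server
config setup
    uniqueids = no

conn %default
    type = tunnel
    keyexchange = ikev2
    authby = secret                 # pre-shared key: no certificate, no private CA
    # Stronger than the legacy aes128-sha1-modp1024 proposal; assumes the AWS
    # tunnel options permit these algorithms.
    ike = aes256-sha256-modp2048!
    esp = aes256-sha256-modp2048!
    ikelifetime = 8h                # AWS phase 1 lifetime (28800 s)
    lifetime = 1h                   # AWS phase 2 lifetime (3600 s)
    dpddelay = 10s                  # dead peer detection: re-key a dead tunnel
    dpdtimeout = 30s
    dpdaction = restart
    keyingtries = %forever

conn aws-tunnel-1
    left = %defaultroute
    leftid = CGW_PUBLIC_IP          # must be the static IP registered as the CGW
    leftsubnet = ONPREM_CIDR        # static routing: prefixes declared on both sides
    right = TUNNEL1_OUTSIDE_IP
    rightid = TUNNEL1_OUTSIDE_IP
    rightsubnet = VPC_CIDR
    auto = start

# /etc/ipsec.secrets (root-only, mode 0600; the PSK shown in the AWS console
# goes here and nowhere else, never into version control)
CGW_PUBLIC_IP TUNNEL1_OUTSIDE_IP : PSK "REPLACE_WITH_TUNNEL1_PSK"
```

AWS's second tunnel has identical traffic selectors, so adding it as a second policy-based conn conflicts with this one; it needs a route-based (VTI) setup instead, which is the setup difficulty the question mentions.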