description | keywords | title |
---|---|---|
Load Balancer |
aws load balancer elb |
Configure the Docker for AWS load balancer |
{% include d4a_buttons.md %}
When you create a service, any ports that are exposed with -p
are automatically exposed through the platform load balancer:
$ docker service create --name nginx --publish published=80,target=80 nginx
This opens up port 80 on the Elastic Load Balancer (ELB) and direct any traffic on that port, to your swarm service.
Docker uses Amazons' ACM service, which provides free SSL/TLS certificates, and can be used with ELBs. You need to create a new certificate for your domain, and get the ARN for that certificate.
You add a label to your service to tell swarm that you want to use a given ACM cert for SSL connections to your service.
Start a service and listen on the ELB with ports 80
and 443
. Port 443
is
served using a SSL certificate from ACM, which is referenced by the ARN that is
described in the service label com.docker.aws.lb.arn
$ docker service create \
--name demo \
--detach=true \
--publish published=80,target=80 \
--publish published=443,target=80 \
--label com.docker.aws.lb.arn="arn:aws:acm:us-east-1:0123456789:certificate/c02117b6-2b5f-4507-8115-87726f4ab963" \
yourname/your-image:latest
By default when you add an ACM ARN as a label, it listens on port 443
. If you want to change which port to listen too you append an @
symbol and a list of ports you want to expose.
com.docker.aws.lb.arn="arn:..."
com.docker.aws.lb.arn="arn:...@444"
com.docker.aws.lb.arn="arn:...@444,8080"
Listen for HTTP on ports 80 and HTTPS on 444
$ docker service create \
--name demo \
--detach=true \
--publish published=80,target=80 \
--publish published=444,target=80 \
--label com.docker.aws.lb.arn="arn:aws:acm:us-east-1:0123456789:certificate/c02117b6-2b5f-4507-8115-87726f4ab963@444" \
yourname/your-image:latest
$ docker service create \
--name demo \
--detach=true \
--publish published=80,target=80 \
--publish published=444,target=80 \
--label com.docker.aws.lb.arn="arn:aws:acm:us-east-1:0123456789:certificate/c02117b6-2b5f-4507-8115-87726f4ab963@443,444" \
yourname/your-image:latest
$ docker service create \
--name demo \
--detach=true \
--publish published=8080,target=80 \
--label com.docker.aws.lb.arn="arn:aws:acm:us-east-1:0123456789:certificate/c02117b6-2b5f-4507-8115-87726f4ab963@8080" \
yourname/your-image:latest
Docker for AWS version 17.07.0 and later also support the HTTPS
listener protocol when using ACM certificates.
Use the HTTPS
protocol if your app relies on checking the X-Forwarded-For header for resolving the client IP address. The client IP is also available with SSL
by using the Proxy Protocol, but many apps and app frameworks don't support this.
The only valid options are HTTPS
and SSL
. Specifying any other value causes SSL
to be selected. For backwards compatibility the default protocol is SSL
.
com.docker.aws.lb.arn="arn:...@HTTPS:443"
com.docker.aws.lb.arn="arn:...@443"
com.docker.aws.lb.arn="arn:...@SSL:443"
com.docker.aws.lb.arn="arn:...@HTTPS:443,8080"
Since BAD isn't a valid option, it reverts back to a SSL (TCP) port for 443.
com.docker.aws.lb.arn="arn:...@BAD:443,8080"
Once you have your ELB setup, with the correct listeners and certificates, you need to add a DNS CNAME that points to your ELB at your DNS provider.
- If you remove the service that has the
com.docker.aws.lb.arn
label, that listener and certificate is removed from the ELB. - If you edit the ELB config directly from the dashboard, the changes are removed after the next update.
No. If you make any manual changes to the ELB, they are removed the next time we update the ELB configuration based on any swarm changes. This is because the swarm service configuration is the source of record for service ports. If you add listeners to the ELB manually, they could conflict with what is in swarm, and cause issues.