Integrate AWS Application Load Balancer with gRPC Application

Devashish Chand Gupta
codelogicx
Published in
12 min readApr 6, 2023

Hello Guys, Today I’m going to show how to setup Load Balancer with your gRPC based application using AWS Application Load Balancer.

But before that let me tell you some terminology,

gRPC: gRPC is a popular choice for microservice integrations and client-server communications. gRPC is a high-performance remote procedure call (RPC) framework using HTTP/2 for transport and Protocol Buffers to describe the interface. Thanks to its efficiency and support for numerous programming languages.

AWS Application Load Balancer: Application Load Balancer operates at the request level (layer 7), routing traffic to targets (EC2 instances, containers, IP addresses, and Lambda functions) based on the content of the request. Ideal for advanced load balancing of HTTP and HTTPS traffic, Application Load Balancer provides advanced request routing targeted at delivery of modern application architectures, including microservices and container-based applications. Application Load Balancer simplifies and improves the security of your application, by ensuring that the latest SSL/TLS ciphers and protocols are used at all times.

So Why ALB?

ALB can route and load balance gRPC traffic between microservices or between gRPC enabled clients and services. This allows seamless introduction of gRPC traffic management in the architectures without changing any of the underlying infrastructure on the customers’ clients or services. gRPC uses HTTP/2 for transport and is becoming the protocol of choice for inter-service communications in microservices architectures. It has features like efficient binary serialization and support for numerous languages in addition to the inherent benefits of HTTP/2 like lighter network footprint, compression, and bi-directional streaming making it better than the legacy protocols like REST.

How to Use gRPC with Application Load Balancer:

For this we’re going to launch two AWS EC2 Instances where we’re going to host our sample GO-lang application which has gRPC based API.

Sample App Link: https://github.com/dcgmechanics/grpc-go-sampleapp

We’ll start with setting up EC2 servers on AWS which we will integrate with AWS Application Load Balancer eventually.

Setting Up EC2 Servers:

For this we’re going to launch 2 t3a.nano instances which I believe will be enough for this Demo purpose. I’ll be using Ubuntu 22.04 LTS OS Image on these EC2 servers.

As you can see, Both the EC2 servers are running, now we need to setup the application on the server. For this we’re going to use this Sample App Link which we mentioned earlier.

Let’s SSH into our servers and setup the application. Since this is written in GO Lang we need to install GO Language dependencies.

Installing Go Lang Dependencies:

# sudo apt install golang

This will take some time so wait for the installation, When Installation done, we can setup our Sample App repo on the servers.

Cloning Sample App GitHub Repo:

For cloning we can use git clone command,

As you can see, we’ve successfully cloned the repo on the server, we can check the app by using command,

Running The Sample App:

# go run main.go

As you can see, when we ran that command, it asked me to update the GO mod which we can update by running command
# go mod tidy
and after that one more time
# go run main.go

After that you can see the application ran successfully and showing the text Go gRPC Beginners Tutorial!

We can test the server by using any gRPC client application, I’m going to use BloomRPC.

Using BloomRPC To Test The Sample Application:

First we need to Import the proto file which is provided in the repo with name chat.proto.

Click on Import protos and choose the chat.proto file. After that you’ll get something similar BloomRPC window shared below,

Select SayHello file, it will open window similar to shown in right side of BloomRPC

For testing we need to change the IP Address and Port number in which IP address you can get from the EC2 console, & Port number is fixed for this application which is 9000.

After that, Enter the IP Address & Port number in the Address box, Change the Editor body message and click on Green Play button.

Check the following image for reference,

As you can see that we created a request and the server responded accordingly. By this we can verify that our gRPC Application is working fine.

Now we can move to the Application Load Balancer integration part. But before that we need to learn some stuffs which will come handy while setting up ALB with gRPC.

  • gRPC requires TLS between Client-ALB-Server/Target
  • We can use direct gRPC endpoint or nginx reverse proxy as target for ALB
  • We need to use TLS certificate in order to establish a connection between Server & ALB

In this demo I’m going to use Nginx reverse proxy setup with http2 & ssl.

Setting Up HTTP/2 SSL NGINX Reverse Proxy:

For this, first we need to create self-signed certificates which will be used with NGINX reverse proxy TLS connection,

We can create the certificate by using openssl tool.

# openssl req -newkey rsa:2048 -nodes -keyout grpc.key -x509 -days 365 -out grpc.cert

This command will ask for some more details like Country Name, State etc. After that you’ll get your Private Key File & Certificate File which will be used with NGINX Configuration File or Server Block.

So, Let’s move to setting up NGINX server block.

Installing & Setting Up NGINX Reverse Proxy Server Block:

For this, We’re going to install NGINX, run the following command to install nginx on your gRPC application servers,

# sudo apt install nginx

After installing this, we can modify the current NGINX default server block or create a new one as per your requirements. I’m going to modify the current default server block,

I’m using the following server block configuration,

As we can see, the NGINX is listening on port 8081 and SSL & http2 is enabled.

Also, I’ve used grpc.track-progress.com as server_name. Remember, this will be same as the certificate Common Name which you created earlier using openssl command.

We’ve defined the SSL certificate & Key file which we generated in earlier. The nginx will pass the gRPC traffic to port 9000.

We can also verify if the nginx server block is configured correctly by using following command,

# nginx -t

After that we can restart the service NGINX.

Now we can test the NGINX Reverse Proxy gRPC Application using BloomRPC. Remember to open the port on which NGINX is listening.

Using BloomRPC To Test NGINX Reverse Proxy gRPC TLS Application:

For using TLS in BloomRPC, you need 3 files,

  1. Root Certificate — This we created earlier using openssl command
  2. Private Key — This we also created earlier using openssl command
  3. Cert Chain — This we can create using the following method:
  • Create a CSR = openssl req -new -key grpc.key -out grpc.csr
  • Sign It = openssl x509 -req -days 365 -in grpc.csr -CA grpc.cert -CAkey grpc.key -set_serial 01 -out grpc-ca.crt

4. SSL Target Host — This will be same as the Common Name or server_name.

You need to define these files in BloomRPC, refer to the following screenshot,

  1. Click on the TLS box,

2. Click on Add Root Certificate,

3. After that choose the certificate file grpc.cert which you created earlier, with that also import Key as well as Cert Chain file by clicking on Import options respectively. You also need to define ssl target host.

After that click on Done button & you’ll see Green Lock icon beside the TLS box.

Refer to the following screenshot,

As you can see the gRPC requests are serving over TLS connection with NGINX Reverse Proxy & it’s working great.

So, our Servers are ready to Integrate with AWS Application Load Balancer.

There is an Official Blog by AWS on gRPC and HTTP/2 support on ALB which you can read from here: https://exampleloadbalancer.com/albgrpc_demo.html. This has explained in-depth working of AWS ALB with your gRPC application.

Setting Up TLS Certificate To Use With AWS Application Load Balancer:

Since the gRPC needs HTTP/2 in order to work, we need to use HTTPS for ALB as listening port. We also need a TLS certificate in order to work with the gRPC Server-Client connection over HTTP/2.

So, let’s upload the self-signed certificate you created earlier to the ACM i.e., AWS Certificate Manager,

Click on Import a certificate, after that you’ll see something similar option which is shown below,

Open the certificate file (grpc.cert), key file (grpc.key) and certificate chain file (grpc-ca.crt) using notepad and paste the content in their respective box, after that click on Next.

After that It will ask for adding Tag, click on Next again and then you’ll get something similar window,

You’ll see the Common Name or server_name which you used earlier, also you’ll see the validity of the certificate. Click on Import & you’re ready to create ALB.

Implementing Target Group To Use With Application Load Balancer:

We can start setting up ALB, for that we need to create a Target Group first. For this Go to EC2 Dashboard & Search for Target Groups which will be under Load Balancing menu,

Click on Create target group,

After clicking on it, you’ll get something similar to below image,

Choose Instances in target type and use any name in Target group name box.

Then we can proceed with Protocol and other settings, scroll down below and fill the value for Protocol and select gRPC in Protocol version.

Here you need to select HTTPS and Port no you can choose any, this port number defines on which port the Target Group will listen from ALB. In the protocol version select gRPC.

Remember to check the VPC also, here you need to select the same VPC in which your gRPC App Instances are running.

Under Health checks, choose HTTP as protocol and in path use /ChatService.SayHello. (This parameter is based on the repo I provided; different application might have different parameters)

Choose 9000 port on Override and Success code should be 12. Here we’re using HTTP cause the gRPC core application is not using TLS certificate by default. Only NGINX is using.

After that click on Next.

In the next step you need to choose Instances which will be target to the ALB. Here I’m choosing the instances which we created earlier, remember to use port 8081 on which our NGINX is listening.

After selecting Instances and Ports as 8081, click on Include as pending below.

Then click on Create target group & we’re done.

Our gRPC-TG is ready to be connected with an ALB. Now we can finally create our ALB.

Implementing AWS Application Load Balancer:

Click on Load Balancers from left side menu, after that click on Create load balancer.

After that, choose Create under Application Load Balancer,

You’ll get something similar to below,

Use any name in Load balancer name, choose Internet-facing in Scheme and IPv4 in IP address type.

Then scroll down to Network mapping section, there you need to choose the VPC in which the Instances and Target group is deployed. You also need to choose at least 2 of the subnets.

I’m choosing all three which are available in eu-west-2 region.

Then you need to choose some more options which you can see in the below screenshot.

For Security groups choose the one in which your Instances are running.

Remember to add an extra rule in Security group Inbound rule which allows all the traffic from same security group or you can say Internal traffic, check following image for reference purpose,

Source should be same as the current Security Group for which you’re adding the Inbound rule. For better protection you can remove the port 9000 listening rule so that nobody can access the gRPC application directly. Also, if needed remove other port rules like 22 if not in use.

For Listeners and routing choose HTTPS as protocol and for port you can choose any, I’m choosing 8081. For Default action choose the Target group we created earlier. In my case it’s gRPC-TG which is listening on HTTPS. We also need to select the SSL/TLS certificate. We need to choose that one which we imported earlier in ACM.

Then again scroll down and you’ll see a Summary box where you can see something similar as below screenshot,

After verifying it, click on Create load balancer.

Remember, Before clicking on Create, run the gRPC Application on both the server because as soon as you click on Create, it will create the ALB and the Target group will start checking the Health status of the targets. If the gRPC application is not running the health check will fail.

You can see our gRPC-ALB is under provisioning. Wait for sometime and the status will be changed to Active.

In the meanwhile, you can check the status of the Registered targets under the Target Group which we created. The health status should be healthy.

Now let’s go back to the Load balancer menu,

We can see the Status has been changed to Active and it’s Listening on HTTPS:8081.

Now we can use the ALB DNS name to test the Load Balancing with BloomRPC. For this just copy the DNS URL and use 8081 as port number. Enable TLS also. Use same chat.proto file and create some requests.

You’ll see that the requests are being served from one server at a time. We can verify that our Application Load Balancing working perfect!!!

Now either you can use the ALB DNS URL or create a CNAME record for that to use it anywhere.

I hope you followed me till here and successfully implemented AWS ALB with your gRPC Apps.

This is my first time working with gRPC application as well as integrating with AWS ALB, I believe there are many areas which needs improvement in this setup. If there is any feedback you can share, It will be great for me to improve and work further on this setup.

Thanks!
remember, #SharingIsCaring ;)

--

--