Installation

Install HAProxy Enterprise on AWS

This section describes how to deploy HAProxy Enterprise in Amazon Web Services.

Overview Jump to heading

HAProxy Enterprise is a Layer 7 load balancer that many people use to achieve high availability, security, and observability for their applications running in AWS EC2. You can use it as a replacement for other, cloud-based load balancers or in conjunction with Amazon Network Load Balancer for extra redundancy.

HAProxy Enterprise offers:

  • comprehensive load balancing algorithms
  • customizable routing logic
  • session persistence
  • device detection
  • geolocation
  • support for load balancer clustering and high availability
  • bot management
  • a Web Application Firewall
  • and more

Common deployment patterns Jump to heading

The table below lists several common ways to deploy HAProxy Enterprise in AWS.

Deployment pattern Description
A single HAProxy Enterprise load balancer A single HAProxy Enterprise instance distributing traffic to web applications. This design does not include redundancy at the load balancing tier, but is useful for non-production workloads or applications that do not require extra redundancy that you would get by deploying two load balancers.
Two HAProxy Enterprise load balancers and AWS NLB Two HAProxy Enterprise instances distributing traffic to web applications. An AWS Network Load Balancer load balances traffic to these two load balancers, giving you redundancy at the load balancing tier.

AWS supported regions Jump to heading

We support the following regions for deploying the HAProxy Enterprise AMI:

  • Africa (Cape Town)
  • Asia Pacific (Hong Kong)
  • Asia Pacific (Hyderabad)
  • Asia Pacific (Jakarta)
  • Asia Pacific (Melbourne)
  • Asia Pacific (Mumbai)
  • Asia Pacific (Seoul)
  • Asia Pacific (Singapore)
  • EU (Spain)
  • Asia Pacific (Sydney)
  • Asia Pacific (Tokyo)
  • Canada (Central)
  • EU (Frankfurt)
  • EU (Ireland)
  • EU (London)
  • EU (Milan)
  • EU (Stockholm)
  • EU (Zurich)
  • Middle East (Bahrain)
  • Middle East (UAE)
  • South America (Sao Paulo)
  • US East (N. Virginia)
  • US East (Ohio)
  • US West (N. California)
  • US West (Oregon)

Get support Jump to heading

To get the most out of HAProxy Enterprise in AWS, activate support.

You need to activate support to get access to some parts of the documentation, such as WAF.

Contact us:

Info Details
Email contact@haproxy.com
Hours of operation 4am - 6pm EST/EDT
Target response time for critical issues 8 hours

If you require 24x7 support, significantly shorter SLAs, and consultative support, please activate your support account. Visit the Amazon Support Activation page to sign up for a login to the customer portal.

For support terms and related information, see HAProxy Legal Policies.

Launch the HAProxy Enterprise AMI Jump to heading

In this section, you will create an HAProxy Enterprise server in AWS by launching it from the AWS Marketplace.

Launch the AMI from the marketplace Jump to heading

A VPC with at least one public subnet is required to complete the following procedure. If you do not yet have a VPC with a public subnet, see the full tutorial later on this page.

Create an HAProxy Enterprise server from the HAProxy Enterprise AMI:

  1. Open the AWS Marketplace.

    Info

    We recommend you create the server using the AWS Marketplace link above instead of by selecting Launch instance on the EC2 Dashboard. The AWS Marketplace process provides information and options not available from the EC2 Dashboard.

  2. Click the desired HAProxy Enterprise Amazon Machine Image (AMI) product. Options exist for Ubuntu Server edition and Red Hat Enterprise Linux edition.

    The versions shown are the latest versions. If needed, you can select an earlier version in the Configure this Software screen described below, once you have started your subscription.

    You can estimate costs by using the pricing calculator on the marketplace product page.

  3. Click Continue to Subscribe to start a subscription to the HAProxy Enterprise software.

  4. Review the pricing and license details, then click Continue to Configuration.

  5. On the Configure this Software screen, set the following fields:

    Field Description Example value
    Fulfillment option The type of procedure used for launching the AMI in your environment. 64-bit (x86) Amazon Machine Image (AMI)
    Software version The version of HAProxy Enterprise to launch. 2.7r1-20230215 (Feb 16, 2023)
    Region The AWS region where you created your VPC. US East (Ohio) / us-east-2
  6. Click Continue to launch.

  7. On the Launch this software screen, set the following fields:

    Field Description Example value
    Choose an action How to launch the AMI. Launch from Website
    EC2 instance type Choose an instance type with at least 4 CPUs and 4 GB RAM, but larger as needed. c5.xlarge
    VPC settings Choose the VPC ID from the VPC you created earlier. vpc-0146c0c368ac64143
    Subnet settings Choose one of the public subnets that was created inside the VPC. subnet-09f29a57cffa00e48
    Security group settings Use the security group settings provided by the seller. You may want to change the Source value for ports 9022 and 9023, which represent the Real-time Dashboard, and port 22, which represents SSH, to be your public IPv4 address instead of Anywhere, to allow connections only from your IP address for SSH access and accessing the dashboard. Create new based on seller settings
    Key pair settings Create an SSH key pair or use an existing key pair for connecting to EC2 instances. -
  8. Click Launch.

Create an elastic IP address Jump to heading

To associate a public, elastic IP address with your HAProxy Enterprise instance:

  1. Open the Amazon EC2 console.

  2. From the EC2 Dashboard, click Elastic IPs, then Allocate Elastic IP address.

  3. On the Allocate Elastic IP address screen, click Allocate.

  4. From the EC2 Dashboard, go to Elastic IPs, select the elastic IP from the list and open its settings.

  5. Click Associate Elastic IP address.

  6. Choose your HAProxy Enterprise instance from the list.

  7. Click Associate.

Connect to the HAProxy Enterprise instance Jump to heading

During installation, you configured an SSH key pair that you can use to connect to the EC2 instance.

  1. If necessary, change the permissions of your private key:

    nix
    chmod 600 my-private-key.pem
    nix
    chmod 600 my-private-key.pem
  2. To get the public IPv4 address of the instance, open the Amazon EC2 console.

  3. From the EC2 Dashboard, go to Instances and select the HAProxy Enterprise instance from the list. Copy its public IPv4 address.

  4. Connect to the HAProxy Enterprise instance through its public IP address:

    nix
    ssh -i my-private-key.pem ubuntu@35.181.155.36
    nix
    ssh -i my-private-key.pem ubuntu@35.181.155.36
    nix
    ssh -i my-private-key.pem ec2-user@35.181.155.36
    nix
    ssh -i my-private-key.pem ec2-user@35.181.155.36

Manage the HAProxy Enterprise service Jump to heading

The HAProxy Enterprise service runs at startup. You can manage the process with systemctl.

  1. Connect to the HAProxy Enterprise instance through its public IP address.

  2. Use systemctl status to check that the service is running:

    nix
    systemctl status hapee-<VERSION>-lb
    nix
    systemctl status hapee-<VERSION>-lb
    output
    text
    hapee-VERSION-lb.service - HAPEE Load Balancer
    Loaded: loaded (/usr/lib/systemd/system/hapee-VERSION-lb.service; enabled; vendor preset: disabled)
    Drop-In: /etc/systemd/system/hapee-VERSION-lb.service.d
    └─override.conf
    Active: active (running) since Wed 2020-12-09 14:07:46 UTC; 14min ago
    Main PID: 918 (hapee-lb)
    CGroup: /system.slice/hapee-VERSION-lb.service
    ├─918 /opt/hapee-VERSION/sbin/hapee-lb -Ws -f /etc/hapee-VERSION/hapee-lb.cfg -p /run/hapee-VERSION-lb.pid -m 5212 -f /etc/hapee-VERSION/dashboard-module.cfg
    └─920 /opt/hapee-VERSION/sbin/hapee-lb -Ws -f /etc/hapee-VERSION/hapee-lb.cfg -p /run/hapee-VERSION-lb.pid -m 5212 -f /etc/hapee-VERSION/dashboard-module.cfg
    output
    text
    hapee-VERSION-lb.service - HAPEE Load Balancer
    Loaded: loaded (/usr/lib/systemd/system/hapee-VERSION-lb.service; enabled; vendor preset: disabled)
    Drop-In: /etc/systemd/system/hapee-VERSION-lb.service.d
    └─override.conf
    Active: active (running) since Wed 2020-12-09 14:07:46 UTC; 14min ago
    Main PID: 918 (hapee-lb)
    CGroup: /system.slice/hapee-VERSION-lb.service
    ├─918 /opt/hapee-VERSION/sbin/hapee-lb -Ws -f /etc/hapee-VERSION/hapee-lb.cfg -p /run/hapee-VERSION-lb.pid -m 5212 -f /etc/hapee-VERSION/dashboard-module.cfg
    └─920 /opt/hapee-VERSION/sbin/hapee-lb -Ws -f /etc/hapee-VERSION/hapee-lb.cfg -p /run/hapee-VERSION-lb.pid -m 5212 -f /etc/hapee-VERSION/dashboard-module.cfg
  3. If you edit your configuration file, use systemctl reload to reload the load balancer configuration after making changes:

    nix
    sudo systemctl reload hapee-<VERSION>-lb
    nix
    sudo systemctl reload hapee-<VERSION>-lb

Access the Real-time Dashboard Jump to heading

Deprecation notice

The Real-time Dashboard has been marked as deprecated and is scheduled for removal. HAProxy Enterprise 2.8 will be the last version to support it.

The Real-time Dashboard gives you insights into the health and performance of your load balanced application servers. You can connect multiple instances of HAProxy Enterprise into a cluster to see a combined view. You can also start and stop the flow of traffic to servers during maintenance windows.

To access the Real-time Dashboard:

  1. Display the HAProxy Enterprise Real-time Dashboard credentials, which are stored in the file /README.txt.

    For example:

    nix
    sudo cat /README.txt
    nix
    sudo cat /README.txt
    output
    text
    username: dashboard
    password: 091l/Bw2
    output
    text
    username: dashboard
    password: 091l/Bw2
  2. Connect to the dashboard through either HTTP (port 9022) or HTTPS (port 9023). The URLs are http://<Public IPv4 address>:9022/ and https://<Public IPv4 address>:9023/.

    Real-time Dashboard

Tutorial: Deploy HAProxy Enterprise in an Amazon VPC Jump to heading

During this procedure, you will deploy a single HAProxy Enterprise load balancer in an Amazon Virtual Private Cloud (VPC) to load balance traffic to web applications.

This design does not include redundancy at the load balancing tier, but is useful for non-production workloads or applications that do not require extra redundancy that you would get by deploying two HAProxy Enterprise load balancers.

Prerequisites Jump to heading

Before getting started:

What you will accomplish Jump to heading

In this tutorial, you will:

  • Create an Amazon VPC with public and private subnets, and NAT gateways.
  • Create the HAProxy Enterprise instance.
  • Create an EC2 instance to act as a web server.
  • Optionally, add a second HAProxy Enterprise instance and a Network Load Balancer.

This tutorial should take approximately 30 minutes.

Create a VPC Jump to heading

The VPC will contain your load balancer on a public subnet, while your web servers will be on a private subnet accessible only through the load balancer.

To create the Amazon VPC:

  1. Open the Amazon VPC console.

  2. Click Create VPC.

  3. On the Create VPC screen, choose the following values:

    Field Description Example value
    Resources to create Whether to create additional resources such as subnets and availability zones with your VPC. VPC and more
    Name tag The name to attach to resources being created. example
    IPv4 CIDR block The IP range to assign to the VPC. 10.0.0.0/16
    IPv6 CIDR block Whether to enable IPv6 addresses. No IPv6 CIDR block
    Tenancy Whether to use single-tenant (default) or dedicated hardware for your VPC. Default
    Number of availability zones Choose the number of availability zones for high availability. 2
    Number of public subnets We will deploy the HAProxy Enterprise server into one public subnet so that internet traffic can access it. 2
    Number of private subnets Create a private subnet for your web servers. Traffic will go through your load balancers to reach these servers. 2
    NAT gateway Create a NAT gateway so that servers in the private subnet can reach the internet for software updates. 1 per AZ
    VPC endpoints Whether to create an S3 Gateway. None
    Enable DNS hostnames Whether to enable DNS hostnames for your public IP addresses. checked
    Enable DNS resolution Whether to enable DNS resolution using the Amazon DNS server. checked

    For more information about VPCs, review AWS’s Virtual Private Clouds documentation.

Launch the HAProxy Enterprise AMI Jump to heading

Launch the HAProxy Enterprise AMI and connect to the instance.

Create a web servers security group Jump to heading

Create a security group that will allow the HAProxy Enterprise load balancer to communicate with the web servers over ports 22 (SSH) and 80 (HTTP):

  1. Open the Amazon EC2 console.

  2. From the EC2 Dashboard, click Security Groups, then Create security group.

  3. On the Create security group screen, set the following fields:

    Field Description Example value
    Security group name The name to assign to the security group. webservers-security-group
    Description A description for the security group. Security group rules for web servers
    VPC Choose the VPC ID from the VPC you created earlier. vpc-0146c0c368ac64143
  4. Add the following inbound rules:

    Type Source Source value
    HTTP Custom Choose the security group you assigned to the load balancer
    SSH Custom Choose the security group you assigned to the load balancer
  5. Click Create security group.

Launch a web server Jump to heading

For example purposes, create a web server that handles web requests. We will configure HAProxy Enterprise to route traffic to it.

  1. From the EC2 Dashboard, click Launch instance.

    Choose a server AMI, such as Amazon Linux.

  2. Choose the SSH key pair used to connect to the EC2 instance.

  3. Under Network settings, click Edit.

  4. Set the following fields:

    Field Description Example value
    VPC Select the VPC you created. vpc-0146c0c368ac64143
    Subnet Select one of the private subnets. subnet-0700b54c5c1e471664
    Auto-assign public IP Whether to assign a public IP address to this instance. Disable
    Firewall The web servers security group that you created. Select existing security group, sg-0671c2f614fbf7d1e
  5. Click Launch instance.

  6. Connect to the web server via SSH. Because the web server is on the private subnet, you will need to connect to it via the HAProxy Enterprise server, which is on the public subnet.

    • Copy your private SSH key to the HAProxy Enterprise server.

      nix
      scp -i my-private-key.pem ./my-private-key.pem ubuntu@35.181.155.36:~/
      nix
      scp -i my-private-key.pem ./my-private-key.pem ubuntu@35.181.155.36:~/
    • Connect to the HAProxy Enterprise server through its public IP address.

    • If necessary, change the permissions of your private key that has been copied to the HAProxy Enterprise server:

      nix
      chmod 600 my-private-key.pem
      nix
      chmod 600 my-private-key.pem
    • Connect to the web server through its private IP address.

      nix
      ssh -i ~/my-private-key.pem ec2-user@10.0.148.139
      nix
      ssh -i ~/my-private-key.pem ec2-user@10.0.148.139
    • Install the NGINX web server.

      nix
      sudo amazon-linux-extras install nginx1
      sudo systemctl enable nginx
      sudo systemctl start nginx
      nix
      sudo amazon-linux-extras install nginx1
      sudo systemctl enable nginx
      sudo systemctl start nginx

Add the web server to the HAProxy Enterprise configuration Jump to heading

To register the web server with the load balancer:

  1. Connect to the HAProxy Enterprise instance through its public IP address.

  2. Edit the file /etc/hapee-<VERSION>/hapee-lb.cfg.

  3. Change the backend be_app section to include the private IP address of your web server.

    haproxy
    backend be_app
    balance roundrobin
    server app1 10.0.148.139:80 check
    haproxy
    backend be_app
    balance roundrobin
    server app1 10.0.148.139:80 check
  4. Save the file.

  5. Reload the HAProxy Enterprise configuration:

    nix
    sudo systemctl reload hapee-<VERSION>-lb
    nix
    sudo systemctl reload hapee-<VERSION>-lb
  6. When browsing to the public IP address of the HAProxy Enterprise load balancer, you should see the web server’s web page.

Optional: Deploy a second HAProxy Enterprise instance Jump to heading

You can achieve high availability for your load balancing tier by adding a second HAProxy Enterprise instance. Each subnet in a VPC resides in an availability zone. By launching HAProxy Enterprise instances in separate subnets, you gain protection from failure of a zone.

During this procedure, you will create an Amazon Network Load Balancer (NLB) to route traffic to both HAProxy Enterprise instances, doubling your load balancer capacity.

To create a second load balancer:

  1. Repeat the steps in the Launch the HAProxy Enterprise AMI procedure, but assign the second instance to the other public subnet. Use the security group you already created for the first instance.

  2. Copy the load balancer configuration, /etc/hapee-<VERSION>/hapee-lb.cfg, to the new load balancer and reload the hapee-<VERSION>-lb service.

  3. Create a target group that the AWS NLB will use to send traffic to your HAProxy Enterprise instances:

    • Open the Amazon EC2 console.

    • From the EC2 Dashboard, click Target groups under Load Balancing, then Create target group.

    • On the Specify group details screen, set the following fields:

      Field Description Example value
      Target type Choose how AWS NLB determines which instances to route traffic to. Instances
      Target group name A name for the group of HAProxy Enterprise instances being targeted. load-balancers
      Protocol The protocol by which the HAProxy Enterprise instances listen for incoming traffic. TCP
      Port The TCP port at which the HAProxy Enterprise instances listen for incoming traffic. 80
      VPC The VPC where you created your HAProxy Enterprise instances. vpc-0146c0c368ac64143
      Health check protocol The protocol by which the AWS NLB will send periodic health check probes. TCP
    • Click Next.

    • On the Register targets screen, select the HAProxy Enterprise instances to include in the target group. Then click Include as pending below.

    • Click Create target group.

  4. Create an AWS NLB to route traffic to both HAProxy Enterprise instances:

    • From the EC2 Dashboard, click Load Balancers, then Create load balancer.

    • Choose to create a Network Load Balancer.

    • On the Create Network Load Balancer screen, set the following fields:

      Field Description Example value
      Load balancer name A name for the AWS NLB my-nlb
      Scheme Whether the Network Load Balancer will be internet facing. Internet-facing
      IP address type Whether your subnet uses IPv4 and IPv6 addresses, or only IPv4. IPv4
      VPC Choose the VPC where you launched your HAProxy Enterprise instances. vpc-0146c0c368ac64143
      Mappings Select the availability zones of your targets. Since you launched HAProxy Enterprise instances in both availability zones, select both. Then choose the public subnets. us-east-2a, us-east-2b
      Lisenter Choose the protocol and port at which the AWS NLB will receive traffic. Set the Default action to the target group you created before. TCP / 80
    • Click Create load balancer.

      Once the AWS NLB has been provisioned, you will be able to reach your web application at the new DNS name shown in the AWS NLB load balancer’s details.

Do you have any suggestions on how we can improve the content of this page?