Installation
Install HAProxy Enterprise on AWS
This section describes how to deploy HAProxy Enterprise in Amazon Web Services.
Overview
HAProxy Enterprise is a Layer 7 load balancer that many people use to achieve high availability, security, and observability for their applications running in AWS EC2. You can use it as a replacement for other, cloud-based load balancers or in conjunction with Amazon Network Load Balancer for extra redundancy.
HAProxy Enterprise offers:
- comprehensive load balancing algorithms
- customizable routing logic
- session persistence
- device detection
- geolocation
- support for load balancer clustering and high availability
- bot management
- a Web Application Firewall
- and more
Common deployment patterns
The table below lists several common ways to deploy HAProxy Enterprise in AWS.
Deployment pattern | Description |
---|---|
A single HAProxy Enterprise load balancer | A single HAProxy Enterprise instance distributing traffic to web applications. This design does not include redundancy at the load balancing tier, but is useful for non-production workloads or applications that do not require extra redundancy that you would get by deploying two load balancers. |
Two HAProxy Enterprise load balancers and AWS NLB | Two HAProxy Enterprise instances distributing traffic to web applications. An AWS Network Load Balancer load balances traffic to these two load balancers, giving you redundancy at the load balancing tier. |
AWS supported regions
We support the following regions for deploying the HAProxy Enterprise AMI:
- Africa (Cape Town)
- Asia Pacific (Hong Kong)
- Asia Pacific (Hyderabad)
- Asia Pacific (Jakarta)
- Asia Pacific (Melbourne)
- Asia Pacific (Mumbai)
- Asia Pacific (Seoul)
- Asia Pacific (Singapore)
- EU (Spain)
- Asia Pacific (Sydney)
- Asia Pacific (Tokyo)
- Canada (Central)
- EU (Frankfurt)
- EU (Ireland)
- EU (London)
- EU (Milan)
- EU (Stockholm)
- EU (Zurich)
- Middle East (Bahrain)
- Middle East (UAE)
- South America (Sao Paulo)
- US East (N. Virginia)
- US East (Ohio)
- US West (N. California)
- US West (Oregon)
Get support
To get the most out of HAProxy Enterprise in AWS, activate support.
You need to activate support to get access to some parts of the documentation, such as WAF.
Contact us:
Info | Details |
---|---|
Email | contact@haproxy.com |
Hours of operation | 4am - 6pm EST/EDT |
Target response time for critical issues | 8 hours |
If you require 24x7 support, significantly shorter SLAs, and consultative support, please activate your support account. Visit the Amazon Support Activation page to sign up for a login to the customer portal.
For support terms and related information, see HAProxy Legal Policies.
Launch the HAProxy Enterprise AMI
In this section, you will create an HAProxy Enterprise server in AWS by launching it from the AWS Marketplace.
Launch the AMI from the marketplace
A VPC with at least one public subnet is required to complete the following procedure. If you do not yet have a VPC with a public subnet, see the full tutorial later on this page.
Create an HAProxy Enterprise server from the HAProxy Enterprise AMI:
- Open the AWS Marketplace.
  Info: We recommend you create the server using the AWS Marketplace link above instead of by selecting Launch instance on the EC2 Dashboard. The AWS Marketplace process provides information and options not available from the EC2 Dashboard.
- Click the desired HAProxy Enterprise Amazon Machine Image (AMI) product. Options exist for Ubuntu Server edition and Red Hat Enterprise Linux edition.
  The versions shown are the latest versions. If needed, you can select an earlier version in the Configure this Software screen described below, once you have started your subscription.
  You can estimate costs by using the pricing calculator on the marketplace product page.
- Click Continue to Subscribe to start a subscription to the HAProxy Enterprise software.
- Review the pricing and license details, then click Continue to Configuration.
- On the Configure this Software screen, set the following fields:
  Field | Description | Example value |
  ---|---|---|
  Fulfillment option | The type of procedure used for launching the AMI in your environment. | 64-bit (x86) Amazon Machine Image (AMI) |
  Software version | The version of HAProxy Enterprise to launch. | 2.7r1-20230215 (Feb 16, 2023) |
  Region | The AWS region where you created your VPC. | US East (Ohio) / us-east-2 |
- Click Continue to launch.
- On the Launch this software screen, set the following fields:
  Field | Description | Example value |
  ---|---|---|
  Choose an action | How to launch the AMI. | Launch from Website |
  EC2 instance type | Choose an instance type with at least 4 CPUs and 4 GB RAM, but larger as needed. | c5.xlarge |
  VPC settings | Choose the VPC ID from the VPC you created earlier. | vpc-0146c0c368ac64143 |
  Subnet settings | Choose one of the public subnets that was created inside the VPC. | subnet-09f29a57cffa00e48 |
  Security group settings | Use the security group settings provided by the seller. You may want to change the Source value for ports 9022 and 9023, which represent the Real-time Dashboard, and port 22, which represents SSH, to be your public IPv4 address instead of Anywhere, to allow connections only from your IP address for SSH access and accessing the dashboard. | Create new based on seller settings |
  Key pair settings | Create an SSH key pair or use an existing key pair for connecting to EC2 instances. | - |
- Click Launch.
Create an elastic IP address
To associate a public, elastic IP address with your HAProxy Enterprise instance:
- Open the Amazon EC2 console.
- From the EC2 Dashboard, click Elastic IPs, then Allocate Elastic IP address.
- On the Allocate Elastic IP address screen, click Allocate.
- From the EC2 Dashboard, go to Elastic IPs, select the elastic IP from the list and open its settings.
- Click Associate Elastic IP address.
- Choose your HAProxy Enterprise instance from the list.
- Click Associate.
Connect to the HAProxy Enterprise instance
During installation, you configured an SSH key pair that you can use to connect to the EC2 instance.
- If necessary, change the permissions of your private key:
  ```sh
  chmod 600 my-private-key.pem
  ```
- To get the public IPv4 address of the instance, open the Amazon EC2 console.
- From the EC2 Dashboard, go to Instances and select the HAProxy Enterprise instance from the list. Copy its public IPv4 address.
- Connect to the HAProxy Enterprise instance through its public IP address:
  ```sh
  # Ubuntu Server edition (default user: ubuntu)
  ssh -i my-private-key.pem ubuntu@35.181.155.36
  # Red Hat Enterprise Linux edition (default user: ec2-user)
  ssh -i my-private-key.pem ec2-user@35.181.155.36
  ```
Manage the HAProxy Enterprise service
The HAProxy Enterprise service runs at startup. You can manage the process with `systemctl`.
- Connect to the HAProxy Enterprise instance through its public IP address.
- Use `systemctl status` to check that the service is running:
  ```sh
  systemctl status hapee-<VERSION>-lb
  ```
  Output:
  ```text
  hapee-VERSION-lb.service - HAPEE Load Balancer
     Loaded: loaded (/usr/lib/systemd/system/hapee-VERSION-lb.service; enabled; vendor preset: disabled)
    Drop-In: /etc/systemd/system/hapee-VERSION-lb.service.d
             └─override.conf
     Active: active (running) since Wed 2020-12-09 14:07:46 UTC; 14min ago
   Main PID: 918 (hapee-lb)
     CGroup: /system.slice/hapee-VERSION-lb.service
             ├─918 /opt/hapee-VERSION/sbin/hapee-lb -Ws -f /etc/hapee-VERSION/hapee-lb.cfg -p /run/hapee-VERSION-lb.pid -m 5212 -f /etc/hapee-VERSION/dashboard-module.cfg
             └─920 /opt/hapee-VERSION/sbin/hapee-lb -Ws -f /etc/hapee-VERSION/hapee-lb.cfg -p /run/hapee-VERSION-lb.pid -m 5212 -f /etc/hapee-VERSION/dashboard-module.cfg
  ```
- If you edit your configuration file, use `systemctl reload` to reload the load balancer configuration after making changes:
  ```sh
  sudo systemctl reload hapee-<VERSION>-lb
  ```
Access the Real-time Dashboard
Deprecation notice
The Real-time Dashboard has been marked as deprecated and is scheduled for removal. HAProxy Enterprise 2.8 will be the last version to support it.
The Real-time Dashboard gives you insights into the health and performance of your load balanced application servers. You can connect multiple instances of HAProxy Enterprise into a cluster to see a combined view. You can also start and stop the flow of traffic to servers during maintenance windows.
To access the Real-time Dashboard:
- Display the HAProxy Enterprise Real-time Dashboard credentials, which are stored in the file `/README.txt`. For example:
  ```sh
  sudo cat /README.txt
  ```
  Output:
  ```text
  username: dashboard
  password: 091l/Bw2
  ```
- Connect to the dashboard through either HTTP (port 9022) or HTTPS (port 9023). The URLs are `http://<Public IPv4 address>:9022/` and `https://<Public IPv4 address>:9023/`.
Tutorial: Deploy HAProxy Enterprise in an Amazon VPC
During this procedure, you will deploy a single HAProxy Enterprise load balancer in an Amazon Virtual Private Cloud (VPC) to load balance traffic to web applications.
This design does not include redundancy at the load balancing tier, but is useful for non-production workloads or applications that do not require extra redundancy that you would get by deploying two HAProxy Enterprise load balancers.
Prerequisites
Before getting started:
- Set up an AWS account if you have not already.
- Learn about common deployment patterns.
What you will accomplish
In this tutorial, you will:
- Create an Amazon VPC with public and private subnets, and NAT gateways.
- Create the HAProxy Enterprise instance.
- Create an EC2 instance to act as a web server.
- Optionally, add a second HAProxy Enterprise instance and a Network Load Balancer.
This tutorial should take approximately 30 minutes.
Create a VPC
The VPC will contain your load balancer on a public subnet, while your web servers will be on a private subnet accessible only through the load balancer.
To create the Amazon VPC:
- Open the Amazon VPC console.
- Click Create VPC.
- On the Create VPC screen, choose the following values:
  Field | Description | Example value |
  ---|---|---|
  Resources to create | Whether to create additional resources such as subnets and availability zones with your VPC. | VPC and more |
  Name tag | The name to attach to resources being created. | example |
  IPv4 CIDR block | The IP range to assign to the VPC. | 10.0.0.0/16 |
  IPv6 CIDR block | Whether to enable IPv6 addresses. | No IPv6 CIDR block |
  Tenancy | Whether to use single-tenant (default) or dedicated hardware for your VPC. | Default |
  Number of availability zones | Choose the number of availability zones for high availability. | 2 |
  Number of public subnets | We will deploy the HAProxy Enterprise server into one public subnet so that internet traffic can access it. | 2 |
  Number of private subnets | Create a private subnet for your web servers. Traffic will go through your load balancers to reach these servers. | 2 |
  NAT gateway | Create a NAT gateway so that servers in the private subnet can reach the internet for software updates. | 1 per AZ |
  VPC endpoints | Whether to create an S3 Gateway. | None |
  Enable DNS hostnames | Whether to enable DNS hostnames for your public IP addresses. | checked |
  Enable DNS resolution | Whether to enable DNS resolution using the Amazon DNS server. | checked |
For more information about VPCs, review AWS’s Virtual Private Clouds documentation.
Launch the HAProxy Enterprise AMI
Launch the HAProxy Enterprise AMI and connect to the instance.
Create a web servers security group
Create a security group that will allow the HAProxy Enterprise load balancer to communicate with the web servers over ports 22 (SSH) and 80 (HTTP):
- Open the Amazon EC2 console.
- From the EC2 Dashboard, click Security Groups, then Create security group.
- On the Create security group screen, set the following fields:
  Field | Description | Example value |
  ---|---|---|
  Security group name | The name to assign to the security group. | webservers-security-group |
  Description | A description for the security group. | Security group rules for web servers |
  VPC | Choose the VPC ID from the VPC you created earlier. | vpc-0146c0c368ac64143 |
- Add the following inbound rules:
  Type | Source | Source value |
  ---|---|---|
  HTTP | Custom | Choose the security group you assigned to the load balancer |
  SSH | Custom | Choose the security group you assigned to the load balancer |
- Click Create security group.
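The two security group recommendations on this page (limiting ports 22, 9022 and 9023 on the load balancer's group to your own address instead of Anywhere, and sourcing the web servers' inbound rules from the load balancer's group) can be checked against the JSON printed by `aws ec2 describe-security-groups`. The Python below is an added example, not part of the HAProxy documentation; the sample groups are constructed, `sg-EXAMPLE-LB` is a placeholder ID, and the function names are hypothetical.

```python
import json

ADMIN_PORTS = (22, 9022, 9023)      # SSH and the Real-time Dashboard (HTTP, HTTPS)
ANYWHERE = {"0.0.0.0/0", "::/0"}    # what the console calls "Anywhere"

def load_groups(text):
    """Index `aws ec2 describe-security-groups` JSON output by GroupId."""
    return {g["GroupId"]: g for g in json.loads(text)["SecurityGroups"]}

def rule_covers(rule, port):
    """True if an IpPermissions entry applies to the given TCP port."""
    if rule["IpProtocol"] == "-1":   # all protocols: no FromPort/ToPort keys
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]

def rule_cidrs(rule):
    """IPv4 and IPv6 CIDR sources of one inbound rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])] +
            [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])

def world_open_admin_ports(lb_group):
    """Admin ports on the load balancer group that Anywhere can reach."""
    return sorted({port for rule in lb_group["IpPermissions"]
                   if ANYWHERE & set(rule_cidrs(rule))
                   for port in ADMIN_PORTS if rule_covers(rule, port)})

def web_group_violations(web_group, lb_group_id):
    """Inbound rules on the web servers group with any source other than
    the load balancer's security group, as (FromPort, offending sources)."""
    bad = []
    for rule in web_group["IpPermissions"]:
        others = {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])} - {lb_group_id}
        sources = rule_cidrs(rule) + sorted(others)
        if sources:
            bad.append((rule.get("FromPort"), sources))
    return bad

# Constructed sample in the describe-security-groups shape. sg-EXAMPLE-LB is a
# placeholder; sg-0671c2f614fbf7d1e is the page's example web servers group.
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-EXAMPLE-LB", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
        {"IpProtocol": "tcp", "FromPort": 9022, "ToPort": 9023,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0671c2f614fbf7d1e", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "UserIdGroupPairs": [{"GroupId": "sg-EXAMPLE-LB"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]})

if __name__ == "__main__":
    groups = load_groups(SAMPLE)
    print("open admin ports:", world_open_admin_ports(groups["sg-EXAMPLE-LB"]))
    print("web group violations:",
          web_group_violations(groups["sg-0671c2f614fbf7d1e"], "sg-EXAMPLE-LB"))
```

To check real groups, pass the output of `aws ec2 describe-security-groups --group-ids <load balancer group ID> <web servers group ID>` to `load_groups` in place of the sample.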
Launch a web server
For example purposes, create a web server that handles web requests. We will configure HAProxy Enterprise to route traffic to it.
- From the EC2 Dashboard, click Launch instance. Choose a server AMI, such as Amazon Linux.
- Choose the SSH key pair used to connect to the EC2 instance.
- Under Network settings, click Edit.
- Set the following fields:
  Field | Description | Example value |
  ---|---|---|
  VPC | Select the VPC you created. | vpc-0146c0c368ac64143 |
  Subnet | Select one of the private subnets. | subnet-0700b54c5c1e471664 |
  Auto-assign public IP | Whether to assign a public IP address to this instance. | Disable |
  Firewall | The web servers security group that you created. | Select existing security group, sg-0671c2f614fbf7d1e |
- Click Launch instance.
- Connect to the web server via SSH. Because the web server is on the private subnet, you will need to connect to it via the HAProxy Enterprise server, which is on the public subnet.
  - Copy your private SSH key to the HAProxy Enterprise server.
    ```sh
    scp -i my-private-key.pem ./my-private-key.pem ubuntu@35.181.155.36:~/
    ```
  - Connect to the HAProxy Enterprise server through its public IP address.
  - If necessary, change the permissions of your private key that has been copied to the HAProxy Enterprise server:
    ```sh
    chmod 600 my-private-key.pem
    ```
  - Connect to the web server through its private IP address.
    ```sh
    ssh -i ~/my-private-key.pem ec2-user@10.0.148.139
    ```
- Install the NGINX web server.
  ```sh
  sudo amazon-linux-extras install nginx1
  sudo systemctl enable nginx
  sudo systemctl start nginx
  ```
Add the web server to the HAProxy Enterprise configuration
To register the web server with the load balancer:
- Connect to the HAProxy Enterprise instance through its public IP address.
- Edit the file `/etc/hapee-<VERSION>/hapee-lb.cfg`.
- Change the `backend be_app` section to include the private IP address of your web server.
  ```haproxy
  backend be_app
      balance roundrobin
      server app1 10.0.148.139:80 check
  ```
- Save the file.
- Reload the HAProxy Enterprise configuration:
  ```sh
  sudo systemctl reload hapee-<VERSION>-lb
  ```
- When browsing to the public IP address of the HAProxy Enterprise load balancer, you should see the web server’s web page.
Optional: Deploy a second HAProxy Enterprise instance
You can achieve high availability for your load balancing tier by adding a second HAProxy Enterprise instance. Each subnet in a VPC resides in an availability zone. By launching HAProxy Enterprise instances in separate subnets, you gain protection from failure of a zone.
During this procedure, you will create an Amazon Network Load Balancer (NLB) to route traffic to both HAProxy Enterprise instances, doubling your load balancer capacity.
To create a second load balancer:
- Repeat the steps in the Launch the HAProxy Enterprise AMI procedure, but assign the second instance to the other public subnet. Use the security group you already created for the first instance.
- Copy the load balancer configuration, `/etc/hapee-<VERSION>/hapee-lb.cfg`, to the new load balancer and reload the `hapee-<VERSION>-lb` service.
- Create a target group that the AWS NLB will use to send traffic to your HAProxy Enterprise instances:
  - Open the Amazon EC2 console.
  - From the EC2 Dashboard, click Target groups under Load Balancing, then Create target group.
  - On the Specify group details screen, set the following fields:
    Field | Description | Example value |
    ---|---|---|
    Target type | Choose how AWS NLB determines which instances to route traffic to. | Instances |
    Target group name | A name for the group of HAProxy Enterprise instances being targeted. | load-balancers |
    Protocol | The protocol by which the HAProxy Enterprise instances listen for incoming traffic. | TCP |
    Port | The TCP port at which the HAProxy Enterprise instances listen for incoming traffic. | 80 |
    VPC | The VPC where you created your HAProxy Enterprise instances. | vpc-0146c0c368ac64143 |
    Health check protocol | The protocol by which the AWS NLB will send periodic health check probes. | TCP |
  - Click Next.
  - On the Register targets screen, select the HAProxy Enterprise instances to include in the target group. Then click Include as pending below.
  - Click Create target group.
- Create an AWS NLB to route traffic to both HAProxy Enterprise instances:
  - From the EC2 Dashboard, click Load Balancers, then Create load balancer.
  - Choose to create a Network Load Balancer.
  - On the Create Network Load Balancer screen, set the following fields:
    Field | Description | Example value |
    ---|---|---|
    Load balancer name | A name for the AWS NLB. | my-nlb |
    Scheme | Whether the Network Load Balancer will be internet facing. | Internet-facing |
    IP address type | Whether your subnet uses IPv4 and IPv6 addresses, or only IPv4. | IPv4 |
    VPC | Choose the VPC where you launched your HAProxy Enterprise instances. | vpc-0146c0c368ac64143 |
    Mappings | Select the availability zones of your targets. Since you launched HAProxy Enterprise instances in both availability zones, select both. Then choose the public subnets. | us-east-2a, us-east-2b |
    Listener | Choose the protocol and port at which the AWS NLB will receive traffic. Set the Default action to the target group you created before. | TCP / 80 |
  - Click Create load balancer.
    Once the AWS NLB has been provisioned, you will be able to reach your web application at the new DNS name shown in the AWS NLB load balancer’s details.