I have a web application that consists of a web server managed by a web hosting firm, a set of EC2 instances in amazons cloud and a MySQL database (hosted on the webserver). MySQL is behind a firewall and is set to allow access from Localhost and from a single IP address which is an Amazon Elastic IP address that is attached to the EC2 instance I have been running up to now.
The problem is that I want to look at my scaling up and load balancing strategy for my EC2 instance. To this end I have been investigating the Elastic Load Balancers and Autoscaling tools that Amazon provides and have managed to set this up fine but for one thing - connecting to the MySQL database running on my webserver. I realised (thanks to answers on Serverfault) that I needed to check firewall settings and add the IP address for the load balancer, however Elastic Load Balancers provide you with a DNS name, not an IP address and infact the IP addresses change over time so this will not work. I have been told by the company hosting the database that the way the firewall works is to look up the IP address of the DNS name and store the IP rather than the DNS name. so basically this will not work and the only way to allow access would be to open up the SQL port to allow access from anyone!
Is this a viable idea? Should I look at moving my database into the cloud? Is there another firewall that the server company can use? Should I find another way of load balancing (if so what?)
tricky one eh? any help appreciated!
EC2 instances gets their own IP, it doesn't matter if they are behind Elastic Load balancer or not. You can't add your Elastic Load Balancer IP to your firewall to allow access from EC2 instances, because the outgoing IP of EC2 is not the IP of Load Balancer but it is the IP of the instance it self.
If you are planning to have multiple EC2 instances then you surely need a way to allow more then 1 IP on your MySQL server firewall. Because every EC2 instance gets its own outgoing IP.
DON'T EVER open your MySQL port for everyone.
Your problem is not the load balancer but the MySQL server. If you can move your db to the cloud that would be the best approach.
There are a few ways around this:
Set up a script to just check every ~30 seconds or so and make sure the firewall rules are set properly, and code some error handling for failed connections into your app (undesirable).
Use an apache server as a load balancer (or several with DNS round robin pointing, so only a few IP addresses to monitor). Apache has fairly mature load balancing capabilities that you can leverage instead of an ELB.
This is one of the issues with EC2, an option around this is to create an automatic VPN tunnel from the EC2 instances to your DB server (using stunnel, or ssh or ipsec, your choice), if you have enough bandwidth it should solve your problem fine. I would personally go with stunnel.
The problem with a reactive firewall is that it'll always cause some disruption at some level.