Managed Load Balancers
Three load balancers are created by default:
- Public network load balancer
- Public application load balancer
- Private network load balancer
The public NLB is the primary public endpoint for the cluster; the cluster's DNS records point to this resource. It has the following listeners:
| Port | Destination | Description |
|---|---|---|
| 22 | Rails nodes | GitLab-SSH traffic |
| 80 | ALB | HTTP traffic |
| 443 | ALB | HTTPS traffic |
| 9090 | Monitoring | Prometheus federation endpoint |
The public ALB handles TLS offloading. It exists because a Web Application Firewall (WAF) can only be placed in front of an ALB. It has the following listeners:
| Port | Destination | Description |
|---|---|---|
| 80 | ALB:443 | Redirect HTTP traffic to HTTPS |
| 443 | Rails:80 | Offloads TLS and forwards plain HTTP to the GitLab Rails nodes |
The private NLB is used for internal communication to the GitLab Rails and Praefect nodes. It also proxies traffic to the internal Docker Hub pull-through proxy when that proxy is enabled.
TLS certificate management and DNS validation
A TLS certificate is generated for a set of domain names. To validate these names, the DNS validation records for the <prefix>.glhc.nl domain are automatically added to the managed DNS zone.
The following domain names are included in the certificate. The first three correspond to the Terraform variables that are available for configuration.
| Domain | Description |
|---|---|
| var.domain_name | The primary external URL of the instance |
| var.registry_domain_name | Optional, the external URL of the registry endpoint |
| var.pages_domain_name | Optional, the external URL of the pages endpoint |
| git.<prefix>.glhc.nl | Alternative primary external URL |
| registry.<prefix>.glhc.nl | Alternative registry endpoint |
| pages.<prefix>.glhc.nl | Alternative pages endpoint |
The pages.<prefix>.glhc.nl domain is only added if pages nodes are created.
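As an added example (not code from this project's documentation or Terraform), the following Python derives the set of names the certificate must cover from the rules above and compares it against the SAN list observed on a certificate, so that a missing name is caught before users hit a TLS error. The prefix `acme`, the Terraform values and the observed SAN list are constructed sample data; that names outside the managed `<prefix>.glhc.nl` zone are not validated automatically is an assumption drawn from the text, not something the page states outright.

```python
"""Check a certificate's SANs against the domains the managed cluster expects."""
from typing import List, Optional, Set

PUBLIC_ZONE = "glhc.nl"  # managed zone named in the documentation above


def expected_domains(prefix: str, domain_name: str,
                     registry_domain_name: Optional[str] = None,
                     pages_domain_name: Optional[str] = None,
                     pages_nodes_created: bool = False) -> Set[str]:
    """Names the certificate must cover, following the table's rules:
    primary URL and the git./registry. alternatives are always present,
    the registry/pages variables are optional, and pages.<prefix> is
    added only when pages nodes are created."""
    names = {domain_name,
             f"git.{prefix}.{PUBLIC_ZONE}",
             f"registry.{prefix}.{PUBLIC_ZONE}"}
    if registry_domain_name:
        names.add(registry_domain_name)
    if pages_domain_name:
        names.add(pages_domain_name)
    if pages_nodes_created:
        names.add(f"pages.{prefix}.{PUBLIC_ZONE}")
    return {n.lower().rstrip(".") for n in names}


def missing_sans(expected: Set[str], observed_sans: List[str]) -> Set[str]:
    """Expected names not covered by the certificate.
    A wildcard SAN (*.example) covers exactly one extra label, never the apex."""
    covered: Set[str] = set()
    for san in observed_sans:
        san = san.lower().rstrip(".")
        if san.startswith("*."):
            suffix = san[1:]  # ".example"
            for name in expected:
                label = name[:-len(suffix)] if name.endswith(suffix) else ""
                if label and "." not in label:
                    covered.add(name)
        else:
            covered.add(san)
    return expected - covered


def outside_managed_zone(expected: Set[str], prefix: str) -> Set[str]:
    """Names whose validation records are not in the managed zone (assumption:
    only <prefix>.glhc.nl records are added automatically), so the operator
    must provide DNS validation for them elsewhere."""
    return {n for n in expected if not n.endswith(f".{prefix}.{PUBLIC_ZONE}")}
```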