Re: [keycloak-user] Best Practice AWS+ECS implementation

Hi Jonathan, Sticky sessions are also possible with AWS ALB. I have a ECS/ALB setup running as a sandbox system for nearly a year without any problems. Setting this up was quite straightforward. In the long run, I am not sure ECS is the way to go since Amazon is offering EKS now. We also switched to Kubernetes for production. Whether you want to roll your own really depends on your requirements. For example we have to go for TLS from LB to Keycloak in production as well, that’s not supported by ALB AFAIK. Best regards, Sebastian Mit freundlichen Grüßen / Best regards Dr.-Ing. Sebastian Schuster Engineering and Support (INST/ESY1) Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster(a)bosch-si.com Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn -----Original Message----- From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org&gt; On Behalf Of Dmitry Telegin Sent: Freitag, 7. September 2018 04:55 To: Carrasco, Jonathan J (173F) <jonathan.j.carrasco(a)jpl.nasa.gov>; keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Best Practice AWS+ECS implementation Hello Jonathan, On Thu, 2018-09-06 at 23:58 +0000, Carrasco, Jonathan J (173F) wrote: Before we move on to the LB topic: please remember that AWS (incl. ECS) doesn't allow for IP multicast between the nodes/containers, and IP multicast is what Keycloak clustering relies upon (at least in default configuration). In more detail, you'll have to configure alternate node discovery mechanism for JGroups, like JDBC_PING or S3_PING. See the doc for more details, especially the "Troubleshooting AWS specifics" section at the end: https://blog.keycloak.org/2018/01/keycloak-cross-data-center-setup-in-aws... Or google for "Keycloak AWS", there have been a lot of postings on this ML on that topic. In addition to nginx, I'd also recommend that you take a look at HAProxy: http://www.haproxy.org/ Nginx is a web server first and foremost, and reverse proxying / load balancing are kinda secondary functions for Nginx. On the other hand, haproxy implements a lot of LB-specific stuff, like e.g throttling based on HTTP headers, which might be topical (depends on your architecture of course). This is pretty reasonable. The main points here are: - you can have something more powerful and feature-rich than ALB; - you can take full control of it. For example, Keycloak recommends using sticky sessions for performance purposes: https://www.keycloak.org/docs/4.4/server_installation/#sticky-sessions This is absolutely doable with nginx/HAproxy, but I'm not sure if it is possible with ALB. Could you please elaborate on what do you mean by "credential collector"? Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info(a)acutus.pro _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user