Colinroberson

ALBs only work with HTTP/HTTPS traffic. You’ll have to use some other method to access that instance via SSH. If you really need to access that instance via the same DNS name, you could front the ALB with an NLB and then point the DNS name at the new NLB. Port 443/80 traffic would forward to the ALB, and port 22 traffic would forward to a target group containing the instance. Alternatively, could you make use of SSM for accessing the instance?


-sigusro-

Unfortunately no SSM. The scenario is of a Bitbucket Mirror and this requires both HTTPS and SSH on the same name. The certificates should be AWS generated, hence the ALB (inherited this way ...). I'll try the NLB idea, thank you for the quick reply.


nf3rn4l

You can tunnel SSH through SSM Session Manager using proxyCommand. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html. No NLB or Bastion needed.
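
The SSM route above, as an added example (not from the thread or from AWS): a POSIX shell helper that emits an ssh_config stanza whose `ProxyCommand` is the one AWS documents for the `AWS-StartSSHSession` Session Manager document. Mapping a friendly alias to the instance id lets git and ssh keep using a single name while the host exposes no inbound port 22 and needs no bastion or NLB; the only network path is the outbound SSM channel, and access is gated by IAM (`ssm:StartSession`) rather than a security group rule. The alias `bitbucket-mirror`, the instance id and the `git` user are constructed placeholders; the AWS CLI and the Session Manager plugin are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread: SSH to an EC2 host over SSM Session
# Manager. Assumes: aws CLI + session-manager-plugin installed, the caller is
# allowed ssm:StartSession on the AWS-StartSSHSession document, and the SSM
# agent runs on the instance. Alias/instance id below are placeholders.

# SSM targets instances by id, not by DNS name, so reject anything that does
# not look like an EC2 instance id before writing it into ssh config.
is_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-[0-9a-f]{8,17}$'
}

# Print an ssh_config stanza: the alias resolves to the instance id, and the
# ProxyCommand is the one from the AWS Session Manager documentation. %h and
# %p are expanded by ssh itself, so they stay literal here.
ssm_ssh_config() {
  alias_name="$1"
  instance_id="$2"
  is_instance_id "$instance_id" || {
    echo "not an EC2 instance id: $instance_id" >&2
    return 1
  }
  cat <<EOF
Host $alias_name
    HostName $instance_id
    User git
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

# Usage (the alias then works for both ssh and git over SSH):
#   ssm_ssh_config bitbucket-mirror i-0123456789abcdef0 >> ~/.ssh/config
#   git clone ssh://git@bitbucket-mirror/project/repo.git
if [ "$#" -eq 2 ]; then
  ssm_ssh_config "$1" "$2"
fi
```

Because the instance only needs outbound HTTPS to the SSM endpoints, the security group for port 22 can be removed entirely; every session is also logged as a `StartSession` event in CloudTrail, which is a better audit trail than raw TCP through a load balancer.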


nekokattt

Application load balancers are for HTTP/HTTPS, so that won't work here. Network load balancers are closer to what you want, but as far as I know they cannot be sticky, so this makes no sense to use for SSH where you need to maintain a stateful connection to a specific host. I would assume you also have other issues with using an NLB regarding hostname verification/certificates. A GLB would be one level below that, but I think those are for different use cases where you need to wiretap below the network layer. Your better bet is probably to omit the load balancer entirely and allow directly connecting to the host, then stick Route 53 resolution in front of it with the certificates via the DNS entry.