elbv2: NetworkLoadBalancer can't be fully configured #4319

Closed
jd-carroll opened this issue Oct 1, 2019 · 6 comments
Labels
@aws-cdk/aws-elasticloadbalancing Related to Amazon Elastic Load Balancing effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. good first issue Related to contributions. See CONTRIBUTING.md p1

Comments

@jd-carroll
Contributor

This is a continuation of #4268 (I am not able to re-open that issue)

@rix0rrr - The issue #1490 is probably a better location for the discussion around security groups. However, I still feel there are discrepancies with the current NetworkLoadBalancer.

In the cases where there are missing attributes reported, it is still possible to add them through a generic addAttribute function on the shared object. However, they are highlighted because the equivalent on the application-load-balancer side has specific support for the same attribute.

If you still feel like the workarounds are acceptable, please close this issue. 🔐

Again, the point of this issue is to highlight the discrepancies between the ApplicationLoadBalancer and NetworkLoadBalancer families.

NetworkLoadBalancer

Missing Attributes

  • access_logs.s3.enabled - Indicates whether access logs are enabled. The value is true or false. The default is false.
  • access_logs.s3.bucket - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.
  • access_logs.s3.prefix - The prefix for the location in the S3 bucket for the access logs.
    [From: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-loadbalancer-loadbalancerattributes.html]

NetworkListener

  • Only 1 certificate is supported, and it does not use the same resource construct (CfnListenerCertificate) as the application listener
    [From: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html]

NetworkTargetGroup

  • No support for adding metrics

Missing Attributes:

  • deregistration_delay.timeout_seconds - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.
    [From: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-targetgroup-targetgroupattribute.html]

Additionally, the number and types of metrics offered on each side of the network / application load balancer seem to be duplicative and inconsistent.
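An added example (not part of the original issue or of the CDK code base): a TypeScript check over a synthesized CloudFormation template that flags network load balancers whose access-log attributes listed above are unset, and target groups whose deregistration delay falls outside the documented 0-3600 range. The sample template and its logical IDs are constructed for illustration.

```typescript
interface Attr { Key: string; Value: any; }
interface Resource { Type: string; Properties?: { [name: string]: any }; }
interface Template { Resources: { [logicalId: string]: Resource }; }

// Turn CloudFormation's [{Key, Value}] attribute list into a lookup object.
function toMap(attrs: Attr[] | undefined): { [key: string]: string } {
  const out: { [key: string]: string } = {};
  for (const a of attrs || []) {
    // Unresolved intrinsics such as {Ref: ...} are kept as their JSON text.
    out[a.Key] = typeof a.Value === "string" ? a.Value : JSON.stringify(a.Value);
  }
  return out;
}

function auditTemplate(tpl: Template): string[] {
  const findings: string[] = [];
  for (const id of Object.keys(tpl.Resources)) {
    const res = tpl.Resources[id];
    const props = res.Properties || {};
    if (res.Type === "AWS::ElasticLoadBalancingV2::LoadBalancer" && props.Type === "network") {
      const a = toMap(props.LoadBalancerAttributes);
      // The default is false, so a missing key means logging is off.
      if (a["access_logs.s3.enabled"] !== "true") {
        findings.push(`${id}: access logs disabled`);
      } else if (!a["access_logs.s3.bucket"]) {
        // The bucket attribute is required once logging is enabled.
        findings.push(`${id}: access logs enabled without access_logs.s3.bucket`);
      }
    }
    if (res.Type === "AWS::ElasticLoadBalancingV2::TargetGroup") {
      const raw = toMap(props.TargetGroupAttributes)["deregistration_delay.timeout_seconds"];
      // Absent means the 300 second default applies; present values must be 0-3600.
      if (raw !== undefined && (!/^\d+$/.test(raw) || parseInt(raw, 10) > 3600)) {
        findings.push(`${id}: deregistration delay "${raw}" outside 0-3600`);
      }
    }
  }
  return findings;
}

// Constructed sample: an NLB with defaults, an NLB with logging on but no bucket, a bad delay.
const LB = "AWS::ElasticLoadBalancingV2::LoadBalancer";
const sampleTemplate: Template = { Resources: {
  InternalNlb: { Type: LB, Properties: { Type: "network", Scheme: "internal" } },
  LoggedNlb: { Type: LB, Properties: { Type: "network", LoadBalancerAttributes: [
    { Key: "access_logs.s3.enabled", Value: "true" }, { Key: "access_logs.s3.prefix", Value: "nlb" }] } },
  Targets: { Type: "AWS::ElasticLoadBalancingV2::TargetGroup", Properties: { TargetGroupAttributes: [
    { Key: "deregistration_delay.timeout_seconds", Value: "7200" }] } },
} };
console.log(auditTemplate(sampleTemplate).join("\n"));
```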

@jd-carroll jd-carroll added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 1, 2019
@SomayaB SomayaB added the @aws-cdk/aws-elasticloadbalancing Related to Amazon Elastic Load Balancing label Oct 1, 2019
@SomayaB
Contributor

SomayaB commented Oct 1, 2019

@jd-carroll #4268 has been reopened.

@rix0rrr rix0rrr added feature-request A feature should be added or improved. and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 2, 2019
@rix0rrr
Contributor

rix0rrr commented Oct 2, 2019

You are right about all of these. ALB for sure has gotten more love than the NLB.

Yes, there are inconsistencies, but I'm still going to classify this as a feature request (things could be better) rather than a bug (things are outright broken).

Unfortunately the reality of the enormous surface area of AWS is that we don't have the capacity to get to everything as quickly as we would. If someone would be willing to contribute here in the meantime though, we will gladly accept it.

@rix0rrr rix0rrr changed the title elbv2: Investigate NetworkLoadBalancer Inconsistencies elbv2: NetworkLoadBalancer can't be fully configured Oct 2, 2019
@davidsteed

At the very least you should be able to configure a non public network load balancer. At the moment if you have a non public network load balanced fargate service it will not start as the health check fails.

@davidsteed

I disagree that this is not a bug - it is outright broken. You can't use NetworkLoadBalancedFargateService for anything other than a public facing service. It has an option publicLoadBalancer and when set to false it does not work and cannot be made to work. It is hard to argue that this is a feature request.

@rix0rrr rix0rrr added effort/medium Medium work item – several days of effort good first issue Related to contributions. See CONTRIBUTING.md labels Jan 23, 2020
@goranopacic

Is there a way to assign existing elastic IP address to NLB via CDK? subnetMappings is not available via construct.

@njlynch
Contributor

njlynch commented Sep 8, 2020

Apologies for the low traction on this issue.

In the meantime, all of the originally listed gaps have been addressed:

The only gap not addressed already is supporting subnetMappings. I've created #10242 to track that.

@njlynch njlynch closed this as completed Sep 8, 2020