Flow on-premises installation behind a load balancer

Tags: Flow on-prem

You can install Flow Enterprise behind a load balancer such as:

  • AWS Classic Load Balancer
  • Google load balancer
  • F5 load balancer
  • Azure load balancer

Completing the installation requires technical understanding of SSL certificates, termination points, and networking details of the underlying infrastructure. The load balancer can be either internal or external to the network. Load balancer configuration, including the configuration or implementation of a reverse proxy or load balancer, will not be handled during the Flow installation.

Important: The load balancer must be able to support and forward SNI (Server Name Indication) extensions of the TLS protocol in the header and TLS handshake calls, as per RFC 6066.

Installation steps

If you are installing Flow behind a load balancer, follow these steps:

Procure the domain name and respective SSL certificate

Certificates can be for both internal and external domains. The certificate's SAN (subject alternative name) list must contain the fully qualified hostname that will be used as part of the URL for the application (i.e. FQDN/CNAME of the load balancer).

Configure the load balancer

At a minimum, the following ports should be open or in Listen mode at the load balancer:

  • Port 443 for the Flow main application
  • Port 8800 for the KOTS admin console

These ports should forward to the instance(s) where the Flow application will be installed.

Upload and configure the certificate for the FQDN or the URL where you will access Flow. This will be the same as the DNS name. 

For health checks, point the load balancer's check at port 8800/TCP.

There are a few considerations for termination options:

  • If SSL is being terminated at the load balancer itself, point the forwarding of port 443 to port 80 of the instance where Flow was installed. Port 8800 should always be forwarded to port 8800 of the target server running the Flow application stack to successfully access the KOTS admin console.
  • We currently do not recommend setting up SSL in passthrough mode.

Verify that the DNS is working

Prior to attempting the installation, you should check to make sure the host's DNS system can resolve the FQDN.
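The checks from the preceding steps (DNS resolution, the certificate's SAN list, and the port 8800 listener) can be scripted. The following is an added example, not part of the Flow documentation or tooling; the function names are hypothetical, and accepting wildcard SAN entries goes beyond the exact-match case described above.

```python
import socket
import ssl

def san_covers(cert: dict, fqdn: str) -> bool:
    """True if a getpeercert()-style dict lists fqdn among its SAN DNS names."""
    host = fqdn.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower().rstrip(".")
        if name == host:
            return True
        # Generalization: a wildcard entry covers exactly one left-most label.
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def resolves(fqdn: str) -> list:
    """Addresses the local resolver returns for fqdn (empty list if none)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tcp_open(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP connection succeeds, which is what a TCP health check sees."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def served_cert(fqdn: str, timeout: float = 5.0) -> dict:
    """Handshake on 443 with SNI set to fqdn and return the validated certificate.
    Uses the system trust store; an internal CA needs ctx.load_verify_locations()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()

def preflight(fqdn: str) -> dict:
    """Run all three checks and report which ones passed."""
    report = {"dns": resolves(fqdn), "port_8800": False, "san_ok": False}
    if report["dns"]:
        report["port_8800"] = tcp_open(fqdn, 8800)
        try:
            report["san_ok"] = san_covers(served_cert(fqdn), fqdn)
        except OSError:  # includes ssl.SSLError and certificate verification errors
            pass
    return report
```

Call `preflight()` with your FQDN from the host where Flow will be installed, so that the host's own resolver is the one being tested. `port_8800` stays False until KOTS is installed and listening.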

Configure Flow via the KOTS console

Once the load balancer is configured, log in to the server where the Flow app is installed and proceed with the Install KOTS section of the Flow installation. Once KOTS is installed, the load balancer health check will usually show the state as Active or Healthy as the instance will be starting to listen on port 8800.

Open a browser and go to the URL listed at the end of the installation script. It should look like http://[ip-address]:8800. This is the KOTS admin console. 

Log in to the console with the password printed at the end of the installation log output. In the TLS screen, ensure the hostname field matches the DNS/FQDN. Click Upload & continue.

In the Flow URL field on the Configure Flow Enterprise screen, make sure the URL is https://FQDN, using the FQDN of the DNS entry you configured earlier.

Uncheck the Use TLS box.

Important: Unchecking the Use TLS box is specific to installing Flow behind a load balancer. If you're following the Flow installation instructions and are installing Flow behind a load balancer, double-check that you've unchecked the box.

Proceed with the next steps of the Flow installation to configure the KOTS app and deploy Flow.

Accessing the application via the load balancer

Once the Flow application pods are fully initialized, the application should be available via the URL entered in the Flow configuration screen. Open a browser and try https://FQDN without any ports specified.

If you need help, please email Support for 24/7 assistance.