Flow Enterprise Server installation behind a load balancer

Tags: Flow on-prem

You can install Flow Enterprise behind a load balancer such as:

  • AWS Classic Load Balancer
  • Google load balancer
  • F5 load balancer
  • Azure load balancer

Completing the installation requires technical understanding of SSL certificates, termination points, and networking details of the underlying infrastructure. The load balancer can be either internal or external to the network. Load balancer configuration, including the configuration or implementation of a reverse proxy or load balancer, is not handled during the Flow installation.

Important: The load balancer must support and forward the SNI (Server Name Indication) extension of the TLS protocol in the header and TLS handshake calls, as per RFC 6066.


Procure the domain name and respective SSL certificate

Certificates can be for both internal and external domains. The certificate's SAN (subject alternative name) list must contain the fully qualified hostname that will be used as part of the URL for the application (i.e. FQDN/CNAME of the load balancer).


Configure the load balancer

At a minimum, the following ports should be open or in Listen mode at the load balancer:

  • Port 443 for the Flow main application
  • Port 8800 for the KOTS admin console

These ports should forward to the instance(s) where you plan to install the Flow application.

Upload and configure the certificate for the FQDN or the URL where you will access Flow. This is the same as the DNS name.

For health checks, have the load balancer probe port 8800/TCP.

There are a few considerations for termination options:

  • If SSL is being terminated at the load balancer itself, point the forwarding of port 443 to port 80 of the instance where Flow was installed. Port 8800 should always be forwarded to port 8800 of the target server running the Flow application stack to successfully access the KOTS admin console.
  • We currently do not recommend setting up SSL in passthrough mode.


Verify that the DNS is working

Before attempting the installation, verify that the host's DNS system can resolve the FQDN.
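
A pre-installation check for the requirements above (the FQDN resolves, the load balancer completes a TLS handshake when sent the FQDN via SNI, and the certificate's SAN list contains the FQDN), as an added example that is not part of the Flow documentation or tooling. The function names san_covers and preflight, the hostname flow.example.com, and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
import sys

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert()
SAMPLE_CERT = {"subjectAltName": (("DNS", "flow.example.com"),
                                  ("DNS", "*.corp.example.com"))}

def san_covers(cert, fqdn):
    """True if a SAN DNS entry in `cert` (getpeercert() dict) matches fqdn."""
    host = fqdn.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower()
        if kind != "DNS":
            continue
        if name == host:
            return True
        if name.startswith("*."):  # a wildcard covers exactly one left-most label
            label = host[: -len(name[1:])] if host.endswith(name[1:]) else ""
            if label and "." not in label:
                return True
    return False

def preflight(fqdn, port=443, cafile=None, timeout=5):
    """Return a list of problems found for the load balancer FQDN (empty = OK)."""
    try:
        socket.getaddrinfo(fqdn, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [f"DNS: {fqdn} does not resolve ({exc})"]
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: internal CA bundle, if any
    ctx.check_hostname = False  # chain is still verified; SAN mismatch reported below
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as raw:
            # server_hostname places the FQDN in the ClientHello SNI extension
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except OSError as exc:  # covers ssl.SSLError, refused connections and timeouts
        return [f"TLS: handshake with {fqdn}:{port} failed ({exc})"]
    if not san_covers(cert, fqdn):
        sans = [n for k, n in cert.get("subjectAltName", ()) if k == "DNS"]
        return [f"Certificate: SAN list {sans} does not contain {fqdn}"]
    return []

if __name__ == "__main__":
    # Usage: python preflight.py flow.example.com [ca-bundle.pem]  (placeholder names)
    issues = preflight(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    print("\n".join(issues) or "OK")
    sys.exit(1 if issues else 0)
```

Run it from the host where Flow will be installed, after the certificate has been uploaded to the load balancer; pass the CA bundle as the second argument when the certificate is issued by an internal CA.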


Configure Flow via the KOTS console

Once the load balancer is configured, log in to the server where the Flow app is installed and install KOTS. Once KOTS is installed, the load balancer health check usually shows the state as Active or Healthy as the instance starts to listen on port 8800.

Open a browser and go to the URL listed at the end of the installation script. It looks like http://[ip-address]:8800. This is the KOTS admin console.

Log in to the console with the password printed at the end of the installation log output. In the TLS screen, ensure the hostname field matches the DNS/FQDN. Click Upload & continue.

In the Flow URL field on the Configure Flow Enterprise screen, make sure the URL is https://FQDN, where FQDN is the DNS entry you configured earlier.

Uncheck the Use TLS box.

Important: Unchecking the Use TLS box is specific to installing Flow behind a load balancer. If you're following the Flow installation instructions and are installing Flow behind a load balancer, double-check that you've unchecked the box.

Proceed with the next steps of the Flow installation to configure the KOTS app and deploy Flow.


Accessing the application via the load balancer

Once the Flow application pods are fully initialized, the application is available via the URL entered in the Flow configuration screen. Open a browser and try https://FQDN without any ports specified.


If you need help, please email Support for 24/7 assistance.