Deploying IBM Cognos with an AWS Application Load Balancer
Why an ALB?
An Application Load Balancer (ALB) may seem unnecessary when thinking about architecting Cognos on AWS. ALBs are most often used in serverless patterns or containerized applications. Those architectures obviously don’t apply to Cognos. However, that doesn’t mean we can’t borrow design patterns from other architectures to benefit a Cognos deployment. Two reasons we recommend leveraging an ALB when deploying Cognos are simplified administration and improving your security posture.
Simplified Administration
Setting up a Cognos gateway to use SSL is almost always a headache. It usually requires coordinating with multiple teams to get the actual certificate, update DNS rules, adjust firewall rules, and anything else that may be needed. Troubleshooting issues with SSL are just as cumbersome to solve because it requires all those teams to conduct their own investigation to ensure their piece of the workflow isn’t the culprit.
This is where an ALB can help ease this administrative burden. SSL can be configured on the ALB itself. All traffic will then terminate via SSL to the ALB, and then is passed to the Cognos gateway server(s). So far, nothing seems that special about this configuration. That’s because the real value of this configuration is during Cognos upgrades. When it’s time to upgrade, new instances can be provisioned, and the software can then be installed. When it’s time to cutover, the ALB can simply be pointed to the new servers. And that’s it. There is no need to reconfigure DNS entries, import certificates, or mess around with firewall rules. That was all done when the ALB was originally set up and doesn’t need to be re-worked during an upgrade. This also greatly enhances your ability to rollback should a showstopper be found with the new environment. Rolling back to the old environment simply requires pointing the ALB back to the old servers. This can be done in seconds. It’s important to note that the same gateway URL will work regardless of which set of servers the ALB has been pointed to. Nothing changes for the end users.
You can further extend this approach by using a shared ALB. For example, if the QA, Dev, and Sandbox environments have relatively low traffic, they can share an ALB. Traffic can be routed to the respective environment using path-based routing. This can help further reduce administration overhead by only managing a single ALB for multiple environments. An example of path-based routing for a shared ALB is below.
Improved Security Posture
Your overall security posture should also be improved by using an ALB. Placing an ALB in front of the Cognos gateways means only the ALB will be exposed to the Internet. The Cognos instances, including the gateway servers, can then remain private. Requests sent from the ALB to Cognos will be carried over the private AWS network. Consolidating and limiting ingress points to an application should always be considered when architecting a solution. Leveraging an ALB will place one additional buffer between key company resources and the open Internet.
Conclusion
Implementing an ALB with Cognos may seem like unnecessary overhead. However, it can greatly ease the burden of administrators during upgrades by placing the SSL and DNS configuration at a fixed point that is separate from the application components. Placing the Cognos instances behind an ALB also allows those instances to remain private, rather than having direct access to the Internet. This further enhances the security posture of the environment making it less susceptible to attack.
Cognos to AWS Blog Series
Join us here for more updates to this series to address questions and discuss patterns to consider when migrating Cognos to AWS. If you need help sooner, reach out to us now! We’d love to have a conversation with you about your AWS migration journey.
Next Steps
We hope you found this article informative. Be sure to subscribe to our newsletter for data and analytics news, updates, and insights delivered directly to your inbox.
If you have any questions or would like PMsquare to provide guidance and support for your analytics solution, contact us today.