Find NLB IPs the documented way #926
Open
daxelrod-rh wants to merge 2 commits into rh-mobb:main from
DNS lookups are not a reliable way to find all of an NLB's listener IPs. There is no guarantee that the DNS server will give your machine all valid listeners, and there may be more than two. Instead, use an AWS documented technique to find all network interfaces associated with an NLB to get those network interfaces' IPs. Use those IPs for the target group for the public NLB.
There is a section that adds the cert to AWS ACM, and implies it will be used by the NLB for TLS termination, but the NLB is never configured to do so. Since it's fine (arguably better) for the NLB to just handle things at the TCP level and let the cluster handle TLS termination, remove this section.
diana-sari (Contributor) requested changes on May 5, 2026:
thanks for updating this article!
a couple of nits from claude check:
- content/rosa/hcp-private-nlb/_index.md:218: --targets ID=$ip,Port=443 is likely wrong. AWS CLI target shorthand uses Id=..., not ID=.... The old command had this right, and AWS docs also show Id=string.
- content/rosa/hcp-private-nlb/_index.md:217-219: the loop probably does not split the IPs correctly. NLB_LISTENER_IPS from --output text is whitespace/tab-separated, and printf '%s' gives read one line, so this can register all IPs as one malformed target value. A for ip in $NLB_LISTENER_IPS; do ... done loop would be safer.
- content/rosa/hcp-private-nlb/_index.md:218: it removed AvailabilityZone=all. Since this guide registers private ROSA VPC NLB IPs into a target group in a separate public VPC, AWS requires AvailabilityZone for IP targets outside the target group VPC. The old command used AvailabilityZone=all, and that should probably stay.
- content/rosa/hcp-private-nlb/_index.md:174: typo, listner should be listener.
from visual review:
- assuming you're validating this on the most recent ROSA version, please add a "validated_version" tag in the front matter per CONTRIBUTING.md
- also, if you check the Netlify preview, the end of the article's formatting looks chopped (like there's some repetition), please fix that also
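The two technical points on this page, the ENI-based lookup from the PR description and the target-registration loop discussed in the review, are shown together below in an added example. This is not the guide's or the PR's own script: the NLB ARN, target group ARN and the sample IP list are constructed, the `NLB_ARN`/`TARGET_GROUP_ARN` environment variables are an assumption of this example, and the ENI description format `ELB net/<name>/<id>` is the one AWS documents for Network Load Balancer interfaces.

```shell
#!/bin/sh
# Added example (not the guide's own commands). Derives the NLB ENI description
# filter from the load balancer ARN, converts the whitespace-separated output of
# `--output text` into one register-targets shorthand per IP (Id=, not ID=), and
# keeps AvailabilityZone=all because the IPs live outside the target group's VPC.

# AWS documents NLB interfaces with description "ELB net/<nlb-name>/<nlb-id>",
# which is exactly the ARN suffix after "loadbalancer/".
eni_description_from_arn() {
  # $1: NLB ARN, e.g. arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/my-nlb/0123456789abcdef
  printf 'ELB %s\n' "${1#*:loadbalancer/}"
}

# Turn a list such as "10.0.1.5<tab>10.0.2.7<newline>10.0.3.9" into one shorthand
# per IP. `for ip in $ips` lets the shell split on IFS (space, tab, newline),
# which a `while read` over a single printf line does not do.
build_targets() {
  ips="$1"
  port="${2:-443}"
  targets=""
  for ip in $ips; do
    targets="${targets}${targets:+ }Id=${ip},Port=${port},AvailabilityZone=all"
  done
  printf '%s\n' "$targets"
}

# Real lookup and registration; only runs when credentials and ARNs are supplied.
register_nlb_ips() {
  nlb_arn="$1"
  target_group_arn="$2"
  description="$(eni_description_from_arn "$nlb_arn")"
  # All private IPs of every ENI attached to the NLB, not just what DNS happens
  # to answer with. `--output text` yields tab/newline-separated values.
  nlb_listener_ips="$(aws ec2 describe-network-interfaces \
    --filters "Name=description,Values=${description}" \
    --query 'NetworkInterfaces[*].PrivateIpAddresses[*].PrivateIpAddress' \
    --output text)"
  # Word splitting of the substitution is intentional: one argument per target.
  aws elbv2 register-targets --target-group-arn "$target_group_arn" \
    --targets $(build_targets "$nlb_listener_ips" 443)
}

if [ -n "${NLB_ARN:-}" ] && [ -n "${TARGET_GROUP_ARN:-}" ]; then
  register_nlb_ips "$NLB_ARN" "$TARGET_GROUP_ARN"
else
  # Constructed sample of what `--output text` returns for three IPs.
  sample_ips="$(printf '10.0.1.5\t10.0.2.7\n10.0.3.9')"
  build_targets "$sample_ips" 443
fi
```

Run it without the environment variables to see the shorthand strings produced from the constructed sample; with `NLB_ARN` and `TARGET_GROUP_ARN` set (and AWS credentials in place) it performs the actual lookup and registration.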
This is a rebase of #605, which wouldn't let me reopen it after my rebase.