If you have read my post How to install Qlik Sense in AWS, you will have seen that I have had the chance to play with installing Qlik Sense on the AWS infrastructure. I wanted to take it one step further by deploying the Qlik Sense server behind an AWS ELB (Elastic Load Balancer). Why? To see if it could be done, and so we could apply an SSL certificate from the AWS Certificate Manager service.
As I am familiar with setting up an ELB, I assumed it would be relatively easy. Here is what I did (I will also assume that if you're attempting to do this you will have some knowledge of AWS etc.).
Installing Qlik Sense
Install Qlik Sense as per my How to install Qlik Sense in AWS post.
AWS Bits
Security Group(s)
Create a Security Group in AWS to allow the appropriate traffic through, specifically inbound ports 4244 (Windows Authentication) and 443 (HTTPS). I originally opened all ports to test, then limited them down to the ones shown below, and I explicitly chose not to accept HTTP as Qlik Sense is HTTPS-only by default.
Note: Make sure the security group for the Qlik server accepts traffic from your ELB and, to keep it as locked down as possible, restrict it to accept traffic only from the ELB. You may need to modify the security group created in the installation step.
Create an ELB (Classic)
Define Load Balancer by giving it a name and selecting the appropriate VPC.
Listener Configuration, set appropriate protocols and ports.
Select a Subnet for each Availability Zone where you wish traffic to be routed by the load balancer.
Assign Security group by selecting the security group created above.
Configure Security Settings, select the appropriate method for assigning an SSL certificate. I used the one I created in my previous post about ACM.
Configure Health Check. Configuring a health check has tripped me up before, so I set it to be as simple as possible when testing (i.e. I don't want the health check to fail because I configured it wrongly), so set this to ping port TCP:443.
Assign the appropriate EC2 instance, i.e. the Qlik Sense server created above.
At this point we have the ELB configured and pointing to the Qlik Sense server. A quick check to see if the ELB is registering the Qlik Server as Healthy, a good start.
Next, a test: accessing the qmc, https://elb-url/qmc, enter my credentials, fantastic, all looking good (there will be a certificate warning, which we'll resolve later). Now on to testing the hub, https://elb-url/qmc, enter my credentials, hmmm, not so good; the following error was seen.
Well, that was not as easy as I thought. At this point I went through the usual steps, checking and adding the ELB URL to the Websocket Whitelist etc., but still got the same error.
Not even Google helped me on this, and it appeared that others had tried and failed to set this up in this way. About to give up, I thought I would reach out to the Qlik support team, who were very responsive; they didn't give me a solution but pointed me in the right direction.
HUB uses Web Sockets. If Web Sockets is broken by anything between Qlik Sense and browser, HUB cannot work correctly.
It may be possible to configure ELB so that it doesn't break Web Sockets. Please consult Amazon for details.
After some more searching I concluded that I needed to change the Listener configuration to forward more than just the HTTPS traffic on port 443, so I changed the listener protocol from HTTPS to SSL (Secure TCP).
Another test using the ELB's URL, and success. It now appears that the Qlik Sense server is working behind the ELB.
The next step was to route traffic for our selected domain name (the one used to create the SSL certificate) using AWS's Route53. Once Route53 is configured (a future post) we can access Qlik Sense (both qmc and hub) sitting behind an ELB using our specified domain name without the browser security certificate warning. Job done.
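One way to check the two settings this setup depends on, the listener protocol and the Qlik server's security group, as an added example that is not part of the original post. It assumes input shaped like the output of boto3's `describe_load_balancers` (Classic ELB) and `describe_security_groups`; the function names and every ID below are hypothetical, constructed values.

```python
# Added example: offline audit of a Classic ELB in front of Qlik Sense.
# Dicts mirror boto3 elb.describe_load_balancers() / ec2.describe_security_groups()
# output; every ID and rule below is constructed sample data.
L7_PROTOCOLS = {"HTTP", "HTTPS"}  # Classic ELB layer-7 listeners: no WebSocket support
QLIK_PORTS = {443, 4244}          # the ports the post opens in the security group

def audit_listeners(elb):
    """Flag listeners that would break the WebSockets the hub depends on."""
    findings = []
    for desc in elb["ListenerDescriptions"]:
        lst = desc["Listener"]
        if lst["Protocol"].upper() in L7_PROTOCOLS:
            findings.append(f"port {lst['LoadBalancerPort']}: {lst['Protocol']} "
                            "listener, switch to SSL (Secure TCP)")
    return findings

def audit_instance_sg(sg, elb_sg_ids):
    """Flag Qlik ports reachable from any source other than the ELB's group."""
    findings = []
    for perm in sg["IpPermissions"]:
        # Rules with IpProtocol "-1" carry no port range: treat as all ports.
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        ports = sorted(p for p in QLIK_PORTS if lo <= p <= hi)
        if not ports:
            continue
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])
                    if g["GroupId"] not in elb_sg_ids]
        findings += [f"ports {ports}: open to {s}, not only the ELB" for s in sources]
    return findings

def _elb(protocol):  # constructed Classic ELB description with one listener
    return {"SecurityGroups": ["sg-elb-example"], "ListenerDescriptions": [
        {"Listener": {"Protocol": protocol, "LoadBalancerPort": 443,
                      "InstanceProtocol": protocol, "InstancePort": 443}}]}

ELB_BEFORE, ELB_AFTER = _elb("HTTPS"), _elb("SSL")
QLIK_SG = {"IpPermissions": [  # constructed: 443 still open to the world
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "UserIdGroupPairs": [{"GroupId": "sg-elb-example"}]},
    {"IpProtocol": "tcp", "FromPort": 4244, "ToPort": 4244,
     "UserIdGroupPairs": [{"GroupId": "sg-elb-example"}]}]}

if __name__ == "__main__":
    for line in (audit_listeners(ELB_BEFORE) + audit_listeners(ELB_AFTER)
                 + audit_instance_sg(QLIK_SG, ELB_BEFORE["SecurityGroups"])):
        print(line)
```

With an SSL (Secure TCP) listener the Classic ELB forwards at the TCP layer, so it no longer adds X-Forwarded-For headers to requests reaching Qlik Sense.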
OK, time for my disclaimer(s):
- I am still in the process of testing to ensure all HUB functionality is not broken.
- I have very little experience using/dealing with web sockets, and so my solution may not be an acceptable workaround for some instances, and care should be taken when implementing it in your environment.
Finally, I am open to any comments on why my solution shouldn't be used. Please let me know.
You learn something every day
Barry, Preventer of Chaos