
Atlassian Data Center on AWS: the unknown benefits of Application Load Balancers

AWS is the most popular option for hosting Data Center Atlassian applications in the cloud. If you’ve ever attended an Atlassian Summit (and paid any attention to Data Center migration content), chances are you have encountered one or two talks covering the journey to Amazon Web Services. Like this one

Atlassian even provides Quick Start Templates for deploying all its major applications. This is, for example, what you would do when putting Jira Data Center on AWS.

AWS ALB application load balancer Jira.png

As you may know if you’ve been part of an AWS deployment project, templates like these are based on the Atlassian Standard Interface (ASI), with outstanding benefits like high availability and security. But these are frequently mentioned.

However, there are certain aspects that have been less explored by Atlassian. And in this article, I’d like to go into some of the hidden gems of the central piece in the ASI VPC: The Application Load Balancer.

Application Load Balancers: the hidden gems of AWS and ASI

My point here is: if you’ve gone through the setup or otherwise deployed Jira or Confluence Data Center on AWS, you already have an Application Load Balancer. The ALB controls traffic to your nodes and ensures uptime. That’s a good thing.

But there are some other things that your AWS ALB can do that your users and your colleagues in the Atlassian admin team will enjoy just as much.

Authentication with AWS Application Load Balancers

For example: Did you know that Application Load Balancers can be configured to handle user authentication?

A major advantage is that your Jira Data Center will never be touched by traffic that hasn’t previously authenticated. Say goodbye to that attack surface.

A con is that you will create a Double Sign On flow: your users authenticate when they reach the ALB, then again when they are redirected to the Identity Provider.

But that problem already has a solution. A couple of months ago, resolution, the company I work for, launched AWS ALB and Amazon Cognito Authentication. This Marketplace app is available for both Server and Data Center hosting, and uses the authentication HTTP headers sent by AWS Application Load Balancers to log you in directly without the second step.

Which means you can build a real Single Sign On experience, with the added security of the ALB.
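Logging users in from load balancer headers is only safe if the backend checks that the ALB really produced them. The sketch below is an added example, not code from the app described here: it verifies the signed `x-amzn-oidc-data` JWT that an ALB forwards after authentication. The names `verifyAlbIdentity`, `getPublicKey`, `makeSampleToken` and the sample ARN are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// The ALB pads its base64url segments with "=", which strict JWT parsers reject.
const b64 = (s) => Buffer.from(s, 'base64'); // accepts URL-safe alphabet and padding

// getPublicKey(kid) is a hypothetical lookup supplied by the caller. Against a real
// ALB it would fetch https://public-keys.auth.elb.<region>.amazonaws.com/<kid>.
function verifyAlbIdentity(token, expectedSignerArn, getPublicKey, nowSec) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let head, claims;
  try {
    head = JSON.parse(b64(parts[0]).toString('utf8')) || {};
    claims = JSON.parse(b64(parts[1]).toString('utf8')) || {};
  } catch (e) {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm and the exact load balancer allowed to vouch for users.
  if (head.alg !== 'ES256') return { ok: false, reason: 'alg' };
  if (head.signer !== expectedSignerArn) return { ok: false, reason: 'signer' };
  const key = getPublicKey(head.kid);
  if (!key) return { ok: false, reason: 'kid' };
  // JWS ES256 signatures are raw r||s (IEEE P1363), not DER.
  const signed = Buffer.from(parts[0] + '.' + parts[1]);
  let good = false;
  try {
    good = crypto.verify('sha256', signed, { key, dsaEncoding: 'ieee-p1363' }, b64(parts[2]));
  } catch (e) { good = false; }
  if (!good) return { ok: false, reason: 'signature' };
  // Assumption: expiry is read from the JWT header, falling back to the payload.
  const exp = Number(head.exp ?? claims.exp);
  if (!(exp > nowSec)) return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}

// Constructed sample data: a throwaway P-256 key pair stands in for the ALB signing key.
const SAMPLE_ARN = 'arn:aws:elasticloadbalancing:eu-west-1:111122223333:loadbalancer/app/example/0000000000000000';
const sampleKeys = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
function makeSampleToken(head, claims, privateKey = sampleKeys.privateKey) {
  const url = (b) => b.toString('base64').replace(/\+/g, '-').replace(/\//g, '_'); // padding kept
  const signed = url(Buffer.from(JSON.stringify(head))) + '.' + url(Buffer.from(JSON.stringify(claims)));
  const sig = crypto.sign('sha256', Buffer.from(signed), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return signed + '.' + url(sig);
}
```

The check complements, and does not replace, network rules that let the application nodes accept traffic only from the load balancer.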

However, there’s a lot more to it with the second version we just released.

How to put Application Load Balancers at the core of your User Management strategy

aws alb authentication and provisioning.png

With version 2, the authentication part becomes a bit of a misnomer: the app can now also provision users! And there are multiple options.

Methods for provisioning users during login

There are two different methods for provisioning users during login:

  • Provision users Just In Time with the claims sent by the load balancer

  • Provision users during login via the REST API of the Identity Provider, and sync them.

These two alternatives can create new users locally and update their groups and attributes. However, they cannot be used to deactivate users.

Have a look at the documentation on these two methods

Methods for provisioning users regardless of login

However, the two options above are only a small part of the provisioning might that comes with User Sync.

In fact, User Sync is a bit like rebuilding an old-school LDAP sync, but on the cloud.

That means that users don’t have to wait until the moment they log in to have all their info updated, or to be created for the first time. Instead, you can choose to sync the entire cloud directory from the IdP at any time:

  • Sync at scheduled intervals. For example, every night at 3 am. Or every Saturday, if your user database is larger.

  • Trigger the sync manually. For example, right after updating Jira to a new version.

With these two options, it’s not only possible to create new users and to update them. It’s also possible to deactivate them!

And of course, you can also filter which users should be synced by groups. For example, you could carry over only users in the group jira-users, so as not to give unnecessary access to anybody.

In other words: you get the full might of our User Sync product, which is also included as a module of our SAML SSO apps.

Testing the app in Data Center deployments

As I mentioned above, the app has just been approved for Data Center and can be installed in any on-premise installation of Jira and Confluence. Test it out yourself and let us know how you find it!

Evaluate AWS ALB and Amazon Cognito Authentication for Jira

Evaluate AWS ALB and Amazon Cognito Authentication for Confluence

And in case you have any doubts or need help figuring out the best configuration options to fit your requirements, feel free to schedule a free screenshare session with our team!
