Impala Load Balancing with Amazon Elastic Load Balancer

In a previous post, we explained how to configure a proxy server to provide load balancing for the Impala daemon. The proxy software used was HAproxy, a free, open source load balancer. This post will demonstrate how to use Amazon’s Elastic Load Balancer (ELB) to perform Impala load balancing when running in Amazon’s Elastic Compute Cloud (EC2).


Similar to HAproxy, an Elastic Load Balancer is a reverse proxy that will take incoming TCP connections and distribute them amongst a set of EC2 instances. This is done partly for fault tolerance and partly for load distribution. Cloudera’s Using Impala through a Proxy for High Availability details how load balancing applies to part of Impala.

To summarize, the proxy will allow us to configure our Impala clients (Hue, Tableau, etc) with a single hostname and port. This well-known hostname will not have to be changed out if there were to be a failure of one or multiple Impala daemons. It will also distribute the load of running a query’s coordinator processing amongst the Impala daemons.

The steps we will take to set up the Impala load balancer are:

  1. Configure security groups.
  2. Create the ELB.
  3. Configure the ELB.
  4. Add instances to the ELB.
  5. Test the ELB.
  6. Configure Impala.


The following examples require that you have the AWS CLI software installed and configured on your system. This can be on your Windows, Mac, or Linux workstation/laptop or on a Linux host running elsewhere. Spinning up an EC2 instance running Amazon Linux might be the fastest way to get the tools.

Of course, you will need an AWS account and IAM privileges to create both the security groups and the ELB.


The following code is run in a shell (bash or cmd.exe) on the system with the AWS CLI tools.

First, we will need to name the cluster that is running the Impala service. This will be used to name the ELB and security groups. Then, we will create some variables that will hold the ID numbers of existing AWS infrastructure. Lastly, we use an additional variable named $OPTS for general AWS CLI options we may need.

We will have to look up the VPC ID, the ID of the subnet where we will be deploying the load balancer, and the instance IDs of the Hadoop cluster workers that are running the Impala Daemon. The ELB can reside in the same subnet as the Hadoop cluster or it can be placed in a separate subnet. It is advisable to keep the ELB in the same Availability Zone as the cluster. (You are deploying your Hadoop cluster instances to the same AZ, right?)

#OPTS="--profile default --region us-west2"

If you have tagged your objects appropriately, you can use aws ec2 describe-* to look them up programmatically. These are examples. Your environment will be different.

# Return the VPCID of the VPC named "Cluster1".
VPCID=$(aws $OPTS ec2 describe-vpcs --output text --query 'Vpcs[*].VpcId' \
  --filter Name=tag:Name,Values="${CLNAME}")

# Return the SUBNETID of the subnet named "Cluster1 Private subnet 0".
SUBNETID=$(aws $OPTS ec2 describe-subnets --output text \
  --query 'Subnets[*].SubnetId' \
  --filter Name=tag:Name,Values="${CLNAME} Private subnet 0")

# Return the instance IDs of instances tagged "env=Cluster1" and "type=worker".
INSTANCES=$(aws $OPTS ec2 describe-instances --output text \
  --query 'Reservations[*].Instances[*].InstanceId' \
  --filters "Name=tag:env,Values=${CLNAME}" Name=tag:type,Values=worker)

Step 1

Second, we will define new security groups. The first group will allow client initiated traffic to reach the ELB. This should be locked down to something smaller than “everything” ( especially if you have your cluster on the big, bad Internet.
The second group will allow the ELB to reach the Impala daemons running on the Hadoop cluster worker nodes.

echo "Allow Impala connections from clients to the load balancer."
FRONTEND=$(aws $OPTS ec2 create-security-group --output text --vpc-id $VPCID \
  --group-name "${CLNAME} Impala FE" --description "Impala Front-End Traffic")
aws $OPTS ec2 authorize-security-group-ingress --group-id $FRONTEND \
  --protocol tcp --port 21000 --cidr
aws $OPTS ec2 authorize-security-group-ingress --group-id $FRONTEND \
  --protocol tcp --port 21050 --cidr

echo "Allow Impala connections from the load balancer to the cluster."
BACKEND=$(aws $OPTS ec2 create-security-group --output text --vpc-id $VPCID \
  --group-name "${CLNAME} Impala BE" --description "Impala Back-End Traffic")
aws $OPTS ec2 authorize-security-group-ingress --group-id $BACKEND \
  --protocol tcp --port 21000 --source-group $FRONTEND
aws $OPTS ec2 authorize-security-group-ingress --group-id $BACKEND \
  --protocol tcp --port 21050 --source-group $FRONTEND

Then we will add each EC2 instance to the new $BACKEND security group.

  GROUPID=$(aws $OPTS ec2 describe-instance-attribute --instance-id $INSTANCEID \
    --attribute groupSet --output text --query 'Groups[*].GroupId')
  aws $OPTS ec2 modify-instance-attribute --instance-id $INSTANCEID \
    --groups $GROUPID $BACKEND

Step 2

Next we get to the meat of this post: creating the load balancer. We will create an ELB with the name “elb-impala-Cluster1” and tell it to listen on ports 21000/TCP and 21050/TCP. The ELB will reside on subnet $SUBNETID and be a member of the security group $FRONTEND. This ELB will be internal/private and will not be available on the Internet. You can change this with the --scheme argument.

aws $OPTS elb create-load-balancer \
  --load-balancer-name elb-impala-${CLNAME} \
  --listeners \
  "Protocol=TCP,LoadBalancerPort=21000,InstanceProtocol=TCP,InstancePort=21000" \
  "Protocol=TCP,LoadBalancerPort=21050,InstanceProtocol=TCP,InstancePort=21050" \
  --subnets $SUBNETID \
  --security-groups $FRONTEND \
  --scheme internal

Step 3

After creation, we will modify some of the ELB configuration. This command will modify the Connection Idle Timeout value to 3600 seconds. It will also set up logging to go to a previously created S3 bucket named “Cluster1-logs” where files prefixed with “Cluster1-Impala” will be written every 60 minutes.

aws $OPTS elb modify-load-balancer-attributes \
  --load-balancer-name elb-impala-${CLNAME} \
  --load-balancer-attributes \

Further modifications to the ELB will add a health check for the ELB to determine if individual instances are available. The ELB will connect to port 21000/TCP every 30 seconds to test if the instance application is listening. The individual checks will timeout after 5 seconds with no response. The instance will be considered to have failed after two failed checks. The instance will return to a healthy status after five successful checks.

aws $OPTS elb configure-health-check \
  --load-balancer-name elb-impala-${CLNAME} \
  --health-check \

Step 4

Finally, we will attach the Hadoop worker instances to the ELB and load balancing will begin to be available.

aws $OPTS elb register-instances-with-load-balancer \
  --load-balancer-name elb-impala-${CLNAME} \
  --instances $INSTANCES

Lets not forget to look up the all-important DNS name that we will be using to talk to the ELB. We will use this to configure our client applications and for impala-shell.

ELBDNSNAME=$(aws $OPTS elb describe-load-balancers --load-balancer-names \
  elb-impala-${CLNAME} --output text --query 'LoadBalancerDescriptions[*].DNSName')
echo "*** SAVE ME ***"


Step 5

We will test our implementation to confirm that it works to our expectation.

for (( i = 0 ; i < 10; i++ )); do
  impala-shell -i ${ELBDNSNAME} -q 'SELECT pid();' 2>&1 | grep Coordinator:

You should get output similar to the following which shows that we are connecting to a new coordinator each time:

Query submitted at: 2017-06-23 19:53:00 (Coordinator: http://ip-10-30-1-35.ec2.internal:25000)
Query submitted at: 2017-06-23 19:53:01 (Coordinator: http://ip-10-30-1-4.ec2.internal:25000)
Query submitted at: 2017-06-23 19:53:01 (Coordinator: http://ip-10-30-1-46.ec2.internal:25000)
Query submitted at: 2017-06-23 19:53:01 (Coordinator: http://ip-10-30-1-33.ec2.internal:25000)
Query submitted at: 2017-06-23 19:53:01 (Coordinator: http://ip-10-30-1-10.ec2.internal:25000)
Query submitted at: 2017-06-23 19:53:01 (Coordinator: http://ip-10-30-1-35.ec2.internal:25000)
Query submitted at: 2017-06-23 19:53:02 (Coordinator: http://ip-10-30-1-4.ec2.internal:25000)
Query submitted at: 2017-06-23 19:53:02 (Coordinator: http://ip-10-30-1-46.ec2.internal:25000)
Query submitted at: 2017-06-23 19:53:02 (Coordinator: http://ip-10-30-1-33.ec2.internal:25000)
Query submitted at: 2017-06-23 19:53:02 (Coordinator: http://ip-10-30-1-10.ec2.internal:25000)

Configure Impala

Step 6

Technically, there is nothing you need to configure in Impala. At least not on an insecure (non-Kerberized) cluster. You do need to tell other applications in your Hadoop distribution about the load balancer.

From Cloudera’s Using Impala through a Proxy for High Availability:

On systems managed by Cloudera Manager, on the page Impala > Configuration > Impala Daemon Default Group, specify a value for the Impala Daemons Load Balancer field. Specify the address of the load balancer in host:port format. This setting lets Cloudera Manager route all appropriate Impala-related operations through the proxy server.


Since we at Clairvoyant tend to do a lot of security-enabled Hadoop deployments, it makes sense to describe how to get TLS enabled on the ELB.

Amazon has a service called AWS Certificate Manager. This service lets you provision a CA-signed TLS certificate onto the ELB with very little effort and will automatically update the certificate for you before it expires.

First we will request a certificate. Set the variable $DNAME to the name of the fully qualified domain name that you are using for the certificate. Then we will add tags so that we can provide a simple name.


ARN=$(aws $OPTS acm request-certificate --domain-name $DNAME \
  --subject-alternative-names $ELBDNSNAME --output text)
aws $OPTS acm add-tags-to-certificate --certificate-arn $ARN --tags \

At this point, the certificate is not yet issued. Emails have been sent to the domain contacts for approval of the request. Once the request is approved, we can continue with assigning the certificate to the ELB. We can list the certificates and watch to see if it has been approved. If there is any output to this command, it means the request has been approved by the domain owner.

aws $OPTS acm list-certificates --certificate-statuses ISSUED --output text \
  | grep $ARN

Lastly, we will modify the ELB from TCP mode to SSL mode and tell it to use the TLS certificate on ports 21000/TCP and 21050/TCP.

aws $OPTS delete-load-balancer-listeners \
  --load-balancer-name elb-impala-${CLNAME} --load-balancer-ports 21000
aws $OPTS elb create-load-balancer-listeners \
  --load-balancer-name elb-impala-${CLNAME} \
  --listeners \

aws $OPTS delete-load-balancer-listeners \
  --load-balancer-name elb-impala-${CLNAME} --load-balancer-ports 21050
aws $OPTS elb create-load-balancer-listeners \
  --load-balancer-name elb-impala-${CLNAME} \
  --listeners \

You should now have an Amazon-signed TLS certificate protecting your ELB traffic. To confirm, run the following command and look for something like issuer= /C=US/O=Amazon/OU=Server CA 1B/CN=Amazon.

openssl s_client -connect ${ELBDNSNAME}:21000 -nbio /dev/null \
  | openssl x509 -noout -issuer

Thats it. Happy load balancing!

IoT in Healthcare

The healthcare industry is undergoing a huge transformation. With the introduction of new IOT devices like FitBit and Livongo, health care is changing from visits to the hospitals and clinics, to diagnoses from your phone or social media. Traditional healthcare systems might be subject to imminent extinction, thanks to the aggressive digitization that has taken over the industry.

The key word that we believe characterizes this change is ‘connections.’ People are becoming more connected with their body, as they can visualize and track all aspects of their health and wellness. The physician and patient are better connected as the doctor now has access to health data that goes beyond the annual checkup and past health records. The business and employees are more connected as employers now have a way of tracking the well-being of their employees.

We are starting to see the development of software services that are changing the industry to the connected healthcare network. Healthcare API companies offer a platform to build apps on, while providing storage and analytics for IOT device data. Wellness apps collect health data from a variety of connected IOT devices and analyze it within the app. Remote patient monitoring packages allow for doctors and caregivers to track continuously and in real time a patient’s vitals, and other conditions like blood glucose and oxygen levels. We believe these developments signal a huge change in medical care as we know it. The goal for technology and data-focused companies like Clairvoyant, in this medical revolution, is to embody the change that is happening and help build more connections between patient and physician, patients and their data, and businesses and their employees. Rather than just providing an API platform, or keeping everything contained to an app, we believe the best service will be a cloud-based connection service with an intuitive UI to integrate users into the system. This will allow care providers and hospitals to easily manage their many users with real-time, seamlessly transferred data. With respect to building connections between the patients and their data, the best user experience will be to get notifications through a variety of social media and personal devices so that patients are completely connected and informed about their body.

By building these connections, our vision is to usher in a new wave of specialized and individualized medical care.  An ecosystem of IT service providers, data technology companies, and wearable device manufacturers is looking to integrate electronic health records (EHR) into this analytics platform. With large volumes of collected data from these devices over a population in a defined time interval, the analytics and prediction engines will become much more adept at recognizing conditions and making recommendations. Coupled with a real-time stream from IOT devices, as well as more sophisticated vital monitoring systems will bring about a ‘digital health monitor’ for each person. Helping create this digital health monitor thereby reducing cost, of monitoring with real-time actionable data triggers is in our long-term vision for the next level of healthcare.

A digital health monitor that is continuously monitoring body signals through data streams from IOT devices triggers multiple alerts to healthcare providers, caregivers, family etc based on the individual triggers and health condition. This would lower costs and time of individual care while providing instant response and support across different health conditions. Some might view this as only useful to those who have a chronic condition and need constant monitoring, but we believe this anticipates a new wave of preventative medicine. Even healthy people can minimize visits to the doctor by analyzing their digital twin data and predicting if some vitals point to a dangerous condition. The vast stores of patient health data will reveal trends in conditions and the digital twin will warn you before the illness sets in.

The beginning of this new age of medicine is being ushered in by today’s healthcare platforms for IOT devices. We are looking to better build these connections from your body to the doctor to the caregiver and back to yourself to help you better understand your own health and bring in a new age of medicine.