Flood Aqueduct: Cloud Load Testing for Behind the Firewall

How to use Flood Aqueduct to harness the power of the cloud to load test an application that sits behind a company firewall

Flood Aqueduct is an exciting new product offering that we developed after the many requests we received about the need for a solution to testing on-premise applications. Customers who wanted to use Flood’s cloud based load testing against their applications that weren’t open to the outside world didn’t have much choice but to whitelist IP ranges and poke holes in their firewalls.

With Flood Aqueduct, you are now able to configure and install a secure VPN tunnel and allow our grid nodes to communicate with and simulate load against your internal applications easily and securely.

This blog post will detail a simple example of setting Aqueduct up to access a simple website that cannot be accessed directly from the outside world.

Setting up the basic web application, SSL and domain name

To prove the value of Aqueduct, we need to set up a securely hosted website on our own computer that we can use for testing.  We’ll attempt to set one up that uses SSL and has its own domain name (just like a real enterprise application would have).  This will effectively show that the Aqueduct tunnel we set up on our laptop allows traffic from the cloud back in to the secure site hosted on our same machine..

We’ll be using a dummy HTTPS enabled website called ecorp.dev - to set this up we will follow the instructions listed on the Github repository here: https://github.com/flood-io/ecorp.dev

The instructions are for using the OSX Terminal and Docker needs to be installed.  If you need help setting this up on Windows or Linux, please drop us a line.

Once we have completed the steps and your NGINX web server is running in its own terminal window, you should see it waiting for some requests:

We’ll need to modify our local /etc/hosts file so that any request that calls the domain that we set up, www.ecorp.dev, will be served by the local web server.

# Host Database
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##       localhost broadcasthost
::1             localhost  www.ecorp.dev

Here’s what the local hosts file should look like - the value is the IP address given to my machine by my WiFi router so this IP address will be listed in my local hosts file. If this IP changes - we will need to update the local hosts file as well as restart any running tunnels by using:

> aqueduct --restart --target https://www.ecorp.dev

Let’s see if our web application works by using a simple curl command in a second terminal window - as follows:

By using curl -k https://www.ecorp.dev we can see that the web server responds with a very simple message that shows us it’s running and can be accessed locally. You can also try to view the URL in your browser so when you click https://www.ecorp.dev it should show you the same response.

Setting up a VPN tunnel with Aqueduct

Since we now have a nice little web server hosting a very simple application we are ready to setup Aqueduct and create a new tunnel so that this application can be accessed by Flood Grid nodes for load testing.

Flood Aqueduct supports Windows, Mac, and Linux and binaries for the respective operating system can be found here: https://aqueduct.flood.io/aqueduct-ssl/getting-started/installing

Once you have downloaded and followed the installation instructions you can simply run from the command line:

> aqueduct version

Which will show the version and that Aqueduct has been successfully installed and configured.

You should see similar text as in the above screenshot.

Now, creating a tunnel to our local web application is fairly straightforward and can be done with the following command:

> aqueduct --target https://www.ecorp.dev

This will create a tunnel directly to our web application so it can be accessed from Flood Grid nodes for load testing. The output of this command should take up to a couple of minutes and look like the following:

Please take note of the region that your tunnel uses above - as you can only use Grids in the same region when running load against your tunnel.

You can also use the following command to see the current active tunnels:

> aqueduct status

This command should output something similar to the following:

The LOCAL IPV4 address will be needed in the hosts file you upload to Flood to run a new load test.

The TIME UNTIL SHUTDOWN valuewill need to be ample time for you to run your load test as when the tunnel expires - your tunnel won’t be available any more and your load tests will fail. Using the --duration parameter when starting your tunnel will allow you to increase or decrease this time.

Executing a Flood against your web application using Aqueduct

With your web application server and Aqueduct tunnel set up - it’s time to run a test to verify if it actually works and all your effort has paid off.

First you’ll want to configure Aqueduct to use your Flood account. If you don’t already have a Flood account, you can sign up for a free trial. While logged in, get your API Access Token, which will make sure the tunnel is connected to your Flood site.

Then run:

> aqueduct configure

This command will ask you to paste in your token from Flood as well as select the default region for any tunnels.

Then we need to have a load test script and correctly configured .hosts file that we’ll need to upload to Flood.

The Load Test script is a very simple JMeter script that simply calls www.ecorp.dev a number of times with multiple users just like a normal load test.

It is important that we target http://www.ecorp.dev instead of the secure site we set up at https://www.ecorp.dev in the JMeter script as the tunnel routes all requests against the http site to the secure https target regardless.

The hosts file we need to upload along with the JMeter script is used by the Grid nodes to resolve requests to the tunnel IP address. It needs to be specified as follows:

The IP address used in this hosts file needs to be taken from the previous address returned by the tunnel - named as LOCAL IPV4.

With these two files - we will now need to launch a Grid in the same region as the tunnel. In our case we have created a tunnel in ap-southeast-2 or the Sydney region so a corresponding Grid will need to be initiated.

When creating a new Flood - we simply need to upload both files and select the Grid we just launched and run the test.

Now, if we have set up everything correctly - we should see the Flood requesting the tunnelled URL successfully.

Putting It All Together

The sample files to test the Aqueduct tunnel are available for download for your reference in the following locations:- JMeter script and tunnel .hosts file.  Please feel free to download this script and use it for your own starting point to load test your application using Aqueduct.

When you have your own script created, you can upload it into Flood to execute it with 100’s or 1,000’s of concurrent users. The free trial will provide you with enough node hours to execute this test outlined here for 1 hour with roughly 5,000 concurrent users.

If you are load testing using Aqueduct, we’d love to hear from you. Drop us a note and share any ideas that are working for you and feel free to ask our team any of your tough questions!

Start load testing now

It only takes 30 seconds to create an account, and get access to our free-tier to begin load testing without any risk.