Your internal load balancer must have a private subnet - amazon-web-services

I want to create an internal NLB on AWS to two EC2 instances in two AZs/subnets.
Configuration: 1 VPC, two AZs, 2 private and 2 public subnets:

AZ             public subnet   private subnet
eu-central-1a  public 1        private 1A
eu-central-1b  public 2        private 2A
The EC2 instances are located in the private subnets.
Under Mappings/eu-central-1a I can select public 1 or private 1A.
Under Mappings/eu-central-1b there's only public 2 and the error message:
Your internal load balancer must have a private subnet.
You can update the subnet’s route table in the VPC Console
The private networks and their route tables look identical. Not sure what else needs to be done.

I used the AWS CLI in the meantime. That solved the problem.
# aws elbv2 create-load-balancer --type network --name my-load-balancer --subnets subnet-07.......9528 subnet-0a..........5170 --scheme internal

To solve this issue, remove the internet gateway from the route table of the private subnets, if it is present there.

Related

Not able to ping private ec2 instance from a public ec2 instance within same VPC but in different subnets and different AZ's

I have created a VPC. Within that I have 2 subnets, one private and the other public, in two different AZs. Within these subnets, I have one EC2 instance in the private subnet and the other in the public subnet. Now what I want is to SSH into the private EC2 instance.
Till now what I have done is:
On the Public instance, I have added a Security Group (public-SG) that permits Inbound connections on port 22 (SSH) from anywhere.
On the Private instance, I have added a Security Group (Private-SG) that permits Inbound connections on port 22 from public-SG.
I am able to ssh into public EC2 instance but from that instance I am unable to ping the private EC2.
I have created public and private subnets and each subnet has a route table associated with it.
I am attaching the route table information.
Public route table:
And private route table is:
Also adding private ec2 security group details:

How can I connect to the internet from my private subnet in AWS VPC?

I am trying to set up a VPC with public and private subnets in the us-east-1 region.
My setup is like,
I have 2 public subnets and 2 private subnets in the us-east-1 region.
The private subnets span two AZs, us-east-1a and us-east-1b.
I have a c5 instance in the public subnet of us-east-1b. This instance also has a secondary private ENI in private subnet of us-east-1b for the private instances in both my private subnet (us-east-1a & us-east-1b) to have internet access.
Below are the route tables:
The public subnets are associated to 1 table named external where I have 0.0.0.0 pointed to an Internet gateway.
The private subnets are associated to another table internal where I have 0.0.0.0 pointed to the private ENI of the public instance in public subnet of us-east-1b as I mentioned in the beginning.
The main route table is left alone.
The Problem:
I am able to access internet from private instances in us-east-1b but cannot access internet from private instances in us-east-1a. i.e. if I ping 8.8.8.8 or any resources outside the VPC I do not get any response from the latter.
Please let me know how I can fix this. Is it not possible to route private instances situated in a different private AZ to the internet, irrespective of the AZ where the public instance and private ENI are?
My references are:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#NATInstance

How can I create a VPC for EBS and RDS?

I made a Django app and deployed it on Elastic Beanstalk. I made a Postgres DB with RDS as well. I want to add both of these to a VPC.
I created the VPC using the VPC wizard (VPC with Public and Private Subnets): which created, as the name suggests, one public and one private VPC.
I was told here that I need to add a second private subnet for RDS. Now I have:
1 public subnet (10.0.0.0/24)
2 private subnets (10.0.1.0/24 and 10.0.10.0/24)
I also know from here that I need to "modify the route table of the new private subnet to point to the NAT gateway". However, I am not sure what that means. Right now, here is what my route tables look like:
One for the public subnet
One for the private subnet (main)
Also, after configuring this, what do I need to do to add my RDS to this? Should I just make a subnet group with these 2 private subnets and set it when configuring the RDS? I think I know how to do EBS using CLI.
Please let me know if you need any more information! Thanks!
For the private subnets your route tables should point 0.0.0.0/0 to NAT gateway, as shown on the screenshot:
Example SG for RDS for testing:

<AWS VPC> Unable to ping private subnet instance from a public subnet instance

May I seek assistance with a lab exercise on AWS VPC that I was going through? Thanks.
I created a new VPC, a public and a private subnet, and then launched 2 EC2 instances, one into each subnet. I also set up the security groups required for ping (ICMP) access in the private subnet security group. However, I could not ping the instance in the private subnet from the instance in the public subnet.
Below is the setup:
VPC: (CIDR block 10.0.0.0/16)
Public subnet: (CIDR block 10.0.1.0/24)
Private subnet: (CIDR block 10.0.2.0/24)
Route table for public subnet:
Route table for private subnet:
Security group for public facing instance:
Security group for private facing instance: (All ICMP - IPv4 allowed from private subnet CIDR block)
Public facing EC2 instance launched in public subnet:
Private facing EC2 instance launched in private subnet:
SSH-ed into public instance, but then cannot ping private instance from there:
Additionally, tried to SSH into the private instance from the public instance (private key already added to public instance), also failed:
Thank you very much for your help in advance.
Finally found the problem, the security group for the public facing instance is missing an outbound rule.
When this is added back, the ping is successful.
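Security groups are stateful but not one-directional: a ping from the public instance needs an egress rule on the public instance's group that lets ICMP out and an ingress rule on the private instance's group that lets ICMP in, and a rule that references another group (as "Private-SG allows port 22 from public-SG" in the earlier question) only matches when the peer really belongs to that group. The script below is an added example, not code from any of the posts, and it checks both halves of that path over data shaped like `aws ec2 describe-security-groups` output. The group IDs, CIDRs and addresses are constructed; the sample reproduces the failure found above, a public-instance group whose default allow-all outbound rule has been removed (`IpPermissionsEgress` is empty). Only IPv4 ranges and group references are evaluated; `Ipv6Ranges` and prefix lists are ignored.

```python
"""
Check the security-group path for an ICMP ping (and, generally, any
protocol/port) between two instances using data shaped like
`aws ec2 describe-security-groups` output.
"""
import copy
import ipaddress
from typing import Any

ALLOW_ALL_EGRESS = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}

# Constructed sample. sg-public's outbound rules have been removed; sg-private
# allows SSH only from members of sg-public and all ICMP from the public subnet.
SAMPLE_SGS: dict[str, Any] = {
    "SecurityGroups": [
        {"GroupId": "sg-public", "GroupName": "public-SG",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
         "IpPermissionsEgress": []},
        {"GroupId": "sg-private", "GroupName": "Private-SG",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                            "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-public"}]},
                           {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
                            "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []}],
         "IpPermissionsEgress": [ALLOW_ALL_EGRESS]},
    ]
}


def find_group(sgs: dict, group_id: str) -> dict:
    for sg in sgs["SecurityGroups"]:
        if sg["GroupId"] == group_id:
            return sg
    raise KeyError(group_id)


def _protocol_matches(rule: dict, protocol: str, port_or_type: int) -> bool:
    """Match a rule against tcp/udp port or ICMP type. '-1' is the all-traffic protocol."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != protocol:
        return False
    lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
    if protocol == "icmp":
        return lo == -1 or lo == port_or_type  # FromPort is the ICMP type; -1 = all types (code ignored)
    return lo <= port_or_type <= hi


def _peer_matches(rule: dict, peer_ip: str, peer_group_id: str) -> bool:
    """Peer matches by CIDR or by security-group reference."""
    addr = ipaddress.ip_address(peer_ip)
    if any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
        return True
    return any(p.get("GroupId") == peer_group_id for p in rule.get("UserIdGroupPairs", []))


def rule_allows(rules: list, protocol: str, port_or_type: int, peer_ip: str, peer_group_id: str) -> bool:
    return any(_protocol_matches(r, protocol, port_or_type) and _peer_matches(r, peer_ip, peer_group_id)
               for r in rules)


def groups_without_egress(sgs: dict) -> list[str]:
    """Groups that cannot initiate anything at all (the failure in the post above)."""
    return [sg["GroupId"] for sg in sgs["SecurityGroups"] if not sg["IpPermissionsEgress"]]


def ping_path(sgs: dict, src_group: str, src_ip: str, dst_group: str, dst_ip: str) -> tuple[bool, bool]:
    """(egress allowed on source group, ingress allowed on destination group) for ICMP echo request (type 8)."""
    src, dst = find_group(sgs, src_group), find_group(sgs, dst_group)
    egress_ok = rule_allows(src["IpPermissionsEgress"], "icmp", 8, dst_ip, dst_group)
    ingress_ok = rule_allows(dst["IpPermissions"], "icmp", 8, src_ip, src_group)
    return egress_ok, ingress_ok


def with_default_egress(sgs: dict, group_id: str) -> dict:
    """Copy of the data with the stock allow-all outbound rule restored on one group."""
    fixed = copy.deepcopy(sgs)
    find_group(fixed, group_id)["IpPermissionsEgress"].append(copy.deepcopy(ALLOW_ALL_EGRESS))
    return fixed


if __name__ == "__main__":
    print("groups with no outbound rules:", groups_without_egress(SAMPLE_SGS))
    print("ping public->private (egress ok, ingress ok):",
          ping_path(SAMPLE_SGS, "sg-public", "10.0.1.10", "sg-private", "10.0.2.10"))
    print("after restoring egress:",
          ping_path(with_default_egress(SAMPLE_SGS, "sg-public"), "sg-public", "10.0.1.10", "sg-private", "10.0.2.10"))
```

On the sample the ingress side is already fine and only the egress side fails, so the private group's rules are not the place to look; restoring the outbound rule on the public group turns the result to (True, True), matching what the poster found. The same `rule_allows` call with `"tcp", 22` shows why a group-referenced SSH rule passes for an instance in sg-public but not for a host at the same address that is in some other group.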

Setting up a non-default VPC with a public and a private subnet and without using the "Create VPC" wizard

I set up a non-default VPC using the "Create VPC" rather than the "Create VPC Wizard" command button on the VPC service's home page in the AWS Management Console - that's because I will eventually automate the process using CloudFormation. I set up an Internet Gateway for the Public subnet and a NAT gateway to serve the private subnet. Then I created an Amazon Linux instance for each subnet.
I was able to ping www.columbia.edu from the instance on the Public subnet, but my "sudo yum update" command within the instance on the Private subnet returned a message that the repo couldn't be found.
What went wrong?
The Internet Gateway was not the problem. It was attached to the correct VPC and its status was { State: attached, Attachment state: available } By default, the Internet Gateway will point to the Public subnet of the VPC at the time the Internet Gateway is created.
The Custom Route Table for the Public subnet aka { Main: No } includes in the "Routes" tab as its last line the default route 0.0.0.0/0 igw-**** where igw-**** is the ID of the Internet Gateway. In the "Subnet Associations" tab, the Public subnet is explicitly associated with the Custom Route Table.
At this point, verification by pinging www.columbia.edu from the instance on the Public subnet should be successful.
The NAT Gateway needs to point to the correct VPC, you need to assign it an EIP (Elastic IP address), and you need to specify its location as the Public subnet at the time of creation. If you misconfigured the NAT gateway, you may have no choice but to delete the misconfigured NAT Gateway, create a new NAT Gateway with the correct configuration and restart your instances so that they can call on the right NAT Gateway.
The Main Route Table { Main: yes } includes in the "Routes" tab as its last line the default route 0.0.0.0/0 nat-**** where nat-**** is the ID of the NAT Gateway. One more time: the private IP address of the NAT Gateway must be one of the private addresses of the Public subnet.
At this point, running "sudo yum update" on the instance on the private subnet - that command should be successful.
If you are adding more public subnets, make sure to associate each newly added public subnet with the Internet Gateway - I think the Internet Gateway automatically does that but it doesn't hurt to verify.
If you are adding more private subnets, make sure to assign a brand new NAT Gateway to each newly added private subnet. Remember, if the AZ (Availability Zone) goes down, so does the NAT Gateway that serves the AZ.