AWS Fargate cannot access application over Public DNS name - amazon-web-services

This is a follow-up to my previous question. I'm successfully able to access the public IP over Fargate. However, after trying to attach an Application Load Balancer, I cannot access the application over the public DNS name. The registered target always shows unhealthy status with a 502 error.
Sharing my configuration settings (screenshots, not preserved here): VPC; route tables and their configuration for the public and private subnets; ACL subnet associations, inbound and outbound rules; security group inbound and outbound rules; internet gateway; NAT gateway; target group and its health status; task details; service; ALB settings and listeners; target group with port 8081.

Based on the comments.
There were two issues identified:
Incorrect port on the target group. It was 80 instead of 8081.
Healthy threshold timeout was too short (5 seconds). Increasing it seemed to solve the issue.
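As an added illustration of the two findings above (this is example code, not from the question or from AWS), the checker below takes the three pieces of data a practitioner would pull with `describe-target-groups`, `describe-services` and `describe-target-health` and reports the port mismatch, the short health-check timeout and the target's own failure reason. The ARN, IPs and the 10 s minimum timeout are assumptions, not values from the question.

```python
# Constructed sample in the shape of `aws elbv2 describe-target-groups`,
# `aws ecs describe-services` (loadBalancers[]) and `aws elbv2 describe-target-health`
# output. The ARN, names and IPs are placeholders, not values from the question.
TG_ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/app-tg/PLACEHOLDER"
TARGET_GROUP = {
    "TargetGroupArn": TG_ARN, "Protocol": "HTTP", "Port": 80, "TargetType": "ip",
    "HealthCheckPath": "/", "HealthCheckIntervalSeconds": 30,
    "HealthCheckTimeoutSeconds": 5, "HealthyThresholdCount": 5,
    "Matcher": {"HttpCode": "200"},
}
SERVICE_LB_MAPPING = {"targetGroupArn": TG_ARN, "containerName": "app", "containerPort": 8081}
TARGET_HEALTH = [{
    "Target": {"Id": "10.0.2.45", "Port": 80},
    "TargetHealth": {"State": "unhealthy", "Reason": "Target.ResponseCodeMismatch",
                     "Description": "Health checks failed with these codes: [502]"},
}]


def audit_target_group(tg, mapping, health, min_timeout=10):
    """Return findings that explain persistently 'unhealthy' targets.

    min_timeout is an assumed floor for HealthCheckTimeoutSeconds: the question
    found 5 s too short and fixed it by raising the value.
    """
    findings = []
    cport = mapping["containerPort"]
    if tg["Port"] != cport:
        findings.append(f"target group port {tg['Port']} != container port {cport}")
    if tg["TargetType"] != "ip":
        findings.append("Fargate tasks (awsvpc networking) need a target group of type 'ip'")
    if tg["HealthCheckTimeoutSeconds"] < min_timeout:
        findings.append(f"health check timeout {tg['HealthCheckTimeoutSeconds']}s is below {min_timeout}s")
    if tg["HealthCheckTimeoutSeconds"] >= tg["HealthCheckIntervalSeconds"]:
        findings.append("health check timeout must be shorter than the interval")
    for t in health:
        state = t["TargetHealth"]
        if state.get("State") != "healthy":
            findings.append(f"{t['Target']['Id']}:{t['Target']['Port']} is {state['State']} "
                            f"({state.get('Reason', '?')}: {state.get('Description', '')})")
        if t["Target"]["Port"] != cport:
            findings.append(f"target {t['Target']['Id']} registered on port {t['Target']['Port']}, "
                            f"container listens on {cport}")
    return findings


if __name__ == "__main__":
    for finding in audit_target_group(TARGET_GROUP, SERVICE_LB_MAPPING, TARGET_HEALTH):
        print("-", finding)
```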

Related

Private EC2 instances show unhealthy in ELB

I am trying to reach two private subnet EC2 instances from an ELB in a public subnet. But the instances are always showing as unhealthy. I tried a lot of options but nothing worked.
Here is the configuration I tried:
1. Created VPC
DNS resolution: Enabled
DNS hostnames: Disabled
Created 2 Public subnets and 2 Private Subnets. The only difference between these two is the Route table.
Auto-assign public IPv4 address is set to "No" in Public Subnet
I have added Internet gateway as a route in Route table of public subnet.
Public subnet - Route Table
Private subnet - Route table
Created two EC2 instances in the private subnet. Userdata set to Apache webserver.
The Security group of the instances
Created an ALB in Public subnet
ALB Security group config is:
Have also added default security group in ALB:
Target group is showing unhealthy for the private EC2 instances
Any help on pointing out why this fails?
Either the EC2 instances are not receiving the request, or they are receiving the request but aren't responding with a 'healthy' response.
Test that the instances are responding to requests
You could launch an EC2 instance in the public subnet, SSH to it and then send requests directly to the EC2 instances to see if they respond (e.g. curl http://private-ip-address).
If they respond correctly, then the instances themselves are fine and the problem lies with the Load Balancer.
Check the Load Balancer security group
You have shown the Inbound rules for the Load Balancer, but you should also check that the Outbound rules permit traffic to exit the Load Balancer and go to the EC2 instances.
First and foremost: check the Apache logs and make sure you see incoming health check samples.
If you don't see them at all - you have a network connectivity issue.
If you do see them - make sure they return 200 code and that it matches the target group's health check configuration.
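The log check described in this answer, as an added example that is not part of the original post: it scans Apache combined-format access log lines for the ELB-HealthChecker user agent, groups them by load balancer node and compares the returned status codes with the target group's matcher. The log lines, node IPs and the assumption that the matcher is a plain list of codes (not a range like 200-299) are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" access log line: ip ident user [time] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Constructed sample: two load balancer nodes (10.0.0.15, 10.0.1.23) probe /health
# every 30 s; the second round fails with 404. Not real log data.
SAMPLE_LOG = """\
10.0.0.15 - - [12/Mar/2024:09:00:01 +0000] "GET /health HTTP/1.1" 200 2 "-" "ELB-HealthChecker/2.0"
10.0.1.23 - - [12/Mar/2024:09:00:01 +0000] "GET /health HTTP/1.1" 200 2 "-" "ELB-HealthChecker/2.0"
203.0.113.7 - - [12/Mar/2024:09:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.15 - - [12/Mar/2024:09:00:31 +0000] "GET /health HTTP/1.1" 404 196 "-" "ELB-HealthChecker/2.0"
10.0.1.23 - - [12/Mar/2024:09:00:31 +0000] "GET /health HTTP/1.1" 404 196 "-" "ELB-HealthChecker/2.0"
"""


def audit_health_checks(log_text, matcher=("200",)):
    """Summarise the load balancer health checks that reached Apache.

    matcher holds the status codes the target group accepts (its Matcher.HttpCode),
    assumed here to be individual codes rather than a range.
    """
    by_node = defaultdict(Counter)   # LB node IP -> {status code: count}
    paths = set()                    # paths the checker requested (compare with HealthCheckPath)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("ua").startswith("ELB-HealthChecker"):
            continue
        by_node[m.group("ip")][m.group("status")] += 1
        paths.add(m.group("path"))
    seen = sum(sum(c.values()) for c in by_node.values())
    bad = sum(n for c in by_node.values() for code, n in c.items() if code not in matcher)
    if seen == 0:
        verdict = "no health checks reached Apache: check security groups, NACLs and routing"
    elif bad:
        verdict = f"{bad} of {seen} health checks returned a code outside {matcher}"
    else:
        verdict = "health checks arrive and all match the target group matcher"
    return {"seen": seen, "bad": bad, "paths": sorted(paths),
            "by_node": {ip: dict(c) for ip, c in by_node.items()}, "verdict": verdict}


if __name__ == "__main__":
    print(audit_health_checks(SAMPLE_LOG))
```

Run it against the real log with `audit_health_checks(open("/var/log/apache2/access.log").read())` and pass the target group's matcher codes; a "seen" of zero points at the network path, anything in "bad" at the application.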

AWS Lambda Timeout when making Https request with NAT Gateway in place

I have a containerized Lambda deployed that uses the latest image from ECR. I have also already set up the networking with the following:
Subnets and their route tables:
  private-1  ->  private-route
  private-2  ->  private-route
  public-0   ->  public-route
Subnet CIDRs:
  private-1: 172.31.32.0/20
  private-2: 172.31.48.0/20
Private Route Table:
  Destination      Target
  172.31.0.0/16    local
  0.0.0.0/0        nat-xxx
Public Route Table:
  Destination      Target
  172.31.0.0/16    local
  0.0.0.0/0        igw-xxx
The NAT Gateway is associated with the public-1 subnet.
Security Group:
  All traffic inbound and outbound is allowed for now (for debugging).
Lambda Configuration:
  Subnets: private 1 & 2
  Security Groups: sg-xxx
My problem is that after I set up this configuration I was able to get access; then I added configuration to talk to a peered VPC for a database connection and that also worked. But immediately following, it stopped working. So my confusion is: why is it sporadic? I'll randomly change security groups and redo networking and it works once, then stops. This is the error I constantly see now, which is the first few lines of the Lambda invocation.
"errorMessage": "HTTPSConnectionPool(host='maps.googleapis.com', port=443): Max retries exceeded with url: /maps/api/geocode/json?

Routing for private EC2 instances behind Load Balancers in a VPC

I have 4 EC2 instances, 2 in the private subnet of each availability zone (2 AZs), one hosting App A and the other hosting App B. The instances are behind 2 internet-facing ALBs (one ALB for each app), with Route 53 routing the traffic to the corresponding ALB based on the sub-domain name, and 2 NAT Gateways, one in each public subnet, routing internet traffic for the private instances.
I want App A and App B to communicate over HTTPS using the domain name of each app.
Will the traffic for each application come from the load balancer? Since each EC2 instance allows the traffic only from the security group of its ALB.
Should the security group for each app allow the traffic from the other, or will the traffic come from the load balancer?
I have DNS resolution activated for the VPC.
For traffic within the setup you've described, the ingress traffic for the domains will enter through the load balancer, which will then forward the requests to the EC2 instance(s). As long as the load balancer's security group allows the inbound traffic you will receive the traffic.
For egress traffic from your application it will depend on both your EC2 and routing configuration.
If your EC2 instance resides within a public subnet (and has a public IP address) then the EC2 instance will route traffic via the internet gateway. If your EC2 instance is in a private subnet you will need to use either a NAT Gateway or a NAT instance to route traffic to the internet.
These options will be configured within the route table for the subnet(s) that are applicable. In addition, the outbound security group rules for your EC2 instance will need to allow access to the destination IP, port and protocol that you want. By default the security group will allow all outbound access.

Cannot connect to internet-facing NLB forwarding traffic to a private instance

I have configured a cloud with the following configuration:
VPC with a public and private subnet in two availability zones. The public subnet has an internet gateway and the private subnet has a NAT gateway configured.
An internet-facing Network Load Balancer allowing TCP traffic, configured in both availability zones.
A target group to forward traffic from the load balancer.
An EC2 instance in the private subnet configured with haproxy listening on port 80. Its security group is configured to accept TCP traffic on port 80 from both the subnets in which the NLB is configured.
Added this instance to the target group, the status is healthy
When I try to hit the NLB DNS it is giving me 'Connection timed-out' error. I am expecting that when I hit NLB DNS it should forward me to the private instance. I have checked many AWS documents such as this link but still cannot find the resolution to this issue. Please feel free to ask for more information if this is not sufficient.
Its security group is configured to accept TCP traffic on port 80 from both the subnets in which the NLB is configured
When targets are registered by instance-id, the security group for instances behind an Internet-facing NLB needs to allow traffic from 0.0.0.0/0 -- or whatever range of public IP addresses need to access them through the balancer -- not just the subnets of the balancer (which are needed for health checks).
If your target type is an instance, add a rule to your security group to allow traffic from your load balancer and clients to the target IP.
https://aws.amazon.com/premiumsupport/knowledge-center/security-group-load-balancer/
Unlike ALB and Classic balancers, NLB traffic has the source address of the external client when the targets are configured by instance-id, and this is the address the security group is matching against.
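To make the source-address difference concrete, here is an added example (not from this answer or from AWS) that evaluates security group ingress rules the way the target instance's group does, in the shape of `describe-security-groups` IpPermissions. It shows why a rule scoped to the load balancer subnets passes ALB traffic and NLB health checks but drops NLB client traffic, and it also covers the security-group-referenced rule commonly used for ALB targets. The CIDRs, group ID and client IP are constructed.

```python
import ipaddress

# Ingress rule sets in the shape of `aws ec2 describe-security-groups` IpPermissions.
# Subnet CIDRs, the ALB group ID and all IPs are constructed for this example.
LB_SUBNETS_ONLY = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "10.0.0.0/24"}, {"CidrIp": "10.0.1.0/24"}],
     "UserIdGroupPairs": []},
]
FROM_ALB_SG = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0alb0000000000000"}]},
]
# What an NLB instance target needs: the subnets for health checks plus the clients.
NLB_INSTANCE_TARGET = LB_SUBNETS_ONLY + [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]


def ingress_allows(rules, proto, port, src_ip, src_sg=None):
    """Security groups are allow-lists: the first matching rule admits the packet.

    src_sg is the group attached to the sending ENI (how UserIdGroupPairs match);
    an external client has none.
    """
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["IpProtocol"] not in ("-1", proto):
            continue
        if r["IpProtocol"] != "-1" and not r.get("FromPort", port) <= port <= r.get("ToPort", port):
            continue
        if any(ip in ipaddress.ip_network(x["CidrIp"]) for x in r.get("IpRanges", [])):
            return True
        if src_sg and any(p["GroupId"] == src_sg for p in r.get("UserIdGroupPairs", [])):
            return True
    return False


def evaluate():
    alb_node_ip = "10.0.0.15"   # ALB proxies: the source is the ALB node in the LB subnet
    client_ip = "203.0.113.7"   # NLB instance target: the source is the external client
    return {
        "alb_via_subnet_rule": ingress_allows(LB_SUBNETS_ONLY, "tcp", 80, alb_node_ip),
        "alb_via_sg_rule": ingress_allows(FROM_ALB_SG, "tcp", 80, alb_node_ip, "sg-0alb0000000000000"),
        "nlb_health_check": ingress_allows(LB_SUBNETS_ONLY, "tcp", 80, alb_node_ip),
        "nlb_client_subnets_only": ingress_allows(LB_SUBNETS_ONLY, "tcp", 80, client_ip),
        "nlb_client_with_open_rule": ingress_allows(NLB_INSTANCE_TARGET, "tcp", 80, client_ip),
    }
```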

How to load balance AWS private subnet EC2 instances

If I create an ELB and try to attach the private subnet instances, my health check fails: OutOfService.
Question 1: Can I get an internal/private IP (not an IP but a DNS name) for load balancing, i.e. not accessible from the internet?
Question 2: If I have a public DNS name for my Application Load Balancer, how do I attach EC2 instances that are in my private subnet without an Elastic IP (not internet accessible)?
I am looking for the best approach. Should we have:
ELB --> public subnet EC2 instances (proxy configuration- */* [private_ip]:[port]/* ) ---> Service from Private Subnet/EC2 instance with health checks here.
The traditional architecture is:
Elastic Load Balancer in public subnet
Amazon EC2 instances in private subnet
Security group on Load Balancer permitting port 80 & 443 from 0.0.0.0/0
Security group on instances permitting port 80 from the Load Balancer security group
An Amazon Route 53 Hosted Zone with a CNAME record set pointing to the DNS Name of the Load Balancer
If your instances are failing the Load Balancer health check, check the following:
The instances should have a security group permitting inbound access from the Load Balancer
The Load Balancer health check should be configured with a path to a web page to use for the health check
The instances should have a functioning web server that is responding to the health checks
If you are using an ELB, I would recommend using an Auto Scaling Group to put instances in various AZs/subnets.
Look at this tutorial. The benefit of having an ASG is that you can optionally also have scale in/out policies.
The architecture that you have described is: ELB (assuming this is public) -> public EC2 instances (as proxies) -> private EC2 instances.
Rather, you can have your private EC2 instances fronted with an ELB. Not sure if you really need the public EC2 instances.
If your health check is failing you need to ensure that:
a. You are creating the ELB in the right VPC.
b. The ELB -> EC2 communication is set up correctly by ensuring you have the right Security Groups in place on the EC2 instances.
A highly recommended way would be to have the EC2 instances' SG rules set up in such a way that they accept traffic only from the SG of the ELB.