I am trying to create following infrastructure using terraform.
LoadBalancer -> ECS-Service -> Fargate (nginx images, count=2)
After applying terraform plan, I can see that a target groups shows two healthy targets. But when i try to access loadbalancer dns name from browser, I am getting request-timeout. Ping is also not working for lb dns name.
Loadbalancer is an non-internal application loadbalancer with security-group allowing all traffic on 80 port to all IPv4.
Need help.
Did you configure LB in the public subnet? seems like it's in a private subnet, and did you tried to access the application from aws network to verify the LB working inside AWS VPC network?
curl lb_dns
or
nslookup lb_dns
from any ec2 machine within the VPC if that worked, its mean the LB in only reachable with in private subnet, move LB to public subnet and should work.
Related
Using Terraform to setup a VPC with two EC2s in private subnets. The setup needs to SSH to the EC2s to install package updates from the Internet and install the application software. To do this there is an IGW and a NAT-GW in a public subnet. Both EC2s can access the Internet at this point as both private subnets are routing to the NAT-GW. Terraform and SSH to the private subnets is done via Client VPN.
One of the EC2s is going to host a web service so a Classic mode Load Balancer is added and configured to target the web server EC2. Using Classic mode because I can't find a way to make Terraform build Application mode LBs. The Load Balancer requires the instance to be using a subnet that routes to the IGW, so it is changed from routing to the NAT-GW, to the IGW. At this point, the Load Balancer comes online with the EC2 responding and public Internet can access the web service using the DNS supplied End Point for the LB.
But now the web server EC2 can no longer access the Internet itself. I can't curl google.com or get package updates.
I would like to find a way to let the EC2 access the Internet from behind the LB and not use CloudFront at this time.
I would like to keep the EC2 in a private subnet because a public subnet causes the EC2 to have a public IP address, and I don't want that.
Looking for a way to make LB work without switching subnets, as that would make the EC web service unavailable when doing updates.
Not wanting any iptables or firewalld tricks. I would really like an AWS solution that is disto agnostic.
A few points/clarifications about the problems you're facing:
Instances on a public subnet do not need a NAT Gateway. They can initiate outbound requests to the internet via IGW. NGW is for allowing outbound IPv4 connections from instances in private subnets.
The load balancer itself needs to be on a public subnet. The instances that the LB will route to do not. They can be in the same subnet or different subnets, public or private, as long as traffic is allowed through security groups.
You can create instances without a public IP, on a public subnet. However, they won't be able to receive or send traffic to the internet.
Terraform supports ALBs. The resource is aws_lb with load_balancer_type set to "application" (this is the default option).
That said, the public-private configuration you want is entirely possible.
Your ALB and NAT Gateway need to be on the public subnet, and EC2 instances on the private subnet.
The private subnet's route table needs to have a route to the NGW, to facilitate outbound connections.
EC2 instances' security group needs to allow traffic from the ALB's security group.
It sounds like you got steps 1 and 2 working, so the connection from ALB to EC2 is what you have to work on. See the documentation page here as well - https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
I've been following the instructions here: https://aws.amazon.com/blogs/networking-and-content-delivery/simulating-site-to-site-vpn-customer-gateways-strongswan/
I can successfully get the VPN up and running, but I can't successfully ping internal IP addresses from behind the VPN.
Here's my setup:
"On-prem" is simulated using a VPC with IP address: 172.19.0.0/16. The VPN is deployed on an EC2 instance in the subnet 172.19.16.0/20. This subnet has the following route table:
Destination
Target
172.19.0.0/16
local
172.21.0.0/16
eni-XXXXXXXXX
0.0.0.0/0
igw-XXXXXXXXX
Where eni-XXXXXXXXX is the network interface of the EC2 instance that has the VPN deployed on it.
My cloud VPC has the CIDR range: 172.21.0.0/16. I have an EC2 instance deployed in the 172.21.32.0/20 subnet which has the following route table:
Destination
Target
172.21.0.0/16
local
172.19.0.0/16
vgw-XXXXXXXXX
0.0.0.0/0
igw-XXXXXXXXX
Where the vgw-XXXXXXXXX is the virtual gateway associated with the VPN I have.
I can send traffic from my "on-prem" VPC into my cloud VPC successfully, but no traffic comes back out. I've tested this by SSHing into an EC2 instance in my "on-prem" VPC and then pinging a private IP address of an EC2 instance in my cloud VPC and I can see the pings are received by the EC2 instance in the cloud VPC, but my "on-prem" instance never receives the response.
I have checked my security groups and NACLs and they are not preventing this type of traffic.
Is there something misconfigured here?
This is not an entirely satisfying answer, but I moved from using a Virtual Private Gateway to using a Transit Gateway and I was able to get it to work.
I have a Fargate instance running on port 3000. For this service "Service Discovery" is enabled, and corresponding hosted zone is created in Route 53. I have added name servers from this hosted zone in my domain registrar(GoDaddy) DNS setting.
I want to route all traffic from my domain to this Fargate instance. Currently, I don't see a need to add an ALB since the traffic is very little and routing is simple. So I want to know the following
Is it possible to route my traffic from Route 53 to the Fargate instance running on port 3000 without an ALB? If Yes, how can I do it?
Is ALB required for configuring SSL? Or I can do it without an ALB?
See this article under the heading External Networking.
TL;DR is to create a VPC with a public subnet and an attached IP address via an internat gateway, and ensure your Fargate cluster/task is running in that VPC.
If you want to run SSL without a load balancer (which one of it's responsibilities can be for terminating SSL, you will need to terminate the SSL certificates yourself from your Fargate task.
I have this current Cloudformation config setup:
PasteBin example here
This runs a web app, there's also some networking config in there which routes outbound traffic through a nat gateway with an elastic ip.
--
Separately we have a manually created site-to-site VPN setup in AWS
screenshot, elastic ip created by cloudformation :
The other side of the VPN specified that our private ip range for the connection to work has to be in 192.168.242.0/24.
Also they have specifically whitelisted 192.168.242.230 at their end. Which is the private ip of the elasticip which the Cloudformation above created.
How can I establish a connection from my EBS ec2 instance to a server protected by this VPN? At the moment the connection just times out.
You would need to add a route table rule to allow traffic to X.X.X.X/X flow via the Virtual Private Gateway(vgw-xxxxxx)
Destination Target
x.x.x.x/x vgw-xxxxxx
I created VPC with public and private subnets like this:
public subnet : bastion server, elastic load balancer, igw
private subnet : ec2 instance(app is running with http 8080 port), nat gateway
Following is the listeners config.
load balancer protocol : http
load balancer port : 80
instance protocol : http
instance port : 8080
When I try with the command 'wget -O - http://elb-xxxxx.us-west-2.elb.amazonaws.com', the result is
Resolving elb-xxxxx.us-west-2.elb.amazonaws.com (elb-xxxxx.us-west-2.elb.amazonaws.com)...
52.x.x.x., 52.x.x.x, 54.x.x.x, ...
Connecting to elb-xxxxxx.us-west-2.elb.amazonaws.com (elb-xxxxxx.us-west-2.elb.amazonaws.com)|52.x.x.x|:80...
failed: Connection timed out.
However, status of load balancer is 'inService' and elb's healthcheck is working!(elb is calling the app's api normally)
When I installed my app on the bastion server in the public subnet, I could access to the app with web broswer and it worked normally.
In sum, VPC and its routing configuration seem to be correct, and elb is also watching the instance correctly.
However, if I try to access to app through elb with elb's DNS name, connection timed out error occurs.
I am stuck in this and need help from you..
I found the problem by myself. I mistakenly added both public and private subnet to elb.. Thanks though..!
Did you by any chance neglect to provide a security group with inbound port 80 open for your load balancer? Here's a link re: setting up security groups for ELB in EC2-classic or VPC.