We are trying to configure an ALB for the AWS EC2 Docker-containerized Rasa server on port 5005.
We have attached the Rasa server to the ALB, but the health checks report unhealthy with a 504 gateway timeout, although we get a response from the Rasa server's IP address.
We are not able to get passing health checks from the ALB after configuring the '/' path. But in the browser, we get a healthy response if we use the Rasa server IP address instead of the ALB DNS name.
Private subnets, security groups and the VPC are configured the same in the ALB and the Rasa server.
Can you help us here?
The 504 timeout indicates that the load balancer is unable to speak to the target group.
As you're able to speak to the container (which indicates it is running), the most likely reason is that one of the security groups of the host is not providing inbound access from the load balancer.
Ensure that it provides inbound access to your load balancer on the specific port.
Other than this, check that the target group is configured to use the correct port. It is easy to accidentally set it as port 80, which would lead to the load balancer attempting to either health check or serve traffic via port 80.
Related
I face an issue with AWS Elastic Beanstalk health checking. I deployed my NodeJS application to AWS via Elastic Beanstalk. Then I gave permission for my Elastic Load Balancer's TCP 443 port to be accessible only from my domain, which is routed by Cloudflare. Basically, my Elastic Load Balancer is only accessible by Cloudflare.
Because I use Cloudflare, AWS health checks cannot access the endpoint of the load balancer. How can I fix this issue? I don't want to open my load balancer's TCP 443 port to the whole world. I want to open TCP 443 only for Cloudflare and, at the same time, I want to use the AWS health check :)
If somebody reads this question in the future: I thought that the health check was being executed externally, accessing the endpoint publicly. But I have just learned that it is not :)). It is executed directly, internally. There is no problem related to Cloudflare or the security group or anything else!
If there is an error in your ELB regarding this, the problem is probably related to your codebase, not the security group or other configuration.
I have configured the security group on the EC2 instance to use my IP. But I am getting a 504 gateway timeout error.
When I make it open to the world, i.e. 0.0.0.0/0, then it works well.
I checked my IP address on the EC2 instance using "who am i" and it is the same as the one in the security group.
Please suggest how to make it work only for my machine.
I have followed the steps mentioned on
possible to whitelist ip for inbound communication to an ec2 instance behind an aws load balancer?
This is how my inbound rule for the security group looks (type, protocol, port range, source, description):
All traffic | All | All | 123.201.54.223/32 | Dev Security Rule
Security groups will not allow you to make it work on a machine-by-machine basis, only by IPs and security groups, e.g. if you limit ingress by IP, any other machine using that same IP address (usually on the same network/access point etc.) will also be allowed in, not just your machine.
If you are using a load balancer, then it is the load balancer that should have access to your instance via its security group, and your access via IP should be controlled in the load balancer's security group. So you should use the settings you have quoted (at least to begin with!) on your LB security group, not your instance security group.
For the instance or group of instances (i.e. those that are behind the load balancer), in their security groups you want to only allow ingress from the load balancer security group; there's no need to set an IP address ingress (unless you want to allow e.g. SSH access from specific IP addresses or want them to talk to a database instance).
504 gateway timeout error: it means your LB is not able to communicate with the desired instance, while you are able to communicate with the LB.
"All traffic | All | All | 123.201.54.223/32 | Dev Security Rule": this will only allow traffic from your IP, not the load balancer's IP.
You do not need to mention your IP in the security group of the EC2 instance. You have to allow traffic from the LB, that is 10.0.0.0/16.
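The two causes of the 504s discussed above (the instance security group admitting only the admin's own /32 instead of the load balancer, and a target group registered on the wrong port) can be checked offline against security-group JSON. This is an added example, not code from any of the answers; the security group ids, the VPC CIDR and the rules are constructed sample data shaped like `aws ec2 describe-security-groups` output, and `diagnose` is a hypothetical helper.

```python
import ipaddress

# Constructed sample data shaped like `aws ec2 describe-security-groups` output.
ALB_SG_ID = "sg-0alb0example"          # hypothetical ALB security group id
VPC_CIDR = "10.0.0.0/16"               # VPC range quoted in the answer above

# The rule from the question: only the admin's own /32, all protocols.
BROKEN_SG = {"GroupId": "sg-0ec20example", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "123.201.54.223/32"}],
     "UserIdGroupPairs": []}]}

# The recommended rule: the traffic port, from the ALB's security group only.
FIXED_SG = {"GroupId": "sg-0ec20example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5005, "ToPort": 5005, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": ALB_SG_ID}]}]}


def _rule_admits(rule, src_sg_id, src_cidr, port):
    """True if one ingress rule admits TCP `port` from the ALB, whether the
    rule names the ALB's security group or a CIDR that covers the VPC."""
    proto = rule.get("IpProtocol")
    if proto == "tcp":
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    elif proto != "-1":          # udp/icmp rules never carry ALB HTTP traffic
        return False
    src = ipaddress.ip_network(src_cidr)
    by_sg = any(p.get("GroupId") == src_sg_id for p in rule.get("UserIdGroupPairs", []))
    by_cidr = any(src.subnet_of(ipaddress.ip_network(r["CidrIp"]))
                  for r in rule.get("IpRanges", []))
    return by_sg or by_cidr


def diagnose(instance_sg, alb_sg_id, vpc_cidr, target_port, container_port):
    """Return a list of misconfigurations found; an empty list means the ALB
    should be able to reach the container and pass its health check."""
    findings = []
    if target_port != container_port:
        findings.append(f"target group port {target_port} != container port {container_port}")
    if not any(_rule_admits(r, alb_sg_id, vpc_cidr, target_port)
               for r in instance_sg["IpPermissions"]):
        findings.append(f"{instance_sg['GroupId']} has no ingress from {alb_sg_id} "
                        f"on tcp/{target_port}")
    return findings


if __name__ == "__main__":
    for name, sg in (("broken", BROKEN_SG), ("fixed", FIXED_SG)):
        print(name, diagnose(sg, ALB_SG_ID, VPC_CIDR, 5005, 5005) or "ok")
```

With the broken group the ALB is refused on tcp/5005 even though the admin's browser gets through, which is exactly the "works from my IP, 504 via the ALB" symptom; opening 0.0.0.0/0 passes the check only because that CIDR also covers the VPC.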
HTTP 504: Gateway Timeout
Description: Indicates that the load balancer closed a connection because a request did not complete within the idle timeout period.
Cause 1: The application takes longer to respond than the configured idle timeout.
Solution 1: Monitor the HTTPCode_ELB_5XX and Latency metrics. If there is an increase in these metrics, it could be due to the application not responding within the idle timeout period. For details about the requests that are timing out, enable access logs on the load balancer and review the 504 response codes in the logs that are generated by Elastic Load Balancing. If necessary, you can increase your capacity or increase the configured idle timeout so that lengthy operations (such as uploading a large file) can complete. For more information, see Configure the Idle Connection Timeout for Your Classic Load Balancer and How do I troubleshoot Elastic Load Balancing high latency.
Cause 2: Registered instances closing the connection to Elastic Load Balancing.
Solution 2: Enable keep-alive settings on your EC2 instances and make sure that the keep-alive timeout is greater than the idle timeout settings of your load balancer.
What can be a simple ALB health check for 2 app servers behind an ALB? These are not web servers, hence I am not installing HTTP on them.
You have the option of configuring HTTP/HTTPS/TCP traffic for the health check.
With an ALB you need to associate a target group. Health checks are configured against this target group.
Your 2 app servers must be serving some traffic (say, TCP traffic over port 3306 if they are running MySQL). This is known as the traffic port, the same port where your ALB is listening.
When you create the target group, you have to specify that the health check will be done on this traffic port.
This is what you get when you attempt to create a target group:
My app was easily deployed on 3 instances using OpsWorks. I can access it using the instance IPs fine.
My question is: how can I access it using the load balancer?
The ELB says all 3 instances are InService, but when I type the public DNS into a browser, it loads forever and shows nothing.
Testing the ELB public DNS on http://whatsmydns.com, it shows IPs that aren't from my instances.
Am I doing something wrong?
I have added the public DNS to my app as hostname.
There are a couple of things to check:
1. Check that your load balancer listeners are configured to listen and pass traffic to the same port that the instance is listening on (for example HTTP traffic 80 => HTTP 80, HTTPS traffic 443 => HTTPS 443).
2. Check that the security group of the web servers allows traffic from the load balancer. Though if you can access your instances directly via browser, I'm guessing they are open to 0.0.0.0/0, so that shouldn't be an issue here?
3. Check that the security group of the load balancer allows public access on all needed ports (typically 80 and 443).
4. Check that the ELB health check is not failing (under ELB instances you can see if the instances are in service or not). If it says "Out of service", that's the problem. You need to make sure that the health check URL is accessible and returns 200.
The DNS of your load balancer is different from your instances: it returns the IP addresses of the servers that the load balancer is running on, and AWS usually has at least 3 servers behind the scenes for that.
I have created an AWS Elastic Load Balancer and associated my existing instance with it. The instance is passing the health check. I accessed my instance directly using ip:port and I am able to view the content. I have configured the same port in the AWS settings. When I try the DNS name in my browser, I do not get any response. What do you think is the issue?
Is your ELB publicly accessible? (You can see this on the ELB settings page.)
Does your ELB have the right security group?
Can you telnet into the ELB on the given port (80?)?
Are you using HTTP or HTTPS?
Are you using an HTTP health check?
Update:
I assume your health check is on port 80, so do you have a listener for that ELB mapping port 80 to port 80?
Are you doing HTTP port forwarding (not TCP)?