AWS ELB - Target group Healthy but not accessible - amazon-web-services

I have two different accounts:
One in Europe (eu-central-1): has the Route53 DNS entries for the domain.
Another in China (cn-north-1): has the ALB resource and the EC2 resource.
In China, my service is a Concourse pipeline. The service is up and running on the instance, and on the target groups I can see the healthy flag. On the instance itself I can also access the web page with curl localhost:8080.
I have the entry:
concourse.domain.name CNAME web.account.info.eu-central-1.elb.amazonaws.com
I can resolve the entry and it points to the right ALB. But still, no answer.
Does anyone have any ideas?
Thanks.

There would be 2 steps to follow to find the root cause.
If your ALB public DNS name is working and routing traffic to your instance, then please check that the value of the "Hosted zone" in the properties of the ALB and in Route 53 match.
If your ALB is not routing traffic, make sure you have set up a listener for each traffic type (HTTP, HTTPS, etc.) your application is about to listen on, and also have a target group for the respective port (80, 8080, ...) for each listener traffic type.
Make sure each target group has at least one instance to handle each type of traffic on each port.
Hope this was helpful.
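The checklist from the answer above, written as a function so it can be run against an ALB description. This is an added example, not code from the original post; the sample data is constructed and the dict keys mirror what the ALB and Route 53 consoles show rather than any AWS API shape.

```python
# Added example: the answer's checklist as code. All values below are
# constructed; dict keys mirror the ALB / Route 53 consoles, not an AWS API.

ALB = {
    "dns_name": "web-123456.example-region.elb.amazonaws.com",  # constructed
    "hosted_zone_id": "ZALBEXAMPLE",                             # constructed
    "listeners": [
        {"protocol": "HTTP", "port": 80, "target_group": "tg-concourse"},
        {"protocol": "HTTPS", "port": 443, "target_group": "tg-empty"},
    ],
}
TARGET_GROUPS = {
    "tg-concourse": {"port": 8080,
                     "targets": [{"id": "i-0example", "health": "healthy"}]},
    "tg-empty": {"port": 8080, "targets": []},   # registered nothing
}
# Alias record in the Route 53 account; the hosted zone ID is deliberately wrong.
ROUTE53_ALIAS = {"name": "concourse.example.com", "type": "A",
                 "alias_dns": ALB["dns_name"], "alias_hosted_zone_id": "ZWRONG"}


def check_alb(alb, target_groups, alias):
    """Return a list of findings; an empty list means the checklist passed."""
    findings = []
    if not alb["listeners"]:
        findings.append("no listeners: the ALB accepts no traffic")
    for lst in alb["listeners"]:
        tg = target_groups.get(lst["target_group"])
        label = f"listener {lst['protocol']}:{lst['port']}"
        if tg is None:
            findings.append(f"{label} forwards to unknown target group {lst['target_group']}")
            continue
        # Step 3 of the answer: every target group needs at least one healthy target.
        if not any(t["health"] == "healthy" for t in tg["targets"]):
            findings.append(f"{label} -> {lst['target_group']} (port {tg['port']}) has no healthy target")
    # Step 1 of the answer: the alias must carry the ALB's own hosted zone ID.
    if alias["alias_dns"].rstrip(".").lower() != alb["dns_name"].lower():
        findings.append("alias DNS name does not match the ALB DNS name")
    if alias["alias_hosted_zone_id"] != alb["hosted_zone_id"]:
        findings.append("alias hosted zone ID does not match the ALB's hosted zone ID")
    return findings


if __name__ == "__main__":
    for f in check_alb(ALB, TARGET_GROUPS, ROUTE53_ALIAS):
        print("FINDING:", f)
```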

Related

ROUTE53 Failover from ALB to ALB not working

I want route53 to failover from ALB1 to ALB2.
I've set up a DNS hosted zone using the ALB FQDN, set up an Alias record for ALB1, set a failover routing policy based on a health check using the ALB1 endpoint FQDN, and also set up an Alias record for ALB2 as secondary.
Each ALB has a target group of two ec2 running simple apache website.
ALB1 has two EC2 instances; I tried shutting them down and/or turning off httpd to simulate a failed health check, and each time this happens I get a bad gateway error message. It doesn't seem to want to fail over to ALB2.
What am I doing wrong/incorrectly or don't understand? My goal is to simulate a failover.
Please advise.
You need to have your own domain. You can't re-define AWS owned domain that is provided to you by your ALB. Then you create the R53 fail-over records for your own domain, e.g. myapp.org.
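The PRIMARY/SECONDARY alias pair the answer describes, built in the shape of a Route 53 ChangeResourceRecordSets change batch, with a check that rejects the mistake from the question (records under the AWS-owned ELB name). This is an added example, not from the original post; the domain, ALB DNS names and hosted zone IDs are constructed placeholders.

```python
# Added example (not from the original post): the PRIMARY/SECONDARY alias
# pair the answer describes, in the shape of a Route 53 ChangeResourceRecordSets
# change batch, plus a check that catches the mistake in the question. Domain,
# ALB DNS names and hosted zone IDs are constructed placeholders.

ELB_DOMAIN = "elb.amazonaws.com"  # AWS-owned; you cannot define records under it


def alias_record(name, set_id, role, alb_dns, alb_zone_id, health_check_id=None):
    """One A alias record with a failover routing policy for `role`."""
    rrset = {
        "Name": name, "Type": "A", "SetIdentifier": set_id, "Failover": role,
        "AliasTarget": {"HostedZoneId": alb_zone_id, "DNSName": alb_dns,
                        "EvaluateTargetHealth": True},
    }
    if health_check_id:  # optional Route 53 health check, usually on the PRIMARY
        rrset["HealthCheckId"] = health_check_id
    return rrset


def failover_change_batch(name, primary, secondary):
    """Build the change batch; `primary`/`secondary` are (alb_dns, alb_zone_id)."""
    return {"Comment": "failover for " + name, "Changes": [
        {"Action": "UPSERT", "ResourceRecordSet":
            alias_record(name, "alb1", "PRIMARY", *primary)},
        {"Action": "UPSERT", "ResourceRecordSet":
            alias_record(name, "alb2", "SECONDARY", *secondary)},
    ]}


def validate_failover(batch):
    """Return problems that would stop the failover from working."""
    problems = []
    rrsets = [c["ResourceRecordSet"] for c in batch["Changes"]]
    for r in rrsets:
        if r["Name"].rstrip(".").endswith(ELB_DOMAIN):
            problems.append(f"{r['Name']}: AWS-owned name, use your own domain")
        if r["Failover"] == "PRIMARY" and not (
                r.get("HealthCheckId") or r["AliasTarget"]["EvaluateTargetHealth"]):
            problems.append("PRIMARY has no health signal, so it can never fail over")
    roles = sorted(r["Failover"] for r in rrsets)
    if roles != ["PRIMARY", "SECONDARY"]:
        problems.append(f"need exactly one PRIMARY and one SECONDARY, got {roles}")
    if len({r["SetIdentifier"] for r in rrsets}) != len(rrsets):
        problems.append("SetIdentifier must be unique for each record")
    return problems
```

The batch can be written to a file and submitted with the AWS CLI's change-resource-record-sets command for the zone of your own domain.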

AWS ELB and VPC Router interaction

I have a pretty simple question that drives me nuts. I am trying to understand how the VPC router (routing tables) and ELB interact with one another.
I read documentation and tried understanding it, but without success. My current understanding of a VPC is pretty much like this:
Data passes the I-GW
The I-GW uses the VPC router and its routing tables to forward the request/traffic to the ELB.
The ELB is used to address e.g. EC2 instances
What I think I got from the internet:
Data passes the I-GW
The ELB is using listeners to determine incoming traffic (e.g. Port 80)
ELB is forwarding the traffic to the instances.
Updated by adding a diagram (sorry, I have not earned the privilege to upload one directly). :(
VPC or subnet route tables are used for routing packets originating within the VPC/subnet, i.e. outbound traffic, NOT inbound traffic. Traffic to an AWS ELB DNS name is resolved to an IP address via DNS resolution, then IP routing takes it to the destination. Traffic from your VPC is routed using route tables. Hope this helps.

How to make security groups between load balancer and ec2

I have recently added an ALB for 2 instances in EC2.
I want to make the ALB and EC2 instances private, so I added a security group for each service.
What I did was add the IP addresses of the EC2 instances on HTTPS to the ALB SG, and vice versa in the EC2 SG.
In Route 53, I made a subdomain linked to the DNS name of the ALB.
I tested it first using an SG that is public and it works fine; I can access the EC2 application.
But after I set the SG for both the ALB and EC2, when I test it, it can't be accessed.
Where did I go wrong?
A security group can allow traffic from a CIDR range of IP addresses, or from another Security Group. Thus, you should configure the following Security Groups:
ALB-SG: Allow HTTP/S from 0.0.0.0/0 (if you want it open to the world). Associate it with the ALB.
App-SG: Allow HTTP from ALB-SG. Associate it with your EC2 instances (or Auto Scaling group Launch Configuration).
The Application Security Group (App-SG) is thus permitting incoming traffic from the Load Balancer. Or, more specifically, from any resource that is associated with ALB-SG.
Route 53 should have a CNAME record pointing your desired domain name to the DNS Name of the Load Balancer.

Access Amazon EC2 instance only from ELB

I deployed a simple website on EC2 instance, and created an elastic load balancer, routing traffic to this EC2 instance.
I also created a CNAME record on my DNS registrar, pointing my domain (www.example.com) to the load balancer DNS name (load-balancer-1234567890.us-east-1.elb.amazonaws.com).
I can successfully reach my site in the browser in 3 different ways:
EC2 instance public IP (Eg: 54.89.99.99)
ELB public DNS name (Eg: load-balancer-1234567890.us-east-1.elb.amazonaws.com)
My domain DNS (Eg: www.example.com)
But, for security reasons, I want my EC2 instance to be accessible on port 80 only from the load balancer.
So, I changed the security group for the EC2 instance:
removed the rule that allowed traffic on port 80 from all sources (0.0.0.0/0)
added a rule to allow traffic on port 80 from my VPC (172.31.0.0/16)
added a rule to allow traffic on port 80 from the ELB security group (sg-xxxxxxxx)
After that, I still can access my website from the ELB DNS name, but now I can't access from my domain anymore (www.example.com). I get the error: ERR_CONNECTION_TIMED_OUT.
What's wrong?
This seems like a DNS caching issue on your machine or in DNS servers.
To clear the cache on your machine, flush the DNS using ipconfig /flushdns.
If the issue persists, try traceroute www.example.com (or tracert www.example.com on Windows) to see whether it reaches the ELB. If the resolved IP is different from the current DNS configuration:
It can be due to a misconfiguration (double check).
If the latest DNS modification is not propagated (if it points to a previous configuration), then wait some time until the DNS servers clear the cache based on the TTL value.
When you create a load balancer, you select the AZs that the load balancer is located within. This means that your load balancer is located within your VPC and not outside of it (this is normal and expected).
Since your Security Group allows traffic from within your VPC (which duplicates the ELB security group, as both are allowing the traffic), there is something wrong with either your Security Group settings or your Load Balancer is configured incorrectly. Also double check the load balancer security group settings.
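The ALB-SG / App-SG pattern from the security-group answer above, as data, with an audit that flags the two instance-side states discussed in this thread: port 80 still open to the world, and port 80 opened to the whole VPC CIDR next to the ELB SG reference. This is an added example, not code from either post; group IDs and CIDRs are constructed and the rule shape is a simplification of the EC2 console, not the boto3 schema.

```python
# Added example (not from either post). Group IDs and CIDRs are constructed;
# the rule shape simplifies the EC2 console view, it is not the boto3 schema.

SECURITY_GROUPS = {
    "sg-alb": {"name": "ALB-SG", "ingress": [
        {"port": 80, "source": "0.0.0.0/0"}, {"port": 443, "source": "0.0.0.0/0"}]},
    # Recommended: admit port 80 only from resources carrying ALB-SG.
    "sg-app": {"name": "App-SG", "ingress": [{"port": 80, "source": "sg-alb"}]},
    # As in the second question: VPC CIDR plus the ELB SG.
    "sg-app-vpc": {"name": "App-SG-vpc", "ingress": [
        {"port": 80, "source": "172.31.0.0/16"}, {"port": 80, "source": "sg-alb"}]},
    # Original state: open to the world, so the ALB can be bypassed.
    "sg-app-world": {"name": "App-SG-world", "ingress": [
        {"port": 80, "source": "0.0.0.0/0"}]},
}


def audit_app_sg(groups, app_sg_id, alb_sg_id, port=80):
    """Findings for an instance SG that should admit `port` only via the ALB's SG."""
    findings = []
    rules = [r for r in groups[app_sg_id]["ingress"] if r["port"] == port]
    if not any(r["source"] == alb_sg_id for r in rules):
        findings.append(f"port {port}: no rule referencing {alb_sg_id}; "
                        "the load balancer itself cannot reach the instance")
    for r in rules:
        src = r["source"]
        if src == "0.0.0.0/0":
            findings.append(f"port {port}: open to the world, clients can bypass the ALB")
        elif "/" in src:   # any other CIDR, e.g. the VPC range
            findings.append(f"port {port}: CIDR {src} admits every host in that range, "
                            "not only the ALB; the SG reference alone is enough")
    return findings


def audit_all(groups, alb_sg_id, port=80):
    """Audit every group except the ALB's own; returns {sg_id: findings}."""
    return {sg: audit_app_sg(groups, sg, alb_sg_id, port)
            for sg in groups if sg != alb_sg_id}


if __name__ == "__main__":
    for sg, findings in audit_all(SECURITY_GROUPS, "sg-alb").items():
        print(sg, "OK" if not findings else findings)
```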

How can I get an AWS Application load balance to forward to a target group in a different vpc?

I've set up an Application Load Balancer in my primary VPC where most of my instances are. I have some instances in another VPC hosting Docker services and I want to set up rules to access these at http://domain.com/services/. I have peering enabled between the two VPCs and I've created a target group, but the ALB only lists target groups within its own VPC. Is there any way to access the target group in the peered VPC or am I out of luck? I've been unable to find any leads on Google so far. I've made sure the subnets in the ALB have routing through the VPC peering, but that hasn't helped.
You can load balance using ALBs and use the internal IP address of the peered VPC. You can do this via selecting the target type as ip when setting up the Target Group.
Amazon has a great write up on this exact problem and solution: https://aws.amazon.com/blogs/aws/new-application-load-balancing-via-ip-address-to-aws-on-premises-resources/
Since you are going VPC to VPC, substitute their "on premise" wording with "my other VPC". I just set this up using a host header routing for the ALB to cross two VPCs with a single ALB.
Try with a Route 53 routing policy. You can balance instances beyond the region too.