Setting ELB IP address for outbound UDP traffic - amazon-web-services

Setup: multiple EC2 servers running behind an ELB. The Elastic IP address associated with the ELB receives the UDP traffic and passes it to an EC2 instance. An API adds items to an SQS queue, which the EC2 instances pull from and use to trigger outbound UDP messages.
Problem: the solution requires that the inbound IP address and the outbound IP address be the same. The traffic is UDP, and the outbound traffic is triggered by the EC2 instances pulling data off SQS. Currently, the outbound traffic uses the instance's IP, and I need the traffic originating from the EC2 instance to have the same IP as the inbound traffic (to the ELB).
I don't think I can accomplish this with an ELB alone, and I'm looking for solutions that I can use to achieve this.
Any directions would be helpful.

Related

EC2 instances are not able to send emails

We have EC2 instances in private subnet and the traffic is routed via the NAT Gateway to reach Internet.
EC2 instances are not able to send emails to relaycloud.xyz.com
All the inbound and outbound traffic is allowed in NSG and NACLs.
Error Message says
"A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed connected host has failed to respond."
Security Group and NACL have all the traffic allowed both inbound and outbound.
From Remove port 25 restriction from your EC2 instance:
AWS blocks outbound traffic on port 25 (SMTP) of all EC2 instances and Lambda functions by default. If you want to send outbound traffic on port 25, you can request that this restriction be removed.
It should work fine if you contact your SMTP server on a different port. Otherwise, you'll need to request that the restriction be removed.

Is ELB used for outbound traffic?

An ELB (Elastic Load Balancer) can be used to make compute instances (EC2) sitting in a public subnet public-facing (to the Internet) by assigning a public IP to the ELB, which clients can talk to.
Case 1
EC2 instances (having only a private IP) in a public subnet receive HTTP requests via the ELB.
In case 1, how does the EC2 instance respond back to the client? Is it via the ELB?
Case 2
EC2 instances (having both a private and a public IP) in a public subnet receive HTTP requests via the ELB.
Here, it says: "When you receive incoming traffic through the load balancer, the responses will go out the same way."
In case 2, how does the EC2 instance respond back to clients? Does the EC2 instance send directly from the public IP address of the instance out to the Internet?
CASE 1
How does the EC2 instance respond back to the client? Is it via the ELB?
Yes. A request coming through the ELB will be forwarded to the EC2 instance, and the instance's response will go back through the ELB and be forwarded to the client. So yes, the ELB plays its role in both directions.
CASE 2
In case 2, how does the EC2 instance respond back to clients? Does the EC2 instance send directly from the public IP address of the instance out to the Internet?
If the request comes via the ELB, then the instance will send its response to the ELB, which will then forward it to the client. In other words, requests coming through the ELB always get their response through the ELB:
CLIENT <-> ELB <-> EC2
In the referenced post (link), the person wrote:
When you receive incoming traffic through the load balancer, the responses will go out the same way. However, traffic that is originating from your instance will not pass through the load balancer. Instead, it is sent directly from the public IP address of your instance out to the Internet. The ELB is not involved in that scenario.
It's talking about traffic that is originated (initiated) by your EC2 instance. Example: apt-get update will fetch from a bunch of HTTP servers. This traffic won't pass through the ELB. If you haven't changed the default VPC and route tables, the traffic will traverse the Internet Gateway (IGW) and go to the Internet.

How do packets flow when I have a ELB, and NAT gateway in a public subnet that distributes traffic to three of my nodes in my private subnet?

I was wondering if someone could answer the question for me?
My understanding right now is:
Client makes request and packets first hit the route table for the public subnet
Route table routes the packets to the ELB
ELB routes packets to NAT Gateway
NAT Gateway routes packets to route table for private subnet
Private route table routes packets to one of the three nodes
Is this correct? Also are there any resources to understand the packet flow?
There are some notable problems with your description.
Classic ELBs do not route packets.
They work at either layer 4 (TCP mode) or layer 7 (HTTP mode) and in both cases they copy payload from one TCP connection (browser to ELB) to another TCP connection (ELB to instance) and back. This is why the instance sees the IP address of the balancer rather than the IP address of the browser. IP packets are below layer 4.
NAT Gateways are not used at all in handling ELB traffic.
NAT Gateways are for outbound connections, which means connections originated inside your VPC to destinations outside. This does not include reply traffic from the ELB. Without a NAT Gateway, the traffic through the ELB works the same as always, but the instances on the private subnet have no way of establishing outbound connections -- to talk to third party APIs, to set their clock to external time servers, to download software updates, or to communicate with any AWS service that doesn't have a VPC endpoint configured, such as S3, DynamoDB, etc.
The route tables are mostly irrelevant, because the only route that is actually used is the default route on the public subnet(s) where the ELB itself is located. This route allows the reply traffic to return from the ELB to the external client via the Internet Gateway. Everything else uses the implicit local routing that is built into VPC and not configurable -- traffic inbound from the client is implicitly routed to the ELB, and traffic between the ELB and the instances is implicitly routed in both directions as well, because the source and destination IP addresses are internal private addresses of the ELB and the instances. The ELB and the instances communicate directly, not using any gateway device (such as a NAT Gateway).
For each connection needed, the ELB specifically selects one healthy instance and creates a connection to it. When the balancer is in TCP mode, there is a 1:1 relationship between client connections and instance connections. When the balancer is in HTTP mode, there are typically fewer instance connections than client connections, because the ELB will only establish as many connections to the instances as are needed based on traffic, and client connections tend to spend a significant amount of time doing nothing, between page loads.
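Because the instance's TCP peer is the balancer, the application can only learn the real client address from the X-Forwarded-For header the ELB appends in HTTP mode (a TCP-mode listener appends nothing unless Proxy Protocol is enabled). The following is an added example, not code from the answer above: it resolves the client address while refusing to trust the header on connections that did not arrive from the balancer (an instance with its own public IP, case 2 in the previous question, can be reached directly with a forged header), and it uses only the rightmost entry, the one the ELB itself appended. The balancer subnet CIDRs and the sample addresses are assumptions.

```python
import ipaddress

# Constructed sample values (not real addresses or subnets): the subnets the
# load balancer nodes live in. Connections from anywhere else did not pass
# through a proxy we control.
LB_SUBNETS = [ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.2.0/24")]


def client_ip(peer_ip, xff_header, lb_subnets=LB_SUBNETS, trusted_hops=1):
    """Resolve the real client address for a request arriving on the instance.

    peer_ip      - the TCP source address the instance actually sees
    xff_header   - the X-Forwarded-For header value, or None if absent
    trusted_hops - number of proxies we control in front of the instance
                   (1 for just the ELB; 2 if a CDN we trust sits in front of it)

    Only the rightmost `trusted_hops` entries were appended by our own
    infrastructure; anything further left is attacker-controlled input.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in lb_subnets):
        # Direct connection: no proxy we trust touched this request, so the
        # header (if any) is client-supplied and must be ignored.
        return str(peer)
    if not xff_header:
        # TCP-mode listener without Proxy Protocol: the balancer added nothing.
        return None
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return None
    try:
        return str(ipaddress.ip_address(hops[-trusted_hops]))
    except ValueError:
        return None  # malformed entry: refuse rather than log or act on garbage


def is_allowed(peer_ip, xff_header, allowlist_cidrs):
    """An IP allowlist that cannot be bypassed by forging X-Forwarded-For."""
    ip = client_ip(peer_ip, xff_header)
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in allowlist_cidrs)


if __name__ == "__main__":
    # Client forged a left-hand entry; the ELB appended the true peer on the right.
    print(client_ip("10.0.1.20", "198.51.100.9, 203.0.113.45"))   # 203.0.113.45
    # Same forged header sent straight to the instance's public IP: ignored.
    print(client_ip("203.0.113.77", "198.51.100.9"))               # 203.0.113.77
```

The same function serves an ALB or a trusted CDN in front of the ELB: raise `trusted_hops` by one per extra proxy you control, and keep `lb_subnets` limited to the addresses those proxies connect from.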

AWS ELB and VPC Router interaction

I have a pretty simple question that drives me nuts. I am trying to understand how VPC router (routing tables) and ELB interact with another.
I read documentation and tried understanding it, but without success. My current understanding of a VPC is pretty much like this:
Data passes the I-GW
The I-GW uses the VPC router and its routing tables to forward the request/traffic to the ELB.
The ELB is used to address e.g. EC2 instances
What I think I got from the internet:
Data passes the I-GW
The ELB is using listeners to determine incoming traffic (e.g. Port 80)
ELB is forwarding the traffic to the instances.
Updated by adding a diagram (sorry, I did not earn the privileges to upload one directly). :(
VPC or subnet route tables are used for routing packets originating within the VPC/subnet, i.e. outbound traffic, NOT inbound traffic. Traffic to the AWS ELB DNS name is resolved to an IP address via DNS resolution and then IP routing to reach the destination. Traffic from your VPC is routed using route tables. Hope this helps.

I have a server running on ec2 but I cant connect to the localhost 8085. Any suggestions?

I have a server running on EC2 but I can't connect to localhost 8085. Any suggestions?
Check to make sure your setup has the following:
There is an elastic IP attached to the instance, or it has a public IP address.
The security group allows incoming traffic on the correct port.
The network ACL of the subnet allows the needed inbound and outbound traffic, or you're using the non-existent/default ACLs, which allow all inbound/outbound traffic.
An Internet Gateway is in the same VPC as the instance.
There is a rule in the subnet's route table that sends internet-bound traffic to the Internet Gateway.
You may also find this AWS article helpful for using the Internet Gateway in your VPC.
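The checklist above can be turned into an offline check that evaluates each item the way the VPC actually does: security groups are allow-only and stateful, so one matching rule is enough; NACLs are stateless and ordered, so the lowest-numbered matching rule decides and the reply on the client's ephemeral port needs its own egress rule; the route table needs an active 0.0.0.0/0 route to an igw-. This is an added example, not the answer's own code. It runs over constructed dictionaries in the shape of the EC2 describe_security_groups / describe_network_acls / describe_route_tables responses (all IDs, addresses and the port are assumptions), so the same functions can be fed real API output. One extra item not in the answer, since the question mentions "localhost 8085": a service bound to 127.0.0.1 is unreachable from outside regardless of the network path.

```python
import ipaddress

# CONSTRUCTED sample data in the shape of boto3 describe_* responses; none of
# these IDs, addresses or subnets are real.
INSTANCE = {"InstanceId": "i-0123456789abcdef0", "PublicIpAddress": "203.0.113.10"}
CLIENT_IP = "198.51.100.23"   # the machine trying to reach the service
PORT = 8085

# Security group that only opens SSH: the service port is missing.
BROKEN_SGS = [{"GroupId": "sg-0aaaa", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}]
WORKING_SGS = [{"GroupId": "sg-0aaaa", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": PORT, "ToPort": PORT, "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
]}]
# Default NACL: allow-all in both directions plus the implicit catch-all deny.
NACL = {"Entries": [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
]}
# Route table with only the implicit local route: no path to the Internet Gateway.
BROKEN_RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]}
WORKING_RT = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbbb", "State": "active"},
]}


def sg_allows_ingress(security_groups, port, source_ip, protocol="tcp"):
    """Security groups are allow-only and stateful: any one matching rule permits
    the connection and the reply is allowed automatically."""
    src = ipaddress.ip_address(source_ip)
    for sg in security_groups:
        for perm in sg["IpPermissions"]:
            proto = perm["IpProtocol"]
            if proto != "-1":  # "-1" means all protocols and has no port range
                if proto != protocol or not perm["FromPort"] <= port <= perm["ToPort"]:
                    continue
            if any(src in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
                return True
    return False


def nacl_allows(entries, port, remote_ip, egress, protocol="6"):
    """NACLs are stateless and ordered: the lowest-numbered matching rule wins;
    protocol is the IANA number as a string ("6" = TCP), "-1" = all."""
    addr = ipaddress.ip_address(remote_ip)
    for e in sorted((e for e in entries if e["Egress"] == egress), key=lambda e: e["RuleNumber"]):
        if e["Protocol"] not in ("-1", protocol):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= port <= pr["To"]:
            continue
        if addr not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        return e["RuleAction"] == "allow"
    return False


def has_igw_default_route(route_table):
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId", "").startswith("igw-")
               and r.get("State") == "active"
               for r in route_table["Routes"])


def diagnose(instance, security_groups, nacl, route_table, port, client_ip, bind_address="0.0.0.0"):
    """Return the checklist items that fail; an empty list means the path looks open."""
    findings = []
    if not instance.get("PublicIpAddress"):
        findings.append("instance has no public or Elastic IP")
    if not sg_allows_ingress(security_groups, port, client_ip):
        findings.append(f"no security group rule allows tcp/{port} from {client_ip}")
    if not nacl_allows(nacl["Entries"], port, client_ip, egress=False):
        findings.append(f"subnet NACL denies inbound tcp/{port} from {client_ip}")
    # Stateless NACL: the reply goes back to the client's ephemeral source port;
    # 49152 is used here as a representative ephemeral port.
    if not nacl_allows(nacl["Entries"], 49152, client_ip, egress=True):
        findings.append("subnet NACL denies outbound replies to the client's ephemeral ports")
    if not has_igw_default_route(route_table):
        findings.append("subnet route table has no active 0.0.0.0/0 route to an Internet Gateway")
    if ipaddress.ip_address(bind_address).is_loopback:
        findings.append(f"service is bound to {bind_address}, reachable only from the instance itself")
    return findings


if __name__ == "__main__":
    for f in diagnose(INSTANCE, BROKEN_SGS, NACL, BROKEN_RT, PORT, CLIENT_IP, bind_address="127.0.0.1"):
        print("FAIL:", f)
    print("working config:", diagnose(INSTANCE, WORKING_SGS, NACL, WORKING_RT, PORT, CLIENT_IP))
```

To run it against a live account, replace the constructed dictionaries with the `SecurityGroups`, `NetworkAcls[0]` and `RouteTables[0]` elements returned by the corresponding boto3 describe calls for the instance's subnet.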