AWS - Global Accelerator not working with Network Load Balancer - amazon-web-services

I have a Network Load Balancer and an Application Load Balancer, they work just fine, but as I need fixed IPs/hostnames I decided to create a Global Accelerator for each one.
Global Accelerator with Application Load Balancer works but with Network Load Balancer it doesn't respond...
Example:
ALB:
$ nc -zv <application-load-balancer>.awsglobalaccelerator.com 80
Connection to <application-load-balancer>.awsglobalaccelerator.com 80 port [tcp/*] succeeded!
NLB:
$ nc -zv <network-load-balancer>.awsglobalaccelerator.com 1883
nc: connect to <network-load-balancer>.awsglobalaccelerator.com port 1883 (tcp) failed: Connection timed out
I have changed Health Check port configuration for the NLB to 1883, and the Global Accelerator is shown as "All healthy".
And as I said, the Network Load Balancer itself works:
$ nc -zv <network-load-balancer>.elb.sa-east-1.amazonaws.com 1883
Connection to <network-load-balancer>.elb.sa-east-1.amazonaws.com 1883 port [tcp/*] succeeded!
Both load balancers are very similar (similar instances, same VPC, subnets, etc).
AWS docs say I can use Global Accelerator with both types of Load Balancers.
I don't know why the NLB Global Accelerator doesn't respond.
What am I missing?
More info:
- I'm testing in sa-east-1 region (South America)
- I need Global Accelerator because the LBs are part of terraform for deployment, so for every build the LBs hostname changes
- I could use Elastic IPs for NLB, but to do that I'd need to change my existing subnets (and as far as I know I can't use Elastic IPs for ALBs)...

If a static IP is the only thing you need to achieve, then I am not getting the point of using Global Accelerator and NLB together, because both provide the feature of a static IP.
For the static IP facility there are 2 options:
1. Use Global Accelerator on top of ALB (easy configuration and high cost)
2. Use NLB and forward your requests to ALB (complex configuration and cost effective)
For the 2nd option you can get a reference from the link below.
https://www.bluematador.com/blog/static-ips-for-aws-application-load-balancer

Related

How to combine ALB and NLB to work on dynamic ports

I have an app hosted on ECS (ec2) network that listens on port 4000 (HTTP) and it's connected to ALB by dynamic port mapping - here everything is working correctly.
ECS service has ALB as a load balancer
But the same app accepts TCP connection (from GPS devices) port 5010. When I try to create a Network load balancer and in the target group specify port 5010 connection doesn't work.
Security groups are ok, ec2 instance SG allows all TCP from all clients (ipv4 and ipv6)
ECS Task (bridge network) port mapping looks like this:
0:5010
0:4000
Of course, if I create a target group with the id that dynamic port mapping gave me, everything works fine, but that's not the case. I want to use a dynamic port feature.
Maybe someone knows how to solve that problem?
Thanks in advance for helping me!

aws ECS, ECS instance is not registered to ALB target group

I create ECS service and it runs 1 ecs instance and I can see the instance is registered as a target of the load balancer.
Now I trigger an Auto Scaling Group (by just incrementing desired instance count) to launch a new instance.
The instance is launched and added to the ECS cluster. (I can see it on ECS instances tab)
But the instance is not added to the ALB target. (I expect to see 2 instances in the following image, but I only see 1)
I can edit AutoScalingGroup's target group like the following
Then I see the following.
But the health check fails. It seems the 80 port is not reachable.
Although I have port 80 open for public in the security group for the instance. (Also, instance created from ecs service uses dynamic port mapping but instance created by ALS does not)
So AutoScalingGroup can launch new instance but my load balancer never gives traffic to the new instance.
I did try https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-unhealthy-checks-ecs/?nc1=h_ls and it shows I can connect to port 80 from host to the docker container by something like curl -v http://${IPADDR}/health.
So it must be the case that there's something wrong with host port 80 (load balancer can't connect to it).
But it is also the case that the security group setting is not wrong, because the working instance and this non-working instance are using the same SG.
Edit
Because I used dynamic mapping, my webserver is running on some random port.
As you can see the instance started by ecs service has registered itself to target group with random port.
However instance started by ALB has registered itself to target group with port 80.
The instance will not be added to the target group if it's not healthy. So you need to fix the health check first.
From your first instance, your mapped port is 32769 so I assume if this is the same target group and if it is the same application then the port in new instance should be 32769.
When you curl the IP endpoint with curl -I -v http://${IPADDR}/health, was the HTTP status code 200? If it is 200 then it should be healthy; if it's not 200 then update the backend HTTP status code, or you can update the health check HTTP status code.
I assume that you are also running ECS on both instances, so ECS creates a target group for each ECS service. Are you running some mixed services, so that you need a target group in the AS group? If you are running dynamic ports then remove the health check path to traffic port.
Now if we look at the official possible causes for 502 Bad Gateway
Dynamic port mapping is a feature of container instance in Amazon Elastic Container Service (Amazon ECS)
Dynamic port mapping with an Application Load Balancer makes it easier
to run multiple tasks on the same Amazon ECS service on an Amazon ECS
cluster.
With the Classic Load Balancer, you must statically map port numbers
on a container instance. The Classic Load Balancer does not allow you
to run multiple copies of a task on the same instance because the
ports conflict. An Application Load Balancer uses dynamic port mapping
so that you can run multiple tasks from a single service on the same
container instance.
Your created target group will not work with dynamic port, you have to bind the target group with ECS services.
dynamic-port-mapping-ecs
HTTP 502: Bad Gateway
Possible causes:
The load balancer received a TCP RST from the target when attempting to establish a connection.
The load balancer received an unexpected response from the target, such as "ICMP Destination unreachable (Host unreachable)", when attempting to establish a connection. Check whether traffic is allowed from the load balancer subnets to the targets on the target port.
The target closed the connection with a TCP RST or a TCP FIN while the load balancer had an outstanding request to the target. Check whether the keep-alive duration of the target is shorter than the idle timeout value of the load balancer.
The target response is malformed or contains HTTP headers that are not valid.
The load balancer encountered an SSL handshake error or SSL handshake timeout (10 seconds) when connecting to a target.
The deregistration delay period elapsed for a request being handled by a target that was deregistered. Increase the delay period so that lengthy operations can complete.
http-502-issues
It seems you know the root cause, which is that port 80 is failing the health check and that's why it is never added to ALB. Here is what you can try
First, check that your service is listening on port 80 on the new host. You can use a command like netcat
nc -v localhost 80
Once you know that the service is listening, the recommended way to allow your ALB to connect to your host is to add a Security group inbound rule for your instance to allow traffic from your ALB security group on port 80
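The check the answers above describe, as an added example that is not part of the original thread: it compares the port each target is registered on with the host port the task actually publishes, tests whether the instance security group admits the ALB security group on that port, and flags rules open to the whole internet. All instance IDs, the `sg-alb-example` group name, the rule set and the 32768-65535 ephemeral range are constructed assumptions; the dictionaries follow the output shape of `aws elbv2 describe-target-health` and `aws ec2 describe-security-groups`.

```python
# Added example: every ID, port and rule below is constructed sample data.
ALB_SG = "sg-alb-example"  # hypothetical security group attached to the ALB

# Shape of `aws elbv2 describe-target-health` -> TargetHealthDescriptions.
TARGETS = [
    {"Target": {"Id": "i-aaa", "Port": 32769}, "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "i-bbb", "Port": 80}, "TargetHealth": {"State": "unhealthy"}},
]
# Host ports each instance really publishes (ECS task networkBindings[].hostPort).
HOST_PORTS = {"i-aaa": {32769}, "i-bbb": {32770}}
# Shape of `aws ec2 describe-security-groups` -> IpPermissions (instance SG).
SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    # Assumed ephemeral range used by dynamic host port mapping.
    {"IpProtocol": "tcp", "FromPort": 32768, "ToPort": 65535,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
]
NOT_PUBLISHED = "registered port is not published by any task"
NOT_ADMITTED = "published port is not admitted from the ALB security group"
WORLD_OPEN = "rule is open to 0.0.0.0/0; use the ALB security group as source"

def world_open(rule):
    return any(c["CidrIp"] == "0.0.0.0/0" for c in rule.get("IpRanges", []))

def admits(rules, alb_sg, port):
    """True if some TCP rule covers `port` from the ALB SG or from anywhere."""
    for r in rules:
        if r["IpProtocol"] not in ("tcp", "-1"):
            continue
        if not r.get("FromPort", 0) <= port <= r.get("ToPort", 65535):
            continue
        from_alb = any(p["GroupId"] == alb_sg for p in r.get("UserIdGroupPairs", []))
        if from_alb or world_open(r):
            return True
    return False

def diagnose(targets, host_ports, rules, alb_sg):
    """Return (subject, port, finding) tuples explaining failing health checks."""
    findings = []
    for t in targets:
        inst, port = t["Target"]["Id"], t["Target"]["Port"]
        published = host_ports.get(inst, set())
        if port not in published:
            findings.append((inst, port, NOT_PUBLISHED))
        findings += [(inst, p, NOT_ADMITTED) for p in sorted(published)
                     if not admits(rules, alb_sg, p)]
    findings += [("sg", r.get("FromPort"), WORLD_OPEN) for r in rules if world_open(r)]
    return findings
```

Calling `diagnose(TARGETS, HOST_PORTS, SG_RULES, ALB_SG)` on the sample data reports the instance registered on port 80 while its task publishes 32770, plus the world-open port 80 rule.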

Load balancing in GCE to cluster

I'm trying to set up Load balancing to my cluster that I created via container engine but I keep getting 502 Server Error.
Here is what I do.
I make sure that my service really runs taking this ip in kubernetes dashboard
I have only one instance group. So this belongs to the cluster
80 port is open for every instance in Firewall rules
I created a load balancer with this configuration. As you can see I set the only instance group I got, also I set up health check. The health check is http endpoint /api/ping/ that returns HTTP 200 with body "pong". But I keep getting 502 ERROR. I understand it happens because health check doesn't pass. Apparently it's because when load balancer is sending request it's sending directly to instances, instead of to docker containers. If I go by ip of vm instance where I host my cluster I will get nothing as well.
I want to do it so I could switch traffic between different clusters If I decide to create a new one, also I would be able to balance https traffic.
Maybe it will help someone so I will post the answer.
I created my pods via UI kubernetes using their constructor-form. When I used this form ports were not exposed to the host machine (even though I marked them as External ports). I wrote a YAML config and exposed ports there to host machine. After this balancer started working.
I used this block to expose 80 port to host machine
ports:
- containerPort: 80
  hostPort: 80
  protocol: TCP

How to use unique health check port on an Application Load Balancer (Container Service) on AWS?

I have a domain that needs to be routed to both an Application Load Balancer and an EC2-instance depending on the URL path. The Application Load Balancer has a limit of 10 rules per ALB, and I need more.
So to workaround this limit of 10 URLs I would like to setup a request pipeline as follows:
ALB for domain.com -> Docker container with HAProxy with routing rules/reverse proxy -> routes to another ALB or EC2-instance
The setup is fine, I'm having problems with setting up the HAProxy and its health check. I would like the ALB to health check on a different port rather than the traffic port. In HAProxy I can simply setup multiple frontends, one for the routing (port 80) and one for health check (port 60000). But if I enter port 60000 in the ALBs target group I can't deploy another service due to the dynamic mapping.
Any ideas how to solve this? I rather not expose the health check on port 80 due to it being available for the public net but if that's the only solution it's fine (but how to do it?).
I ended up with using monitor-uri as the healthcheck, not ideal since it's exposed to port 80 but no secret info is showing there anyway.

AWS Elastic Load Balancer connection timed out

I set up a load balancer in an Availability Zone and added some EC2 instances in the same zone. The health check works fine. Now I tried to access the load balancer using its host name from outside. Even though I can access individual hosts behind the load balancer without any issue, I got a connection time-out error if I tried to connect to the load balancer:
$ wget -O test "http://xxxx.us-west-1.elb.amazonaws.com:8080/"
--2014-04-01 21:26:59-- http://xxxx.us-west-1.elb.amazonaws.com:8080/
Resolving xxxx.us-west-1.elb.amazonaws.com... 11.111.111.11
Connecting to xxxx.us-west-1.elb.amazonaws.com|11.111.111.11|:8080... failed: Connection timed out.
Listener configuration is like this (I don't know how to format this better):
Load Balancer Protocol | Load Balancer Port | Instance Protocol | Instance Port | Cipher | SSL Certificate
HTTP | 8080 | HTTP | 8080 | N/A | N/A
Any insight/comment would be appreciated.
It turned out that it was because I set it up as VPC Load Balancer. In that case I have to access it through a private IP address :)