ELB OutOfService if EKS worker nodes in private subnet - amazon-web-services

I created a VPC with 1 public subnet and 2 private subnets like this link.
Then I created a new EKS cluster and selected the 3 subnets. For the EKS worker nodes, I only put them in the 2 private subnets, and these nodes can be registered to the cluster.
So I tried to create a sample project as in the link; everything looks good, the pods, services and ELB can be created. But the ELB health check failed, it said "OutOfService". In the worker node security group, I allowed all traffic for the ELB.
Is there anything I am missing?

A few points you can verify are whether:
* the ELB security group is opened up in the worker instance security group
* the ELB subnets are in the same Availability Zone as the worker nodes

Related

Private EC2 instances show unhealthy in ELB

I am trying to reach two private-subnet EC2 instances from an ELB in a public subnet. But the instances are always showing as unhealthy. I tried a lot of options but nothing worked.
Here is the configuration I tried:
1. Created VPC
DNS resolution: Enabled
DNS hostnames: Disabled
Created 2 public subnets and 2 private subnets. The only difference between these two is the route table.
Auto-assign public IPv4 address is set to "No" in the public subnet.
I have added the Internet gateway as a route in the route table of the public subnet.
Public subnet - Route Table
Private subnet - Route table
Created two EC2 instances in the private subnet. User data set to the Apache web server.
The Security group of the instances
Created an ALB in the public subnet
ALB security group config is:
Have also added the default security group to the ALB:
Target group is showing unhealthy for the private EC2 instances
Any help on pointing out why this fails?
Either the EC2 instances are not receiving the request, or they are receiving the request but aren't responding with a 'healthy' response.
Test that the instances are responding to requests
You could launch an EC2 instance in the public subnet, SSH to it and then send requests directly to the EC2 instances to see if they respond (e.g. curl http://private-ip-address).
If they respond correctly, then the instances themselves are fine and the problem lies with the Load Balancer.
Check the Load Balancer security group
You have shown the Inbound rules for the Load Balancer, but you should also check that the Outbound rules permit traffic to exit the Load Balancer and go to the EC2 instances.
First and foremost - check the apache logs and make sure you see incoming health check samples.
If you don't see them at all - you have a network connectivity issue.
If you do see them - make sure they return 200 code and that it matches the target group's health check configuration.
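The log-based triage described in the two answers above, as an added example that is not part of the original post: it scans Apache combined-format access log lines for the load balancer's health-check requests (both Classic and Application Load Balancers send a User-Agent beginning with ELB-HealthChecker), and reports whether none arrived (a connectivity problem), whether they arrived but the path or status does not match the target group's health check settings, or whether they pass. The log lines, the health-check path and the matcher value are constructed for the example; the 10.0.x.x addresses stand in for the load balancer nodes' private IPs.

```python
import re
from collections import Counter

# Apache "combined" log format: client IP, timestamp, request line, status,
# bytes, referer and user agent. Only the fields used below are captured.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Classic and Application Load Balancers identify their health checks with
# this User-Agent prefix (ELB-HealthChecker/1.0 and /2.0 respectively).
HEALTH_CHECKER_UA = "ELB-HealthChecker"


def expand_matcher(matcher):
    """Turn a target-group matcher such as '200' or '200-299,301' into a set of codes."""
    codes = set()
    for part in matcher.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            codes.update(range(int(lo), int(hi) + 1))
        elif part:
            codes.add(int(part))
    return codes


def triage_health_checks(log_lines, hc_path, matcher="200"):
    """Classify health-check traffic found in Apache access log lines.

    verdict is one of:
      'no_health_checks' - nothing from the load balancer reached the server:
                            look at security groups, NACLs, routes and AZs;
      'failing'          - checks arrive, but the path or status code does not
                            match the target group's health check settings;
      'passing'          - checks arrive on hc_path and return an accepted code.
    """
    accepted = expand_matcher(matcher)
    checks = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m and m.group("ua").startswith(HEALTH_CHECKER_UA):
            checks.append(m.groupdict())

    if not checks:
        return {"verdict": "no_health_checks", "seen": 0, "on_path": 0,
                "by_status": {}, "sources": []}

    on_path = [c for c in checks if c["path"] == hc_path]
    by_status = Counter(int(c["status"]) for c in on_path)
    # Source IPs are the load balancer nodes' private addresses; they show
    # which subnets (and therefore AZs) the checks are actually coming from.
    sources = sorted({c["ip"] for c in checks})
    passing = bool(on_path) and all(code in accepted for code in by_status)
    return {"verdict": "passing" if passing else "failing",
            "seen": len(checks), "on_path": len(on_path),
            "by_status": dict(by_status), "sources": sources}


# Constructed sample lines (not real logs): two health checks hitting a path
# the server does not serve, plus one unrelated request from inside the VPC.
SAMPLE_LOG = [
    '10.0.1.25 - - [10/Jun/2019:12:00:01 +0000] "GET /health HTTP/1.1" 404 196 "-" "ELB-HealthChecker/2.0"',
    '10.0.2.31 - - [10/Jun/2019:12:00:06 +0000] "GET /health HTTP/1.1" 404 196 "-" "ELB-HealthChecker/2.0"',
    '10.0.0.7 - - [10/Jun/2019:12:00:07 +0000] "GET / HTTP/1.1" 200 45 "-" "curl/7.64.1"',
]

if __name__ == "__main__":
    print(triage_health_checks(SAMPLE_LOG, "/health"))       # failing: 404s
    print(triage_health_checks(SAMPLE_LOG[2:], "/health"))   # no_health_checks
```

Run it against the real access log with `triage_health_checks(open("/var/log/httpd/access_log").read().splitlines(), "/health", "200")`; a 'no_health_checks' verdict means nothing from the load balancer is reaching Apache, so the fix is in the network path rather than in the web server.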

Is it possible to make AWS EKS nodes (EC2 instances) automatically get an IP from a specific subnet (on the same VPC or another VPC)?

We have an EKS cluster running in a VPC and we are thinking of extending this VPC or creating another VPC with a different subnet IP range. EKS nodes (EC2 instances) are running with multiple ENIs, that is, with multiple private IPs.
We wonder if it is possible to make these EC2 instances which serve as EKS nodes automatically get an IP from this new subnet within current VPC or on the other VPC when they are getting instantiated. If the subnet is on another VPC, should we have a VPC peering connection between two VPCs? Can it be doable by Cloud Formation templates on EKS? What is the best practice here? Thanks.
The option to extend a VPC in EKS is via adding a secondary CIDR block and configuring the CNI plugin to use the subnets created in the secondary CIDR block. The CNI is ultimately responsible for assigning the IP addresses available through the subnet CIDR to the pods.
To use the correct CIDR range for the VPC extension and to configure the CNI, please use the article below:
https://aws.amazon.com/premiumsupport/knowledge-center/eks-multiple-cidr-ranges/

How to load balance AWS private subnet EC2 instances

If I create an ELB and try to attach the private subnet instances, my health check fails: OutOfService.
Question 1: Can I get an internal / private IP (not an IP but a DNS name) for load balancing, i.e. not accessible from the internet?
Question 2: If I have a public DNS name for my Application Load Balancer, how do I attach EC2 instances that are in my private subnet without an Elastic IP (they aren't internet accessible)?
I am looking for the best approach. Should we have
ELB --> public subnet EC2 instances (proxy configuration - */* [private_ip]:[port]/*) ---> service from private subnet/EC2 instance with health checks here?
The traditional architecture is:
Elastic Load Balancer in public subnet
Amazon EC2 instances in private subnet
Security group on Load Balancer permitting port 80 & 443 from 0.0.0.0/0
Security group on instances permitting port 80 from the Load Balancer security group
An Amazon Route 53 Hosted Zone with a CNAME record set pointing to the DNS Name of the Load Balancer
If your instances are failing the Load Balancer health check, check the following:
The instances should have a security group permitting inbound access from the Load Balancer
The Load Balancer health check should be configured with a path to a web page to use for the health check
The instances should have a functioning web server that is responding to the health checks
If you are using an ELB, I would recommend using an Auto Scaling Group to put instances in various AZs/subnets.
Look at this tutorial. The benefit of having an ASG is that you can optionally also have scale in/out policies.
The architecture that you have described is ELB (assuming this is public) -> public EC2 instances (as proxies) -> private EC2 instances.
Rather, you can have your private EC2 instances fronted with an ELB. Not sure if you really need the public EC2 instances.
If your health check is failing you need to ensure that:
a. You are creating the ELB in the right VPC.
b. The ELB -> EC2 communication is setup correctly by ensuring you have the right Security Groups in place on the EC2 instances.
A highly recommended way would be to have the EC2 instance SG rules set up in such a way that they accept traffic only from the SG of the ELB.
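The security-group and Availability Zone checks recommended in this answer, and in the EKS worker-node answer at the top of the page, as an added example that is not part of either post: it takes the load balancer and target security groups and their subnets in the shape returned by `aws ec2 describe-security-groups` and `aws ec2 describe-subnets`, confirms that the target security group admits the health-check port from the load balancer's security group (and flags the weaker 0.0.0.0/0 form beside it), that the load balancer's outbound rules allow the traffic out, and that every target subnet's AZ is one the load balancer is attached to. All group and subnet identifiers and CIDRs below are constructed for the example.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _covers_port(perm, port):
    """True if one IpPermissions entry covers TCP traffic on `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # "All traffic" rule
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def permits(perms, port, group_id=None, networks=()):
    """True if some entry in `perms` (an IpPermissions / IpPermissionsEgress list
    from describe-security-groups) allows TCP/`port`, either by referencing
    security group `group_id` or by CIDRs that contain every network given."""
    for perm in perms:
        if not _covers_port(perm, port):
            continue
        if group_id and any(g.get("GroupId") == group_id
                            for g in perm.get("UserIdGroupPairs", [])):
            return True
        allowed = [ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])]
        if networks and all(any(n.subnet_of(a) for a in allowed) for n in networks):
            return True
    return False


def audit_lb_path(lb_sg, target_sg, lb_subnets, target_subnets, port=80):
    """Findings for the load balancer -> target path on TCP/`port`; [] means clean."""
    findings = []
    lb_id, tg_id = lb_sg["GroupId"], target_sg["GroupId"]
    lb_nets = [ipaddress.ip_network(s["CidrBlock"]) for s in lb_subnets]
    tg_nets = [ipaddress.ip_network(s["CidrBlock"]) for s in target_subnets]
    ingress, egress = target_sg["IpPermissions"], lb_sg["IpPermissionsEgress"]

    by_sg = permits(ingress, port, group_id=lb_id)
    by_cidr = permits(ingress, port, networks=lb_nets)
    if not (by_sg or by_cidr):
        findings.append(f"{tg_id}: nothing allows tcp/{port} from the load balancer "
                        "nodes; health checks cannot arrive")
    if permits(ingress, port, networks=[ANY]):
        findings.append(f"{tg_id}: tcp/{port} is open to 0.0.0.0/0; allow only {lb_id} instead")
    elif by_cidr and not by_sg:
        findings.append(f"{tg_id}: tcp/{port} is allowed by CIDR; referencing {lb_id} is more robust")
    if not permits(egress, port, group_id=tg_id, networks=tg_nets):
        findings.append(f"{lb_id}: outbound rules do not allow tcp/{port} to the target subnets")

    # A target in an AZ the load balancer is not attached to is never routed to.
    lb_azs = {s["AvailabilityZone"] for s in lb_subnets}
    for s in target_subnets:
        if s["AvailabilityZone"] not in lb_azs:
            findings.append(f"{s['SubnetId']} is in {s['AvailabilityZone']} but the load "
                            "balancer has no subnet in that AZ")
    return findings


# Constructed sample data (not real resources) in describe-* output shape.
LB_SG = {
    "GroupId": "sg-lb",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                             "UserIdGroupPairs": []}],
}
# Instance SG as often first written: port 80 open to the world.
OPEN_TARGET_SG = {
    "GroupId": "sg-web",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
    "IpPermissionsEgress": LB_SG["IpPermissionsEgress"],
}
# Recommended form: port 80 only from the load balancer's security group.
TIGHT_TARGET_SG = {
    "GroupId": "sg-web",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                       "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-lb"}]}],
    "IpPermissionsEgress": LB_SG["IpPermissionsEgress"],
}
LB_SUBNETS_ONE_AZ = [{"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a",
                      "CidrBlock": "10.0.0.0/24"}]
LB_SUBNETS_TWO_AZ = LB_SUBNETS_ONE_AZ + [{"SubnetId": "subnet-pub-b",
                                          "AvailabilityZone": "us-east-1b",
                                          "CidrBlock": "10.0.1.0/24"}]
TARGET_SUBNETS = [{"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a",
                   "CidrBlock": "10.0.10.0/24"},
                  {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b",
                   "CidrBlock": "10.0.11.0/24"}]

if __name__ == "__main__":
    for f in audit_lb_path(LB_SG, OPEN_TARGET_SG, LB_SUBNETS_ONE_AZ, TARGET_SUBNETS):
        print("FINDING:", f)
    print("tight config:", audit_lb_path(LB_SG, TIGHT_TARGET_SG, LB_SUBNETS_TWO_AZ, TARGET_SUBNETS))
```

Feed it the `SecurityGroups` entries and `Subnets` entries from the two CLI calls; the first sample run reports the world-open port and the missing us-east-1b subnet on the load balancer, the second reports nothing.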

Attaching ELB to ASG in Private Subnet

Thanks for your time in advance. I am pretty new to AWS and trying to set up a cloud-facing application processing HTTP / HTTPS requests.
I have a domain name (example.com) attached to the Elastic Load Balancer (ELB), and my requirement is just to have an ELB attached to an Auto Scaling group (ASG) which would have a min-max of 2-5 EC2s. Preferably I would want the EC2s created by the ASG to be placed in a private subnet.
I was following the solution provided here, but as I understand it, step 5 is for connecting the ELB to existing EC2 instances. But my requirement is to attach it to an ASG, and hence I cannot connect to specific EC2 instances.
I am focusing on just two AZs for now and created a public and a private subnet in each AZ. After creating the ELB and attaching it to the two public subnets, I proceeded to the Launch Configuration & ASG. I would request some clarification on the implications of the following selections while setting up the LC and ASG.
While creating a Launch Configuration for an ASG, in one of the steps (IP Address Type) I have three options, namely:
(1) Give Public IP to new instances if created in default VPC/SubNet
(2) Always Public IP for new instances
(3) No Public IP for new instances.
Which one of the above should be selected given my requirement?
Additional Questions
When selecting the subnets while creating the ASG, should I select both public and private subnets, or only the public SN, or only the private SN? My guess was private subnet only, as I wanted to place the EC2s in the private SN.
If the EC2s created by the ASG will be deployed in the private SN, what else should be present in the public subnet?
Thanks again for your time and guidance.
Update on 6/13
For the questions I had posted above, I went ahead with choices as below:
While creating a Launch Configuration for an ASG, IP Address Type : No Public IP for new instances.
When selecting the subnets while creating ASG : Only Private SN
I placed a NAT Gateway in the public subnet and updated the route table of the private subnet to include a route for 0.0.0.0/0 to the NAT.
Things are working now !!
You can find the AWS document on attaching to an Auto Scaling group here. You attach the ELB to the ASG, or if it's an Application Load Balancer you attach the target group for your ALB to the ASG:
To attach a load balancer to a group
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
On the navigation pane, under Auto Scaling, choose Auto Scaling Groups.
Select your group.
On the Details tab, choose Edit.
Do one of the following:
[Classic Load Balancers] For Load Balancers, select your load balancer.
[Target groups] For Target Groups, select your target group.
Choose Save.
You do not need public IP addresses if your instances will be behind an ELB. You should also launch them in a private subnet. Your ELB will be in public subnets and relay communications to your instances in those private subnets. The ELB will also be assigned a DNS name that you alias to a custom DNS name of your own.
From the docs above, you can also attach and detach using the CLI:
To attach a Classic Load Balancer
Use the following attach-load-balancers command to attach the specified load balancer to your Auto Scaling group:
aws autoscaling attach-load-balancers --auto-scaling-group-name my-asg --load-balancer-names my-lb
To attach to a target group
Use the following attach-load-balancer-target-groups command to attach the specified target group to your Auto Scaling group:
aws autoscaling attach-load-balancer-target-groups --auto-scaling-group-name my-asg --target-group-arns my-targetgroup-arn
To detach a Classic Load Balancer
Use the following detach-load-balancers command to detach a load balancer from your Auto Scaling group if you no longer need it:
aws autoscaling detach-load-balancers --auto-scaling-group-name my-asg --load-balancer-names my-lb
To detach a target group
Use the following detach-load-balancer-target-groups command to detach a target group from your Auto Scaling group if you no longer need it:
aws autoscaling detach-load-balancer-target-groups --auto-scaling-group-name my-asg --target-group-arns my-targetgroup-arn

How many subnets required in a VPC

I wish to implement my website in AWS virtual private cloud (VPC) with the following requirement:
The web tier will use an Auto Scaling group across multiple Availability Zones (AZs).
The database will use Multi-AZ RDS MySQL and should not be publicly accessible.
What is the minimal number of subnets required?
I assume one subnet = one AZ. Having said that, I will be needing 2 subnets for the RDS instance and one for my web tier, which might have to sit in the public subnets? So 3 minimal in total?
You have two options:
Do everything in Public Subnets, using Security Groups to protect your database, or
Use Public & Private Subnets
For both options, you would need:
An Amazon VPC
An Internet Gateway (which connects the VPC to the Internet)
An Elastic Load Balancer
An Auto Scaling group of Amazon EC2 instances running your web tier
An Amazon RDS Multi-AZ database -- you have indicated a preference for MySQL
Also, you would create three security groups:
A Load Balancer security group, permitting inbound traffic from the Internet (0.0.0.0/0) for HTTP (port 80) and presumably HTTPS (port 443)
A Web Tier security group, permitting inbound traffic from the Load Balancer security group on the same ports
A Database security group, permitting inbound traffic from the Web Tier security group on port 3306 (MySQL)
Option 1: Do everything in public subnets
In this option, you can put all services inside a Public Subnet (which is defined as a subnet connected to the Internet via an Internet Gateway).
You wish to implement a multi-AZ solution, so you will need one subnet per AZ. If you choose to use two AZs, this means you will need two subnets. (You could choose to use more than two AZs/subnets, if they are available in your region.)
Deploy your Load Balancer in both subnets. Create your Auto Scaling group to use both subnets. Create an Amazon RDS DB Subnet Group across both subnets for use by the multi-AZ database and launch the database into that DB Subnet Group.
The security groups will ensure that only the Load Balancer is exposed to the Internet. Nothing else will be publicly accessible.
Option 2: Use Public & Private Subnets
Some people prefer using Private Subnets to ensure resources are not exposed to the Internet. This is mostly to remain compatible with traditional on-premises architecture that does not have the concept of a Security Group.
This option would involve:
A Public Subnet in each AZ: Put your Load Balancer in these subnets
A Private Subnet in each AZ: Put your Web Tier Auto Scaling group and your database in these subnets (defined via the DB Subnet Group)
Use the same Security Groups as option 1
There is no requirement for 3 subnets.
If you put 2 subnets in different AZs, 1 public and 1 private, they are also able to communicate with each other, because multiple instances in 1 VPC can communicate with each other.
But if you put 3 subnets in different AZs as you said, that is better for security and accessibility from the web server.
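The public/private distinction used in the answer above (a public subnet is one whose route table sends 0.0.0.0/0 to an Internet Gateway) and the placement that resolved the ASG question earlier on the page (instances in private subnets only, no public IP, a NAT Gateway route for outbound traffic), as an added example that is not part of either post: it classifies each subnet from the route tables in the shape returned by `aws ec2 describe-route-tables`, then checks that the load balancer sits in public subnets, the Auto Scaling group in private ones with a NAT route, and that the launch configuration does not assign public IPs. Route table, subnet, gateway identifiers and the VPC CIDR are constructed for the example.

```python
def classify_subnets(route_tables, subnet_ids):
    """Map subnet id -> 'public' | 'private' | 'isolated' from its effective
    route table (explicit association, else the VPC's main route table)."""
    main, explicit = None, {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    kinds = {}
    for sid in subnet_ids:
        rt = explicit.get(sid, main) or {}
        kind = "isolated"                 # no default route at all
        for route in rt.get("Routes", []):
            if route.get("DestinationCidrBlock") != "0.0.0.0/0":
                continue
            if str(route.get("GatewayId", "")).startswith("igw-"):
                kind = "public"           # default route straight to an IGW
                break
            if route.get("NatGatewayId"):
                kind = "private"          # outbound only, via a NAT gateway
        kinds[sid] = kind
    return kinds


def check_placement(kinds, lb_subnets, asg_subnets, associate_public_ip):
    """Findings for an internet-facing ELB in front of an ASG; [] means clean."""
    findings = []
    for sid in lb_subnets:
        if kinds.get(sid) != "public":
            findings.append(f"{sid} is {kinds.get(sid, 'unknown')}; an internet-facing "
                            "ELB needs public subnets")
    for sid in asg_subnets:
        kind = kinds.get(sid, "unknown")
        if kind == "public":
            findings.append(f"{sid} is public; place the Auto Scaling group in private subnets")
        elif kind == "isolated":
            findings.append(f"{sid} has no NAT route; instances there cannot reach the "
                            "internet for package installs or updates")
    if associate_public_ip:
        findings.append("launch configuration assigns public IPs; instances behind "
                        "the ELB do not need them")
    return findings


# Constructed sample (not real resources): a 10.0.0.0/16 VPC whose main route
# table has only the local route, a public table with an IGW default route and
# a private table with a NAT default route. subnet-priv-b was never associated
# with the private table, so it falls back to the main table.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]},
]
SUBNETS = ["subnet-pub-a", "subnet-pub-b", "subnet-priv-a", "subnet-priv-b"]

if __name__ == "__main__":
    kinds = classify_subnets(ROUTE_TABLES, SUBNETS)
    print(kinds)
    # As first attempted: public IPs on, one private subnet without a NAT route.
    for f in check_placement(kinds, ["subnet-pub-a", "subnet-pub-b"],
                             ["subnet-priv-a", "subnet-priv-b"], True):
        print("FINDING:", f)
    # As fixed: no public IPs, only subnets with a NAT route.
    print(check_placement(kinds, ["subnet-pub-a", "subnet-pub-b"], ["subnet-priv-a"], False))
```

The `Routes` entries come straight from `aws ec2 describe-route-tables`; the `AssociatePublicIpAddress` field of the launch configuration (the "No Public IP for new instances" choice in the console) supplies the last argument.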