Connect AWS API Gateway to an internal NLB backed by ECS Microservice - amazon-web-services

I seem to be stuck with my architecture for ECS Microservices.
Current state:
1. ECS cluster with 2 EC2 instances in private subnets exposing a dockerized Node Express endpoint on port 3000 (1 service, 2 running tasks)
2. NAT gateway route out from the VPC's default route table
3. Internal NLB in front of those 2 EC2 instances
4. VPC Link created in API Gateway targeting the NLB
5. API Gateway integration with the VPC Link (what do I enter as the endpoint URI? Is it the DNS name of the NLB, or the custom domain name from step 6?)
6. Created a custom domain name for the API Gateway
When I try to send a request to customdomainname:3000/task, I expected the task to be run. However, I do not get any response ("There was an error connecting to customdomainname:3000/task").
Everything works perfectly fine if it's an internet-facing Application Load Balancer and the instances are in a public subnet, but I need to use the VPC Link approach to secure my application.
I understand my question might be vague, but I would appreciate any input and insights from anyone who has worked on this before.

Related

How to access the Internet from an AWS App Runner service that is added to a VPC?

The question is the same as this one but has screenshots of AWS resources' configurations.
Situation:
A backend is hosted as an App Runner service.
The backend needs to communicate with a private RDS instance. So, the App Runner service is added to a VPC.
The backend can now communicate with the RDS instance.
Expected:
Backend should also be able to make HTTP requests to the Internet.
Actual:
Any HTTP request from the backend to the Internet takes forever/times out.
Checklist:
An Internet gateway is connected.
Route table is set to route 0.0.0.0/0 to the Internet gateway.
Security group allows outbound access.
I've also tried putting a NAT gateway in place of the Internet gateway and setting up the route table accordingly. But the behaviour was the same. Screenshots below are without the NAT gateway configuration.
Screenshots:
VPC Connector configuration on App Runner service
Security group outbound rule allowing all traffic
Route table routing outbound traffic to internet gateway
Route table association with all subnets (non-explicit, default, didn't change)
How I know that my service has no outbound Internet access:
I'm making a request to google.com.
I've added a log statement before, after, and in the catch of the request.
The log before the request happens, but then nothing happens, and my API that invokes this request keeps loading forever (until it returns a Gateway Timeout after 5 minutes).
So, what is wrong in my configuration above, or how can I give outbound Internet access to the service?
And btw, I can access the service itself (i.e., inbound traffic) through the domain generated by App Runner.
A related discussion: https://github.com/aws/apprunner-roadmap/issues/109
According to the official App Runner documentation, you must use a NAT Gateway to provide Internet access to App Runner applications running in a VPC.
You mentioned you already tried to use a NAT Gateway in your question, but I think you configured it incorrectly. Please bear in mind the following:
Your VPC needs both public and private subnets configured in order to properly use a NAT Gateway. Public subnets are subnets that have a route to the Internet Gateway. Private subnets are subnets that have a route to the NAT Gateway.
The NAT Gateway itself must reside in a public subnet.
The App Runner application must be configured to run only in private subnets.

Creating Beanstalk without an internet connection

I'm trying to make Beanstalk instances not connect outside the VPC to the public internet.
The problem is that when I clear the outbound security group rules and actually block internet access, the instances do not start properly and throw the error "502 Bad Gateway"; the health status in Beanstalk also changes to "unknown".
When I checked the system log I saw that the instance is trying to connect outside the VPC in the user data script.
How can I solve this problem?
Using an EB environment in a private subnet (no internet) is not that straightforward. The general considerations for how to do this are described in the AWS docs:
Using Elastic Beanstalk with Amazon VPC
For example, EB uses Network Time Protocol (NTP), so you have to have internet connectivity. Without that, as the docs describe, there are issues with Elastic Beanstalk health reporting.
You also need to set up VPC endpoints for Elastic Beanstalk as well as the endpoints for other services (e.g. S3):
Using Elastic Beanstalk with VPC endpoints
If your .ebextensions install any packages from the internet, you need to ensure that you have properly set up a NAT gateway or NAT instance.
The docs also provide an example CloudFormation template, vpc-private.yaml, with a sample setup for an Internet gateway, NAT gateway, and route table.

VPC settings to restrict access of Elastic Beanstalk URL to only API Gateway?

I have an Elastic Beanstalk web service running Tomcat + Java 8. I also have an API Gateway, which will contain an endpoint pointing to a VPC Link. I am having issues with deploying the Beanstalk with the settings I believe I should be using. My goal is to make the Beanstalk web service only accessible via the API Gateway endpoint, so no external user/service can access the xyz.us-east-2.elasticbeanstalk.com URL directly.
To accomplish this, I created a VPC through the console that uses the 10.0.0.0/16 IPv4 block.
I also created two sets of subnets, "EC2Subnets" which uses 10.0.0.0/24, and "ELBSubnets" which uses 10.0.1.0/24.
From the ebcli, I run:
$ eb create MyApp --elb-type network --vpc
Which prompts for some info:
Enter the VPC ID: vpc-myvpcID
Do you want to associate a public IP address? (Y/n): y
Enter a comma-separated list of Amazon EC2 subnets: subnet-myec2subnetID
Enter a comma-separated list of Amazon ELB subnets: subnet-myelbsubnetID
Enter a comma-separated list of Amazon VPC security groups:
Do you want the load balancer to be public? (Select no for internal) (Y/n): n
Doing this causes a hang in adding the EC2 instance to Beanstalk, and eventually leads to an error: "The EC2 instances failed to communicate with AWS Elastic Beanstalk, either because of configuration problems with the VPC or a failed EC2 instance. Check your VPC configuration and try launching the environment again."
What am I doing wrong? Obviously something is wrong with my network, but I am struggling to see what it is exactly.
EDIT: Managed to figure it out; the VPC needed an Internet Gateway added to its Route Table. To do this, I created an Internet Gateway, attached it to the VPC, then went into that VPC's route table and added the newly created gateway to correspond to 0.0.0.0/0.

AWS NLB warning: There is an Internet Gateway attached to these subnets

I am relatively new to AWS. I've been able to:
Setup edge-optimized API Gateway endpoints (w/a custom domain ... install an SSL cert, etc.)
Route requests from API Gateway to a server running on an EC2 instance via HTTP proxy
For learning, I'd like to put a Network Load Balancer (NLB) between API Gateway and the EC2 instance. After that, I want to experiment with Auto-Scaling Groups (in order to see how EC2 instances can be scaled out/in).
BUT I'm stuck on the NLB. After adding it in, requests made to API Gateway endpoints simply return internal server error.
Question
Should I be using an internal or internet-facing NLB to route the requests from API Gateway to the EC2 instances?
When I opt to use an internal NLB, I get a warning message You are creating an internal Load Balancer, but there is an Internet Gateway attached to these subnets ... and then I run into the internal server error problem.
When I setup an internet-facing NLB, API Gateway warns me something to the effect of, "Your NLB is already public-facing, so the use of a VPC Link might be unnecessary".
Can someone shed some light on what I should be doing?
I was able to create an NLB in a private subnet and create a VPC link. Private subnets use network address translation (NAT) gateways, not internet gateways.
Link: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
Screenshots: NLB, VPCLink
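The same public/private subnet logic underlies the App Runner answer above (NAT gateway in a public subnet, workload only in private subnets) and the internal NLB answer in this thread. As an added example that is not part of any post here, the Python below classifies subnets from route-table data shaped like `aws ec2 describe-route-tables` output and flags placements that break those rules; all subnet and gateway IDs are constructed sample values.

```python
# Added example, not code from any post on this page: classify subnets from
# route-table data shaped like `aws ec2 describe-route-tables` output, then apply
# the placement rules from the App Runner answer above (NAT gateway in a public
# subnet, workload only in private subnets). All IDs are constructed samples.

def default_route_kind(table):
    """'public' if 0.0.0.0/0 goes to an igw-, 'private' if to a nat-, else 'isolated'."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private"
    return "isolated"

def classify_subnets(route_tables, subnet_ids):
    """Map each subnet to its kind; subnets with no explicit association use the main table."""
    main_kind, explicit = "isolated", {}
    for table in route_tables:
        kind = default_route_kind(table)
        for assoc in table.get("Associations", []):
            if assoc.get("Main"):
                main_kind = kind
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = kind
    return {sid: explicit.get(sid, main_kind) for sid in subnet_ids}

def check_placement(kinds, nat_subnets, workload_subnets):
    """Return findings; an empty list means the layout follows the rules."""
    findings = [f"NAT gateway subnet {s} is {kinds.get(s)}, must be public"
                for s in nat_subnets if kinds.get(s) != "public"]
    findings += [f"workload subnet {s} is {kinds.get(s)}, must be private"
                 for s in workload_subnets if kinds.get(s) != "private"]
    return findings

# Constructed sample of the asker's layout: one main table sends 0.0.0.0/0 to the
# IGW and is implicitly associated with every subnet, so every subnet is public.
BROKEN_TABLES = [{"Associations": [{"Main": True}],
                  "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa"}]}]
# Corrected layout: subnet-priv gets its own table whose default route is the NAT gateway.
FIXED_TABLES = BROKEN_TABLES + [{"Associations": [{"SubnetId": "subnet-priv"}],
                                 "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"}]}]

if __name__ == "__main__":
    for name, tables in (("broken", BROKEN_TABLES), ("fixed", FIXED_TABLES)):
        kinds = classify_subnets(tables, ["subnet-pub", "subnet-priv"])
        print(name, kinds, check_placement(kinds, ["subnet-pub"], ["subnet-priv"]))
```

Feeding the real `RouteTables` array from the CLI into `classify_subnets` reproduces the "everything is public" situation from the screenshots, where a NAT gateway in the same subnet as the service cannot help.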

Stitching together AWS API Gateway and Private EC2 Instances

I've spent the majority of today reading google results and documentation on how to connect AWS API Gateway to EC2 instances (created by Elastic Beanstalk) in a private subnet. I know that API Gateway requires targets to be publicly addressable, so...
I manually created an Application Elastic Load Balancer that listens for (and terminates) HTTPS at a public IP address;
I created a VPC with two subnets: one public (holds load balancer) and one private (holds EC2 instances); and,
I believe I have to create security groups that allow everyone/everywhere to connect to the load balancer, but only entities in my public subnet to connect to my EC2 instances.
Unfortunately I'm unable to view the sample Beanstalk application via the load balancer's DNS name. The connection just times out.
Can someone please confirm I've identified all the steps? Is there any way I can trace my requests to see where they're failing? Or (even better) why they're failing? Thanks!
Check your security groups to make sure that HTTPS traffic is allowed.
Make sure your Network ACLs are allowing traffic from your load balancer to your EC2 instances.
Check your VPC routes to ensure there is a route from your load balancer to your EC2 instances.