Internal load balancer: Connection refused (google-cloud-platform)

I am trying to set up an internal load balancer on GCP, and the problem is that when I try to access it via another instance in the same VPC, I get a "Connection refused" error. Firewall rules have been checked, and I have cross-checked that the load balancer and the standalone instance that is trying to access it are in the same subnet.

Internal load balancers are regional, i.e. an instance in us-east cannot communicate with an internal load balancer in us-central, even within the same VPC.
You should make sure that your source VM's subnet is in the same region as your ILB's.
As a potential workaround you could use this

Related

Why can't my EC2 instance connect via HTTP to my load balancer?

I set my load balancer to allow traffic on port 80 to the security group of my EC2 instance, but the load balancer refuses to connect. To do a sanity check, when I allow HTTP traffic from my IP to the load balancer, I'm able to connect seamlessly. I can only access the load balancer from my EC2 instance when I allow all traffic to port 80 on my load balancer. I keep checking back and forth to make sure the security group that the EC2 instance is in is the same as the one that the load balancer should allow, so I know it's not that. What else could be blocking the traffic?
Context: I used a load balancer because I wanted a static address for my EC2 instances to access and I don't want the IP to be dynamic. Basically, behind the load balancer is one coordinator instance that I want to manage jobs for the auto scaling EC2 instances. The load balancer can be internal for the purposes I need it for.
Network traffic between an EC2 instance and a public facing load balancer will go out to the Internet and back, it won't stay within the VPC. Once the request leaves the VPC it loses its association with the source security group, which is why your security group rule isn't working. If the EC2 instance has an Elastic IP address assigned to it, you could try adding that to the load balancer's security group instead.
There is probably a better way to do what you are trying to do without having your EC2 instance access a public load balancer. Perhaps the load balancer could be converted to an internal load balancer? Or maybe there is a better way for this EC2 server to communicate with the resources behind the load balancer directly somehow. You would need to post more information about your system and your desired goal for help with that.

AWS Global Accelerator static IP not working

So I have just set up an application load balancer, but I need a static IP to whitelist my database connection. I found that Global Accelerator can do the job, so I have set it up and assigned it to the ALB. All is showing fine in the console, but when I ping my domain (www.example.com), I don't see either of the 2 static IPs assigned... and when I whitelist both IPs my application still cannot connect.
Am I doing something wrong?
Edit: My database is MongoDB hosted on the Atlas Cloud. In my staging environment I have secured the connection to a single server instance using that server's IP address. Now that I'm moving to a production environment with a load balancer, I'm not quite sure how I would achieve the same result, since I have multiple EC2 instances which can be created/destroyed via autoscaling. My thinking is that I need to whitelist the load balancer IP address rather than individual instances.
I am assuming that your architecture is:
Domain name pointing to an Application Load Balancer in AWS
Load Balancer points to an Auto Scaling group of Amazon EC2 instances
The EC2 instances point to your MongoDB database hosted on the Atlas Cloud
You want a static IP address so that the database can permit access from the Amazon EC2 instances
While incoming traffic to the EC2 instances goes through the Load Balancer, please note that the connection from an EC2 instance to the database is a separate outbound connection that is established to the database. This traffic does not go through the Load Balancer. The only traffic coming 'out' of a Load Balancer is the response to requests that came 'in'.
The typical way to implement this architecture is:
Load Balancer in public subnets
Auto-Scaled Amazon EC2 instances in private subnets
A NAT Gateway in the public subnet(s)
This way, the instances in the private subnets can access the Internet via the NAT Gateway, yet they are fully isolated from traffic coming in from the Internet. It has the additional benefit that the NAT Gateway has a static IP address. All traffic going through the NAT Gateway to the Internet will 'appear' to be coming from this IP address.
For fault tolerance, it is recommended to put a NAT Gateway in at least two Availability Zones. Each will have its own static IP address.
Oh, and you could consider moving your database to Amazon DocumentDB (with MongoDB Compatibility), which would reduce latency between the application servers and the database.

Not able to access Internal load balancer from outside of VPC

I have created one internal load balancer and deployed an application on that internal network. For testing purposes I have created one instance in the same VPC called "instance1". I am able to curl the load balancer from this instance1, but I am not able to ping this internal load balancer from outside the VPC.
My future plan is to deploy UI on external load balancer and call internal load balancer from there.
My query is: as I am not able to connect to the internal load balancer from outside, how will my UI instance be able to do the same?
Internal load balancers are for internal connections only. To reach your load balancer from a different network, you can use VPC Peering (connecting two GCP networks) or Interconnect products (VPN or direct connection) for secured/dedicated intranet access.
If your application is intended to be accessible from the outside world (the internet), you can use an external load balancer (Layer 4 or Layer 7 if your application is HTTP based).

Can't connect to AWS Network Load Balancer with Fargate

I've created a Network Load Balancer for use with ECS Fargate. When I try to connect to the load balancer (using either the ELB domain name or its IP addresses) it won't connect. I don't even see the connection in the flow logs. The machine I'm using to connect to the LB can reach the instances fine, but when I try to hit it through the load balancer I don't get a TCP connection. The security group on the Fargate containers allows anything from anywhere. The load balancer shows the instances' health checks as "Healthy", but I still can't get to them.
Changing the ECS task definition to use awsvpc network mode instead of bridge mode resolved this issue for us.

Stitching together AWS API Gateway and Private EC2 Instances

I've spent the majority of today reading google results and documentation on how to connect AWS API Gateway to EC2 instances (created by Elastic Beanstalk) in a private subnet. I know that API Gateway requires targets to be publicly addressable, so...
I manually created an Application Elastic Load Balancer that listens for (and terminates) HTTPS at a public IP address;
I created a VPC with two subnets: one public (holds load balancer) and one private (holds EC2 instances); and,
I believe I have to create security groups that allow everyone/everywhere to connect to the load balancer, but only entities in my public subnet to connect to my EC2 instances.
Unfortunately I'm unable to view the sample Beanstalk application via the load balancer's DNS name. The connection just times out.
Can someone please confirm I've identified all the steps? Is there any way I can trace my requests to see where they're failing? Or (even better) why they're failing? Thanks!
Check your security groups to make sure that HTTPS traffic is allowed
Make sure your Network ACLs are allowing traffic from your load balancer to your EC2 instances
Check your VPC routes to ensure there is a route from your load balancer to your EC2 instance
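The three checks in this answer (security groups, network ACLs, routes) and the earlier point that a security-group-referenced rule cannot match traffic that has left the VPC and come back through a public load balancer can be walked through offline. The script below is an added example, not code from any of the answerers or from AWS: it evaluates dicts shaped like the JSON that `aws ec2 describe-security-groups`, `describe-network-acls` and `describe-route-tables` return, so a practitioner can paste real output into it. Every group id, CIDR and IP in it is constructed sample data, and `diagnose` is a hypothetical helper name.

```python
"""Offline checker for the path load balancer -> EC2 instance inside a VPC.

Added example. Models the answer's checklist over dicts shaped like the
EC2 describe-* JSON. All ids, CIDRs and IPs below are constructed samples.
"""
import ipaddress

EPHEMERAL = (1024, 65535)  # reply packets from the instance use these source ports


def ip_in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def sg_allows_inbound(sg, port, src_ip, src_sg_ids):
    """True if an ingress rule of `sg` admits TCP `port` from the source.

    `src_sg_ids` are the security groups on the sending ENI. Pass an empty set
    for traffic that left the VPC and came back through a public load balancer:
    such a packet carries only a public source IP, so rules that reference a
    source security group never match it (the point made in the EC2 answer).
    """
    for rule in sg["IpPermissions"]:
        proto = rule["IpProtocol"]
        if proto not in ("tcp", "-1"):
            continue
        if proto == "tcp" and not rule["FromPort"] <= port <= rule["ToPort"]:
            continue
        if any(ip_in_cidr(src_ip, r["CidrIp"]) for r in rule.get("IpRanges", [])):
            return True
        if any(p["GroupId"] in src_sg_ids for p in rule.get("UserIdGroupPairs", [])):
            return True
    return False


def nacl_allows(acl, egress, port, peer_ip):
    """Evaluate a network ACL the way the VPC does: lowest rule number first,
    the first matching entry decides, implicit deny if nothing matches.
    NACLs are stateless, so inbound and outbound must each be checked."""
    entries = sorted((e for e in acl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        if e["Protocol"] not in ("6", "-1"):  # "6" is TCP, "-1" is all protocols
            continue
        pr = e.get("PortRange")
        if e["Protocol"] == "6" and pr and not pr["From"] <= port <= pr["To"]:
            continue
        if not ip_in_cidr(peer_ip, e["CidrBlock"]):
            continue
        return e["RuleAction"] == "allow"
    return False


def has_route(route_table, dst_ip):
    """True if an active route in the instance subnet's table covers dst_ip."""
    return any(ip_in_cidr(dst_ip, r["DestinationCidrBlock"])
               and r.get("State", "active") == "active"
               for r in route_table["Routes"] if "DestinationCidrBlock" in r)


def diagnose(instance_sg, subnet_acl, subnet_rt, lb_ip, lb_sg_id, port=443):
    """Run the checklist for one load balancer node IP and one instance subnet."""
    return {
        "sg_inbound": sg_allows_inbound(instance_sg, port, lb_ip, {lb_sg_id}),
        "nacl_inbound": nacl_allows(subnet_acl, False, port, lb_ip),
        # replies leave on an ephemeral port; spot-check both ends of the range
        "nacl_return": all(nacl_allows(subnet_acl, True, p, lb_ip) for p in EPHEMERAL),
        "route_back_to_lb": has_route(subnet_rt, lb_ip),
    }


# --- constructed sample data (not from a real account) ----------------------
LB_SG_ID = "sg-lb-example"
APP_SG = {"GroupId": "sg-app-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": LB_SG_ID}]}]}


def _acl(outbound_entries):
    deny_all = {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
                "CidrBlock": "0.0.0.0/0"}
    return {"Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "10.0.1.0/24", "PortRange": {"From": 443, "To": 443}},
        dict(deny_all, Egress=False), *outbound_entries, dict(deny_all, Egress=True)]}


# Broken: outbound only allows 443, so the instance's replies on ephemeral ports are dropped.
BROKEN_ACL = _acl([{"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
                    "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}}])
# Fixed: outbound allows the ephemeral range back to the load balancer's subnet.
FIXED_ACL = _acl([{"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
                   "CidrBlock": "10.0.1.0/24", "PortRange": {"From": 1024, "To": 65535}}])
PRIVATE_RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16",
                          "GatewayId": "local", "State": "active"}]}

if __name__ == "__main__":
    print("broken NACL:", diagnose(APP_SG, BROKEN_ACL, PRIVATE_RT, "10.0.1.25", LB_SG_ID))
    print("fixed NACL: ", diagnose(APP_SG, FIXED_ACL, PRIVATE_RT, "10.0.1.25", LB_SG_ID))
    print("public path matches SG rule:", sg_allows_inbound(APP_SG, 443, "203.0.113.10", set()))
```

The broken ACL passes the security group and route checks and fails only `nacl_return`, which is the classic stateless-ACL mistake that produces exactly the "health checks fine, but the connection times out" symptom; the last line shows why allowing a source security group does nothing for requests that arrive from a public address.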