How to load balance AWS private subnet EC2 instances - amazon-web-services

If I create an ELB and try to attach the private subnet instances, my health check fails: OutOfService.
Question 1: Can I get an internal / private IP (not an IP but a DNS name) for load balancing, i.e. not accessible to the internet?
Question 2: If I have a public DNS name for my Application Load Balancer, how do I attach EC2 instances that are in my private subnet without an Elastic IP (they aren't internet accessible)?
I am looking for the best approach. Should we have-
ELB --> public subnet EC2 instances (proxy configuration- */* [private_ip]:[port]/* ) ---> Service from Private Subnet/EC2 instance with health checks here.

The traditional architecture is:
Elastic Load Balancer in public subnet
Amazon EC2 instances in private subnet
Security group on Load Balancer permitting port 80 & 443 from 0.0.0.0/0
Security group on instances permitting port 80 from the Load Balancer security group
An Amazon Route 53 Hosted Zone with a CNAME record set pointing to the DNS Name of the Load Balancer
If your instances are failing the Load Balancer health check, check the following:
The instances should have a security group permitting inbound access from the Load Balancer
The Load Balancer health check should be configured with a path to a web page to use for the health check
The instances should have a functioning web server that is responding to the health checks

If you are using an ELB, I would recommend using an Auto Scaling Group to put instances in various AZs/subnets.
Look at this tutorial. The benefit of having an ASG is that you can optionally also have scale in/out policies.
The architecture that you have described is ELB (assuming this is public) -> public EC2 instances (as proxies) -> private EC2 instances.
Rather, you can have your private EC2 instances fronted with an ELB. Not sure if you really need the public EC2 instances.
If your health check is failing you need to ensure that:
a. You are creating the ELB in the right VPC.
b. The ELB -> EC2 communication is set up correctly by ensuring you have the right Security Groups in place on the EC2 instances.
A highly recommended way would be to have the EC2 instances' SG rules set up in such a way that they accept traffic only from the SG of the ELB.

Related

Private EC2 instances shows unhealthy in elb

I am trying to reach two private subnet EC2 instances from an ELB in a public subnet. But the instances are always showing as unhealthy. I tried a lot of options but nothing worked.
Here is the configuration I tried:
1. Created VPC
DNS resolution: Enabled
DNS hostnames: Disabled
Created 2 Public subnets and 2 Private Subnets. The only difference between these two is the Route table.
Auto-assign public IPv4 address is set to "No" in Public Subnet
I have added Internet gateway as a route in Route table of public subnet.
Public subnet - Route Table
Private subnet - Route table
Created two EC2 instances in the private subnet. User data set to Apache web server
The Security group of the instances
Created an ALB in Public subnet
ALB security group config is:
Have also added the default security group to the ALB:
Target group is showing unhealthy for the private EC2 instances
Any help on pointing out why this fails?
Either the EC2 instances are not receiving the request, or they are receiving the request but aren't responding with a 'healthy' response.
Test that the instances are responding to requests
You could launch an EC2 instance in the public subnet, SSH to it and then send requests directly to the EC2 instances to see if they respond (e.g. curl http://private-ip-address).
If they respond correctly, then the instances themselves are fine and the problem lies with the Load Balancer.
Check the Load Balancer security group
You have shown the Inbound rules for the Load Balancer, but you should also check that the Outbound rules permit traffic to exit the Load Balancer and go to the EC2 instances.
First and foremost, check the Apache logs and make sure you see incoming health check samples.
If you don't see them at all, you have a network connectivity issue.
If you do see them, make sure they return a 200 code and that it matches the target group's health check configuration.
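As an added example (not code from any of the answers above), here is a small Python script that performs the log check this answer recommends: it parses Apache combined-format access log lines, keeps only requests whose User-Agent starts with ELB-HealthChecker (the agent string the load balancer's health checks send), and reports per source IP how many probes arrived and how many were answered with a code the target group's matcher accepts. The log lines are constructed sample data, and the matcher default of 200 is an assumption you should align with your own target group.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" log format (not from the original post).
# The source IPs stand in for the load balancer's ENIs in two subnets; the last line is ordinary traffic.
SAMPLE_LOG = """\
10.0.1.25 - - [12/Mar/2024:10:15:01 +0000] "GET /health HTTP/1.1" 200 17 "-" "ELB-HealthChecker/2.0"
10.0.2.40 - - [12/Mar/2024:10:15:01 +0000] "GET /health HTTP/1.1" 200 17 "-" "ELB-HealthChecker/2.0"
10.0.1.25 - - [12/Mar/2024:10:15:31 +0000] "GET /health HTTP/1.1" 404 196 "-" "ELB-HealthChecker/2.0"
203.0.113.7 - - [12/Mar/2024:10:15:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def summarize_health_checks(log_text, healthy_codes=(200,)):
    """Per source IP: probes seen, probes answered with an accepted code, and a
    breakdown by (path, status). healthy_codes should mirror the target group's matcher."""
    probes = defaultdict(lambda: {"total": 0, "healthy": 0, "by_path_status": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["ua"].startswith("ELB-HealthChecker/"):
            continue
        p = probes[rec["ip"]]
        p["total"] += 1
        p["by_path_status"][(rec["path"], rec["status"])] += 1
        if rec["status"] in healthy_codes:
            p["healthy"] += 1
    return dict(probes)

def diagnose(log_text, healthy_codes=(200,)):
    """Map the answer's two cases onto the log: no probes means a network path problem,
    probes with non-matching codes mean an application or matcher problem."""
    probes = summarize_health_checks(log_text, healthy_codes)
    if not probes:
        return "no health-check requests reached Apache: check route tables and security groups"
    failing = {ip: p["by_path_status"] for ip, p in probes.items() if p["healthy"] < p["total"]}
    if failing:
        return f"probes arrive but some return non-matching codes: {failing}"
    return "all health-check probes answered with an accepted code"
```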

AWS Load Balancer access from EKS worker nodes in private subnets

I have an EKS cluster with worker nodes in a private subnet. The worker nodes can access the internet via the NAT gateway. I have a Route 53 hosted zone record routing traffic (alias) to a load balancer.
When I try to access the URL (Route 53 record) from a pod within the EKS cluster, it times out. I tried allowing the worker nodes' security group in the inbound rules of the load balancer security group but it does not work. The only thing that works is if I allow the public IP of the NAT gateway in the inbound rules of the load balancer security group.
I am sure this setup is very common. My question is, is the solution of allowing the NAT gateway public IP in the inbound rules of the LB SG the correct way, or is there a better, cleaner way to allow the access?
Based on what you have described here, it seems like you have an internet-facing load balancer and are trying to access it from the pod. In this case, the traffic needs to go out to the internet (through the NAT gateway) and come back to the load balancer; that is why it only works when you add the public IP of the NAT gateway to the load balancer's SG.
Now, in terms of the solution, it depends on what you are trying to do here:
If you only need to consume the service inside the cluster, you can use the DNS name created for that service inside the cluster. In this case the traffic will stay inside the cluster. You can read more here.
If you need to make the service available to other clusters in the same VPC, you can use a private load balancer and add the security group of the worker nodes to the load balancer SG.
If the service needs to be exposed to the internet, then your solution works, but you have to open the SG of the public load balancer to all public IPs accessing the service.

Routing for private EC2 instances behind Load Balancers in a VPC

I have 4 EC2 instances, 2 in the private subnet of each availability zone (2 AZs), one hosting App A and the other hosting App B. The instances are behind 2 internet-facing ALBs (one ALB for each app), with Route 53 routing the traffic to the corresponding ALB based on the sub-domain name, and 2 NAT Gateways, one in each public subnet, routing internet traffic for the private instances.
I want App A and App B to communicate over HTTPS using the domain name of each app.
Will the traffic for each application come from the load balancer? Each EC2 instance allows traffic only from the security group of its ALB.
Should the security group for each app allow traffic from the other, or will the traffic come from the load balancer?
I have DNS resolution activated for the VPC.
For traffic within the setup you've described, the ingress traffic for the domains will enter through the load balancer, which will then forward the requests to the EC2 instance(s). As long as the load balancer's security group allows the inbound traffic you will receive the traffic.
For egress traffic from your application, it will depend on both your EC2 and routing configuration.
If your EC2 instance resides within a public subnet (and has a public IP address) then the EC2 instance will route traffic via the internet gateway. If your EC2 instance is in a private subnet you will need to use either a NAT Gateway or a NAT instance to route traffic to the internet.
These options will be configured within the route table for the subnet(s) that are applicable. In addition, the outbound security group rules for your EC2 instance will need to allow access to the destination IP, port and protocol that you want. By default the security group will allow all outbound access.

Configuring internal network load balancer with EC2 instance in private VPC

I created an internal network load balancer (NLB) to connect to EC2 instances on a private subnet. I want to restrict access to the EC2 instances only from the network load balancer. I used these instructions https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-register-targets.html#target-security-groups but it did not work.
Basically, I added the IP address of the network interface of the NLB to the security group with my specific port (e.g. 8080 10.4.2.9/32) allowed, but that did not work. When I switched to allow all (e.g. 8080 0.0.0.0/32) it worked, but I do not want other instances to have access to the EC2 instance.
Any ideas on why this is not working?
Thanks
For what you are trying to accomplish, NLB is the wrong load balancer.
NLB is a layer 4 load balancer. This means that the IP address that you see (at the EC2 instance) is the IP address of the client and not the IP address of the load balancer. With NLB you must allow the client's IP address in your security group.
You want a layer 7 load balancer to implement what you want to do (block other systems in your VPC from accessing your EC2 instances directly). This means ALB or the classic ELB.
If you're using a Network Load Balancer, update the security groups for your target instances, because Network Load Balancers do not have associated security groups.
If your target type is an IP, add a rule to your security group to allow traffic from your load balancer to the target IP.
If your target type is an instance, add a rule to your security group to allow traffic from your load balancer and clients to the target IP.
You can allow traffic in the EC2 instance security group. As your instance is in a private subnet, for that you need to launch the load balancer in the same region but in a public subnet.
Know about your use case first.
Best use cases for Network Load Balancer:
When you need to seamlessly support spiky or high-volume inbound TCP requests.
When you need to support a static or elastic IP address.
If you are using container services and/or want to support more than one port on an EC2 instance. NLB is especially well suited to ECS (the Amazon EC2 Container Service).

How to make security groups between a load balancer and EC2

I have recently added an ALB for 2 instances in EC2.
I want to make the ALB and EC2 instances private, so I added a security group for each service.
What I did is that I added the IP addresses of the EC2 instances for HTTPS in the ALB SG, and vice versa in the EC2 SG.
In Route 53, I made a subdomain linking to the DNS name of the ALB.
I tried to test it first using an SG that is public and it works fine and can access the EC2 application.
But after I tried to set the SG for both the ALB and EC2, when I test it, it can't access it.
Where did I go wrong?
A security group can allow traffic from a CIDR range of IP addresses, or from another Security Group. Thus, you should configure the following Security Groups:
ALB-SG: Allow HTTP/S from 0.0.0.0/0 (if you want it open to the world). Associate it with the ALB.
App-SG: Allow HTTP from ALB-SG. Associate it with your EC2 instances (or Auto Scaling group Launch Configuration).
The Application Security Group (App-SG) is thus permitting incoming traffic from the Load Balancer. Or, more specifically, from any resource that is associated with ALB-SG.
Route 53 should have a CNAME record pointing your desired domain name to the DNS Name of the Load Balancer.
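As an added example (not code from any of the answers), the Python audit below checks that a pair of security groups is wired the way this answer and the first answer on this page describe: App-SG admits the application port only from ALB-SG (never from a CIDR), and ALB-SG's outbound rules actually reach the instances, which is the check the earlier health-check answer asks for. The two groups are constructed in the shape returned by aws ec2 describe-security-groups; the sg- ids are placeholders, not real resources.

```python
# Constructed security groups in describe-security-groups shape; the sg- ids are placeholders.
ALB_SG, APP_SG = "sg-0alb0placeholder", "sg-0app0placeholder"

def rule(proto, port, cidrs=(), sgs=()):
    """Build one IpPermissions entry (protocol -1 means all traffic and carries no ports)."""
    r = {"IpProtocol": proto, "IpRanges": [{"CidrIp": c} for c in cidrs],
         "UserIdGroupPairs": [{"GroupId": s} for s in sgs]}
    if proto != "-1":
        r["FromPort"] = r["ToPort"] = port
    return r

GROUPS = [
    {"GroupId": ALB_SG, "GroupName": "ALB-SG",
     "IpPermissions": [rule("tcp", 80, cidrs=["0.0.0.0/0"]), rule("tcp", 443, cidrs=["0.0.0.0/0"])],
     "IpPermissionsEgress": [rule("tcp", 80, sgs=[APP_SG])]},
    {"GroupId": APP_SG, "GroupName": "App-SG",
     "IpPermissions": [rule("tcp", 80, sgs=[ALB_SG]),
                       rule("tcp", 22, cidrs=["0.0.0.0/0"])],   # the kind of rule the audit should flag
     "IpPermissionsEgress": [rule("-1", None, cidrs=["0.0.0.0/0"])]},
]

def covers(r, port):
    return r["IpProtocol"] == "-1" or (r["IpProtocol"] == "tcp" and r["FromPort"] <= port <= r["ToPort"])

def sources(r):
    return ([x["CidrIp"] for x in r["IpRanges"]], [x["GroupId"] for x in r["UserIdGroupPairs"]])

def audit(groups, alb_sg, app_sg, app_port):
    """Return a list of findings; an empty list means the ALB-SG / App-SG pattern is wired as described."""
    by_id = {g["GroupId"]: g for g in groups}
    alb, app = by_id[alb_sg], by_id[app_sg]
    findings = []
    alb_reaches_app = False
    for r in app["IpPermissions"]:
        cidrs, sgs = sources(r)
        if cidrs:   # private instances should not be reachable by CIDR at all, least of all 0.0.0.0/0
            findings.append(f"App-SG ingress on port {r.get('FromPort', 'all')} from CIDR {cidrs}: use a source SG instead")
        if covers(r, app_port):
            alb_reaches_app |= alb_sg in sgs
            if [s for s in sgs if s != alb_sg]:
                findings.append(f"App-SG port {app_port} also trusts {sgs}; only ALB-SG should be listed")
    if not alb_reaches_app:
        findings.append(f"App-SG has no port {app_port} rule from ALB-SG: health checks will be OutOfService")
    # Outbound side of ALB-SG: the load balancer must be allowed to send to the instances' port.
    if not any(covers(r, app_port) and (app_sg in sources(r)[1] or "0.0.0.0/0" in sources(r)[0])
               for r in alb["IpPermissionsEgress"]):
        findings.append(f"ALB-SG egress does not permit port {app_port} to the instances")
    return findings
```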