Attaching ELB to ASG in Private Subnet - amazon-web-services

Thanks for your time in advance. I am pretty new to AWS and trying to setup a cloud facing application processing HTTP / HTTPS requests.
I have a domain name (example.com) attached to the Elastic Load Balancer (ELB), and my requirement is just to have an ELB attached to an Auto Scaling group (ASG) which would have a min-max of 2-5 EC2s. Preferably I would want the EC2s created by the ASG to be placed in a private subnet.
I was following the solution provided here, but as I understand in step 5, it is for connecting the ELB to existing EC2 instances. But my requirement is to attach it to a ASG and hence cannot connect to specific EC2 instances.
I am focusing on just two AZs for now and created a public and a private subnet in each of the two AZs. After creating the ELB and attaching it to the two public subnets, I proceeded to the Launch Configuration & ASG. I would request some clarification on the implications of the following selections while setting up the LC and ASG.
While creating a Launch Configuration for an ASG, in one of the steps (IP Address Type) I have three options, namely:
(1) Give Public IP to new instances if created in default VPC/SubNet
(2) Always Public IP for new instances
(3) No Public IP for new instances.
Which one of the above should be selected given my requirement?
Additional Questions
When selecting the subnets while creating the ASG, should I select both public and private subnets, only the public SN, or only the private SN? My guess was private subnet only, as I wanted to place the EC2s in the private SN.
If the EC2s created by the ASG will be deployed in Private SN, what else should be present in the public subnet?
Thanks again for your time and guidance.
Update on 6/13
For the questions I had posted above, I went ahead with choices as below:
While creating a Launch Configuration for an ASG, IP Address Type : No Public IP for new instances.
When selecting the subnets while creating ASG : Only Private SN
I placed a NAT Gateway in the public subnet and updated the routing table of the private subnet to include a route for 0.0.0.0/0 to the NAT.
Things are working now!!

You can find the AWS document on attaching to an Auto Scaling group here. You attach the ELB to the ASG, or if it's an Application Load Balancer you attach the target group for your ALB to the ASG:
To attach a load balancer to a group
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
On the navigation pane, under Auto Scaling, choose Auto Scaling Groups.
Select your group.
On the Details tab, choose Edit.
Do one of the following:
[Classic Load Balancers] For Load Balancers, select your load balancer.
[Target groups] For Target Groups, select your target group.
Choose Save.
You do not need public IP addresses if your instances will be behind an ELB. You should also launch them in a private subnet. Your ELB will be in public subnets and relay communications to your instances in those private subnets. The ELB will also be assigned a DNS name, which you alias to a custom DNS name of your own.
From the docs above, you can also attach and detach using the CLI:
To attach a Classic Load Balancer
Use the following attach-load-balancers command to attach the specified load balancer to your Auto Scaling group:
aws autoscaling attach-load-balancers --auto-scaling-group-name my-asg --load-balancer-names my-lb
To attach to a target group
Use the following attach-load-balancer-target-groups command to attach the specified target group to your Auto Scaling group:
aws autoscaling attach-load-balancer-target-groups --auto-scaling-group-name my-asg --target-group-arns my-targetgroup-arn
To detach a Classic Load Balancer
Use the following detach-load-balancers command to detach a load balancer from your Auto Scaling group if you no longer need it:
aws autoscaling detach-load-balancers --auto-scaling-group-name my-asg --load-balancer-names my-lb
To detach a target group
Use the following detach-load-balancer-target-groups command to detach a target group from your Auto Scaling group if you no longer need it:
aws autoscaling detach-load-balancer-target-groups --auto-scaling-group-name my-asg --target-group-arns my-targetgroup-arn
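The same attachment as Terraform, as an added example (not the answer's own code and not AWS documentation): an Application Load Balancer in the public subnets, a target group with an HTTP health check, a launch template that corresponds to the "No Public IP for new instances" launch-configuration option from the question, and an Auto Scaling group (min 2, max 5) placed only in the private subnets and registered through target_group_arns, which is the declarative equivalent of attach-load-balancer-target-groups. The VPC, subnet, security group and AMI IDs are variables and are assumptions.

```hcl
# Added example, not the answer's own code. The IDs below are assumed inputs
# (for instance the outputs of the VPC layout described in the question's update).
variable "vpc_id" {}
variable "public_subnet_ids" { type = list(string) }  # the ALB goes here
variable "private_subnet_ids" { type = list(string) } # the EC2 instances go here
variable "alb_sg_id" {}                               # SG admitting 80/443 from the internet
variable "instance_sg_id" {}                          # SG admitting 80 from alb_sg_id only
variable "ami_id" {}

resource "aws_lb" "web" {
  name               = "web-alb"
  load_balancer_type = "application"
  internal           = false
  subnets            = var.public_subnet_ids
  security_groups    = [var.alb_sg_id]
}

# Target group: the ASG registers instances here; the ALB health-checks a real page.
resource "aws_lb_target_group" "web" {
  name     = "web-tg"
  port     = 80
  protocol = "HTTP"
  vpc_id   = var.vpc_id

  health_check {
    path                = "/healthz"
    matcher             = "200"
    interval            = 15
    healthy_threshold   = 2
    unhealthy_threshold = 3
  }
}

resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.web.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# Launch template: the equivalent of "No Public IP for new instances".
resource "aws_launch_template" "web" {
  name_prefix   = "web-"
  image_id      = var.ami_id
  instance_type = "t3.micro"

  network_interfaces {
    associate_public_ip_address = false
    security_groups             = [var.instance_sg_id]
  }

  # Require IMDSv2 so a request-forgery bug in the app cannot read instance credentials.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}

# ASG: private subnets only, 2..5 instances, registered with the target group.
resource "aws_autoscaling_group" "web" {
  name                      = "web-asg"
  min_size                  = 2
  max_size                  = 5
  desired_capacity          = 2
  vpc_zone_identifier       = var.private_subnet_ids
  target_group_arns         = [aws_lb_target_group.web.arn]
  health_check_type         = "ELB" # replace instances the ALB marks unhealthy
  health_check_grace_period = 120

  launch_template {
    id      = aws_launch_template.web.id
    version = "$Latest"
  }
}

output "alb_dns_name" { value = aws_lb.web.dns_name }
```

An HTTPS listener with an ACM certificate is left out for brevity. After apply, `aws elbv2 describe-target-health --target-group-arn <arn>` should list the ASG's instances as healthy; the ASG's "Load Balancers" field stays empty, because that field is only for Classic Load Balancers.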

Related

Network load balancer in single AZ, Application load balancer & ec2 in multiple with cross zone issues

I have an elastic beanstalk application which has an ALB and ec2 instances that can be created in any of the 6 AZ's based on the auto scaling policy.
I then put an NLB in front to create a single static IP which seems to work fine as long as at least 1 ec2 instance exists in the same AZ that the NLB lives. If ec2 instances exist only in other AZ's the health check is timing out and the routing isn't working from the NLB anymore. Is the below a possible configuration?
Create Security Group/s that allow traffic between ALB and EC2.
Create SG for EC2 instance to allow traffic from SG

Whitelist EC2 instances in ASG to access AWS WAF

I have a CloudFront distribution with WAF (Web Application Firewall) attached to it, to restrict public access.
I also have a fleet of EC2 instances running under an ASG (Auto Scaling Group) and I wish to whitelist the EC2 instances to access the CloudFront distribution. Is it possible to create such a configuration in my infrastructure?
Please note that the IP addresses of the EC2 instances are not fixed. They are controlled by the ASG attached. Also, the ASG is created in a public subnet.
Any help would be appreciated. Thanks
You would have to trigger some sort of script every time the ASG adds an instance, to add the instance's public IP to the WAF.
I would suggest moving the EC2 instances to private subnets with routes to NAT gateways, then you would only have to whitelist the Elastic-IPs of the NAT Gateway(s).
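The second suggestion as Terraform, as an added example that is not the answer's own code. It uses WAFv2 (the current WAF API) rather than the original WAF; the NAT gateway IDs are an assumed input, and the lookup of their public IPs through the aws_nat_gateway data source is what makes the allowlist independent of which instances the ASG currently runs.

```hcl
# Added example, not the answer's own code. NAT gateway IDs are assumed inputs;
# the default provider (region of the VPC) is assumed to be configured elsewhere.
variable "nat_gateway_ids" { type = list(string) }

# WAF resources that protect CloudFront must be created in us-east-1.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

# Look up the public (Elastic) IP of each NAT gateway.
data "aws_nat_gateway" "egress" {
  for_each = toset(var.nat_gateway_ids)
  id       = each.value
}

# The allowlist: one /32 per NAT gateway. Instances in the private subnets all
# egress through these addresses, so the set never changes when the ASG scales,
# unlike the instances' own public IPs.
resource "aws_wafv2_ip_set" "nat_egress" {
  provider           = aws.us_east_1
  name               = "asg-nat-egress"
  scope              = "CLOUDFRONT"
  ip_address_version = "IPV4"
  addresses          = [for g in data.aws_nat_gateway.egress : "${g.public_ip}/32"]
}

# Web ACL: block by default, allow only requests from the NAT addresses.
resource "aws_wafv2_web_acl" "restrict" {
  provider = aws.us_east_1
  name     = "cf-allow-nat-egress-only"
  scope    = "CLOUDFRONT"

  default_action {
    block {}
  }

  rule {
    name     = "allow-nat-egress"
    priority = 1

    action {
      allow {}
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.nat_egress.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-nat-egress"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "cf-allow-nat-egress-only"
    sampled_requests_enabled   = true
  }
}

# Attach to the distribution with web_acl_id = aws_wafv2_web_acl.restrict.arn
# on the aws_cloudfront_distribution resource.
output "web_acl_arn" { value = aws_wafv2_web_acl.restrict.arn }
```

The caveat: an IP allowlist is coarse. Everything that egresses through those NAT gateways, including any other workload in the same private subnets and anyone who gets code execution on those instances, is inside the allowlist. Treat it as a network-level filter, not as authentication of the calling service.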

How to load balance AWS private subnet EC2 instances

If I create an ELB and try to attach the private subnet instances, my health check fails: OutOfService.
Question 1: Can I get an internal / private IP (not an IP but a DNS name) for load balancing, i.e. not accessible from the internet?
Question 2: If I have a public DNS name for my Application Load Balancer, how do I attach EC2 instances that are in my private subnet without an Elastic IP (aren't internet accessible)?
I am looking for the best approach. Should we have-
ELB --> public subnet EC2 instances (proxy configuration- */* [private_ip]:[port]/* ) ---> Service from Private Subnet/EC2 instance with health checks here.
The traditional architecture is:
Elastic Load Balancer in public subnet
Amazon EC2 instances in private subnet
Security group on Load Balancer permitting port 80 & 443 from 0.0.0.0/0
Security group on instances permitting port 80 from the Load Balancer security group
An Amazon Route 53 Hosted Zone with a CNAME record set pointing to the DNS Name of the Load Balancer
If your instances are failing the Load Balancer health check, check the following:
The instances should have a security group permitting inbound access from the Load Balancer
The Load Balancer health check should be configured with a path to a web page to use for the health check
The instances should have a functioning web server that is responding to the health checks
If you are using an ELB, I would recommend using an Auto Scaling Group to put instances in various AZs/subnets.
Look at this tutorial. The benefit of having an ASG is that you can optionally also have scale in/out policies.
The architecture that you have described is ELB (assuming this is public) -> public EC2 instances (as proxies) -> private EC2 instances.
Rather, you can have your private EC2 instances fronted with an ELB. Not sure if you really need the public EC2 instances.
If your health check is failing you need to ensure that:
a. You are creating the ELB in the right VPC.
b. The ELB -> EC2 communication is setup correctly by ensuring you have the right Security Groups in place on the EC2 instances.
A highly recommended way would be to have the EC2 instances SG rules setup in such way that they accept traffic only from the SG of the ELB.
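The security group arrangement that both answers above describe (the load balancer open to the internet on 80 and 443, the instances accepting port 80 only from the load balancer's security group, and a Route 53 record pointing at the load balancer), as Terraform. This is an added example, not either answer's own code; the VPC ID, the ALB's DNS name and hosted zone ID, and the Route 53 zone are assumed inputs.

```hcl
# Added example, not the answers' own code. The VPC, ALB attributes and hosted
# zone are assumed inputs (e.g. aws_lb.web.dns_name and aws_lb.web.zone_id).
variable "vpc_id" {}
variable "alb_dns_name" {}
variable "alb_zone_id" {}
variable "route53_zone_id" {} # hosted zone for example.com

# Load balancer SG: the only thing open to the internet, and only on 80/443.
resource "aws_security_group" "alb" {
  name   = "web-alb-sg"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Instance SG: port 80 from the ALB's security group only. No CIDR rule, so
# nothing but the load balancer (which also originates the health checks) can
# reach the instances, whatever addresses the ALB nodes happen to use.
resource "aws_security_group" "instance" {
  name   = "web-instance-sg"
  vpc_id = var.vpc_id

  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }

  # Outbound via the NAT gateway (updates, API calls); tighten if the app does not need it.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# DNS: an alias record at the zone apex pointing at the ALB. A CNAME works for
# a name such as www.example.com but is not allowed at the apex; an alias is.
resource "aws_route53_record" "apex" {
  zone_id = var.route53_zone_id
  name    = "example.com"
  type    = "A"

  alias {
    name                   = var.alb_dns_name
    zone_id                = var.alb_zone_id
    evaluate_target_health = true
  }
}
```

With this in place, an OutOfService health check comes down to the remaining two items from the first answer: the target group's health check path must exist, and the instances must actually be serving it on port 80. An instance SG that opens port 80 to 0.0.0.0/0 would also pass the health check, but it lets anything in the VPC bypass the load balancer, which is why the reference to the ALB's security group is the recommended rule.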

AWS Network Load Balancer questions

I need an ELB that has a static IP and fronts an auto scaling group.
Looking at the recent announcement, Network Load Balancers can do both of these things. However, when I try setting up a NLB I don't see where to set/get the static IP, nor do I see a way to associate it with an auto scaling group.
When I edit my auto scaling group I search for the NLB previously created in its list of ELBs and the NLB isn't present as a choice.
1) How do I associate an auto scaling group to a NLB?
I'm not sure I understand the concept of target groups with regards to a NLB and auto scaler. If I create a target group, it wants specific instance names or IP's of EC2 instances.
2) Given that those names/IPs change when auto scaler adds/removes instances, how do I know?
3) How/where do I get a static IP for my NLB?
1) Use a command like aws autoscaling attach-load-balancers --auto-scaling-group-name my-asg --load-balancer-names my-lb, see http://docs.aws.amazon.com/autoscaling/latest/userguide/attach-load-balancer-asg.html?shortFooter=true
2) You don't need to know; the ASG knows.
3) Attach an Elastic IP, one per subnet the NLB is associated with.
OK, figured this out. The sequence is as follows:
Create an empty Target Group
Create a Network Load Balancer. Associate with the empty Target Group
Create an Autoscaling Group with your desired Launch Config, desired counts, and Target Group from above. Leave the Load Balancer empty.
Click on Network Interfaces (left side nav bar in the EC2 services area) and find those associated with your NLB (you can search for the NLB name). The found entry(s) will show the static IP of the NLB.
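The sequence from this answer as Terraform, as an added example that is not the answer's own code: one Elastic IP per subnet mapped into the NLB, an initially empty TCP target group, a listener, and an ASG registered through target_group_arns with the "Load Balancers" field left empty. It also turns on cross-zone load balancing, which is off by default on an NLB and is the usual cause of the single-AZ behaviour described in the "Network load balancer in single AZ" question above. The VPC, subnet and launch template IDs are assumed inputs.

```hcl
# Added example, not the answer's own code. Subnet, VPC and launch template IDs
# are assumed inputs.
variable "vpc_id" {}
variable "public_subnet_ids" { type = list(string) }  # one per AZ the NLB serves
variable "private_subnet_ids" { type = list(string) } # where the ASG places instances
variable "launch_template_id" {}

# One Elastic IP per NLB subnet: these are the static addresses. Reading them
# from here is simpler than searching the Network Interfaces list for the NLB's ENIs.
resource "aws_eip" "nlb" {
  count  = length(var.public_subnet_ids)
  domain = "vpc"
}

resource "aws_lb" "tcp" {
  name               = "web-nlb"
  load_balancer_type = "network"
  internal           = false

  # Off by default for NLBs. When off, an NLB node in a zone with no healthy
  # targets of its own sends no traffic to targets in other zones.
  enable_cross_zone_load_balancing = true

  # subnet_mapping (not subnets) is what lets you pin an EIP to each zone.
  dynamic "subnet_mapping" {
    for_each = var.public_subnet_ids
    content {
      subnet_id     = subnet_mapping.value
      allocation_id = aws_eip.nlb[subnet_mapping.key].id
    }
  }
}

# Empty target group; the ASG fills it, so instance names or IPs are never
# entered by hand.
resource "aws_lb_target_group" "tcp" {
  name        = "web-nlb-tg"
  port        = 80
  protocol    = "TCP"
  target_type = "instance"
  vpc_id      = var.vpc_id
}

resource "aws_lb_listener" "tcp" {
  load_balancer_arn = aws_lb.tcp.arn
  port              = 80
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.tcp.arn
  }
}

# ASG registered with the target group; the Classic "Load Balancers" list stays empty.
resource "aws_autoscaling_group" "web" {
  name                = "web-nlb-asg"
  min_size            = 2
  max_size            = 5
  vpc_zone_identifier = var.private_subnet_ids
  target_group_arns   = [aws_lb_target_group.tcp.arn]
  health_check_type   = "ELB"

  launch_template {
    id      = var.launch_template_id
    version = "$Latest"
  }
}

output "nlb_static_ips" { value = aws_eip.nlb[*].public_ip }
```

Unlike an ALB, an NLB with instance targets passes the client's source address through to the instance. The instance security group therefore has to admit port 80 from the client ranges (and health checks from the VPC CIDR) rather than from a load balancer security group, unless the NLB is itself given a security group, which newer NLBs support.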

What do these Elastic Beanstalk VPC options mean (public IP, subnets for ELB/EC2, and security group)?

I was setting up an environment using Elastic Beanstalk and I wanted the hosts to be a part of the default VPC for my account. I didn't really understand what the options meant. See the below image for an example:
Associate Public IP Address - How does this differ from the ELB visibility?
Subnets for ELB and EC2 - What do these do? The set-up wizard requires at least one box is selected. During my setup I selected all of the boxes.
VPC Security Group - How does this differ from the security group of the EC2 hosts. I use the security groups to SSH onto the hosts. Why does the VPC need a security group?
If selected, the ELB will be created with a public IP address associated to it (or the EC2 instance will, if you select single instance instead of load balanced during the setup). Visibility is just for ACLs, and won't actually give it a publicly accessible IP.
In a common VPC setup, you'll have both public and private subnets with a NAT in between them. Things in the public subnet can usually access the Internet and private subnet. Private subnet can usually just access the local subnet. In a load balanced EB environment, you'd typically place the ELB in the public subnet and the EC2 instance(s) in the private subnet.
VPC security groups are for your resources (anything in your VPC). They're just prefixed with the term VPC so as to distinguish between VPC security groups and legacy EC2 security groups (for EC2 instances that are not part of any VPC). The option in the UI only affects the EC2 resources in your VPC though, I believe, not the ELB.