I have setup an internet facing classic load balancer and when I provision an EC2 instance with a public IP address the load balancer can do the health check successfully but if I provision an identical instance without a public IP address the health check always fails. Everything is the same apart from not adding a public IP address. Same subnet, security groups, NACL etc.
The health check is TCP 80 ping. I have a web server on all instances and LB is listening on port 80.
Any ideas why it could be failing?
Solved. The instance without a public IP is failing to download and install the web server (httpd) so that is why the TCP 80 ping is failing. To access the web I need to use a NAT gateway or put a public IP on it.
curl -I 80 will show you if your web server is listening on that port.
Related
I created a new EC2 instance and a new SG and set the inbound rules to accept custom TCP on port 8080 as well as HTTP and SSH and use that one for my EC2 instance. I can ping the Public DNS and get a "connection refused". The problem is when I create a simple node server on the instance and start it to listen to port 8080, ec2-x-x-x-x.compute-1.amazonaws.com:8080 times out.
Now, if I reroute incoming traffic from port 80 to port 8080 using iptables I can just call the Public DNS and of course I get a response. I also can use a load balancer for this purpose but my question is, does the Public DNS resolve to the VPC? why can't I just hit the endpoint ec2-x-x-x-x.compute-1.amazonaws.com:8080 and get a response from the node server that's running on my instance?
We have a web-application page exposed at port 9090 on an EC2 instance that lives in the private subnet of our AWS setup.
We have a bastion host that is in the public subnet, and it can talk to the instance in the private subnet. We can also ssh to the instance thru the ssh tunnel of the bastion.
Is there a guide to setting up a proxy on this bastion host to access the webpage in the browser that is served on the http://PrivateSubnetEC2Isntance:9090/, by redirecting the traffic to/from http://PublicBastion:9090/?
I tried setting up a HAProxy (on bastion), but it doesn't seem to work: there are no errors in the HAproxy logs, but accessing the page http://PublicBastion:9090 just times-out.
Though this is not an answer, most likely it could be due to:
Security group rules: Did you open port 9090 for everyone in Bastion security group?
Is your HAProxy listening on 0.0.0.0 and not on 127.0.0.1?
I created VPC with public and private subnets like this:
public subnet : bastion server, elastic load balancer, igw
private subnet : ec2 instance(app is running with http 8080 port), nat gateway
Following is the listeners config.
load balancer protocol : http
load balancer port : 80
instance protocol : http
instance port : 8080
When I try with the command 'wget -O - http://elb-xxxxx.us-west-2.elb.amazonaws.com', the result is
Resolving elb-xxxxx.us-west-2.elb.amazonaws.com (elb-xxxxx.us-west-2.elb.amazonaws.com)...
52.x.x.x., 52.x.x.x, 54.x.x.x, ...
Connecting to elb-xxxxxx.us-west-2.elb.amazonaws.com (elb-xxxxxx.us-west-2.elb.amazonaws.com)|52.x.x.x|:80...
failed: Connection timed out.
However, status of load balancer is 'inService' and elb's healthcheck is working!(elb is calling the app's api normally)
When I installed my app on the bastion server in the public subnet, I could access to the app with web broswer and it worked normally.
In sum, VPC and its routing configuration seem to be correct, and elb is also watching the instance correctly.
However, if I try to access to app through elb with elb's DNS name, connection timed out error occurs.
I am stuck in this and need help from you..
I found the problem by myself. I mistakenly added both public and private subnet to elb.. Thanks though..!
Did you by any chance neglect to provide a security group with inbound port 80 open for your load balancer? Here's a link re: setting up security groups for ELB in EC2-classic or VPC.
I'm new to setting up applications and currently facing issues connecting to my IP address.
Recently, I launched my first AWS instance and it was working fine before I attached it to an Elastic IP (trying to attach to my GoDaddy domain). The instance state is "running" and everything looks healthy, but when I go to the Public IP/Elastic IP, I get an error message saying: "This site can’t be reached. XX.XXX.XX.XXX refused to connect". I'm using a Mac and my web server is listening on port 80.
Things I have checked:
internet connection is working
not using any firewall/anitvirus
emptied all cache/cookies
not using a proxy server
My Security Group
– inbound ports 80, 8080, 22 and 3389;
– outbound ports 8080, All traffic.
My VPC
– subnet ID is verified and "available"
– route Tables 172.31.0.0/16 & 0.0.0.0/0 are "active", not propagated
Can someone help and please point out what I'm doing wrong?
Attaching an Elastic IP Address to an Amazon EC2 instance does not change anything on the instance itself. It is purely an assignment of a Public IP Address within the Amazon VPC.
Amazon EC2 instances do not normally know their own public IP address. Instead, traffic sent to the Public IP Address is routed through the Internet Gateway and then to the private IP address of the instance. As long as you did not somehow configure the old public IP address within the instance, the assignment of the Elastic IP Address should not be a problem.
You can remove the Elastic IP Address and try connecting again -- the instance will receive an auto-assigned IP address again (which might change whenever you start/stop the instance).
Some things you could try are:
Connect to another instance in the same subnet, with the same Security Group. If this works, then you know that the problem is with the instance itself, rather than the network.
Try connecting to the non-responsive instance from another instance in the same subnet using the private IP address of the non-responsive instance. This will eliminate potential networking problems.
The standard things to always check when attempting to connect from the Internet to an EC2 instance are:
Internet Gateway attached to the VPC
You are referencing the instance via a Public IP Address
Instance was launched in a public subnet, which means that the subnet is associated to a Route Table that routes to the Internet Gateways
Security Group is permitting the inbound traffic from your IP Address and port (outbound traffic configuration is irrelevant because Security Groups are stateful)
Network ACL is not blocking the traffic (by default it permits all inbound and outbound traffic)
The instance is listening on the port (eg Linux SSH on port 22, Windows RDP on port 3389)
There are no host-based firewalls on the instance blocking traffic (eg Windows Firewall)
I always reboot my Linux servers on AWS after associating an elastic IP. Normally I wouldn't blindly suggest rebooting a Linux server, but I have found it helpful in cases like this. There are several things you should think about before rebooting. Making sure you don't have important files exclusively on volatile storage would be one example.
Re "...when I go to the Public IP/Elastic IP..." How are you going to the address? Sounds like you're trying to connect with a web browser.
Have you tried connecting from your Mac over some other protocol, like ssh? That would be another way to confirm that your elastic IP is in effect
Have you tried to connect to the web server more directly? Like using wget from the server's shell? You would use the private IP address or localhost, so that doesn't help diagnose the elastic IP address.
My app was easy deployed on 3 instances using OpsWorks. I can Access it using instance IP's fine.
My question is: how can I access it using load balancer?
ELB says all 3 instances are InService, but typing public DNS on browser, it loads forever and shows nothing.
Testing ELB public DNS on http://whatsmydns.com it shows IP's that aren't from my instances.
Am I doing something wrong?
I have added Public DNS to my app as hostname.
There are a couple things to check:
Check that your load balancer listeners are configured to listen
and pass traffic to the same port that the instance is listening on
(for example http traffic 80 => http 80, https traffic 443 => https
443)
Check that the security group of the webservers allows
traffic from the loadbalancer. Though if you can access your instances directly via browser, I'm guessing they are open to 0.0.0.0/0 so shouldn't be an issue here?
Check that security group of the load balancer allows access to public on all needed ports (typically 80 and 443)
Check that elb healthcheck is not failing (under elb
instances you can see if the instances are in service or not) If it
says "Out of service" that's the problem. You need to make sure that
healthcheck URL is accessible and returns 200.
The DNS of your load balancer is different from your instances - it returns the IP addresses of the instances that the load balancer is running on, AWS usually has at least 3 servers behind the scenes for that.