I deployed a simple website on EC2 instance, and created an elastic load balancer, routing traffic to this EC2 instance.
I also created a CNAME record on my DNS registrar, pointing my domain (www.example.com) to the load balancer DNS name (load-balancer-1234567890.us-east-1.elb.amazonaws.com).
I can successfully reach my site in the browser in 3 different ways:
EC2 instance public IP (Eg: 54.89.99.99)
ELB public DNS name (Eg: load-balancer-1234567890.us-east-1.elb.amazonaws.com)
My domain DNS (Eg: www.example.com)
But, for security reasons, I want my EC2 instance to be accessible on port 80 only from the load balancer.
So, I changed the security group for the EC2 instance:
removed the rule that allowed traffic on port 80 from all sources (0.0.0.0/0)
added a rule to allow traffic on port 80 from my VPC (172.31.0.0/16)
added a rule to allow traffic on port 80 from the ELB security group (sg-xxxxxxxx)
After that, I can still access my website from the ELB DNS name, but now I can't access it from my domain (www.example.com) anymore. I get the error: ERR_CONNECTION_TIMED_OUT.
What's wrong?
This seems like a DNS caching issue on your machine or in DNS servers.
To clear the cache on your machine, flush the DNS using ipconfig /flushdns.
If the issue persists, try traceroute www.example.com (or tracert www.example.com on Windows) to see whether it reaches the ELB. If the source IP is different from the current DNS configuration:
It can be due to a misconfiguration (double-check).
If the latest DNS modification is not propagated (if it points to a previous configuration), then wait for some time until the DNS servers clear the cache based on the TTL value.
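As an added example (not code from anyone in this thread), the following script does the check the flush/TTL advice above leaves to guesswork: it parses the answer section of dig +noall +answer www.example.com, follows the CNAME chain the way a resolver does, and reports whether the name lands on the load balancer or still resolves straight to the instance, where port 80 is now closed to the Internet. The dig output, the load balancer name and the instance IP embedded below are constructed to match the question, not taken from a real zone.

```python
"""Check where a domain actually lands after its CNAME chain is followed.

Added example for the ELB/CNAME question above; not code from the original
posts. Parses `dig +noall +answer` output, chases CNAMEs, and classifies the
endpoint. All host names, IPs and dig output below are constructed.
"""
import sys

ELB_NAME = "load-balancer-1234567890.us-east-1.elb.amazonaws.com."
INSTANCE_IPS = {"54.89.99.99"}  # public IP of the EC2 instance in the question

# Constructed `dig +noall +answer www.example.com` output for the intended setup.
DIG_VIA_ELB = """\
www.example.com.        300 IN CNAME load-balancer-1234567890.us-east-1.elb.amazonaws.com.
load-balancer-1234567890.us-east-1.elb.amazonaws.com. 60 IN A 52.0.0.10
load-balancer-1234567890.us-east-1.elb.amazonaws.com. 60 IN A 52.0.0.11
"""

# Constructed output from a resolver that still serves an old A record for the
# domain: the browser goes to the instance, whose port 80 is now closed.
DIG_STALE = """\
www.example.com.        3600 IN A 54.89.99.99
"""


def parse_dig_answer(text):
    """Turn dig answer lines into {owner: [(rrtype, rdata), ...]}."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # blank lines, comments, or anything that is not an RR
        owner, rrtype, rdata = parts[0], parts[3], parts[4]
        records.setdefault(owner, []).append((rrtype, rdata))
    return records


def resolve(records, name, max_hops=8):
    """Follow CNAMEs from `name` until A records appear. Returns (chain, ips)."""
    chain = [name]
    for _ in range(max_hops):
        rrs = records.get(chain[-1], [])
        ips = [rdata for rrtype, rdata in rrs if rrtype == "A"]
        if ips:
            return chain, ips
        cnames = [rdata for rrtype, rdata in rrs if rrtype == "CNAME"]
        if not cnames:
            return chain, []  # dead end: nothing answers for this name
        chain.append(cnames[0])
    raise RuntimeError("CNAME chain too long or looping: " + " -> ".join(chain))


def diagnose(records, domain, elb_name=ELB_NAME, instance_ips=INSTANCE_IPS):
    """Classify the path from `domain` to an address. Returns (status, detail)."""
    chain, ips = resolve(records, domain)
    if not ips:
        return "NOANSWER", "no A record reachable from %s" % domain
    if elb_name in chain:
        return "VIA_ELB", "CNAME chain reaches the load balancer: " + " -> ".join(chain)
    if set(ips) & set(instance_ips):
        return ("BYPASSES_ELB",
                "domain resolves straight to the instance (%s); port 80 there is "
                "no longer open to the Internet, hence the timeout" % ", ".join(sorted(ips)))
    return ("UNKNOWN",
            "resolves to %s, which is neither the instance nor reached via the ELB "
            "name; a hard-coded A record copied from an ELB address will break when "
            "AWS rotates that address" % ", ".join(sorted(ips)))


if __name__ == "__main__":
    # Usage: dig +noall +answer www.example.com | python3 dnspath.py
    text = sys.stdin.read() if not sys.stdin.isatty() else DIG_VIA_ELB
    status, detail = diagnose(parse_dig_answer(text), "www.example.com.")
    print(status, "-", detail)
```

Run it once against your local resolver and once against a public resolver (dig @resolver +noall +answer www.example.com): a BYPASSES_ELB verdict from only the local one is a stale cache that the TTL will clear, while the same verdict from both means the record itself still points at the instance.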
When you create a load balancer, you select the AZs that the load balancer is located within. This means that your load balancer is located within your VPC and not outside of it (this is normal and expected).
Since your Security Group allows traffic from within your VPC (which duplicates the ELB security group, as both are allowing traffic), there is something wrong with either your Security Group settings or your Load Balancer configuration. Also double-check the load balancer security group settings.
I have a website that I have hosted on an EC2 instance that runs on port 3000 (e.g. 3.27.83.19:3000, assuming the IP address of the EC2 instance is 3.27.83.19).
I have a domain, mydomain.com, that I have already bought through AWS and that I already see in Hosted Zones.
How can I set up Route 53 so that when someone hits "mydomain.com", it takes them to 3.27.83.19:3000 rather than 3.27.83.19?
Thanks!
point domain to instance ip
To point example.com to 3.27.83.19 you simply need to create an A record in Route 53.
point domain to load balancer
To access the website running on port 3000 on an EC2 instance through https://example.com, you need a service that accepts traffic on https://example.com and then forwards the traffic to the EC2 instance on port 3000. You can easily do it with an AWS Application Load Balancer. I like this approach.
There are many benefits to using an Application Load Balancer. The important one is that you can configure the SSL certificate easily. The Application Load Balancer also supports host-based routing, which allows you to host multiple websites.
If you are looking for a less expensive solution, you can also set up an nginx proxy inside the EC2 instance. I personally don't like this approach because you will need to configure SSL at the application level.
https://aws.amazon.com/premiumsupport/knowledge-center/public-load-balancer-private-ec2/
Hope this helps.
I need to create an internal website for a company, accessible only through the company's VPN. I have an EC2 instance with a web server and I was able to access the website through the instance's private IP. Now I'm trying to connect the instance to an internal ELB and I'm facing a problem with the ELB's DNS name.
The instance is added to the ELB's target group, they are on the same subnet, it passes the health check, and I'm able to send a request from the browser to the ELB using its IP addresses, but when I try to do the same with the ELB's DNS name I don't get any response. Security groups are also correct.
I'm also unable to ping the ELB's DNS name from the EC2 instance.
Why does the internal ELB's DNS name not work in the browser/Postman? And how can I fix it?
I have recently added an ALB for 2 instances in EC2.
I want to make the ALB and EC2 instances private, so I added a security group for each service.
What I did is that I added the IP addresses of the EC2 instances for HTTPS in the ALB SG, and vice versa in the EC2 SG.
In Route 53, I made a subdomain linked to the DNS name of the ALB.
I tried to test it first using an SG that is public, and it works fine and I can access the EC2 application.
But after I set the SG for both the ALB and EC2, when I test it, I can't access it.
Where did I go wrong?
A security group can allow traffic from a CIDR range of IP addresses, or from another Security Group. Thus, you should configure the following Security Groups:
ALB-SG: Allow HTTP/S from 0.0.0.0/0 (if you want it open to the world). Associate it with the ALB.
App-SG: Allow HTTP from ALB-SG. Associate it with your EC2 instances (or Auto Scaling group Launch Configuration).
The Application Security Group (App-SG) is thus permitting incoming traffic from the Load Balancer. Or, more specifically, from any resource that is associated with ALB-SG.
Route 53 should have a CNAME record pointing your desired domain name to the DNS Name of the Load Balancer.
I have multiple EC2 instances connected to a load balancer and the traffic is routed to load balancer using Route53.
Suddenly, I can no longer access my website if I type my domain name "www.domain.com". I tried to debug the problem by directly typing the load balancer DNS name in the browser, and it worked.
To investigate the problem further, I created a single instance and directed the traffic using Route 53 to the current public IP of the instance. If I use the domain name "www.domain.com" in the browser, I get an error stating that the site can't be reached. If I use the public IP of the instance I can reach the page. I think that means that Route 53 is not directing the traffic to the instance.
How can I check that? I have been stuck on this problem for almost two days. Is there a way to check whether Route 53 routes traffic or not? I am sure my security group allows traffic for HTTP, HTTPS and SSH, and the port numbers are correct.
My app was easily deployed on 3 instances using OpsWorks. I can access it using the instance IPs fine.
My question is: how can I access it using the load balancer?
ELB says all 3 instances are InService, but typing the public DNS name in the browser, it loads forever and shows nothing.
Testing the ELB public DNS name on http://whatsmydns.com shows IPs that aren't from my instances.
Am I doing something wrong?
I have added the public DNS name to my app as hostname.
There are a couple of things to check:
Check that your load balancer listeners are configured to listen and pass traffic to the same port that the instance is listening on (for example HTTP traffic 80 => HTTP 80, HTTPS traffic 443 => HTTPS 443).
Check that the security group of the web servers allows traffic from the load balancer. Though if you can access your instances directly via browser, I'm guessing they are open to 0.0.0.0/0, so it shouldn't be an issue here?
Check that the security group of the load balancer allows access from the public on all needed ports (typically 80 and 443).
Check that the ELB health check is not failing (under ELB instances you can see if the instances are in service or not). If it says "Out of service", that's the problem. You need to make sure that the health check URL is accessible and returns 200.
The DNS name of your load balancer is different from your instances: it returns the IP addresses of the instances that the load balancer is running on; AWS usually has at least 3 servers behind the scenes for that.
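The ALB-SG/App-SG layout prescribed earlier on this page and the checklist just above are the same audit seen from two sides, so here is one added script that covers both (it is not code from any answer here). It takes the structures that aws ec2 describe-security-groups, aws elbv2 describe-listeners and aws elbv2 describe-target-groups return, trimmed to the fields it needs, and reports the faults this thread keeps running into: ALB-SG not open on a listener port, App-SG missing the reference to ALB-SG or still open to 0.0.0.0/0 (so the load balancer can be bypassed), no listener forwarding to the target group, a target-group port that does not match the port the app listens on, and a health check that probes the wrong port or does not accept a 200. The security group IDs, ARN and sample data are constructed; the port-3000 case from the Route 53 question is used as the app port.

```python
"""Audit an ALB-in-front-of-EC2 layout for the faults raised in this thread.

Added example, not code from any of the answers. Input dicts follow the shape
of the AWS CLI output (describe-security-groups, describe-listeners,
describe-target-groups), trimmed to the fields used. All IDs and ARNs below
are constructed.
"""


def sg_allows(sg, port, cidr=None, source_sg=None):
    """True if `sg` has an ingress rule for TCP `port` from `cidr` or `source_sg`."""
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        if proto == "tcp":
            if not perm["FromPort"] <= port <= perm["ToPort"]:
                continue
        elif proto != "-1":  # "-1" is "all traffic"; udp/icmp rules cannot carry HTTP
            continue
        if cidr and any(r["CidrIp"] == cidr for r in perm.get("IpRanges", [])):
            return True
        if source_sg and any(p["GroupId"] == source_sg
                             for p in perm.get("UserIdGroupPairs", [])):
            return True
    return False


def matcher_accepts(http_code, code=200):
    """True if a target-group Matcher such as "200", "200-299" or "200,301" includes `code`."""
    for part in http_code.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= code <= int(hi or lo):
            return True
    return False


def audit(alb_sg, app_sg, listeners, target_group, app_port):
    """Return a list of findings; an empty list means the layout matches the advice above."""
    findings = []
    # ALB-SG: every public listener port must be reachable from the Internet.
    for lsn in listeners:
        if not sg_allows(alb_sg, lsn["Port"], cidr="0.0.0.0/0"):
            findings.append("ALB-SG does not allow %s/%d from 0.0.0.0/0"
                            % (lsn["Protocol"], lsn["Port"]))
    # App-SG: must reference ALB-SG, and must not also be open to the world.
    if not sg_allows(app_sg, app_port, source_sg=alb_sg["GroupId"]):
        findings.append("App-SG has no rule for port %d from ALB-SG %s"
                        % (app_port, alb_sg["GroupId"]))
    if sg_allows(app_sg, app_port, cidr="0.0.0.0/0"):
        findings.append("App-SG still allows port %d from 0.0.0.0/0, so the "
                        "load balancer can be bypassed" % app_port)
    # Listener -> target group -> instance port must line up.
    tg_arn = target_group["TargetGroupArn"]
    if not any(a["Type"] == "forward" and a.get("TargetGroupArn") == tg_arn
               for lsn in listeners for a in lsn["DefaultActions"]):
        findings.append("no listener forwards to target group %s" % tg_arn)
    if target_group["Port"] != app_port:
        findings.append("target group sends traffic to port %d but the app listens on port %d"
                        % (target_group["Port"], app_port))
    # Health check must probe the app port and accept a 200.
    hc_port = target_group["HealthCheckPort"]
    if hc_port not in ("traffic-port", str(app_port)):
        findings.append("health check probes port %s, not the app port %d" % (hc_port, app_port))
    if not matcher_accepts(target_group["Matcher"]["HttpCode"]):
        findings.append("health check matcher %r does not accept 200"
                        % target_group["Matcher"]["HttpCode"])
    return findings


# Constructed sample data in the shape of the AWS CLI output.
ALB_SG = {"GroupId": "sg-0a1b2c3d4e5f60001", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}

# App-SG as the answer prescribes: the app port only from ALB-SG.
APP_SG_LOCKED = {"GroupId": "sg-0a1b2c3d4e5f60002", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]}]}

# The state the first question started from: the same port also open to the Internet.
APP_SG_OPEN = {"GroupId": "sg-0a1b2c3d4e5f60002", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]}]}

TG_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/app/0123456789abcdef"
LISTENERS = [
    {"Port": 443, "Protocol": "HTTPS",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_ARN}]},
    {"Port": 80, "Protocol": "HTTP", "DefaultActions": [{"Type": "redirect"}]}]
TG_GOOD = {"TargetGroupArn": TG_ARN, "Port": 3000, "Protocol": "HTTP",
           "HealthCheckPort": "traffic-port", "HealthCheckPath": "/healthz",
           "Matcher": {"HttpCode": "200"}}
TG_WRONG_PORT = dict(TG_GOOD, Port=80)  # forwards to 80 while the app listens on 3000

if __name__ == "__main__":
    for name, sg, tg in (("locked down", APP_SG_LOCKED, TG_GOOD),
                         ("misconfigured", APP_SG_OPEN, TG_WRONG_PORT)):
        print(name + ":", audit(ALB_SG, sg, LISTENERS, tg, 3000) or ["no findings"])
```

Feed it the real objects by loading the JSON the three describe commands print; the security-group checks are the ones worth running periodically, since an App-SG that keeps a 0.0.0.0/0 rule next to the ALB-SG rule passes every browser test on this page while leaving the instance reachable without going through the load balancer.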