In my AWS account,
I have the following setup:
1x ECS cluster with 2 services (service-a and service-b)
Each service has their own target group
service-a binds the port on 443
service-b binds the port on 8888 (I needed to do that, because 443 might be already allocated by service-a)
Both services are reachable with HTTPS protocol
1x ALB which will be used in both service to load balance traffic
1x HTTPS Listener on the ALB (balances traffic by path)
1x Security group for the ALB (only allows inbound traffic from a given network)
1x Security group for all ECS EC2 Instances which are allowing inbound traffic from the ALB (on port 443 (HTTPS) and 8888 (Custom TCP Rule))
However:
service-b is always unhealthy.
I tried to add a new HTTPS Listener on the ALB which listens on port 8888 and this listener forwards the traffic to my service-b-target-group as expected.
Does anyone have any clue?
Thanks in advance!
Did you configure an advanced health check of your target group for service b?
it should look like this
picture here
The default setting of the target group is "traffic port". If you have configured an path-based routing, the traffic port is the same for both target groups.
Request on url.com:443/service-a and url.com:443/service-b will try to do health checks on port 443 on both target groups
For service-b you should define an advanced health check on a specific port, because your service listens on that port (8888 in your case)
Related
I've follow the documentation of I've read https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
and I want to create a security group in AWS which allows only one IP access to ports 80 or 443, but AWS is blocking everything even the IP which should have access when I apply this group.
We are using nginx in the ec2 server and the certificate was created with certbot
What do you mean by "blocking everything"?
From these 2 rules, port 80 and port 443 are only open to the one IP that you had given. If this is a webapp, it is likely that you'll have a loadbalancer setup to receive the traffic.
Check the ELB security group and block traffic there (If there is an ELB setup)
Check the VPC NACL if there are any block for port 80/443 traffic. If that is the case, NACL rule will take precedence here
Make sure you check your outbound rules also. If by "Blocking everything", you meant the outbound traffic
Edit the inbound rule to be only lock out any other port to the instance ip address only, while you open 443 and 80 to everyone.
eg. if ur ec2 instance public ip is 13.255.77.8 and you don't want port 5000 to be accessible to the public, create a custom tcp with your that is only acessible to that port ie mapping port 5000 to this ip - 13.255.77.8/32
What can be a simple ALB health check for 2 app servers behind an ALB. These are not web hence I am not installing http on these servers.
You have option of configuring HTTP/HTTPS/TCP traffic for health check.
With ALB you need to associate an target group. Health checks are configured against this target group.
Your 2 app servers must be serving some traffic (say: TCP traffic over port 3306, if its running mysql). This is known as traffic port , the same port where your ALB is listening.
When you create Target group, you have to mention that health check will be done on this traffic port.
This is what you get when you attempt to create target group:
I setup an ELB to accept http/https traffic with a security group to allow all http/https traffic. Instead of pointing the domain to the EC2 IP, it is instead pointed at the alias of the ELB.
The EC2 is setup to accept http/https from any location at the moment, amongst ssh from my computer.
The target group is setup to forward traffic via https to the instances, and health check is performed via http. The targets show as healthy. In addition, the DNS for the ELB, and the website, throws a 502 error, and is unsecure accessible via https.
When I configure the target group to forward traffic via http to the instances, and the health check is performed via http, the targets still show as healthy. The ELB DNS / website is accessible for the ELB, though https still throws an unsecure warning.
Port 443 shows as closed. I have apache setup to listen to both port 80 and port 443 in order to serve the website. Normally, I would have the certificates on the server and would route port 80 to port 443 to serve them, so that's why they're both enabled.
I have an application running on an AWS EC2 instance with the domain's nameservers on AWS as well. I have an A record with the public IP.
I've create a secure certificate with ACM and also created an ELB Load Balancer. My domain still doesn't show the HTTPS in front of it.
Can anyone provide some help? Many thanks
Have you tried this ?
First, you need to open HTTPS port (443). To do that, you go to https://console.aws.amazon.com/ec2/ and click on the Security Groups link on the left, then create a new security group with also HTTPS available. Then, just update the security group of a running instance or create a new instance using that group.
After these steps, your EC2 work is finished, and it's all an application problem.
Credit to : https://stackoverflow.com/a/6253484/8131036
The solution is pretty simple.
First of all, edit the listeners on your ELB and do the following:
443 (HTTPS) => 80 (HTTP) - and apply ACM certificate.
What this essentially is doing is tells the ELB to listen on port 443 (HTTPS) and terminate the certificate and then forward traffic internally over port 80 (HTTP) - the port the instance is listening on.
You can also add port 80 (HTTP) and forward to port 80 (HTTP) (recommended and then set up your application to redirect all users to HTTPS). You can read more about ELB and setting up listeners here Create a Classic Load Balancer with an HTTPS Listener
Second thing you need to do is update Route 53 to point to ELB.
ascisolutions.com. A ALIAS s3-website-us-west-2.amazonaws.com. You can read more about it here Routing Traffic to an ELB Load Balancer
Let me know if you have more questions in the comments section and I'll do my best to reply.
You cannot install an ACM certificate on an ec2 instance directly, but you can install it on your load balancer and have the load balancer terminate SSL.
Create a target group and register your ec2 instances using port 80.
In your ELB, setup listeners for both port 80 and 443. You'll need to add your ACM cert to your https listener (port 443). Note that the certificate needs to be issued in the same region as your ELB.
The ELB does not handle redirecting insecure traffic to HTTPS, if needed, you will need to update your application to redirect http to https.
Is it possible to have an application running on an EC2 instance and have a load balancer listen on port 80 but proxy it to the instances port 8080?
I cannot seem to get this to work. What setting to I need to change. I am running the cluster behind an application load balancer.
Adding answer with AWS management snippets .
Add the instance port in the target group, refer below image for it. for example i've added tomcat 8080 port to the target group port/
Make sure that your ELB is internet facing. refer below image of ELB summary , which says that my ELB is internet -facing. and check that your routing is properly added.
You define the instance port in the Target Group. You need to configure the Target Group to use port 8080. Then point the Application Load Balancer's port 80 listener to the Target Group. The ALB will listen on port 80, and forward requests to port 8080 on the Target Group instances.