How to access security group of classic load balancer? - amazon-web-services

I have created a classic load balancer and an auto scaling policy which launches 2 instances successfully; now I logged in through ssh to the load balancer:
ssh -i "mykeypair.pem" ec2-user@my-load-balancer-1222.us-east-1.elb.amazonaws.com
We logged in with the terminal:
[ec2-user@ip-10-0-1-86 ~]  << here this IP is one of the instances which was created by auto scaling
Now I want to check the security group of the ELB with the curl http://169.254.169.254/latest/meta-data/security-groups command, but it displays the instance security group name, not the ELB security group.
My question is: how can we check the ELB security group?

It seems you have SSH'ed into one of the 2 instances behind the load balancer (I doubt you can SSH into the ELB itself), so that's why you're seeing the security group of that instance.
I believe the way to check the ELB's security group is by using the AWS CLI (or one of their SDKs), using the following command:
aws elb describe-load-balancers --load-balancer-names my-load-balancer
You can find more details in the docs
Note: of course, if you wanted to run this command from within the EC2 instance you SSH'ed into, you would need to make sure you have access to make that invocation. See here for more info on getting set up.
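The same lookup done through the API, as an added example that is not code from the answer above. The CLI form is aws elb describe-load-balancers --load-balancer-names NAME --query 'LoadBalancerDescriptions[].SecurityGroups' followed by aws ec2 describe-security-groups --group-ids ...; the Python below does both calls with boto3 and, for contrast, fetches the groups of the instance you are logged into (which is all the 169.254.169.254 endpoint can ever show). A real run assumes boto3, credentials and the elasticloadbalancing:DescribeLoadBalancers, ec2:DescribeSecurityGroups and ec2:DescribeInstances permissions; CannedClient and the SAMPLE_* responses are constructed test doubles with invented ids so the logic runs offline.

```python
"""Resolve a Classic ELB's security groups (and, for contrast, an instance's)
through the AWS API instead of the instance metadata endpoint.

Added example; not code from the answer it follows. Real runs need boto3 and
AWS credentials; CannedClient / SAMPLE_* are constructed doubles, ids invented.
"""
try:
    import boto3  # only needed for a real run against AWS
except ImportError:
    boto3 = None


def _summarise(perm):
    """Flatten one IpPermissions entry to (protocol, from_port, to_port, sources)."""
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort"), sources)


def elb_security_groups(elb, ec2, lb_name):
    """Security groups attached to a Classic ELB, with their inbound rules.

    The 169.254.169.254 endpoint only knows the groups of the instance you are
    on; the ELB's own groups come back from DescribeLoadBalancers.
    """
    resp = elb.describe_load_balancers(LoadBalancerNames=[lb_name])
    descs = resp.get("LoadBalancerDescriptions", [])
    if not descs:
        raise LookupError("no Classic ELB named %r" % lb_name)
    desc = descs[0]
    sg_ids = desc.get("SecurityGroups", [])  # VPC ELBs: group ids
    # SourceSecurityGroup is what the target instances' groups must allow as a source.
    source = desc.get("SourceSecurityGroup", {}).get("GroupName")
    inbound = {}
    if sg_ids:
        for sg in ec2.describe_security_groups(GroupIds=sg_ids)["SecurityGroups"]:
            inbound[sg["GroupId"]] = [_summarise(p) for p in sg.get("IpPermissions", [])]
    return {"name": desc["LoadBalancerName"], "security_groups": sg_ids,
            "source_security_group": source, "inbound": inbound}


def instance_security_groups(ec2, instance_id):
    """What the metadata endpoint reported for the instance, with ids as well as names."""
    for res in ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]:
        for inst in res["Instances"]:
            return [(g["GroupId"], g["GroupName"]) for g in inst["SecurityGroups"]]
    raise LookupError("no instance %r" % instance_id)


class CannedClient:
    """Constructed stand-in for a boto3 client: each known method returns a canned dict."""

    def __init__(self, **responses):
        self._responses = responses

    def __getattr__(self, name):
        if name.startswith("__") or name not in self._responses:
            raise AttributeError(name)
        return lambda **kwargs: self._responses[name]


# Constructed responses in the shape of the real API output; all ids are invented.
ELB_SG, WEB_SG = "sg-0a1b2c3d4e5f60001", "sg-0a1b2c3d4e5f60002"
INSTANCE = "i-0123456789abcdef0"
SAMPLE_ELB = CannedClient(describe_load_balancers={"LoadBalancerDescriptions": [{
    "LoadBalancerName": "my-load-balancer",
    "SecurityGroups": [ELB_SG],
    "SourceSecurityGroup": {"OwnerAlias": "123456789012", "GroupName": "elb-sg"},
    "Instances": [{"InstanceId": INSTANCE}]}]})
SAMPLE_EC2 = CannedClient(
    describe_security_groups={"SecurityGroups": [{
        "GroupId": ELB_SG, "GroupName": "elb-sg",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}]},
    describe_instances={"Reservations": [{"Instances": [{
        "InstanceId": INSTANCE,
        "SecurityGroups": [{"GroupId": WEB_SG, "GroupName": "web-sg"}]}]}]})


if __name__ == "__main__":
    # Real run needs boto3 + credentials + a configured region; otherwise use the canned doubles.
    elb, ec2 = (boto3.client("elb"), boto3.client("ec2")) if boto3 else (SAMPLE_ELB, SAMPLE_EC2)
    print(elb_security_groups(elb, ec2, "my-load-balancer"))
    print(instance_security_groups(ec2, INSTANCE))
```

Note the separate SourceSecurityGroup field: for a Classic ELB that is the group name you reference in the target instances' inbound rules, so you can confirm the ELB's groups and the instances' groups actually line up rather than just reading one of them.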

You should not SSH into an instance via a Load Balancer.
An SSH session is persistent -- you wish to continue talking to the same server. This clashes with the concept of a Load Balancer, which distributes traffic across multiple servers.

Related

AWS Health Checks in private instance

I need to perform simple health checks to an ec2 instance that does not have access to the internet. The instance is behind another ec2 using Apache as the frontend.
I cannot use a load balancer, nor give the instance access to the internet.
I looked at route53 health checks as an alternative, but it also needs internet connection.
I know I can do it by using a lambda function, but I would like to know if there is any other ( 'aws managed' ) way to do it.
What are you trying to check on the instance? EC2 instances come with status checks by default for general health.
If you want to check something specific, you might run a script on the instance (e.g. through cron) and use AWS CLI (or a similar API) to report the metrics to CloudWatch; you can also set alarms here.
Why not use a load balancer for the health check and just not route any traffic to it? Make sure your security groups allow traffic from the load balancer (assuming ALB) to the EC2 instance, but you can remove any inbound access to the load balancer's security group for added security.
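The cron-plus-CloudWatch approach from the answer above, written out as an added example (not code from the answer). It assumes the private instance can reach CloudWatch, for example through an interface VPC endpoint for the monitoring service, and that its instance role allows cloudwatch:PutMetricData and cloudwatch:PutMetricAlarm; the probe URL, namespace, metric and alarm names are invented, and RecordingClient is a constructed test double so the logic runs offline. The alarm is created with TreatMissingData set to breaching so that a dead instance, which stops reporting altogether, is also caught.

```python
"""Cron-driven health probe for an instance with no internet access, reported
as a custom CloudWatch metric, plus an alarm that also fires when reports stop.

Added example, not code from the answer it follows. Assumes CloudWatch is
reachable (e.g. an interface VPC endpoint) and an instance role with
PutMetricData / PutMetricAlarm. Names below are invented.
"""
import socket
import urllib.error
import urllib.request

try:
    import boto3  # only needed for a real run against AWS
except ImportError:
    boto3 = None

NAMESPACE = "PrivateApp"  # invented
METRIC = "AppHealthy"     # 1.0 = probe succeeded, 0.0 = probe failed


def probe_http(url, timeout=3.0):
    """True only if the endpoint answers 200 within the timeout; any error counts as unhealthy."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except (urllib.error.URLError, socket.timeout, ValueError, OSError):
        return False


def metric_datum(instance_id, healthy):
    """One PutMetricData entry, dimensioned by InstanceId so each instance has its own series."""
    return {"MetricName": METRIC,
            "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
            "Value": 1.0 if healthy else 0.0, "Unit": "Count"}


def report(cloudwatch, instance_id, healthy):
    """Publish the probe result; returns the datum that was sent."""
    datum = metric_datum(instance_id, healthy)
    cloudwatch.put_metric_data(Namespace=NAMESPACE, MetricData=[datum])
    return datum


def ensure_alarm(cloudwatch, instance_id, actions=()):
    """Alarm when the per-minute minimum stays below 1 for 3 consecutive minutes.

    TreatMissingData=breaching is the important part: if cron, the script or
    the whole instance dies, no data arrives, and that must count as unhealthy.
    """
    params = {"AlarmName": "%s-%s-unhealthy" % (NAMESPACE, instance_id),
              "Namespace": NAMESPACE, "MetricName": METRIC,
              "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
              "Statistic": "Minimum", "Period": 60, "EvaluationPeriods": 3,
              "Threshold": 1.0, "ComparisonOperator": "LessThanThreshold",
              "TreatMissingData": "breaching", "AlarmActions": list(actions)}
    cloudwatch.put_metric_alarm(**params)
    return params


class RecordingClient:
    """Constructed stand-in for a boto3 CloudWatch client that records its calls."""

    def __init__(self):
        self.calls = []

    def put_metric_data(self, **kwargs):
        self.calls.append(("put_metric_data", kwargs))
        return {}

    def put_metric_alarm(self, **kwargs):
        self.calls.append(("put_metric_alarm", kwargs))
        return {}


if __name__ == "__main__":
    # crontab example:  * * * * * /usr/bin/python3 /opt/healthprobe.py
    healthy = probe_http("http://127.0.0.1/health")  # invented local endpoint
    cw = boto3.client("cloudwatch") if boto3 else RecordingClient()
    instance = "i-0123456789abcdef0"  # invented; read it from instance metadata in production
    ensure_alarm(cw, instance)        # idempotent, but better done once at boot than every minute
    print(report(cw, instance, healthy))
```

In production, read the instance id from the metadata service (IMDSv2 token first) instead of hard-coding it, and point AlarmActions at an SNS topic; the ensure_alarm call is idempotent but belongs in a boot-time step rather than the per-minute cron entry.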

AWS ElasticBeanstalk Security Groups

I have a web application launched using ElasticBeanstalk (EB) with a load balancer, whose instances may be added/removed based on the trigger.
Now I have a Redis server hosted on EC2 with port 6379, and I only want these very EB instances (all the instances launched by this EB) to have access to that port.
EB has a security group (SG) called sg-eb and Redis has a SG called sg-redis.
All these are deployed under same VPC but may or may not be the same subnet.
How do I configure sg-redis so that all the instances under the EB have access to Redis? I tried adding sg-eb to sg-redis allowing port 6379 but no luck. The only way I made it work was adding each instance's public IP to sg-redis so they have access. Though, if the load balancer adds/removes an instance, I'll need to manually configure sg-redis again.
Update #1
The Redis EC2 instance will have 2 IPs, one public and one private. You can find them when selecting the instance on the EC2 management console. Make sure you connect to that EC2 instance via this internal IP.

AWS Error : None of these Availability Zones contains a healthy target. Requests are being routed to all targets. in AWS

I have created an Application Load Balancer in AWS.
I have created 2 EC2 instances and made them a group.
After that I added that group to the ALB with a listener on port 80.
But when the system goes for health checks, it gives the error and shows that the two registered EC2 instances are unhealthy.
The error is :
None of these Availability Zones contains a healthy target. Requests
are being routed to all targets.
Availability Zones:
subnet-5691df0f - ap-northeast-1c,
subnet-97ae35e1 - ap-northeast-1a
Please let me know the reason.
I was running into this issue, and also getting a 504 Gateway timeout, and it ended up being this missing rule from the documentation.
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the left navigation, choose Security Groups.
Choose the security group that your container instances use. If you created your container instances by using the Amazon ECS first run wizard, this security group may have the description, ECS Allowed Ports.
Choose the Inbound tab, and then choose Edit.
For Type, choose All traffic.
For Source, choose Custom, and then type the name of your Application Load Balancer security group that you created in Configure Security Groups. This rule allows all traffic from your Application Load Balancer to reach the containers in your tasks that are registered with your load balancer.
Choose Save to finish.
Check if your health check parameters in the target group are properly configured:
the protocol and port should point to something where the response header returns 200 OK (screenshot of the target group settings omitted).
Also check if your EC2 health check is OK or not, and the subnets you added to the ALB should have at least 1 EC2 running in any of those subnets;
check that the security group also allows the ALB to reach the EC2 instances.
(Screenshot: https://i.stack.imgur.com/TEOnU.gif)
I encountered a similar issue while learning to setup load balancer for my EC2 instance.
It turns out that under Target Groups:
the "path" under the "Health Check" tab was not registered although it showed the correct value "/".
Therefore I just edited the path value(by clicking the "edit health check") to "/" and saved it again just so that the system can register that value. (you could also try saving it to some other value, say "/health", first and then saving it back to "/")
This seemed to fix my problem.
Hi all, I just encountered the same issue and the solution is a setting in the ALB (Application Load Balancer) itself.
Make sure the ALB AZ matches your instance AZ; here is a screenshot of the setting. I am using us-east-1a and us-east-1e for my instances, so my ALB setting for AZ should match that. Click on the "Edit Subnets" button to edit your AZ on your ALB.
Ensure that communication is allowed at security group level between your load balancer and your targets.
From AWS
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html
You must ensure that your load balancer can communicate with registered targets on both the listener port and the health check port [...] you must verify that the security groups associated with the load balancer allow traffic on the new port in both directions.
For example, a simple way to portray the rules you would require if you have a PUBLIC FACING load balancer in security group sg-001 and three EC2 targets in another security group sg-002 is as follows:
Just add new AZs by clicking on the Edit Subnet under the Load Balancer description.

EC2 security group setting for load balancer, auto scaling group

So I set up a proxy server in AWS EC2 (let's say EC2 A) under an Elastic Load Balancer with AWS Auto Scaling groups... So I have 5 EC2 A instances under this elastic load balancer, which has one DNS endpoint for these proxies.
Through this proxy DNS (e.g. http://myelb.elb.aws.com), I want to send HTTP requests from EC2 B.
Then where should I set up the security group?
And what kind of security rules for this program flow?
I tried to add EC2 A to the Elastic Load Balancer but it keeps being OutOfService; it never gets to InService.
OutOfService indicates that your Elastic Load Balancer is either not ready, or the instances are failing their Health Check. If you point to the little "i" information icon, it will explain why an instance is not InService.
Within your Elastic Load Balancer, take a look at the Health Check tab and confirm that it is configured correctly. It will either be checking a URL (eg /index.htm) or checking a port (eg port 80). If your "A" servers are listening on port 80, the quickest way to pass the health check is to set it to TCP and set the Healthy Threshold to 2 attempts.
Your Security Groups should have these settings:
A Security Group on your Elastic Load Balancer (eg ELB-SG) that allows incoming traffic either from the whole Internet (0.0.0.0/0) or at least from your "EC2 B" instance (specifically, it should allow traffic where the source is the name of a security group associated with your B instance).
A Security Group on your "EC2 A" instances that allows incoming traffic from the security group on your Load Balancer (ELB-SG).
If you are worried that your Security Groups are incorrectly configured, start troubleshooting by opening up access to the entire Internet (0.0.0.0/0) and, once you have confirmed connectivity, progressively reduce access to the above settings.
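The security-group pattern that the three threads above all come down to (sg-eb allowed into sg-redis on 6379, sg-001 allowed into sg-002 on the ALB listener and health-check ports, ELB-SG allowed into the "EC2 A" group), as one added example that is not code from any of the answers. Rules that name a source security group follow instances as the auto scaling group adds and removes them, which is what replaces the per-instance public IP entries; such rules only match traffic that arrives from the members' private addresses, so clients must connect to the private IP, as the Redis thread's update notes. The audit function flags ports that are also open to 0.0.0.0/0, which is the "open it up, confirm connectivity, then tighten" step in the answer above made checkable. Group ids and ports are invented; a real run passes boto3.client("ec2") in place of RecordingEc2 and needs ec2:AuthorizeSecurityGroupIngress and ec2:DescribeSecurityGroups; SAMPLE_TARGET_SG is a constructed DescribeSecurityGroups entry.

```python
"""Let a load balancer's (or Elastic Beanstalk's) security group reach target
instances by referencing the group id, then audit what the target group admits.

Added example; not code from the answers it follows. Pass boto3.client("ec2")
for a real run; RecordingEc2 and SAMPLE_TARGET_SG are constructed doubles and
every id below is invented.
"""
WORLD = ("0.0.0.0/0", "::/0")


def ingress_from_group(source_sg, ports, proto="tcp"):
    """IpPermissions admitting `proto` on each port from members of source_sg."""
    return [{"IpProtocol": proto, "FromPort": p, "ToPort": p,
             "UserIdGroupPairs": [{"GroupId": source_sg}]} for p in sorted(set(ports))]


def allow_from_group(ec2, target_sg, source_sg, ports, proto="tcp"):
    """Authorize the rule on target_sg; membership follows instances as they scale."""
    perms = ingress_from_group(source_sg, ports, proto)
    ec2.authorize_security_group_ingress(GroupId=target_sg, IpPermissions=perms)
    return perms


def _covers(perm, port, proto):
    """Does this permission entry apply to proto/port? "-1" is the All traffic rule."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != proto:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_target_sg(sg, source_sg, ports, proto="tcp"):
    """Per port: reachable from source_sg? also open to the whole internet?

    open_to_world is the "start with 0.0.0.0/0, then tighten" check: once
    from_source_group is True, the world-open rule for that port can go.
    """
    result = {}
    for port in ports:
        from_group = world = False
        for perm in sg.get("IpPermissions", []):
            if not _covers(perm, port, proto):
                continue
            if any(g.get("GroupId") == source_sg for g in perm.get("UserIdGroupPairs", [])):
                from_group = True
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            if any(c in WORLD for c in cidrs):
                world = True
        result[port] = {"from_source_group": from_group, "open_to_world": world}
    return result


class RecordingEc2:
    """Constructed stand-in for a boto3 EC2 client that records authorize calls."""

    def __init__(self):
        self.calls = []

    def authorize_security_group_ingress(self, **kwargs):
        self.calls.append(kwargs)
        return {"Return": True}


LB_SG, TARGET_SG = "sg-0a1b2c3d4e5f60001", "sg-0a1b2c3d4e5f60002"  # invented ids
# Constructed DescribeSecurityGroups entry for the target group: port 80 is open
# to the world *and* to the LB group; 8080 (the health-check port) only to the LB group.
SAMPLE_TARGET_SG = {
    "GroupId": TARGET_SG, "GroupName": "sg-002",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": [{"GroupId": LB_SG}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": LB_SG}]},
    ]}


if __name__ == "__main__":
    ec2 = RecordingEc2()  # swap in boto3.client("ec2") to apply the rule for real
    print(allow_from_group(ec2, TARGET_SG, LB_SG, [80, 8080]))
    # With a real client: sg = ec2.describe_security_groups(GroupIds=[TARGET_SG])["SecurityGroups"][0]
    print(audit_target_sg(SAMPLE_TARGET_SG, LB_SG, [80, 8080, 6379]))
```

For the Redis case the call is allow_from_group(ec2, "sg-redis-id", "sg-eb-id", [6379]); for the ALB case pass both the listener port and the health-check port, since the quote from the AWS documentation above requires both. The audit on the sample data reports port 80 as reachable from the load balancer group but still world-open, 8080 as reachable only from the group, and 6379 as not reachable at all.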

Allow EC2 Security Group access from Beanstalk Security Group

I have an Amazon Beanstalk Load Balancer setup which adds / removes ec2 servers as needed. The security group for this load balancer is called prod-sc.
I also have an Amazon EC2 instance using security group elasticsearch-sc.
Now I need elasticsearch-sc to allow port 9200 to be accessed from prod-sc
However, every time I try to configure this in elasticsearch-sc by providing the prod-sc Group ID, I get an error saying:
Could not update your security group rules (No changes were made): You may not define rules between a VPC group and a non-VPC group.
How can I give prod-sc access to elasticsearch-sc?
Can you try creating elasticsearch-sc as a VPC security group?
Read the guide for more details.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
http://docs.aws.amazon.com/cli/latest/reference/ec2/create-security-group.html