Consider the following setup based on this document:

10.0.0.0/16 -> local
0.0.0.0/0 -> igw-67e14203 (Internet Gateway)

10.0.0.0/16 -> local
0.0.0.0/0 -> igw-67e14203

With the above setup, the load balancer works perfectly and I can reach the web server URLs and applications from the public internet. However, with this setup, the servers in the private subnets (10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24) are not able to access anything outside the local network - not even the AWS yum repositories. When I change the routing table for the private subnets to:

10.0.0.0/16 -> local
0.0.0.0/0 -> nat-0a71345c417d7758a
The configuration for ELB is as follows:
    "AppServerLoadBalancer": {
        "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
        "Properties": {
            "Scheme": "internet-facing",
            "Tags": [
                {
                    "Key": "environment",
                    "Value": {
                        "Ref": "Environment"
                    }
                }
            ],
            "SecurityGroups": [
                {
                    "Ref": "LoadBalancerSecurityGroup"
                }
            ],
            "Subnets": [
                {
                    "Ref": "AppServerSubnetAZ0"
                },
                {
                    "Ref": "AppServerSubnetAZ1"
                },
                {
                    "Ref": "AppServerSubnetAZ2"
                }
            ]
        }
    }
The subnets AppServerSubnetAZ0, AppServerSubnetAZ1 and AppServerSubnetAZ2 are private subnets with a route that points to the NAT Gateway as described earlier.
The instances in the private subnet can access the outside Internet, but then the LoadBalancer stops working. I start getting timeouts on the load balancer.
The Network ACLs are set properly, and the only change between the two scenarios above is the change in the routing table.
I just can't seem to figure out what is going wrong. I would have assumed that the NAT gateway would have taken care of routing load balancer traffic as well, as in the article/link above?
Thank you for your help!
I don't know how feasible it is to make both a NAT gateway and an ELB work for EC2 instances in a private subnet.
One workaround I will suggest is to keep your routing table as
10.0.0.0/16 -> local
0.0.0.0/0 -> igw-67e14203 (Internet Gateway)
and achieve the NAT using an EC2 instance instead of a NAT Gateway.
You are misinterpreting the referenced document.
The load balancer must be on a public subnet, and the instances should be on a private subnet.
Why does this work when the route on the private subnet points to the Internet Gateway? That's a trick question. If the default route points to the Internet Gateway, it's not actually a private subnet any more. It's a public subnet.
Don't think in terms of conventional networks, where it makes sense that the balancer and the instances behind it would often be on a common subnet. VPC doesn't work that way. There's no performance penalty for traffic across subnet boundaries within an availability zone, nor a performance advantage for traffic within a single subnet.
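The layout this answer describes (internet-facing load balancer on subnets whose default route is the Internet Gateway, instances on subnets whose default route is the NAT Gateway) can be checked in a CloudFormation template before deploying it. The following is an added example, not code from the original question or either answer: it classifies each subnet by the 0.0.0.0/0 target of its associated route table and flags any internet-facing ELBv2 load balancer placed on a non-public subnet. The sample template it builds is constructed for this example; the resource names (PublicSubnetAZ0, PrivateRT, NatGateway, and so on) are assumptions, and it treats a subnet with no explicit route table association as having only the VPC-local route.

```python
"""Added example (not from the original post): classify the subnets in a
CloudFormation template by their default route and verify that an
internet-facing ALB sits only on public subnets, as the answer above says.
Resource names (PublicSubnetAZ*, PrivateRT, NatGateway, ...) are assumed."""


def ref(value):
    """Resolve a {"Ref": "Name"} intrinsic to its logical name; pass literals through."""
    return value["Ref"] if isinstance(value, dict) and "Ref" in value else value


def classify_subnets(resources):
    """Map subnet logical name -> 'public' | 'private' | 'isolated'.

    public   : default route 0.0.0.0/0 -> GatewayId   (Internet Gateway)
    private  : default route 0.0.0.0/0 -> NatGatewayId
    isolated : no default route (assumption: an unassociated subnet uses a
               main route table that only carries the VPC-local route)
    """
    subnet_to_rt = {}
    for res in resources.values():
        if res["Type"] == "AWS::EC2::SubnetRouteTableAssociation":
            props = res["Properties"]
            subnet_to_rt[ref(props["SubnetId"])] = ref(props["RouteTableId"])

    rt_kind = {}
    for res in resources.values():
        if res["Type"] == "AWS::EC2::Route" and res["Properties"].get("DestinationCidrBlock") == "0.0.0.0/0":
            props = res["Properties"]
            if "GatewayId" in props:
                rt_kind[ref(props["RouteTableId"])] = "public"
            elif "NatGatewayId" in props:
                rt_kind[ref(props["RouteTableId"])] = "private"

    return {name: rt_kind.get(subnet_to_rt.get(name), "isolated")
            for name, res in resources.items() if res["Type"] == "AWS::EC2::Subnet"}


def check_internet_facing_lbs(template):
    """Return problems for internet-facing ELBv2 load balancers on non-public subnets."""
    resources = template["Resources"]
    kinds = classify_subnets(resources)
    problems = []
    for name, res in resources.items():
        if res["Type"] != "AWS::ElasticLoadBalancingV2::LoadBalancer":
            continue
        props = res["Properties"]
        if props.get("Scheme", "internet-facing") != "internet-facing":
            continue  # an 'internal' balancer belongs on private subnets
        for subnet in props.get("Subnets", []):
            kind = kinds.get(ref(subnet), "unknown")
            if kind != "public":
                problems.append(f"{name}: {ref(subnet)} is {kind}; an internet-facing LB needs a 0.0.0.0/0 -> igw route")
    return problems


def build_template(lb_on_public):
    """Constructed two-AZ sample (not the poster's template).

    lb_on_public=True  -> the layout the answer describes (ALB public, instances private via NAT)
    lb_on_public=False -> the broken layout from the question (ALB on the NAT-routed subnets)
    """
    r = {
        "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "IGW": {"Type": "AWS::EC2::InternetGateway", "Properties": {}},
        "PublicRT": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
        "PrivateRT": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
        "PublicDefault": {"Type": "AWS::EC2::Route", "Properties": {
            "RouteTableId": {"Ref": "PublicRT"}, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": {"Ref": "IGW"}}},
        "NatEIP": {"Type": "AWS::EC2::EIP", "Properties": {"Domain": "vpc"}},
        # one NAT gateway, which itself lives in a public subnet; the private subnets route 0.0.0.0/0 through it
        "NatGateway": {"Type": "AWS::EC2::NatGateway", "Properties": {
            "SubnetId": {"Ref": "PublicSubnetAZ0"}, "AllocationId": {"Fn::GetAtt": ["NatEIP", "AllocationId"]}}},
        "PrivateDefault": {"Type": "AWS::EC2::Route", "Properties": {
            "RouteTableId": {"Ref": "PrivateRT"}, "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": {"Ref": "NatGateway"}}},
    }
    for az in (0, 1):
        for prefix, rt, third_octet in (("Public", "PublicRT", 10 + az), ("AppServer", "PrivateRT", 2 + az)):
            subnet = f"{prefix}SubnetAZ{az}"
            r[subnet] = {"Type": "AWS::EC2::Subnet", "Properties": {
                "VpcId": {"Ref": "VPC"}, "CidrBlock": f"10.0.{third_octet}.0/24"}}
            r[f"{subnet}Assoc"] = {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
                "SubnetId": {"Ref": subnet}, "RouteTableId": {"Ref": rt}}}
    lb_prefix = "Public" if lb_on_public else "AppServer"
    r["AppServerLoadBalancer"] = {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Properties": {
        "Scheme": "internet-facing", "Subnets": [{"Ref": f"{lb_prefix}SubnetAZ{az}"} for az in (0, 1)]}}
    return {"Resources": r}


if __name__ == "__main__":
    for flag in (True, False):
        label = "LB on public subnets" if flag else "LB on NAT-routed subnets"
        print(label, check_internet_facing_lbs(build_template(flag)) or "OK")
```

Run as written, the first layout passes and the second reports both AppServer subnets as private, which is exactly the misplacement the question describes. To run the same check against a real template, load it with json.load and pass the resulting dict to check_internet_facing_lbs; the classifier only looks at Route, SubnetRouteTableAssociation, Subnet and LoadBalancer resources, so parameters and tags are ignored.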