stackoom
  简体   繁体   中英

Setting up Application Load Balancer for Private Subnet EC2 instances running tomcat

 原文  2021-11-21 22:12:06       amazon-ec2/ aws-load-balancer/ private-subnet

Question

I have setup a VPC with two public subnets and two private subnets. The two private subnets have two EC2 instates and each has tomcat server running on port 8080.

I have set up a load balancer (terraform) as following but the health check is always failing. Can someone help me with what's wrong here.

Security Groups:

# Create Security Group for the Application Load Balancer
# terraform aws create security group
resource "aws_security_group" "alb-security-group" {
  name        = "ALB Security Group"
  description = "Enable HTTP/HTTPS access on Port 80/443"
  vpc_id      = aws_vpc.OrchVPC.id

  ingress {
    description = "HTTP Access"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "HTTPS Access"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "ALB Security Group"
  }
}

# Create Security Group for the Bastion Host aka Jump Box
# terraform aws create security group
resource "aws_security_group" "ssh-security-group" {
  name        = "SSH Security Group"
  description = "Enable SSH access on Port 22"
  vpc_id      = aws_vpc.OrchVPC.id

  ingress {
    description = "SSH Access"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "SSH Security Group"
  }
}

# Create Security Group for the Web Server
# terraform aws create security group
resource "aws_security_group" "webserver-security-group" {
  name        = "Web Server Security Group"
  description = "Enable HTTP/HTTPS access on Port 80/443 via ALB and SSH access on Port 22 via SSH SG"
  vpc_id      = aws_vpc.OrchVPC.id

  ingress {
    description     = "HTTP Access"
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = ["${aws_security_group.alb-security-group.id}"]
  }

  ingress {
    description     = "HTTPS Access"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = ["${aws_security_group.alb-security-group.id}"]
  }

  ingress {
    description     = "HTTP/HTTPS Access"
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = ["${aws_security_group.alb-security-group.id}"]
  }

  ingress {
    description     = "SSH Access"
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = ["${aws_security_group.ssh-security-group.id}"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "Web Server Security Group"
  }
}

Load Balancer:

# Target group for application load balancer
resource "aws_lb_target_group" "targetgroup" {
  health_check {
    interval            = 5
    path                = "/"
    protocol            = "HTTP"
    timeout             = 2
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }

  stickiness {
    type    = "lb_cookie"
    enabled = true
  }

  name        = "targetgroup"
  port        = 8080
  protocol    = "HTTP"
  target_type = "instance"
  vpc_id      = aws_vpc.OrchVPC.id
}

# Load Balancer Target Group attachment for first instance
resource "aws_lb_target_group_attachment" "myec2vm1tg1" {
  target_group_arn = aws_lb_target_group.targetgroup.arn
  target_id        = aws_instance.myec2vm1.id
  port             = 8080
}

# Load Balancer Target Group attachment for second instance
resource "aws_lb_target_group_attachment" "myec2vm2tg1" {
  target_group_arn = aws_lb_target_group.targetgroup.arn
  target_id        = aws_instance.myec2vm2.id
  port             = 8080
}


# Applicaiton Load Balancer
resource "aws_lb" "alb" {
  name               = "alb"
  internal           = false
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb-security-group.id]
  subnets            = [aws_subnet.PublicSubnet1.id, aws_subnet.PublicSubnet2.id]

  tags = {
    Name = "alb"
  }

  timeouts {
    create = "30m"
    delete = "30m"
  }
}

# Load Balancer Listener
resource "aws_lb_listener" "alblistener" {
  load_balancer_arn = aws_lb.alb.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.targetgroup.arn
  }
}

1 answers

solution1
 0  2022-01-11 04:16:46

Can you check in console -> security group of those instances to ensure, it has given inbound rule so that load balancer can do the HTTP request to your web server.

security group inbound rule

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to load balance AWS private subnet EC2 instances Setting up load balancer at my EC2 instance at AWS Pushing to multiple EC2 instances on a load balancer EC2 instances removed from load balancer AWS: Why is a public IP required for load-balancing to my private subnet EC2 instances? Setting up Redash Instance in private subnet. EC2 status check failed How do I connect a public-facing load balancer to EC2 instances in a private VPC Set static private IP addresses to AWS EC2 Instances registered with an AWS Elastic Load Balancer Amazon ELB for EC2 instances in private subnet in VPC AWS best method to ssh between EC2 instances in private subnet
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM