
AWS EC2 Internet access from behind Load Balancer

Using Terraform to set up a VPC with two EC2s in private subnets. The setup needs to SSH to the EC2s to install package updates from the Internet and install the application software. To do this there is an IGW and a NAT-GW in a public subnet. Both EC2s can access the Internet at this point as both private subnets are routing to the NAT-GW. Terraform and SSH to the private subnets is done via Client VPN.

One of the EC2s is going to host a web service, so a Classic mode Load Balancer is added and configured to target the web server EC2. Using Classic mode because I can't find a way to make Terraform build Application mode LBs. The Load Balancer requires the instance to be using a subnet that routes to the IGW, so it is changed from routing to the NAT-GW to the IGW. At this point, the Load Balancer comes online with the EC2 responding, and the public Internet can access the web service using the DNS-supplied endpoint for the LB.

But now the web server EC2 can no longer access the Internet itself. I can't curl google.com or get package updates.

I would like to find a way to let the EC2 access the Internet from behind the LB and not use CloudFront at this time.

I would like to keep the EC2 in a private subnet because a public subnet causes the EC2 to have a public IP address, and I don't want that.

Looking for a way to make the LB work without switching subnets, as that would make the EC2 web service unavailable when doing updates.

Not wanting any iptables or firewalld tricks. I would really like an AWS solution that is distro agnostic.

A few points/clarifications about the problems you're facing:

  • Instances on a public subnet do not need a NAT Gateway. They can initiate outbound requests to the Internet via the IGW. The NGW is for allowing outbound IPv4 connections from instances in private subnets.
  • The load balancer itself needs to be on a public subnet. The instances that the LB will route to do not. They can be in the same subnet or different subnets, public or private, as long as traffic is allowed through security groups.
  • You can create instances without a public IP on a public subnet. However, they won't be able to receive or send traffic to the Internet.
  • Terraform supports ALBs. The resource is aws_lb with load_balancer_type set to "application" (this is the default option).

That said, the public-private configuration you want is entirely possible.

  1. Your ALB and NAT Gateway need to be on the public subnet, and EC2 instances on the private subnet.
  2. The private subnet's route table needs to have a route to the NGW, to facilitate outbound connections.
  3. The EC2 instances' security group needs to allow traffic from the ALB's security group.

It sounds like you got steps 1 and 2 working, so the connection from ALB to EC2 is what you have to work on. See the documentation page here as well - https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
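The three steps from the answer above, written out in Terraform as an added example (not code from the asker or the answerer). It assumes the VPC, public/private subnets, the private route table, the NAT Gateway and the web instance already exist under the names shown in the first comment; the ALB listener and target group are left out for brevity.

```hcl
# Assumed to exist already (not shown): aws_vpc.main, aws_subnet.public_a, aws_subnet.public_b,
# aws_route_table.private (associated with the private subnet), aws_nat_gateway.ngw, aws_instance.web.
# Step 2: the private subnet's default route goes to the NAT Gateway, so the instance
# can reach the Internet outbound without owning a public IP.
resource "aws_route" "private_default" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.ngw.id
}

# ALB security group: HTTP in from the Internet, anything out (to reach the targets).
resource "aws_security_group" "alb" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Step 3: the instance accepts HTTP only from the ALB's security group, never from
# 0.0.0.0/0; egress stays open so package updates via the NAT Gateway keep working.
resource "aws_security_group" "web" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Step 1: Application Load Balancer in the public subnets (listener and target group omitted).
resource "aws_lb" "web" {
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = [aws_subnet.public_a.id, aws_subnet.public_b.id]
}
```

Attach aws_security_group.web to the instance (plus a separate SSH rule scoped to the Client VPN CIDR) and the instance stays in the private subnet with no public IP while still being reachable through the ALB.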

