Amazon ELB in VPC


Solution 1

My teammate and I have just implemented ELB in a VPC with 2 private subnets in different availability zones. The reason you get timeouts is that for each subnet you add to the load balancer, it gets one external IP address (try 'dig elb-dns-name-here' and you will see several IP addresses). If one of these IP addresses maps to a private subnet, it will time out. The IP that maps into your public subnet will work. Because DNS may give you any one of the IP addresses, sometimes it works, sometimes it times out.

After some back and forth with Amazon, we discovered that the ELB should only be placed in 'public' subnets, that is, subnets that have a route out to the Internet Gateway. We wanted to keep our web servers in our private subnets but allow the ELB to talk to them. To solve this, we had to ensure that we had a corresponding public subnet for each availability zone in which we had private subnets. We then added the public subnets for each availability zone to the ELB.

At first, this didn't seem to work, but after trying everything, we recreated the ELB and everything worked as it should. I think this is a bug, or the ELB was just in an odd state from so many changes.

Here is more or less what we did:

  1. WebServer-1 is running in PrivateSubnet-1 in availability zone us-east-1b with security group called web-server.
  2. WebServer-2 is running in PrivateSubnet-2 in availability zone us-east-1c with security group called web-server.
  3. Created a public subnet in zone us-east-1b, we'll call it PublicSubnet-1. We ensured that we associated the routing table that includes the route to the Internet Gateway (ig-xxxxx) with this new subnet. (If you used the wizard to create a public/private VPC, this route already exists.)
  4. Created a public subnet in zone us-east-1c, we'll call it PublicSubnet-2. We ensured that we associated the routing table that includes the route to the Internet Gateway (ig-xxxxx) with this new subnet. (If you used the wizard to create a public/private VPC, this route already exists.)
  5. Created a new ELB, adding to it PublicSubnet-1 and PublicSubnet-2 (not the PrivateSubnet-X). Also, picked the instances to run in the ELB, in this case WebServer-1 and WebServer-2. Made sure to assign a security group that allows incoming port 80 and 443. Let's call this group elb-group.
  6. In the web-server group, allow traffic from port 80 and 443 from the elb-group.

I hope that helps!

Solution 2

The key here is understanding that you are not "adding subnets/availability zones" to the ELB, but rather specifying what subnets to put ELB instances into.

Yes, ELB is a software load balancer, and when you create an ELB object, a custom load-balancing EC2 instance is put into all the subnets that you specified. So for the ELB (its instances) to be accessible, they have to be put into the subnets that have a default route configured via the IGW (most likely you classified these subnets as public).

So, as was already answered above, you have to specify "public" networks for the ELB, and those networks should be from the AZs where your EC2 instances are running. In this case the ELB instances will be able to reach your EC2 instances (as long as security groups are configured correctly).

Solution 3

We've implemented ELB in a private subnet, so the statement that all ELBs need to be public isn't completely true. You do need a NAT. Create a private subnet for the private ELBs, turn on VPC DNS and then make sure the private routing table is configured to go through the NAT. The subnet security groups also need to be set up to allow traffic between the ELB and App subnets, and between the App and DB subnets.

Beanstalk health checks won't work as they can't reach the load balancer, but for services that need to be outside of the public reach this is a good compromise.

Suggested reading to get your VPC architecture started: http://blog.controlgroup.com/2013/10/14/guided-creation-of-cloudformation-templates-for-vpc/.

Solution 4

You must add the following settings.

  1. Public subnet zone b = Server NAT
  2. Private subnet zone c = Server Web
  3. Public subnet zone c = ELB

The trick is routing:

  1. The route table for the NAT is attached to gateway A.
  2. The route table for Server Web is attached to the NAT.
  3. The route table for the public subnet is attached to gateway A.

ELB details:

  1. Zone: Public subnet zone c
  2. Instance: Server Web
  3. Security Groups: enable ports

http://docs.amazonaws.cn/en_us/ElasticLoadBalancing/latest/DeveloperGuide/UserScenariosForVPC.html
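Solution 1 and Solution 4 both come down to two checks that are easy to get wrong in the console: every subnet handed to the ELB must carry a default route to the Internet Gateway, with one such subnet in each availability zone where a backend instance lives, and the security groups must chain so that the ELB accepts 80/443, the web servers accept 80/443 from the ELB's group, and the ELB's egress can reach the instances (the health-check gotcha dancl mentions in the comments). The script below is an added example, not code from any of the answers; it encodes those checks against constructed JSON shaped like `aws ec2 describe-subnets`, `describe-route-tables` and `describe-security-groups` output, trimmed to the fields it uses, with placeholder resource ids. It only looks at explicitly associated route tables and does not model the VPC's main route table.

```python
"""Validate an ELB-in-VPC plan the way the answers describe (added example)."""
import json

# Constructed sample in the shape of `aws ec2 describe-*` output; ids are placeholders.
SAMPLE = json.loads("""{
 "Subnets": [
  {"SubnetId": "subnet-priv1", "AvailabilityZone": "us-east-1b"},
  {"SubnetId": "subnet-priv2", "AvailabilityZone": "us-east-1c"},
  {"SubnetId": "subnet-pub1", "AvailabilityZone": "us-east-1b"},
  {"SubnetId": "subnet-pub2", "AvailabilityZone": "us-east-1c"}],
 "RouteTables": [
  {"RouteTableId": "rtb-public",
   "Associations": [{"SubnetId": "subnet-pub1"}, {"SubnetId": "subnet-pub2"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-xxxxx"}]},
  {"RouteTableId": "rtb-private",
   "Associations": [{"SubnetId": "subnet-priv1"}, {"SubnetId": "subnet-priv2"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat"}]}],
 "SecurityGroups": [
  {"GroupId": "sg-elb", "GroupName": "elb-group",
   "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
   "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-web", "GroupName": "web-server",
   "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-elb"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-elb"}]}],
   "IpPermissionsEgress": []}]
}""")


def route_table_for(desc, subnet_id):
    """Route table explicitly associated with a subnet; None if it would fall back
    to the VPC's main table (not modelled here)."""
    for rtb in desc["RouteTables"]:
        if any(a.get("SubnetId") == subnet_id for a in rtb["Associations"]):
            return rtb
    return None


def is_public_subnet(desc, subnet_id):
    """'Public' in the answers' sense: the 0.0.0.0/0 route points at an igw-*,
    not at a NAT instance or gateway."""
    rtb = route_table_for(desc, subnet_id)
    if rtb is None:
        return False
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               for r in rtb["Routes"])


def check_elb_placement(desc, elb_subnets, instance_subnets):
    """Problems with a planned set of ELB subnets; an empty list means the plan is OK."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in desc["Subnets"]}
    problems = []
    for sn in elb_subnets:  # a private ELB subnet yields a node that times out
        if not is_public_subnet(desc, sn):
            problems.append(f"{sn} has no IGW default route; ELB nodes there will time out")
    covered = {az_of[sn] for sn in elb_subnets}
    for sn in instance_subnets:  # each backend AZ needs a matching public ELB subnet
        if az_of[sn] not in covered:
            problems.append(f"no ELB subnet in {az_of[sn]}, where {sn} lives")
    return problems


def rule_allows(perms, port, from_sg=None):
    """True if a permission list covers TCP `port` from anywhere (from_sg=None)
    or from security group `from_sg` (by group reference or an open CIDR)."""
    for p in perms:
        proto = p.get("IpProtocol", "tcp")
        if proto not in ("tcp", "-1"):
            continue
        if proto == "tcp" and not (p.get("FromPort", 0) <= port <= p.get("ToPort", 65535)):
            continue
        if from_sg is None and p.get("IpRanges"):
            return True
        if any(g["GroupId"] == from_sg for g in p.get("UserIdGroupPairs", [])):
            return True
        if from_sg is not None and any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", [])):
            return True
    return False


def check_security_groups(desc, elb_sg, web_sg, ports=(80, 443)):
    """Verify the elb-group -> web-server chain from Solution 1 plus ELB egress."""
    groups = {g["GroupId"]: g for g in desc["SecurityGroups"]}
    elb, web = groups[elb_sg], groups[web_sg]
    problems = []
    for port in ports:
        if not rule_allows(elb["IpPermissions"], port):
            problems.append(f"{elb_sg} does not accept inbound {port}")
        if not rule_allows(web["IpPermissions"], port, from_sg=elb_sg):
            problems.append(f"{web_sg} does not accept {port} from {elb_sg}")
        # Health checks originate at the ELB, so its egress must reach the instances.
        if not rule_allows(elb["IpPermissionsEgress"], port, from_sg=web_sg):
            problems.append(f"{elb_sg} egress blocks {port} toward {web_sg}; health checks fail")
    return problems


if __name__ == "__main__":
    backends = ["subnet-priv1", "subnet-priv2"]
    print(check_elb_placement(SAMPLE, ["subnet-pub1", "subnet-pub2"], backends) or "placement OK")
    print(check_elb_placement(SAMPLE, backends, backends))  # the mistake from the question
    print(check_security_groups(SAMPLE, "sg-elb", "sg-web") or "security groups OK")
```

To run it against a real account, replace `SAMPLE` with the merged output of the three `describe-*` calls for your VPC; the second `check_elb_placement` call reproduces the question's original mistake (private subnets handed to the ELB) and reports one timeout problem per subnet.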


Author by

Kevin Willock


Updated on July 05, 2022

Comments

  • Kevin Willock
    Kevin Willock almost 2 years

    We're using Amazon EC2, and we want to put an ELB (load balancer) to 2 instances on a private subnet. If we just add the private subnet to the ELB, it will not get any connections, if we attach both subnets to the ELB then it can access the instances, but it often will get time-outs. Has anyone successfully implemented an ELB within the private subnet of their VPC? If so, could you perhaps explain the procedure to me?

    Thanks

  • Kevin Willock
    Kevin Willock about 12 years
    Yeah, we came to the same conclusion, I just forgot to update this. Thanks for the answer :)
  • andres.riancho
    andres.riancho almost 11 years
    This is a good source of related information: forums.aws.amazon.com/thread.jspa?messageID=453594&#453594
  • Cfreak
    Cfreak almost 11 years
    I regret that I have but one upvote to give. Thanks! I was banging my head against the wall for the last 2 hours trying to figure this out.
  • Craig Watson
    Craig Watson almost 11 years
    If I could upvote this a million times, I would. Thank you SO!
  • Michel Feldheim
    Michel Feldheim almost 11 years
    So your webservers are in both, the public and the private network?
  • Manish Singh
    Manish Singh about 10 years
    I am facing exactly the same problem but I'm still stuck. If I add PublicSubnet-X (not the PrivateSubnet-X) then my instance attached to the ELB gets OutOfService because I do not have any instance in the Public Subnet; the instance count shows 0. If I add both, then the instance is operating normally, but then I face the timeout issue. Am I missing something? Can someone please help?
  • nickdnk
    nickdnk about 9 years
    "Also, picked the instances to run in the ELB, in this case WebServer-1 and WebServer-2." - What instances do you run "in the ELB"? Don't you mean you run EC2 instances in the private subnet? I don't get it. I've been doing exactly what you posted from the beginning, but the Environment fails to start and remains in grey state.
  • Jeff Loughridge
    Jeff Loughridge about 8 years
    You make an important point in your first sentence. The AWS Console is not intuitive in this regard. It leads one to believe that you are doing something wrong when you don't see EC2 instances from your private subnets if you deploy the ELB in the public subnet(s).
  • gsalgadotoledo
    gsalgadotoledo about 7 years
    Do your instances have a public IP?
  • BatteryAcid
    BatteryAcid about 7 years
    I also found these instructions helpful: docs.aws.amazon.com/AmazonVPC/latest/UserGuide/…
  • Brett Green
    Brett Green over 6 years
    Here's some official info from AWS team that is helpful also. aws.amazon.com/premiumsupport/knowledge-center/…
  • Perimosh
    Perimosh over 6 years
    Hello. In step "Made sure to assign a security group that allows incoming port 80 and 443.", what rules are you adding? Inbound for every where? Or just from the sg of the web-server?
  • tzwickl
    tzwickl over 4 years
    Thank you so much for this answer I just had the exact same problem and was already questioning my sanity why I couldn't get this to work :)
  • dancl
    dancl over 4 years
    For me the gotcha was that the load-balancer security group needed an egress rule to the instances for the health check.