Accessing AWS EC2 instances through ELB

I'm trying to set up two instances under an elastic load balancer, but cannot figure out how I'm supposed to access the instances through the load balancer.

I've set up the instances with a security group to allow access from anywhere to certain ports. I can access the instances directly using their "Public DNS" (publicdns) host name and the port PORT:

http://[publicdns]:PORT/

The load balancer contains the two instances and they are both "In Service" and it's forwarding the port (PORT) onto the same port on the instances.

However, if I request

http://[dnsname]:PORT (where dnsname is the A Record listed for the ELB)

it doesn't connect to the instance (connection times out).

Is this not the correct way to use the load balancer, or do I need to do anything to allow access to the load balancer? The only mention of security groups in relation to the load balancer is to restrict access to the instances to the load balancer only, but I don't want that. I want to be able to access them individually as well.

I'm sure there's something simple and silly that I've forgotten, not realised or done wrong :P

Cheers, Svend.


Extra info added:

The Port Configuration for the Load Balancer looks like this (actually 3 ports):

10060 (HTTP) forwarding to 10060 (HTTP) Stickiness: Disabled(edit)

10061 (HTTP) forwarding to 10061 (HTTP) Stickiness: Disabled(edit)

10062 (HTTP) forwarding to 10062 (HTTP) Stickiness: Disabled(edit)

And it's using the standard/default elb security group (amazon-elb-sg).

The instances have two security groups. One external looking like this:

22 (SSH)        0.0.0.0/0
10060 - 10061   0.0.0.0/0
10062           0.0.0.0/0

and one internal, allowing anything within the internal group to communicate on all ports:

0 - 65535 sg-xxxxxxxx (security group ID)

Not sure it makes any difference, but the instances are m1.small types of image ami-31814f58.


Something that might have relevance:

My health check used to be HTTP:PORT/ but the load balancer kept saying that the instances were "Out of Service", even though I seem to get a 200 response on the request on that port.

I then changed it to TCP:PORT and it then changed to say they were "In Service".

Is there something very specific that should be returned for the HTTP one, or is it simply an HTTP 200 response that's required? ... and does the fact that it wasn't working hint towards why the load balancing itself wasn't working either?

Svend Hansen asked Feb 24 '12 12:02



1 Answer

It sounds like you have everything set up correctly. Are they the same ports going into the load balancer as the instance? Or are you forwarding the request to another port?

As a side note, when I configure my load balancers I don't generally like to open up my instances on any port for the general public. I only allow the load balancer to make requests to those instances. I've noticed in the past that many people will make malicious requests to the IP of the instance trying to find a security breach. I've even seen people trying to brute force login into my Windows machines....

To create a security rule only for the load balancers, run the following commands and remove any other rules you have in the security group for the port the load balancer is using. If you're not using the command line to run these commands then just let me know which interface you're trying to use and I can try to come up with a sample that will work for you.

elb-create-lb-listeners <load-balancer> --listener "protocol=http, lb-port=<port>, instance-port=<port>"
ec2-authorize <security-group>  -o amazon-elb-sg -u amazon-elb

Back to your question. Like I said, the steps you explained are correct: opening the port on the instance and forwarding the port to the instance should be enough. Maybe you need to post the full configuration of your instance's security group and the load balancer so that I can see if there is something else affecting your situation.

bwight answered Oct 21 '22 09:10
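As an added example (not part of the question or of bwight's answer), a small Python audit of an instance security group's ingress rules, in the structure that boto3's describe_security_groups returns: it flags listener ports open to 0.0.0.0/0 and checks whether they are instead reachable from the load balancer's security group, which is what the answer recommends. The rule data is constructed to mirror the external group in the question, and the ELB group id is a placeholder (in a VPC the load balancer has its own security group id; in EC2-Classic the source was the amazon-elb/amazon-elb-sg pair from the answer).

```python
from typing import Dict, List

# Constructed sample in the shape of boto3 describe_security_groups()
# "IpPermissions"; it mirrors the external group from the question.
EXTERNAL_GROUP_RULES: List[Dict] = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 10060, "ToPort": 10061,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 10062, "ToPort": 10062,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]

# Hardened variant from the answer: listener ports accept traffic only
# from the load balancer's security group (placeholder id); SSH unchanged.
ELB_SG_ID = "sg-elb-placeholder"
HARDENED_GROUP_RULES: List[Dict] = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 10060, "ToPort": 10062,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ELB_SG_ID}]},
]


def _covers(rule: Dict, port: int) -> bool:
    """True if a tcp (or all-protocol, "-1") rule's port range includes port."""
    if rule.get("IpProtocol") not in ("tcp", "-1"):
        return False
    low, high = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return low <= port <= high


def audit_listener_ports(rules: List[Dict], ports: List[int], elb_sg: str) -> Dict[int, Dict[str, bool]]:
    """For each ELB listener port, report whether it is reachable from
    anywhere and whether the load balancer's group is allowed to reach it."""
    report: Dict[int, Dict[str, bool]] = {}
    for port in ports:
        matching = [r for r in rules if _covers(r, port)]
        public = any(ip.get("CidrIp") == "0.0.0.0/0"
                     for r in matching for ip in r.get("IpRanges", []))
        from_elb = any(pair.get("GroupId") == elb_sg
                       for r in matching for pair in r.get("UserIdGroupPairs", []))
        report[port] = {"public": public, "from_elb": from_elb}
    return report


def needs_hardening(report: Dict[int, Dict[str, bool]]) -> List[int]:
    """Ports to lock down: world-reachable, or not reachable from the ELB at all."""
    return sorted(p for p, f in report.items() if f["public"] or not f["from_elb"])
```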