EC2 instances must have a public IP assigned or they fail target group health checks?

Question

I created two different versions of the auto-scaling group template.

The first template doesn't auto-assign a public IP to the EC2 instances on creation, so there is only a private IP assigned to the EC2 instance when created. The target group health checks continuously fail as Unhealthy for the EC2 instance though.

However, in the second template of the ASG in the Network Configuration section I set a public IP to be auto-assigned to the EC2 instance. Then the target group health checks pass no issue.

The public IP auto-assignment is the only difference between the two templates. When creating the ASG from the templates I am selecting the public subnets (meaning they route traffic to the IGW) of the VPC I am working with. I have also tried private subnets with the same issue. The VPC for the EC2 instances is the same as the application load balancer.

The security groups for the ALB and EC2 instances both allow all incoming traffic on port 80.

Since the load balancer and EC2 instances are in the same VPC I assumed the target group would be able to resolve the health checks without needing to assign a public IP to the EC2 instances.

I'm not understanding why it's required to have a public IP assigned to the EC2 instances.

Answer 1

I suspect the issue is that your launch template has userdata code that fetches artifacts from the internet for bootstrapping. Without a public ip assigned to it, the EC2 instance is not be able to bootstrap properly and as a result the web server does not start, resulting in a failed health check.

You should create an EC2 AMI so that your EC2 instances will no longer need to fetch artifacts from the internet upon boot. This way, they will always work regardless of the settings of the network interface associated to the instance.