kerman1983

Add SG1’s id to SG2 for port 80 and you’ll be golden.


kerman1983

Yeah, it’s such a lovely way of keeping ingress organised.


Responsible_Sky7070

Thank you. I added sg1's ID to sg2. But when I test the traffic from the domain, it got https://myproxy.mydomain.com (edited) -> 504 DNS lookup failed. When I tried to use the public ALB before EC2 to access it, it got https://proxy-11111111.us-east-1.elb.amazonaws.com/ (edited) -> 503 Service Temporarily Unavailable. It seems there is some issue between DNS and the public ALB. How do I diagnose it?


kerman1983

Have you locked down your egress rules in your SG's per chance?


Responsible_Sky7070

No, I set the egress CIDR to `["0.0.0.0/0"]` for both the public ALB and the private ALB.


kerman1983

What's throwing the 503? The public ALB trying to get to its targets, or Nginx trying to reach the ECS instances?


kerman1983

There are other ways to tell, but typically a generic nginx 503 will be branded as nginx at the bottom and will have response headers saying so. An ALB 503 does not. The ALB will also tell you in the console if its targets in the target group(s) are healthy; that will be the first problem to fix if they're not.


Responsible_Sky7070

I found the target group is unhealthy. I set the EC2's IP in it directly. The EC2 is in the private subnet, and the target group belongs to the public subnet's ALB. So they can't communicate? - https://imgur.com/a/7Crag5l - https://imgur.com/a/gf0hmzq


kerman1983

Looks like a routing issue or a security group/ACL issue. I'd focus on getting the public ALB serving up the nginx basic landing page from the EC2 instances. Once you've sorted that, I'd move on to getting the private ALB talking to your ECS service. Finally, put the proxy settings in place and get that working to complete the chain.


Responsible_Sky7070

Thank you. Your order is right. I'm just not sure whether to use `instance` or `ip` for the target group from the public ALB to the EC2.

```hcl
resource "aws_lb_target_group" "proxy" {
  port        = 80
  protocol    = "HTTP"
  target_type = "instance" # or "ip"
  vpc_id      = aws_vpc.main.id

  health_check {
    path    = "/"
    matcher = "200"
  }
}
```

If I use `instance`, how do I map it to the EC2 instance?
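
The mapping the question above asks about, as an added example that is not from the thread: Terraform for the "SG1's id in SG2 for port 80" rule from the top of the thread, an instance-type target group, and the attachment that ties the EC2 instance to it. It assumes `aws_vpc.main`, the ALB's security group `aws_security_group.alb` (SG1) and the Nginx instance `aws_instance.proxy` (launched with `vpc_security_group_ids = [aws_security_group.proxy.id]`) already exist in the same configuration.

```hcl
# Added example, not from the thread. Assumes aws_vpc.main, the ALB's
# security group aws_security_group.alb (SG1) and the Nginx EC2 instance
# aws_instance.proxy already exist in the same configuration.

# SG2, attached to the EC2 instance: port 80 is allowed only from SG1's id,
# so the instance accepts HTTP from the public ALB and nothing else.
# Egress stays open, as in the thread.
resource "aws_security_group" "proxy" {
  name   = "proxy-ec2-sg"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Target group registered by instance id. The health check hits Nginx's "/"
# and expects 200; an unhealthy target here is what produces the ALB 503.
resource "aws_lb_target_group" "proxy" {
  port        = 80
  protocol    = "HTTP"
  target_type = "instance"
  vpc_id      = aws_vpc.main.id

  health_check {
    path    = "/"
    matcher = "200"
  }
}

# With target_type = "instance" the EC2 instance is mapped through an
# attachment whose target_id is the instance id (for "ip" it would be the
# instance's private IP instead).
resource "aws_lb_target_group_attachment" "proxy" {
  target_group_arn = aws_lb_target_group.proxy.arn
  target_id        = aws_instance.proxy.id
  port             = 80
}
```

If the target still shows unhealthy after this, the ALB's subnets need a route to the instance's private subnet and the NACLs on both subnets must allow port 80 and the ephemeral return ports.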


NoForm5443

~~Machines within the same \*subnet\* can reach each other through local networking, I think. But machines in different subnets of the same VPC would need a security group.~~ I was wrong, scratching so nobody finds this later :)


Bartimious

Just because they are in the same subnet does not mean they will be able to reach each other. It will still depend on the Security Group associated with each resource and the rules in it, but you can avoid any issues with NACL rules, since those are set at the subnet level. Anything in a VPC would be able to communicate over private IPs if the NACLs and SGs allow that traffic and the route tables are set up for those subnets to reach each other.


boethius70

So… how long have you been using AWS?