As far as I have been able to research, there are two ways of placing EC2 instances in front of ALBs in a given availability zone:

  1. Placing them in the same public subnets referenced by the ALB in that availability zone, and giving them a public IP

  2. Placing them in private subnets, and creating a NAT Gateway in a public subnet referenced by the ALB in that availability zone

I would like to be able to place ALBs in front of EC2 instances without a public IP, for example an EC2 instance without a public IP in a public subnet referenced by an ALB.

When I try to do this the ALB says my EC2 instance is unhealthy, but when I give the instance a public IP the ALB almost instantly says it's healthy.

Why is this the case? This does not seem to have been addressed on Stack Overflow so far (this seems to be the only answer until now).

Matias Haeussler
  • You must be doing something wrong. Can you post details or screenshots of your ALB setup, target group, security groups, health checks? – Marcin Sep 03 '20 at 22:39
  • Also, do your instances in the private subnet work? Maybe they require internet access to download some dependencies or access AWS resources? – Marcin Sep 03 '20 at 22:41
  • What you are doing is the standard setup: the ALB in a public subnet, EC2 instances in a private subnet. It should be the security groups causing trouble. In order to test this, create a new EC2 instance in the public subnet and see if you can reach the EC2 instances in the private subnets via telnet. – Arun Kamalanathan Sep 03 '20 at 23:39
  • I just waited a while and it became healthy. I think it can be related to some services needing a public IP, because the instance communicates with public SES and S3 endpoints. Indeed, many errors appeared when trying to send emails through the web app that went away when assigning it a public IP. – Matias Haeussler Sep 09 '20 at 21:40

1 Answer

When the ALB says the EC2 instance is unhealthy, it means one of two things:

  1. The configuration of the health check needs to be checked: the port number, protocol, and path.

  2. Second, you don't need to assign a private IP without a public IP to your EC2 instance behind the ALB, because the EC2 instance's security group should be configured to allow inbound connections from the ALB's security group (called a referencing security group), which means the EC2 instance will not accept connections from anything other than the ALB.

Hence you won't need to assign a private IP to your EC2 instance, because if you try to access your instance by its public IP it won't respond.

Jatin Mehrotra
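The layout the comments and the answer converge on, written out as an added Terraform example (this is not code from the question or the answer): the ALB in public subnets, the instance in a private subnet with no public IP, the instance's security group admitting only the ALB's security group, and a target group whose health check port, protocol and path match what the application serves. The variables var.vpc_id, var.public_subnet_ids, var.private_subnet_id, var.private_route_table_ids, var.ami_id, var.certificate_arn and var.region are assumed to be declared elsewhere; port 8080, the /healthz path and the resource names are illustrative choices.

```hcl
# Assumed inputs (declared elsewhere): var.vpc_id, var.public_subnet_ids,
# var.private_subnet_id, var.private_route_table_ids, var.ami_id,
# var.certificate_arn, var.region. Port 8080 and /healthz are illustrative.

resource "aws_security_group" "alb" {
  name   = "web-alb"
  vpc_id = var.vpc_id

  ingress {
    description = "HTTPS from the internet"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "web" {
  name   = "web-instances"
  vpc_id = var.vpc_id

  # Referencing security group: only the ALB may reach the app port.
  # Health checks originate from the ALB's ENIs, so this rule admits them too.
  ingress {
    description     = "App traffic and health checks from the ALB only"
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "web" {
  ami                         = var.ami_id
  instance_type               = "t3.micro"
  subnet_id                   = var.private_subnet_id
  vpc_security_group_ids      = [aws_security_group.web.id]
  associate_public_ip_address = false # the ALB forwards to the private IP
}

resource "aws_lb" "web" {
  name               = "web-alb"
  load_balancer_type = "application"
  internal           = false
  security_groups    = [aws_security_group.alb.id]
  subnets            = var.public_subnet_ids
}

resource "aws_lb_target_group" "web" {
  name     = "web-tg"
  port     = 8080
  protocol = "HTTP"
  vpc_id   = var.vpc_id

  # Port, protocol and path must match what the app really serves;
  # a mismatch here is the first thing the answer says to check.
  health_check {
    path                = "/healthz"
    port                = "traffic-port"
    protocol            = "HTTP"
    matcher             = "200"
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }
}

resource "aws_lb_target_group_attachment" "web" {
  target_group_arn = aws_lb_target_group.web.arn
  target_id        = aws_instance.web.id
  port             = 8080
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# Gateway endpoint so the instance can reach S3 from the private subnet
# without a public IP or a NAT gateway.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids
}
```

The health check itself never needs a public IP on the target: the ALB reaches the instance over its private IP inside the VPC, and the referencing rule on the web security group is what lets that traffic in. What does need a path to the internet is the application's own outbound traffic, which is the effect the asker saw with SES and S3. The S3 gateway endpoint above covers the S3 calls; calls to SES from a private subnet still need a NAT gateway or a VPC interface endpoint, and if they time out on startup the health check can fail for reasons that have nothing to do with the ALB configuration.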