Reputation: 3145
Setting up Amazon Elastic Beanstalk app under VPC
I've created a new environment for my beanstalk app under a vpc. I created a vpc with private and public subnets.
I've configured the security groups as outlined here: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo-vpc-basic.html
The environment seemed to setup correctly but the status is red. Clicking on monitor reveals no data for latency or requests.
The website url returns error code 503.
Not sure what to do
Upvotes: 3
Views: 6904
Answers (3)
Reputation: 808
There is a good AWS CloudFormation template example to create VPC with public and private subnets and the NATs: https://github.com/awsdocs/elastic-beanstalk-samples/blob/9720e38e9da155752dce132a31d8e13a27364b83/cfn-templates/vpc-privatepublic.yaml
May be very useful for those having issues with such VPC configuration.
To deploy it to your AWS using cli:
aws cloudformation deploy --stack-name mystackname --template-file path/to/vpc-privatepublic.yaml
Or you can deploy from CloudFormation UI dashboard.
Upvotes: 0
Reputation: 181
When you created the VPC, I assume you did it using the wizard. In this situation, the NAT is configured to accept calls from "default" security group.
When you created the Elastic beanstalk environment, did you specify that you want the new instances to be on "default" security group?
Check if the new instance belongs to the VPC's default security group in EC2 management area. If it is not a member of default Security group, add this security group to your NAT's inbound connections.
Upvotes: 4
Reputation: 6945
This is almost certainly an issue with not being able to communicate with the NAT. The documentation is a little ambiguous when it comes to configuring your .ebextensions config files.
- Don't mess with the Network ACLs for the VPC. The infrastructure needs to be able to talk to itself.
- The NAT instance & Beanstalk ELB need to be in the Public subnet (10.0.0.0/24)
- The Beanstalk instances themselves need to be in the Private subnet (10.0.1.0/24)
- The Security Group that you apply to the instances needs to also apply to the NAT. That Security Group also needs to be on its own Inbound list so that everything inside that SG can talk to each other.
- Using
curl, try to make outbound calls. First on the Bastion Host, then on the NAT, then on a Beanstalk instance. Are any of them unable to make outbound calls?
I just recently spent a couple of weeks trying to develop a CloudFormation template that handles this stuff. I think that most of it is still in my brain. I think.
If these troubleshooting steps don't help, let me know and I'll dig a little deeper.
Upvotes: 9
Related Questions
- Elastic Beanstalk App in Private VPC without NAT
- How can I change an elasticbeanstalk environment vpc?
- Elastic Beanstalk Custom VPC - This configuration does not contain a load balancer
- Create and assign AWS elastic Beanstalk Spring instance to VPC
- Cannot create an Elastic Beanstalk application in a custom VPC using Terraform
- How can I create a VPC for EBS and RDS?
- Elastic Beanstalk in VPC
- How to setup Application Load Balancer for Elastic Beanstalk in AWS
- Creating Elastic Beanstalk environment with specified VPC
- Allow Elasticbeanstalk application to access EC-2 instance without using a VPC