Adam Jimenez

Reputation: 3145

Setting up Amazon Elastic Beanstalk app under VPC

I've created a new environment for my Beanstalk app under a VPC. I created a VPC with private and public subnets.

I've configured the security groups as outlined here: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo-vpc-basic.html

The environment seemed to set up correctly, but the status is red. Clicking on monitor reveals no data for latency or requests.

The website url returns error code 503.

Not sure what to do.

Upvotes: 3

Views: 6904

Answers (3)

Nikita Mendelbaum

Reputation: 808

There is a good AWS CloudFormation template example to create a VPC with public and private subnets and the NATs: https://github.com/awsdocs/elastic-beanstalk-samples/blob/9720e38e9da155752dce132a31d8e13a27364b83/cfn-templates/vpc-privatepublic.yaml

It may be very useful for those having issues with such a VPC configuration.

To deploy it to your AWS account using the CLI:

aws cloudformation deploy --stack-name mystackname --template-file path/to/vpc-privatepublic.yaml

Or you can deploy from the CloudFormation UI dashboard.

Upvotes: 0

Rakesh Bollampally

Reputation: 181

When you created the VPC, I assume you did it using the wizard. In this situation, the NAT is configured to accept calls from the "default" security group.

When you created the Elastic Beanstalk environment, did you specify that you want the new instances to be in the "default" security group?

Check if the new instance belongs to the VPC's default security group in the EC2 management area. If it is not a member of the default security group, add this security group to your NAT's inbound connections.

Upvotes: 4

Ryan Parman

Reputation: 6945

This is almost certainly an issue with not being able to communicate with the NAT. The documentation is a little ambiguous when it comes to configuring your .ebextensions config files.

  1. Don't mess with the Network ACLs for the VPC. The infrastructure needs to be able to talk to itself.
  2. The NAT instance & Beanstalk ELB need to be in the Public subnet (10.0.0.0/24)
  3. The Beanstalk instances themselves need to be in the Private subnet (10.0.1.0/24)
  4. The Security Group that you apply to the instances needs to also apply to the NAT. That Security Group also needs to be on its own Inbound list so that everything inside that SG can talk to each other.
  5. Using curl, try to make outbound calls. First on the Bastion Host, then on the NAT, then on a Beanstalk instance. Are any of them unable to make outbound calls?

I just recently spent a couple of weeks trying to develop a CloudFormation template that handles this stuff. I think that most of it is still in my brain. I think.

If these troubleshooting steps don't help, let me know and I'll dig a little deeper.

Upvotes: 9
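Added example (not part of the answer above, and not AWS or Elastic Beanstalk code): steps 2 to 4 of the checklist expressed as an offline check over records shaped like the output of `aws ec2 describe-security-groups` and `aws ec2 describe-instances`. The subnet IDs, group IDs, instance IDs and function names are constructed for illustration, and the ELB placement from step 2 is not checked.

```python
# Added example: offline check of checklist steps 2-4 against records shaped
# like `aws ec2 describe-security-groups` / `describe-instances` output.
# All IDs and sample records below are constructed for illustration.

PUBLIC_SUBNET = "subnet-public"    # hypothetical ID for 10.0.0.0/24
PRIVATE_SUBNET = "subnet-private"  # hypothetical ID for 10.0.1.0/24

def sg_allows_itself(group):
    """True if the group lists its own GroupId as an inbound source."""
    return any(pair.get("GroupId") == group["GroupId"]
               for perm in group.get("IpPermissions", [])
               for pair in perm.get("UserIdGroupPairs", []))

def check_layout(groups, nat, app_instances, shared_sg):
    """Return a list of findings; an empty list means steps 2-4 hold."""
    findings = []
    by_id = {g["GroupId"]: g for g in groups}
    def sg_ids(inst):
        return {s["GroupId"] for s in inst.get("SecurityGroups", [])}
    if nat["SubnetId"] != PUBLIC_SUBNET:
        findings.append(f"NAT {nat['InstanceId']} is not in the public subnet")
    if shared_sg not in sg_ids(nat):
        findings.append(f"NAT {nat['InstanceId']} is missing {shared_sg}")
    for inst in app_instances:
        if inst["SubnetId"] != PRIVATE_SUBNET:
            findings.append(f"{inst['InstanceId']} is not in the private subnet")
        if shared_sg not in sg_ids(inst):
            findings.append(f"{inst['InstanceId']} is missing {shared_sg}")
    if shared_sg not in by_id:
        findings.append(f"{shared_sg} not found")
    elif not sg_allows_itself(by_id[shared_sg]):
        findings.append(f"{shared_sg} does not allow inbound from itself")
    return findings

# Constructed sample: the shared group only has an SSH rule from a CIDR
# (no self-reference), and the NAT carries a different group.
SAMPLE_GROUPS = [{"GroupId": "sg-app", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/24"}], "UserIdGroupPairs": []}]}]
SAMPLE_NAT = {"InstanceId": "i-nat", "SubnetId": PUBLIC_SUBNET,
              "SecurityGroups": [{"GroupId": "sg-nat"}]}
SAMPLE_APP = [{"InstanceId": "i-app1", "SubnetId": PRIVATE_SUBNET,
               "SecurityGroups": [{"GroupId": "sg-app"}]}]

if __name__ == "__main__":
    for finding in check_layout(SAMPLE_GROUPS, SAMPLE_NAT, SAMPLE_APP, "sg-app"):
        print("FINDING:", finding)
```

Step 5 (outbound `curl` from the bastion, the NAT, then a Beanstalk instance) still has to be run on the hosts themselves; this check only covers group membership and subnet placement.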
