bstar

Reputation: 271

Load balancer cannot get a good health check

I'm confused how the AWS load balancers work. I have a pretty simple setup...

I have a REST-based API that needs to be exposed to the internet (port 80) via my load balancer. I only want the load balancer exposed to the internet traffic. I have a security group set up for my instance that restricts direct access to only my IP address for testing purposes.

The load balancer is not IP restricted on HTTP; it just has port 80 open (with a listener to my API service on port 3001). The problem is that the load balancer cannot see my instance if I set up any IP restrictions on the instances in question. Once I remove those restrictions on my instances, the health checks start working and I can access the service through the load balancer. The problem with that is my instances now have ports open to the internet that I don't want.

Is there something additional I need to do to allow the load balancer to access my instances when using IP restrictions?

One final note: my health checks work fine until I add the instance-level IP restrictions, so I know the health check is not the problem. I think if I added the load balancer's IP to my whitelist, it would work, but that IP is dynamic and not viable for this purpose.

Upvotes: 4

Views: 2242

Answers (1)

Dusan Bajic

Reputation: 10849

Don't use IP restrictions.

1) Select your LB, select the Security tab and note the Security Group ID (something like sg-5555abb). Click on that ID to edit it.

2) When you edit your Load Balancer security group, add only one allow rule: HTTP TCP 80 0.0.0.0/0 (and/or 443 if you need it, but you get the idea).

3) Next, go to your instance's security group. Allow only the Load Balancer's security group to access your instance on port 3001: Custom TCP Rule TCP 3001 sg-5555abb (my-load-balancer). Notice that in the Source field you do not enter an IP address/mask but the Security Group ID from step 1).

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-rules

Upvotes: 5
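
A check for the end state the answer above describes, added here as an example and not part of the original answer: it reads security group data in the shape returned by `aws ec2 describe-security-groups` and reports any source other than the load balancer's group that can reach port 3001. The sample data, the instance group ID `sg-1111ccc` and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# sg-5555abb is the load balancer group from the answer; sg-1111ccc is hypothetical.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-5555abb", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-1111ccc", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3001, "ToPort": 3001,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-5555abb"}]},
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3010,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
]}
""")

def covers(perm, port):
    """True if an ingress permission applies to the given TCP port."""
    if perm["IpProtocol"] == "-1":  # "-1" means all protocols and all ports
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_instance_group(groups, instance_sg, lb_sg, port):
    """List every way `port` on the instance group deviates from 'LB group only'."""
    sg = next(g for g in groups["SecurityGroups"] if g["GroupId"] == instance_sg)
    findings, lb_allowed = [], False
    for perm in sg["IpPermissions"]:
        if not covers(perm, port):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:  # any CIDR source bypasses the load balancer
            findings.append(f"port {port} open to CIDR {cidr}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] == lb_sg:
                lb_allowed = True
            else:
                findings.append(f"port {port} open to group {pair['GroupId']}")
    if not lb_allowed:  # health checks would fail in this state
        findings.append(f"load balancer group {lb_sg} cannot reach port {port}")
    return findings

if __name__ == "__main__":
    for finding in audit_instance_group(SAMPLE, "sg-1111ccc", "sg-5555abb", 3001):
        print(finding)
```

The wide 3000-3010 rule in the sample is caught even though it never names port 3001, which is the kind of leftover rule that keeps an instance reachable from the internet after the load balancer rule has been added.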
