Reputation: 4202
I am trying to achieve the following architecture depicted in this blog
I have a Fargate Service using an ENI (with private IP of 10.0.241.85) running in a private subnet (let's call it 'subnet-1'). The ENI also has an Elastic IP as it fails to pull the image from ECR if not. I don't think this will matter though? The container in my service is exposing ports 3000/4000. I then have my ALB & NAT gateway in a public subnet (let's call this 'subnet-2'). The ALB forwards traffic on ports 80/443 to the necessary target group. The target group has 2 registered tasks targeting the private IP on the ENI (1 on port 3000 & the other on 4000). To the best of my knowledge, this should allow traffic in, correct?
For traffic out, subnet-1 has a default route (0.0.0.0/0) to the NAT gateway in subnet-2, this should allow traffic out, correct?
All services are in the same VPC & the same availability zone (where applicable)
I have 2 security groups utilised by these services:
We leverage ephemeral ports for communication between the 2 security groups
NOTE: I removed the destination here but, yeah, the destination is test security group
| Service | Security Groups |
|---------|-----------------|
| ENI | test, api |
| ALB | api |
NOTE: The covered route is just a peering connection out so nothing to do with this
From what I know, the 2 subnets should be able to communicate using the private IPs of the services within them which is what I have done here.
The health check fails with the generic message of:
Task failed ELB health checks
I have also looked at this blog for a bit more help but to no avail.
Any help would be greatly appreciated :)
Upvotes: 2
Views: 1715
Reputation: 34426
If your task is listening on ports 3000 & 4000, your security group (test I guess, based on your comments) will need to permit these ports. As configured now, I don't see ports 3000 and 4000 as allowed.
Couple of other notes - an elastic IP on your ENI in a private subnet won't do anything as private subnets cannot have direct access to the internet. If you're having problems connecting to ECR without it there must be some other problem.
Also, your SG rules are permitting very large CIDR blocks like 0.0.0.0/0. A more secure configuration would only permit the particular security group that needs access. In this case, you would want the ports for your app (sounds like 3000 and 4000) from the SG ID of your load balancer.
Upvotes: 2
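A small audit of the two points the answer makes (app ports not reachable from the ALB, and 0.0.0.0/0 rules), written as an added example rather than code from either poster. The rule sets are constructed in the `IpPermissions` shape returned by `aws ec2 describe-security-groups`; the group ID, the "weak" rules and the ports are assumptions for illustration.

```python
"""Audit a Fargate task security group against the ALB -> task port path.

Added example, not from the question or the answer. Rules are constructed in
the IpPermissions shape of `aws ec2 describe-security-groups`; the ALB SG ID
and the weak rule set are assumptions.
"""

ALB_SG = "sg-0alb0000000000000"  # assumed ID of the load balancer's SG ("api")
TASK_PORTS = {3000, 4000}         # container ports the target group health-checks

# Constructed "before" rules for the task SG: 80/443 open to the world,
# nothing for 3000/4000 (the mis-configuration the answer describes).
WEAK_RULES = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]

# The corrected rules the answer recommends: app ports, source = ALB SG only.
FIXED_RULES = [
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
    {"IpProtocol": "tcp", "FromPort": 4000, "ToPort": 4000,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
]


def _covers(rule, port):
    """True if the rule's protocol/port range includes the given TCP port."""
    if rule["IpProtocol"] == "-1":          # "all traffic": no port keys present
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def audit(rules, alb_sg, ports):
    """Return (app ports the ALB cannot reach, rules open to 0.0.0.0/0)."""
    def from_alb(r):
        return any(g.get("GroupId") == alb_sg for g in r.get("UserIdGroupPairs", []))

    def world_open(r):
        return any(ip.get("CidrIp") == "0.0.0.0/0" for ip in r.get("IpRanges", []))

    # A port is reachable for the health check if some rule covers it and its
    # source is the ALB SG (or, less safely, the whole internet).
    unreachable = sorted(p for p in ports
                         if not any(_covers(r, p) and (from_alb(r) or world_open(r))
                                    for r in rules))
    broad = [f'{r["IpProtocol"]}:{r.get("FromPort", "all")}-{r.get("ToPort", "all")}'
             for r in rules if world_open(r)]
    return unreachable, broad
```

Running `audit(WEAK_RULES, ALB_SG, TASK_PORTS)` reports both app ports as unreachable plus the two world-open rules; the fixed rule set reports nothing.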