EC2: Huge spike in incoming network traffic

Question

I am seeing huge network in traffic to my application on ec2 instance hosted through Elastic Beanstalk. The app is served through a classic load balancer.

1. The instance has public IP but public IP access over http(s) is restricted to load balancer only
2. Load Balancer is publicly accessible

Given this, I am unable to find a possibility where instance will receive higher network in than the load balancer. I am expecting to enable WAF and Shield on load balancer which should rectify the issue assuming the traffic is coming through load balancer. But if that's the case

1. Why doesn't load balancer chart show the spikes?
2. In which cases we see underlying instance get more than the load balancer. Please see charts included below.

EC2 Network In

Load Balancer Processed Bytes

Any help or indications will be highly appreciated.

Answer 1

Turned out to be the network drive (efs) which was hitting max IO and AWS was capping the throughput I/O. When the app couldn't access it, the app server went down.

App was flushing a large amount of updates to the network file system so when we increased the throughput by setting Throughput mode it seems to have fixed the issue.

Lesson for me to learn here was EC2 network in actually included all IO to EC2 network interface including internal app traffic to efs.

Answer 2

Maybe some crawlers try to access your instance directly. Generaly it would be better to place your instance into the private subnet and restrict the access by the secrurity group.