I get a 502 error from the ALB.
Here are my VPC and routes:
# VPC that hosts the public subnets (ALB, NAT gateway) and the private subnet
# (ASG instances) defined below.
resource "aws_vpc" "My_VPC" {
  cidr_block       = var.vpcCIDRblock
  instance_tenancy = var.instanceTenancy

  # DNS resolution and hostnames inside the VPC.
  enable_dns_hostnames = "true"
  enable_dns_support   = "true"

  tags = {
    Name = "My VPC"
  }
}
# First public subnet (eu-central-1a). It hosts the NAT gateway and is one of
# the two subnets the ALB is attached to.
resource "aws_subnet" "Public_Subnet" {
  vpc_id            = aws_vpc.My_VPC.id
  cidr_block        = var.subnetCIDRblock
  availability_zone = "eu-central-1a"

  # Anything launched directly into this subnet gets a public IP.
  map_public_ip_on_launch = "true"

  tags = {
    Name = "My Public Subnet"
  }
}
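# Second public subnet for the ALB. An ALB needs subnets in at least two
# distinct Availability Zones; Public_Subnet is in eu-central-1a, so this one
# is placed in eu-central-1b. The previous value "eu-central-1" is the region
# name, not a zone, and is rejected by AWS.
resource "aws_subnet" "Public_Subnet_elb" {
  vpc_id                  = aws_vpc.My_VPC.id
  cidr_block              = var.subnetCIDRblock4
  map_public_ip_on_launch = "true"
  availability_zone       = "eu-central-1b"

  tags = {
    Name = "My Public Subnet ELB"
  }
}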
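# Private subnet for the ASG instances. It has no route to the internet
# gateway; outbound traffic leaves through the NAT gateway via
# private_route_table. The CIDR is hard-coded while the other subnets use
# variables — keep it disjoint from var.subnetCIDRblock and var.subnetCIDRblock4.
resource "aws_subnet" "Private_Subnet" {
  vpc_id     = aws_vpc.My_VPC.id
  cidr_block = "172.16.2.0/24"

  # Instances here must not get public IPs; they are meant to be reached only
  # through the ALB.
  map_public_ip_on_launch = "false"

  # Was "$eu-central-1a": a bare "$" is not an interpolation, so the string was
  # passed literally to AWS, which does not know such a zone.
  availability_zone = "eu-central-1a"

  tags = {
    Name = "My_Private_Subnet"
  }
}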
# Internet gateway for the VPC; target of the public route table's default
# route and a prerequisite for the NAT gateway's Elastic IP.
resource "aws_internet_gateway" "My_VPC_GW" {
  vpc_id = aws_vpc.My_VPC.id

  tags = {
    Name = "My VPC Internet Gateway"
  }
}
# Public route table: default route straight to the internet gateway. Any
# subnet associated with it is internet-routable.
resource "aws_route_table" "eu-central-1a" {
  vpc_id = aws_vpc.My_VPC.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.My_VPC_GW.id
  }

  tags = {
    Name = "Public Subnet"
  }
}
# Makes the public route table the VPC's main table. A subnet that is not
# explicitly associated with a route table inherits the main table, so any
# subnet added later without an association becomes internet-routable by
# default — keep explicit associations for every subnet.
resource "aws_main_route_table_association" "public" {
  route_table_id = aws_route_table.eu-central-1a.id
  vpc_id         = aws_vpc.My_VPC.id
}
# Public_Subnet -> public route table.
resource "aws_route_table_association" "eu-central-1a-public" {
  route_table_id = aws_route_table.eu-central-1a.id
  subnet_id      = aws_subnet.Public_Subnet.id
}
# Public_Subnet_elb -> public route table (the ALB subnets need the IGW route).
resource "aws_route_table_association" "elb" {
  route_table_id = aws_route_table.eu-central-1a.id
  subnet_id      = aws_subnet.Public_Subnet_elb.id
}
# Elastic IP for the NAT gateway. The internet gateway has to exist before the
# address can be used inside the VPC, hence the explicit dependency.
resource "aws_eip" "eip" {
  vpc        = true
  depends_on = ["aws_internet_gateway.My_VPC_GW"]
}
# NAT gateway in the public subnet. Private_Subnet's default route
# (aws_route.private) points here, giving its instances outbound internet
# access without public IPs.
resource "aws_nat_gateway" "gateway" {
  subnet_id     = aws_subnet.Public_Subnet.id
  allocation_id = aws_eip.eip.id
  depends_on    = ["aws_internet_gateway.My_VPC_GW"]
}
# Public address of the NAT gateway: the source IP that outbound traffic from
# the private subnet appears with (useful for allow-listing on external services).
output "NAT_GW_IP" {
  value = aws_eip.eip.public_ip
}
## Routing table
# Private route table; its default route is added separately in aws_route.private.
resource "aws_route_table" "private_route_table" {
  vpc_id = aws_vpc.My_VPC.id
}
# Default route for the private subnet via the NAT gateway (outbound only;
# the NAT gateway does not accept inbound connections from the internet).
resource "aws_route" "private" {
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.gateway.id
  route_table_id         = aws_route_table.private_route_table.id
}
# Associate subnet private_subnet to private route table
# Private_Subnet -> private route table. Without this explicit association the
# subnet would fall back to the VPC main table, which routes to the IGW.
resource "aws_route_table_association" "private_subnet_association" {
  route_table_id = aws_route_table.private_route_table.id
  subnet_id      = aws_subnet.Private_Subnet.id
}
Each security group is open for incoming traffic on ports 80, 443 and 22; outbound is open to 0.0.0.0/0.
ELB
# Internet-facing ALB attached to the two public subnets (which must be in
# distinct Availability Zones).
resource "aws_lb" "test" {
  name               = "test-lb-tf"
  load_balancer_type = "application"
  internal           = false
  security_groups    = [aws_security_group.elb-security.id]
  subnets = [
    aws_subnet.Public_Subnet_elb.id,
    aws_subnet.Public_Subnet.id,
  ]
  enable_deletion_protection = false

  # The ALB itself does not send traffic through the NAT gateway; this only
  # orders creation.
  depends_on = ["aws_nat_gateway.gateway"]

  # Access logs are the first place to look when diagnosing 5xx responses:
  # each entry includes the ELB and target status codes and an error reason.
  # The bucket must exist and carry a bucket policy that lets the regional
  # ELB service account write to it, or the ALB will fail to create.
  access_logs {
    bucket  = "test-listener"
    prefix  = "test-lb"
    enabled = true
  }

  tags = {
    Environment = "production"
  }
}
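# Target group that aws_autoscaling_group.moodle-agents registers its
# instances into; the ALB listener forwards HTTP traffic here on port 80.
resource "aws_lb_target_group" "test" {
  name                 = "moodle-tg"
  port                 = "80"
  protocol             = "HTTP"
  vpc_id               = aws_vpc.My_VPC.id
  target_type          = "instance"
  deregistration_delay = "300"

  # Health check against the web server's root page.
  #
  # The previous values (interval 300 s, healthy_threshold 10) meant a freshly
  # launched target needed ~50 minutes of consecutive passes before it was
  # ever marked healthy, while the ASG uses ELB health checks with a 300 s
  # grace period — so instances could be judged unhealthy and recycled long
  # before they had a chance to become healthy. The values below keep
  # timeout < interval (an AWS requirement) and flip a target's state after
  # three consecutive results, i.e. roughly 90 s.
  #
  # Note: the instance security group (aws_security_group.web_ubuntu1) must
  # allow inbound port 80 from the ALB security group
  # (aws_security_group.elb-security); otherwise both the health check and
  # forwarded requests are blocked and the ALB cannot serve the target.
  health_check {
    path                = "/"
    protocol            = "HTTP"
    port                = "80"
    matcher             = "200"
    interval            = "30"
    timeout             = "10"
    healthy_threshold   = "3"
    unhealthy_threshold = "3"
  }
}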
# Plain-HTTP listener on port 80 forwarding every request to the target group.
# There is no HTTPS (443) listener or HTTP->HTTPS redirect in this
# configuration, so client traffic to the ALB travels unencrypted.
resource "aws_lb_listener" "front_end" {
  load_balancer_arn = aws_lb.test.arn
  protocol          = "HTTP"
  port              = "80"
  depends_on        = ["aws_nat_gateway.gateway"]

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.test.arn
  }
}
# Listener rule forwarding the exact path "/" to the target group. It forwards
# to the same target group as the listener's default action, so it is
# effectively redundant; it does no harm but can be dropped.
resource "aws_lb_listener_rule" "asg-listener_rule" {
  listener_arn = aws_lb_listener.front_end.arn
  priority     = 100
  depends_on   = ["aws_nat_gateway.gateway"]

  action {
    target_group_arn = aws_lb_target_group.test.arn
    type             = "forward"
  }

  condition {
    path_pattern {
      values = ["/"]
    }
  }
}
ASG
# Launch configuration for the web-tier instances. name_prefix together with
# create_before_destroy lets a changed configuration be swapped in without a
# gap in the ASG.
resource "aws_launch_configuration" "moodle-lc" {
  name_prefix   = "moodle-lc-"
  image_id      = data.aws_ami.centos.id
  instance_type = var.instance
  key_name      = "moodle_agents"

  # Instances from this configuration live in Private_Subnet (see the ASG).
  # This group must allow inbound port 80 from the ALB's security group
  # (aws_security_group.elb-security) for health checks and forwarded
  # requests. The group definition is not shown here — confirm its port 22
  # rule is scoped to an admin/bastion range rather than 0.0.0.0/0.
  security_groups = [aws_security_group.web_ubuntu1.id]

  # Bootstrap script (installs and starts the web server). It needs outbound
  # internet via the NAT gateway, hence the explicit dependency.
  user_data  = file("init-agent-instance.sh")
  depends_on = ["aws_nat_gateway.gateway"]

  lifecycle {
    create_before_destroy = true
  }
}
# Auto Scaling group running the web tier in the private subnet. Instances are
# registered into aws_lb_target_group.test and are meant to be reached only
# through the ALB.
resource "aws_autoscaling_group" "moodle-agents" {
  name                 = "agents"
  launch_configuration = aws_launch_configuration.moodle-lc.name
  vpc_zone_identifier  = [aws_subnet.Private_Subnet.id]

  min_size         = "1"
  desired_capacity = 2
  max_size         = "20"

  # Instance health comes from the target group's health check rather than
  # EC2 status checks alone: once health_check_grace_period seconds have
  # passed, an instance the target group reports as unhealthy is replaced.
  # The grace period therefore has to cover the user_data bootstrap plus the
  # target group's time-to-healthy.
  health_check_type         = "ELB"
  health_check_grace_period = 300
  target_group_arns         = [aws_lb_target_group.test.arn]

  # Lets the group be destroyed without waiting for its instances to terminate.
  force_delete = true
  depends_on   = ["aws_nat_gateway.gateway"]

  lifecycle {
    create_before_destroy = true
  }

  tag {
    key                 = "Name"
    value               = "Agent Instance"
    propagate_at_launch = true
  }
}
The user_data script just installs the Apache web server and starts it.
I read this article (link) and my code looks the same to me; can someone please explain where I made a mistake?
Without the NAT gateway (with the ASG in the public subnet) everything works fine, but it makes no sense to use an ALB to reach instances that are already exposed to the internet.
Your general architecture is correct, although there are still some mistakes:
availability_zone = "$eu-central-1a"
availability_zone = "eu-central-1"
An ALB must span two different AZs; you should probably use "eu-central-1a" and "eu-central-1b".